CIPP/E Study Guide
Ch 16.8-16.9 - Enforcement

Enforcement and conclusion

Enforcement of direct-marketing rules - especially cookies and unsolicited communications - is rising: class actions (Lloyd v Google in the UK; Salesforce/Oracle in NL), regulators prioritising tracking/cookie data, and NGO complaints (NOYB filed 422 cookie-banner complaints). Under Article 15(2) ePrivacy, member states must apply the GDPR's remedies, liabilities and sanctions to ePrivacy breaches. A key nuance: in some states ePrivacy enforcement sits with telecoms/consumer regulators, not the DPA, which can mean tougher enforcement of spam/cookie rules than of general DP.

  • Risks under the GDPR: fines and administrative sanctions by DPAs, plus civil and sometimes criminal liability.
  • Art 15(2) ePrivacy applies the GDPR's remedies, liabilities and sanctions to ePrivacy breaches.
  • In some states (e.g. the Netherlands) ePrivacy enforcement by telecoms/consumer regulators has been more vigorous on spam and cookie consent than general DP enforcement.
  • Drivers of rising enforcement: class actions, regulators prioritising cookie/tracking data (CNIL fined Amazon, Google, Carrefour), and NGO complaints (NOYB's 422 complaints).
GDPR-compliant collection ≠ ePrivacy-compliant sending

The conclusion's headline trap: collecting email addresses from public sources may be fully GDPR-compliant, yet using them to send unsolicited emails can still breach ePrivacy laws. Always treat processing and the communication as separate legal questions.

Key terms - quick answers

What is “Article 15(2)”?
ePrivacy provision requiring member states to apply the GDPR's judicial remedies, liabilities and sanctions to infringements of the ePrivacy Directive.
What is “NOYB”?
Max Schrems' NGO ('none of your business') that filed 422 formal GDPR complaints with ten DPAs over cookie banners.
What is “Lloyd v Google”?
UK class-action that reached the UK Supreme Court, which rejected the representative action - an example of private enforcement around tracking/cookies.