CIPP/E Study Guide
Ch 16.1 - ePrivacy requirements

ePrivacy laws: unsolicited messages and cookies

The ePrivacy Directive adds consent and information rules to digital marketing by phone, fax and electronic mail (including SMS, IM and push). The general rule: most digital marketing, other than person-to-person phone calls, needs prior opt-in consent, with a limited opt-out exemption for email to existing customers. Unlike the GDPR, the ePrivacy Directive has no direct effect: it was transposed into national laws, so requirements and enforcement vary by member state.

Because the ePrivacy Directive has no direct effect, some states put it in data-protection law and others in telecoms law; enforcement sits with the DPA in some countries and the telecoms regulator in others. So international organisations face significant differences in interpretation and rigour of enforcement.

The ePrivacy default

Most forms of digital marketing - except person-to-person telephone calls - require the recipient's prior opt-in consent. The main carve-out is the email 'soft opt-in' for existing customers.

Key terms - quick answers

What is “Direct effect”?
The ability of an EU instrument to be relied on directly. The GDPR (a Regulation) has direct effect; the ePrivacy Directive does NOT - it had to be implemented into national law.

What is “Prior opt-in consent”?
Consent obtained before the message is sent / cookie is set. The default ePrivacy rule for most digital channels.