On 12 February 2025, the European Commission officially withdrew its proposal for a new E-Privacy Regulation, concluding years of debate over new rules on electronic communications privacy. Originally introduced in 2017, the regulation aimed to complement the General Data Protection Regulation (GDPR) and replace the E-Privacy Directive (2002/58/EC). However, persistent disagreements and shifted focus have prevented any progress in making the proposal into EU law.
Reasons for Withdrawal
After years of stagnation, the proposal became increasingly outdated, especially as the EU introduced numerous new digital regulations. Legislative advancements such as the Digital Markets Act (DMA) and the Digital Services Act (DSA) addressed some of the issues initially covered by the E-Privacy Regulation. Additionally, robust GDPR enforcement actions have already tried to cover several concerns that the proposed regulation sought to regulate. As a result, the European Commission decided it was time to abandon the proposal and will hopefully consider fresh regulatory approaches.
Implications for Businesses
With the withdrawal, the E-Privacy Directive remains in force, requiring businesses to comply with a patchwork of national rules of the Member States regarding cookies/trackers, direct marketing, and metadata processing. Regulators are expected to focus on enforcing existing laws rather than drafting an immediate replacement. As a consequence, cookie consent pop-ups and other compliance requirements will likely remain in place for the foreseeable future.
