The Optimus blog

The blog that inspires leaders in the UK education sector

The Optimus blog

The blog that inspires leaders in the UK education sector

Lisa Griffin

What is the ePrivacy Regulation?

Thought you’d heard the last of changes to data compliance? Get ready for the new ePrivacy Regulation.

The EU have proposed that the current ePrivacy Directive be replaced by the ePrivacy Regulation (ePR) and sit alongside the General Data Protection Regulation (GDPR), which came into force in May this year. The current Directive is implemented in the UK as the Privacy and Electronic Communications Regulations (PECR) and continues to apply until replaced.


The PECR cover several areas.

  • The security of public electronic communications services.
  • The privacy of customers using communications networks or services regarding traffic and location data, caller ID and call return, and directory listings.

The current Directive is commonly referred to as the ‘cookie law’ and will likely be familiar in the form of cookie consent popups or banners on some websites. Consenting to cookies allows a website to recognise a user’s device and store information about preferences or past actions, such as what the user has viewed or clicked on. If a user doesn’t give consent to cookies being used, access to a website can be blocked.

The current Directive (and proposed ePR) aren’t just about cookies though. They focus on personal data protection and all electronic communications. This includes marketing by electronic means, such as:

  • phone calls
  • emails
  • texts
  • instant or social media messaging (e.g. Skype or WhatsApp)
  • apps
  • faxes.

If you use electronic marketing, cookies or a similar technology on your website, or a phone directory (or a similar public directory), the regulations apply to you.

The PECR apply even if you are not processing personal data.

What’s changed?

The current ePrivacy Directive requires local governments to implement accordingly, which has resulted in inconsistencies where the Directive has been interpreted differently. Like the GDPR, the new rules are regulations (not directives), so they will automatically apply to all EU member states and become legally-binding.

The ePR aims to work in conjunction with the GDPR to:

  • ensure data is handled transparently and with care by organisations
  • strengthen the control individuals have over the use of their personal data.

The ePR proposes to remove consent for non-privacy intrusive cookies, such as remembering what’s in your shopping basket. The Regulation also aims to simplify the use of cookies, by requiring internet browsers (such as Google Chrome or Firefox, for example) to give users more control over how cookies are used on their devices or internet browsers. This means control of any private or sensitive information stored and settings to allow or deny cookie use.

The changes would include no longer seeing cookie pop-ups or banners on individual sites, as we would be able to set the types of cookies that are deployed when we first set up a browser.


Consent to tracking will have to be given in line with the GDPR definition, i.e. it will have to be ‘freely given, specific, informed, unambiguous’. Tracking personal devices via cookies or tracking people without their clear approval through public hotspots or Wi-Fi will also be prohibited.

Direct marketing by electronic means is allowed if an individual has provided consent to receive such communications. So, contacting a named person’s business email address directly would require consent for email marketing. Contacting a generic business email address, for example info@XXXXX dot com, would not.

Available methods of consent include:

  • signing a paper consent statement
  • ticking an opt in box
  • clicking an opt in button or link
  • selecting from yes/no options
  • choosing technical settings/through a dashboard
  • responding to an email
  • answering ‘yes’ orally to a clear request
  • volunteering information for a specific purpose.

It should be as easy for consent to be withdrawn as it is to give it, so you’ll need to make it clear how an individual can do this.

What does it mean for schools?

Like the GDPR, if the new ePR is breached the ICO can impose a fine of up to £500,000. The ICO can also pursue criminal prosecution.

Again, like working with third parties under the GDPR, if you pay someone else to do your marketing, you are both responsible for complying with the ePR. If someone else makes calls on your behalf or sends your emails, you are still responsible, as you are ‘instigating’ those calls or messages i.e. they are coming from you.

The ICO recommend having a written contract that sets out the responsibilities of any third party you work with.

How does it relate to the GDPR?

The ePR is designed to sit alongside, and work in conjunction with, the GDPR and to strengthen the control individuals have over the use of their personal data. It was proposed that the new ePR would be implemented at the same time as the GDPR but was delayed.

What do we need to do?

Be aware! We don’t yet know the date when the ePR will be published nor applied but changes are afoot. Preparations made ahead of the GDPR implementation should mean that you’re compliant so you’re in good shape.

GDPR for Schools

Our GDPR for Schools conference will be providing more information and guidance on the new ePR, as well as an update from the ICO.

Taking place in London on 27 November and Manchester on 24 January 2019, you can secure your place now.


Similar Posts

Tiffany Beck

Multi-academy trust governance: your questions answered

Governance was a hot topic at our annual MATs Summit. Tiffany Beck, chair of trustees at Maritime Academy Trust, answers some popular questions from the event. 1. We have a shortage of governors and trustees and require more skilled professionals. Can you share any tips on recruitment? Ask your...
John Viner

We need to talk about Ofsted

New proposals from Ofsted have prompted a shift in the rhetoric around inspection. John Viner summarises the changing times. With the departure of Her Majesty’s Chief Inspector of Schools, Sir Michael Wilshaw, Ofsted moved into a new phase under the leadership of Amanda Spielman. Out went the old-...
John Viner

Pupil premium: is it making a difference?

While pupil premium funding was introduced with the good intention of helping schools narrow the attainment gap, its future looks increasingly uncertain. In April 2011, the coalition government introduced the pupil premium and the service premium. This injected an additional £625 million of funding...