EU ePrivacy Regulation (withdrawn)

What it is

Regulation on Privacy and Electronic Communications, COM(2017) 10 final. Proposed in January 2017 to modernise the 2002 ePrivacy Directive, harmonise cookie/consent rules, and extend the regime to over-the-top messaging and IoT communications. The European Commission's 2025 Work Programme announced its withdrawal on 11 February 2025; the Commission formally approved the withdrawal on 16 July 2025 and published it in the Official Journal on 6 October 2025.

Why it matters

Site owners spent eight years preparing for an ePrivacy Regulation that never arrived. The practical effect is no change: GDPR plus the existing 2002 ePrivacy Directive (as transposed by each member state) remain the binding framework for cookies, consent, and electronic communications. Any 'ePrivacy Regulation compliance' tooling sold between 2017 and 2025 is now obsolete.

Who it applies to

Would have applied to providers of electronic communications services and websites with EU users — but the proposal was withdrawn before adoption.

• Jurisdictions: European Union

How WQI scores it

Web Quality Index considers this standard satisfied when all of the 2 supporting factors pass.

0 of 2 supporting factors are currently collected. Sites where the remaining 2 haven't been measured will show as partial or unknown on this standard until the data lands.

Related standards

See also

Cookie consent , GDPR

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.

• Australian Privacy Act + APPs 2 shared factors Privacy Australia's federal privacy law, anchored on the 13 Australian Privacy Principles. The 2024 reforms added a statutory tort for serious privacy invasions and direct OAIC penalty powers.
• Colorado Privacy Act 2 shared factors Privacy Colorado's CCPA-shaped privacy law, with a hard requirement to honour Universal Opt-Out Mechanisms like Global Privacy Control as of July 2024.
• Connecticut Data Privacy Act 2 shared factors Privacy Connecticut's CCPA-shaped privacy law. Like Colorado, recognises Global Privacy Control as a valid opt-out signal — and the AG has been actively issuing cure notices since 2023.
• COPPA 2 shared factors Privacy If your site is directed at U.S. children under 13 — or you knowingly collect from them — you need verifiable parental consent before any data collection. The 2025 amendments tightened this further around third-party advertising.
• HIPAA 2 shared factors Privacy If your site collects, displays, or transmits protected health information, HIPAA applies. A privacy policy plus an explicit Notice of Privacy Practices and a clear consent flow are the minimum visible signals.

Other references

• regulation European Parliament Legislative Train — ePrivacy reform (status: withdrawn)
• regulation EUR-Lex — original proposal COM(2017) 10