Fact-checked by Grok 2 weeks ago

ePrivacy Directive

The ePrivacy Directive, formally Directive 2002/58/EC of the and of the Council of 12 July 2002, is a legislative instrument of the that regulates the processing of and the protection of specifically within the electronic communications sector. It applies to publicly available electronic communications services, harmonizing rules to ensure the confidentiality of communications and related while complementing broader data protection frameworks. Key provisions mandate security measures for , prohibit unauthorized interception or surveillance of communications or legal warrant, and require providers to notify users of breaches. Article 5(3) notably restricts the storage of information or gaining access to data on users' terminal equipment—such as via —unless users are clearly informed and consent, or it is strictly necessary for service provision. Article 13 curbs unsolicited communications, demanding prior opt-in consent for most via electronic means, with limited exceptions for existing customers. Despite achieving baseline protections for electronic and facilitating cross-border services, the directive has faced criticism for uneven transposition into national laws, resulting in fragmented enforcement across member states. Provisions, particularly on , have proven challenging to implement effectively amid rapid technological shifts, leading to widespread compliance burdens and debates over consent validity. Attempts to modernize it through an proposal, intended to align with the GDPR and address digital ecosystem gaps, were withdrawn by the in February 2025 amid political and competitiveness concerns. As of October 2025, the directive remains operative, with ongoing discussions for targeted revisions to enhance its adaptability without a full replacement.

History and Development

Adoption and Initial Framework (2002)

The ePrivacy Directive, formally Directive 2002/58/EC, was adopted by the and the on 12 July 2002 and published in the Official Journal of the on 31 July 2002, entering into force on the date of publication. It replaced the earlier Directive 97/66/EC of 15 December 1997 on the processing of and the protection of in the sector, which had been enacted amid the EU's progressive of markets in the 1990s to foster competition and dismantle state monopolies. This recast addressed the evolution from traditional to burgeoning electronic communications networks, driven by rapid adoption and the need for harmonized sector-specific rules to support cross-border services without undermining user trust in digital infrastructure. The directive's primary motivation was to safeguard the confidentiality of communications in public electronic communications networks while complementing the general framework of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of , which applied broadly but lacked specificity for telecommunications technologies. Recitals emphasized that electronic communications, unlike conventional mail, involve real-time processing of traffic and location data by network operators, necessitating targeted safeguards against unauthorized interception, storage, or use to prevent erosion of in an increasingly interconnected environment. Harmonization was justified by the causal link between inconsistent national rules and barriers to the , particularly as liberalization exposed users to new risks from diverse providers handling sensitive . Key initial provisions established strict for communications content, prohibiting or except under legal , with and requiring prior subscriber for any non-billing purposes after anonymization where feasible. For unsolicited commercial communications, an opt-in regime mandated prior for electronic mail or equivalent messages sent to individual subscribers, aiming to curb spam's interference with network efficiency and user . These measures prioritized empirical protection of end-to-end integrity in public networks to sustain reliance on electronic services, with member states required to transpose the directive into national law by 31 October 2003.

Key Amendments (2009)

Directive 2009/136/EC, adopted by the and Council on 25 November 2009, amended the ePrivacy Directive (2002/58/EC) as part of a broader reform package known as "Better ." Entering into force on 18 December 2009 following publication in the Official Journal, the directive required into national law by 25 May 2011. These amendments targeted shortcomings in the original framework, particularly amid rising deployment of tracking technologies and unchecked volumes in the mid-2000s, which empirical observations linked to diminished confidence in electronic communications . Recitals emphasized causal connections, such as unaddressed access to devices facilitating proliferation and service providers' underutilized capacity to curb unsolicited intrusions. A primary change involved Article 5(3), mandating explicit prior —via clear and free refusal options—for storing or accessing information on users' terminal equipment, such as , except where strictly necessary for service provision or terminal transmission. This addressed gaps in the version's mere notification requirement, which failed to curb pervasive behavioral tracking; Recital 66 highlighted the need for user-centric controls to mitigate risks from technologies enabling undisclosed , without ideological overreach but grounded in observed erosions from lax device access. Exceptions were delineated for operational essentials, including integrity , to prevent disproportionate burdens on legitimate functions. Amendments to Article 13 imposed stricter opt-in rules for unsolicited communications, extending prohibitions to automated calls, faxes, emails, and emerging / channels, with limited retention only for existing customers under defined conditions. Recital 67 cited empirical inadequacies in prior mechanisms, which correlated with escalating despite initial rules, urging providers to leverage their technical positions for suppression—reflecting data on mid-2000s spam surges overwhelming inboxes and evading fragmented enforcement. This aimed to restore causal balance by prioritizing user protection over unchecked commercial outreach, without exempting uses. Security provisions in amended Article 4 required providers to implement appropriate technical measures for and service security, including breach notifications to competent authorities (and users where risks to exist), with sanctions for failures. Recital 53 clarified allowances for traffic data processing tied to security objectives, such as fraud prevention and attack mitigation, acknowledging causal vulnerabilities from unmonitored communications—evident in early reports of exploits exploiting weak safeguards. These updates bridged enforcement voids by mandating proactive defenses, harmonizing with indispensable operational safeguards absent in the original directive's vaguer obligations.

Post-GDPR Era and Regulation Attempts (2017–2025)

The presented its proposal for an on 10 January 2017, seeking to repeal and replace the 2002 ePrivacy Directive with a directly applicable instrument to achieve uniform enforcement across member states and better harmonization with the GDPR, which entered into force on 25 May 2018. The draft extended protections to electronic communications via over-the-top services, such as messaging apps, and machine-to-machine interactions, while clarifying rules on metadata processing, tracking technologies, and confidentiality of end-to-end encrypted communications to address technological advancements post-Directive. Proponents argued this would reduce national divergences in transposition and enhance cross-border consistency, but the proposal immediately encountered resistance over its broader scope compared to the Directive's focus on traditional telecoms. Inter-institutional negotiations faltered amid persistent disagreements between the , which pushed for stringent bans on tracking without consent and robust enforcement mechanisms, and the , which favored exemptions for , , and uses to mitigate economic burdens on . Trilogues, initiated after the Parliament's first-reading amendments in October and the Council's general approach in 2019, yielded no breakthroughs despite revised drafts, including a version in emphasizing GDPR alignment and flexibility for value-added services. Key sticking points included the interpretation of "confidentiality of communications" for unencrypted and device scanning, with six presidencies failing to secure qualified majority agreement by , exacerbating legal fragmentation as member states diverged in Directive implementations alongside GDPR enforcement. The withdrew the proposal on 11 February 2025 as outlined in its 2025 Work Programme, determining no realistic prospect of adoption amid shifting priorities toward for competitiveness, AI data access, and simplified rules to reduce compliance costs. This retreat, following eight years of , perpetuated reliance on the Directive's national transpositions, underscoring regulatory inertia where fragmented safeguards persisted without updates for evolving threats like widespread device fingerprinting, despite supplementary GDPR mechanisms. The outcome reflected broader critiques of over-regulatory proposals yielding minimal incremental protections, as evidenced by ongoing gaps in tracking under the extant framework.

Legal Scope and Objectives

Core Subject Matter

The ePrivacy Directive (Directive 2002/58/EC) establishes targeted safeguards for the privacy of communications, emphasizing , , and within public electronic communications networks and services. Adopted on July 12, 2002, it addresses the specific vulnerabilities inherent to transmitted data over shared infrastructures, where unauthorized access poses direct risks to users' to private life and communications as enshrined in Article 8 of the . Unlike broader data protection frameworks, it functions as a sector-specific instrument, mandating technical measures to prevent and ensure secure transmission, thereby mitigating causal threats from interception in environments lacking inherent . Article 5 forms the cornerstone of these protections by requiring Member States to prohibit any listening, tapping, storage, or other interception of communications and related traffic data without the users' , except in cases of legal such as for under Article 15(1). This provision explicitly covers both the content of communications and like traffic data, compelling providers to implement secure systems that preserve end-to-end integrity during transit. Empirical evidence from the early 2000s, including reports of rising cyber intrusions into telecom networks, underscored the directive's rationale, as public switched telephone networks and nascent internet services demonstrated susceptibility to and packet sniffing without robust safeguards. The directive's scope primarily targets providers of publicly available electronic communications services, including traditional telecommunications operators and internet service providers (ISPs), who bear responsibility for network-level security under Article 4. This includes obligations to protect against fraud and unauthorized access, with notifications to subscribers about potential risks and available remedies. While originally focused on conventional telecoms, subsequent harmonization via the European Electronic Communications Code (Directive (EU) 2018/1972) extended applicability to over-the-top (OTT) services such as messaging apps and VoIP, ensuring consistent protections against interception threats across evolving digital platforms, though enforcement varies by service type due to differing controls. The exclusion of communications content from routine processing—coupled with mandates for safeguards—distinguishes it from general rules, prioritizing real-time in transit over post hoc models.

Applicability and Exemptions

The ePrivacy Directive (Directive 2002/58/EC) applies to the processing of linked to the provision of publicly available communications services within public communications networks across EU Member States. As a directive, it requires into national law by Member States to ensure uniform protection of in communications while facilitating the free movement of related data, equipment, and services. Its scope is confined to such public services and networks, thereby excluding private or communications that do not involve public availability, which circumvents the Directive's requirements through non-public transmission setups. Key exemptions include those for national security and related state activities, as the Directive explicitly does not cover processing for , defence, State security (including economic well-being tied to security), or matters under Titles V and VI of the . This carve-out permits Member States to implement measures like or in these domains without Directive constraints, provided they align with under EU law. The Directive encompasses handling of communications , such as and , but provides limited exemptions for billing purposes under 6(2), allowing only to the extent strictly necessary for subscriber billing or interconnection payments, restricted to the period during which a bill may be lawfully challenged or payment pursued. Providers must erase or anonymize such once no longer required for transmission, except in these cases, and prior subscriber notification is mandated, with opportunities for objection where applicable. These conditions highlight narrow boundaries that limit retention to verifiable operational needs, preventing broader exploitation. In relation to the General Data Protection Regulation (GDPR), the ePrivacy Directive functions as for electronic communications metadata and content, providing sector-specific rules that take precedence over GDPR's general provisions to avoid overlaps in areas like traffic data processing. This status ensures tailored protections for communications without subsuming under broader personal data frameworks, though it complements GDPR where ePrivacy is silent.

Interplay with GDPR and Broader EU Law

The ePrivacy Directive (2002/58/EC), established under Article 95 of the Treaty on the Functioning of the (TFEU) for internal market harmonization, operates as a lex specialis in relation to the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), particularly for involving the confidentiality of electronic communications, such as metadata from traffic and location data. This means its targeted provisions prevail over the GDPR's broader rules on in overlapping areas, ensuring specialized protections for communications integrity that the GDPR does not displace. For instance, the Directive's requirements on securing communications against unauthorized interception take precedence, as affirmed by the (EDPB) in Opinion 5/2019, while the GDPR supplements for ancillary not inherently tied to electronic communications. Tensions arise in consent mechanisms, where the Directive imposes stricter opt-in standards—such as prior for accessing terminal equipment data (e.g., via or tracking)—that override the GDPR's more flexible lawful bases like legitimate interests. The EDPB's Guidelines 05/2020 clarify that GDPR validity criteria (freely given, specific, informed, and unambiguous) apply to ePrivacy scenarios, but the Directive's specificity demands granular, user-initiated affirmative action, leading to interpretive conflicts resolved through national court harmonization efforts between 2016 and 2020. These efforts, including preliminary references to the Court of Justice of the EU (CJEU), emphasized the Directive's primacy to prevent dilution of communications privacy, though varying national implementations highlighted enforcement gaps absent uniform regulation. Post-2022 integration with the (, Regulation (EU) 2022/2065) and (, Regulation (EU) 2022/1925) reveals further disconnects, as these newer instruments mandate compliance with ePrivacy and GDPR rules for online platforms and gatekeepers without supplanting the Directive's outdated framework. The , for example, reinforces transparency in systemic risks involving but defers to ePrivacy for core confidentiality, exposing causal enforcement silos: the Directive's Directive status permits 27 national transpositions with divergences, contrasting the /'s direct applicability and uniform penalties up to 6% of global turnover. This stasis undermines holistic oversight, as ePrivacy's unupdated provisions fail to address modern intermediaries' flows, prompting fragmented application amid evolving digital threats.

Principal Provisions

Confidentiality of Communications

Article 5 of Directive 2002/58/EC requires Member States to prohibit the listening, tapping, storage, or other interception of electronic communications content and related traffic data without user consent, except where legally authorized for purposes such as or criminal investigations. This provision mandates secure transmission of communications via public networks and services, with providers obligated to implement technical measures like to prevent unauthorized access, while restricting any logging of content to strictly legitimate operational needs. The rule aims to safeguard the integrity of private exchanges, recognizing that breaches could expose sensitive personal information to exploitation by malicious actors or unauthorized third parties. Enforcement faces significant technical hurdles due to evolving technologies, including widespread adoption of in applications such as Signal and , which renders content inaccessible even to service providers and complicates mandated lawful interceptions. (CGNAT), deployed by ISPs to conserve IPv4 addresses by multiplexing multiple users behind shared public IPs, further limits precise targeting of individual traffic for interception, as it obscures user-specific routing and increases aggregation challenges in surveillance systems. Real-world vulnerabilities persist, with reports of state-sponsored interception attempts and exploits in unencrypted protocols underscoring ongoing risks, though empirical assessments from the early 2000s highlighted telecom network exposures that informed the Directive's framing. Exceptions permit interception under national laws authorizing law enforcement access, provided it adheres to proportionality principles balancing privacy rights against public safety imperatives, such as preventing serious crime where causal links to threats are evident. The 2023 e-Evidence Regulation facilitates cross-border orders for stored electronic evidence but defers live interception mandates to ePrivacy-compliant frameworks, requiring judicial oversight to mitigate overreach. These derogations reflect a pragmatic reconciliation, as unchecked prohibitions could hinder effective responses to evolving threats like terrorism, yet they demand rigorous safeguards to avoid undermining the Directive's core privacy protections.

Handling of Traffic and Location Data

Article 6 of Directive 2002/58/EC mandates that traffic data—encompassing details such as the source and destination of communications, date, time, duration, and volume of transmitted data—processed and stored by providers of public communications networks or publicly available electronic communications services must be erased or rendered anonymous once no longer required for the transmission of the communication itself. This provision aims to limit the retention of that could otherwise enable extensive of user behavior without accessing communication content. Exceptions permit for billing, interconnection payments, or value-added services, but only to the extent strictly necessary, with data subsequently erased or anonymized; for such purposes, providers must inform subscribers in advance of the types of data processed, retention periods, and recipients, while offering an mechanism. Pseudonymization of traffic data is allowable under Article 6(2) for billing and related functions, allowing temporary retention in a form where direct identification is obscured but re-identification remains feasible for disputes or verification; however, this does not equate to true anonymization, as the data retains linkage potential to individuals, subjecting it to ongoing safeguards and prohibiting repurposing without explicit . Further processing of traffic data for marketing or value-added services requires the user's prior, free, and , with providers obligated to notify users of processing intentions and enable withdrawal of consent at any time. The 2009 amendments via Directive 2009/136/EC reinforced these consent requirements by emphasizing user control over , though implementation has revealed gaps, as IP addresses and similar identifiers often persist in logs enabling tracking despite nominal anonymization efforts. Article 7 addresses data distinct from traffic data, such as precise geographic coordinates derived from network signals, prohibiting its except where necessary for message transmission or billing, with or anonymization required thereafter. For value-added services like or , demands specific, from users, who must be notified in real-time when data is accessed and given options to disable it; users also hold to verify the accuracy and of disclosed data. Unlike content protections, these rules underscore 's unique risks, as aggregated traffic and data can infer sensitive patterns—such as habits, associations, and movements—more revealing than isolated content, a concern amplified by empirical analyses of communication patterns. Enforcement data indicates uneven compliance, with national authorities documenting cases where providers retained geolocation beyond permitted durations, often justified under billing pretexts but enabling unauthorized analytics.

Regulation of Unsolicited Messages

Article 13 of Directive 2002/58/EC prohibits the transmission of unsolicited communications for purposes via electronic mail, , or automated calling systems without the prior of the recipient, establishing an opt-in requirement for such messages to individual subscribers. This applies to both public and private electronic communications services, targeting commercial outreach distinct from general under broader rules. For corporate subscribers, member states may permit an mechanism, allowing initial contact unless the recipient has objected, though prior remains the default for most cases. Exceptions exist for communications to existing customers where contact details were obtained in the context of a prior sale or negotiation of a , provided the message promotes similar products or services and includes a valid option at the time of sending and in every subsequent message. The 2009 amendment via Directive 2009/136/EC reinforced these protections by replacing Article 13 with provisions mandating explicit prior consent for automated unsolicited calls and faxes, and clarifying that consent must be provable by the sender. This tightening responded to the proliferation of in the , with European inboxes facing volumes exceeding 50% unwanted messages by mid-decade, prompting stricter opt-in rules compared to opt-out models like the U.S. CAN-SPAM Act of 2003. For telephony-based marketing, member states must implement or encourage do-not-call registers, ensuring providers block calls to registered numbers and honor objections to future contacts, though implementation varies—e.g., mandatory national lists in countries like and versus voluntary codes in others. Enforcement relies on member state transposition, with penalties described as effective, proportionate, and dissuasive, including fines up to national maximums such as €300,000 in for severe violations. However, compliance remains empirically low, with reports indicating widespread ignorance of Article 13 due to jurisdictional challenges against offshore spammers operating from non-EU jurisdictions like or the U.S., where cross-border cooperation is limited. Studies show EU volumes persisting at 40-60% of total traffic into the 2010s, suggesting deterrence efficacy is undermined by enforcement gaps rather than insufficient penalties, as domestic senders face traceable fines while extraterritorial actors evade via anonymized servers and disposable domains. Member states' authorities handle complaints, but low prosecution rates—often under 10% of reported cases leading to action—highlight causal factors like resource constraints and proof burdens for records.

Cookies, Tracking, and Device Fingerprinting

Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC), as amended by Directive 2009/136/EC on 25 November 2009, mandates that member states ensure the storage of information or access to information already stored in the terminal equipment of a subscriber or user occurs only with prior , subject to limited exceptions. This provision primarily targets —small data files placed on users' devices by websites to store preferences, session data, or tracking identifiers—but extends to any technology enabling similar storage or access, such as supercookies (resilient identifiers like evercookies that regenerate after deletion via local storage, cache, or other mechanisms). Exceptions apply to actions strictly necessary for the transmission of a communication over an electronic communications network or for the provision of a service explicitly requested by the user, such as essential session for login functionality or basic analytics disclosed transparently as integral to site operation. Non-essential , including those for behavioral advertising or third-party tracking, require opt-in consent that is freely given, specific, informed, and unambiguous, typically via active user action rather than implied agreement. The rule aims to protect user privacy by preventing unauthorized surveillance through device-stored data, but implementation varies by , with enforcement often relying on national data protection authorities. The directive implicitly encompasses device fingerprinting, a tracking method that collects and combines device-specific attributes (e.g., browser version, screen resolution, installed fonts, or hardware details) to generate a without traditional , as it involves accessing from the terminal equipment. (EDPB) Guidelines 2/2023, adopted on 14 November 2023 and updated in 2024, clarify that Article 5(3) applies to such techniques when they access device data for tracking purposes, requiring consent unless exempted as necessary. However, the absence of explicit prohibitions on server-side processing or probabilistic matching allows partial evasion, as identifiers can be reconstructed remotely without direct terminal writes. Empirical studies from the highlight persistent tracking despite these rules. A 2013 analysis of over 1 million websites found widespread use of canvas fingerprinting (rendering hidden images to capture rendering differences) and evercookies on 5.5% and 1.3% of sites, respectively, enabling unique identification of 69% of browsers even after cookie deletion or . A 2016 Princeton-led study further documented novel fingerprinting via non-standard (e.g., status, audio processing), deployed on major sites to bypass cookie blockers and sustain cross-site profiling. These mechanisms evaded early implementations by operating statelessly or regenerating data, underscoring gaps in the directive's terminal-focused scope before EDPB clarifications.

Protections for Value-Added Services

The ePrivacy Directive establishes user-centric safeguards for value-added services (VAS), defined as ancillary offerings beyond basic transmission, such as subscriber directories, caller identification, and itemized billing, which rely on processing communications metadata like traffic or data. These protections, primarily under Articles 6, 7, 8, and 11, mandate prior consent or mechanisms to prevent unauthorized or use of end-user , ensuring that VAS providers cannot process such information without explicit user authorization. Article 11 regulates publicly available directories of subscribers, requiring providers to inform end-users in advance, free of charge, about the types of (e.g., name, address, telephone number) intended for inclusion and the purpose of publication. End-users must be given the opportunity to refuse entry into directories entirely or to verify and limit published details, with Member States required to ensure facilities for non-public or pseudonymous entries where feasible; this effectively imposes an opt-in requirement for sensitive data beyond minimal identifiers. Providers compiling directories from multiple sources bear responsibility for verifying consent and offering free updates or deletions upon request. For caller and related VAS under Article 8, the Directive entitles end-users to restrict the calling line (CLI) presentation to recipients on a per-call or permanent basis, with providers obligated to supply technical facilities for such restrictions at no extra cost. Member States may permit overrides in specific cases, such as calls or via user-initiated activation, but must prohibit CLI transmission in connected line scenarios; this extends to tone-based or network-announced services, prioritizing user over . Article 8 also addresses malicious call traceability, allowing temporary CLI storage for purposes under strict conditions, but only to the extent necessary for prevention or detection. Itemized billing as a VAS is governed by 7, permitting providers to offer detailed usage records but requiring that end-users be able to of revealing call destinations, locations, or specific recipients to protect third-party . for any further processing of billing into VAS, such as usage or , falls under 6(2), which allows traffic solely for user-requested VAS with prior, that can be withdrawn at any time; must be erased or anonymized immediately after the service ends. Location for VAS under 9 follows analogous rules, with processing permitted only with unambiguous and user notification of ongoing use. The 2009 amendments through Directive 2009/136/EC reinforced these VAS protections by aligning the Directive's scope with updated definitions of electronic communications services under the framework, explicitly encompassing over-the-top (OTT) providers like VoIP applications that deliver interpersonal communications. This expansion addressed the rise of non-traditional VAS ecosystems, such as app-integrated directories or location-enhanced services, by subjecting them to the same consent and mandates, thereby extending safeguards to digital platforms handling equivalent volumes.

Data Retention Requirements and Challenges

Mandatory Retention Mandates

Article 6 of the (Directive 2002/58/EC) permits providers of publicly available electronic communications services to store traffic and location data only to the extent necessary for billing, interconnection payments, and the provision of the service itself, after which such data must be erased or anonymized. This provision emphasizes minimal retention aligned with commercial necessities, without prescribing a fixed duration, though processing for fraud detection and prevention is allowable insofar as it does not override subscriber interests and includes appropriate safeguards. Under Article 15(1), Member States may derogate from confidentiality protections by adopting proportionate legislative measures requiring the retention of traffic and location metadata—excluding communication content—for purposes such as preventing serious criminal offenses, safeguarding public security, or enabling investigations by law enforcement agencies (LEAs). These mandates typically specify retention periods ranging from six months to 24 months, varying by national implementation to balance investigative utility against data minimization principles; for example, certain states require up to one year for metadata relevant to criminal proceedings. Such requirements stem from the recognition that metadata enables tracing communication patterns, endpoints, and movements, which LEAs empirically utilize in a substantial portion of serious crime probes, though utility depends on query specificity and volume of retained data. Proponents of these mandates cite justifications rooted in telecommunications fraud prevention, where retained traffic data reveals anomalous patterns indicative of scams or unauthorized access, linked to annual EU-wide losses exceeding billions of euros from schemes like premium-rate fraud. Retention exclusively targets non-content , preserving formal content , yet permits aggregate analysis that reconstructs social networks, habitual locations, and relational graphs, introducing causal risks of overbroad through programmatic querying absent individualized suspicion. National variations in duration and scope reflect empirical trade-offs: shorter periods limit LEA access to transient threats like fraud rings, while longer ones heighten exposure to misuse, with implementation often favoring security imperatives over uniform baselines across the .

Judicial Invalidation and National Variations

The European Court of Justice (ECJ) invalidated the EU Data Retention Directive (2006/24/EC) on April 8, 2014, in the joined cases Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources (C-293/12) and Seitlinger and Others v Minister for Justice and Equality (C-594/12), ruling it invalid due to disproportionate interference with the rights to respect for private life and to the protection of personal data under Articles 7 and 8 of the EU Charter of Fundamental Rights. This directive, which mandated retention of traffic and location data by electronic communications providers, complemented but was distinct from retention provisions under Article 15 of the ePrivacy Directive (2002/58/EC), which permits Member States to require such retention for purposes like national security provided it is strictly necessary and proportionate. Building on this, the ECJ's Grand Chamber judgment on December 21, 2016, in Tele2 Sverige AB v Post- och telestyrelsen (C-203/15) and Secretary of State for the Home Department v Tom Watson (C-698/15) held that Article 15(1) of the ePrivacy Directive precludes national legislation imposing a general and indiscriminate obligation on providers to retain all traffic and location data, as it exceeds what is strictly necessary to achieve objectives like combating serious crime or . The Court permitted targeted retention in response to specific threats but required robust safeguards, such as prior judicial authorization and limitations to serious cases, emphasizing that blanket retention fails tests absent evidence of its effectiveness for broad security aims. Subsequent rulings, including La Quadrature du Net (C-511/18 et al.) on October 6, 2020, reinforced this by invalidating generalized retention under ePrivacy derogations, highlighting empirical shortcomings where mass retention yields minimal value for preventing compared to targeted measures. Post-ECJ rulings, Member States exhibited significant divergences in adapting national retention laws compliant with ePrivacy Directive interpretations, resulting in a patchwork of privacy protections across the . In , the struck down multiple iterations of retention laws, and the ECJ on September 20, 2022, declared German provisions—requiring up to 10 weeks of retention without sufficient targeting—incompatible with EU law for lacking necessity and proportionality. Conversely, maintained broader generalized retention obligations, justified by heightened threats, despite ECJ challenges; its laws, including indefinite retention for security purposes, faced criticism for circumventing rulings through expansive derogations under Article 15, leading to ongoing litigation. These variations—ranging from minimal or no general retention in countries like and to more permissive regimes in and others—have created inconsistent enforcement levels, undermining uniform standards while studies indicate mass retention's causal inefficacy for prevention, as it overwhelms analysts with irrelevant data and diverts from intelligence-led, warrant-based approaches.

Implementation and Enforcement

Transposition into Member State Laws

The ePrivacy Directive (2002/58/EC) mandated that EU Member States transpose its provisions into national legislation by 31 October 2003, as stipulated in Article 27 of the Directive. This included requirements for confidentiality of communications, traffic data handling, and restrictions on unsolicited messages, necessitating adaptations to fit domestic legal frameworks while aiming for harmonization. Subsequent amendments via Directive 2009/136/EC, which enhanced rules on , data breach notifications, and privacy in public communications networks, set a further transposition deadline of 25 May 2011 under Article 4. Despite these timelines, several Member States, including , delayed full implementation of specific elements like cookie consent until 2021. Transposition has resulted in notable divergences, undermining uniform application across the . The European Commission's 2015 assessment of the Directive's transposition revealed inconsistencies in national laws, particularly in interpreting and enforcing provisions on and similar technologies, where some states adopted broader definitions encompassing device fingerprinting while others limited scope to traditional HTTP . For unsolicited communications, variations persist in opt-in requirements and exemptions; for example, certain Member States permit for corporate subscribers in contexts, whereas others enforce stricter prior consent, leading to fragmented thresholds. In the , transposition occurred via the Privacy and Electronic Communications Regulations 2003 (PECR), which closely mirrored the Directive's core elements but introduced nuances such as a "soft opt-in" for to existing customers under limited conditions, diverging from more prohibitive approaches in states like or . These national adaptations have contributed to empirical compliance gaps documented in 2010s audits, including cross-border service disruptions where operators face mismatched rules on tracking data storage, prompting reliance on the least stringent for operations. The Commission's surveys underscore that while core protections achieved broad fidelity, interpretive flexibilities in directives inherently foster such unevenness, complicating in multinational ecosystems.

Oversight Mechanisms and Penalties

Enforcement of the ePrivacy Directive (Directive 2002/58/EC) is primarily handled by national competent authorities designated by EU member states, which are typically the data protection authorities (DPAs) responsible for supervising electronic communications privacy. These bodies, such as France's Commission Nationale de l'Informatique et des Libertés (CNIL) and Germany's Bundesdatenschutzbeauftragter, conduct investigations, issue guidance, and impose sanctions for breaches of national laws transposing the Directive. The Directive requires member states to empower these authorities with necessary investigative powers, including access to data and premises, to ensure effective monitoring. At the EU level, the (EDPB), established under the GDPR, facilitates coordination among national DPAs to promote consistent application of data protection rules, including where ePrivacy provisions intersect with GDPR requirements. The EDPB has clarified that DPAs retain full powers under the GDPR even when ePrivacy rules apply as , but ePrivacy-specific oversight remains anchored in national implementations without a centralized EU enforcer. This decentralized model allows for tailored responses to local contexts but can lead to variations in enforcement rigor across member states. Penalties for violations are determined by national law and must be effective, proportionate, and dissuasive, as stipulated in Article 13 of the Directive, with no uniform EU-wide fine caps specified. In practice, many member states have aligned sanctions with GDPR levels, authorizing administrative fines up to €20 million or 4% of an undertaking's global annual turnover, whichever is higher, particularly for serious infringements like unauthorized access to communications or non-compliant tracking technologies. For ePrivacy-specific breaches, such as cookie misuse without valid , fines are imposed under dedicated national provisions rather than GDPR alone, enabling DPAs to target electronic communications sectors distinctly. Enforcement trends show increasing use of fines since the mid-2010s, with DPAs issuing penalties totaling hundreds of millions of euros for Directive-related violations, often focused on failures in tracking practices. laws may also include criminal sanctions or injunctive measures for egregious cases, such as intentional of confidential communications, alongside administrative remedies like public warnings or corrective orders. Despite this framework, cross-border cooperation remains challenged by the Directive's pre-GDPR structure, with the EDPB advocating for harmonized approaches to enhance deterrence.

Key Enforcement Actions and Case Studies

In the Fashion ID GmbH v. Verbraucherzentrale NRW eV case (C-40/17), the (ECJ) ruled on September 29, 2017, that website operators are jointly responsible with third-party providers for ensuring compliance with ePrivacy Directive requirements when embedding tracking technologies like Facebook's ", as the initial storage of occurs upon page load without user . This established liability chains in embedded tracking scenarios, influencing subsequent national enforcements. The landmark Planet49 GmbH ruling (C-673/17) by the ECJ on October 1, 2019, clarified that pre-checked checkboxes do not fulfill the "freely given" consent standard under Article 5(3) of the ePrivacy Directive for non-essential , including those used for personalized advertising; valid consent requires an , such as ticking an unchecked box, and users must be informed of durations and third-party access. The decision invalidated Planet49's practices in an online lottery where unticked boxes were used for promotional , reinforcing that silence or inaction cannot equate to consent, even if tied to service access. France's CNIL imposed a €100 million fine on (split as €60 million on and €40 million on ) on , 2020, for violating ePrivacy rules by setting advertising without prior, valid and providing incomplete information on purposes and durations, despite user interactions. Similarly, on the same date, CNIL fined €60 million for analogous failures in obtaining granular, before deploying tracking , highlighting systemic issues in designs that bypass active user opt-in. In 2022, CNIL escalated enforcement with a €150 million penalty against on March 25 for persistent cookie consent violations, including automatic setting of trackers without explicit approval and inadequate , marking one of the largest single fines under ePrivacy transposition laws. Ireland faced a €60 million fine from CNIL in December 2021 for comparable infractions in deployment for behavioral , underscoring recurring non-compliance in major platforms' tracking ecosystems. National authorities have documented patterns of ongoing violations despite these actions; for instance, the Dutch DPA fined Coolblue €40,000 in April 2025 for placing without valid consent post-warnings, evidencing enforcement challenges as technologies like device fingerprinting evolve faster than compliance adaptations. Cumulative fines for ePrivacy-related and tracking breaches have exceeded €300 million across by 2022, primarily from and other DPAs targeting non-compliance, yet complaints and audits reveal persistent issues with mechanisms.

Criticisms and Controversies

Economic Burdens and Overregulation

The ePrivacy Directive's mandates for obtaining explicit prior to deploying and similar tracking technologies generate substantial expenditures for operators and providers. A 2014 analysis by the Information Technology and Innovation Foundation (ITIF) estimated that the Directive's notification requirements alone impose annual costs of approximately €1.8 billion across European businesses, incorporating expenses for development, legal consultations, and to ensure ongoing adherence. These outlays escalate for small and medium-sized enterprises (SMEs), where implementing and updating management solutions, including integration with analytics tools like , frequently surpasses €10,000 annually due to limited in-house technical resources and reliance on third-party vendors. Such regulatory impositions also precipitate revenue shortfalls in ad-supported ecosystems, amplifying economic on smaller entities. Projections from a WIK-Consult on the Directive's indicated a potential 33% in Germany's expenditures in the near term, translating to €2.475 billion in foregone revenue from display and affiliate segments, with broader EU-wide display ad losses forecasted at 45-70% by organizations like IAB Europe. SMEs, dependent on these low-barrier revenue streams for sustainability, face heightened exclusion risks, as the costs of pivoting to consent-heavy alternatives—such as user logins or proprietary tracking—disproportionately burden nascent ventures compared to multinational platforms capable of absorbing or circumventing such hurdles through scale-driven investments. By elevating entry barriers via prescriptive technical and procedural demands, the Directive fosters that entrenches dominant players while curtailing broader dynamics. Fixed overheads deter experimentation in data-intensive applications, channeling resources toward regulatory navigation rather than product development, and thereby shielding incumbents who can internalize costs or migrate to closed ecosystems. This dynamic contributes to the EU's lagging digital competitiveness against the , where less encumbered environments have sustained higher rates of venture investment and ad market expansion, underscoring a causal link between stringent electronic communications rules and diminished entrepreneurial .

Ineffectiveness of Consent and Compliance Fatigue

Empirical analyses of cookie consent banners mandated by the ePrivacy Directive reveal high rates of blanket acceptance, with studies reporting that 80-85% of users click "accept all" within seconds of encountering prompts, often without reviewing options. This pattern persists despite regulatory requirements for informed, granular consent under Article 5(3), as users prioritize access over deliberation, rendering opt-in mechanisms largely performative. Design practices exacerbate this ineffectiveness through dark patterns, such as larger "accept" buttons, multi-step rejection processes, or misleading language implying is required for site functionality; identifies these in at least 57% of banners, systematically biasing outcomes toward . validity is further compromised by banner proliferation following the 2009 ePrivacy amendments (effective May 2011), which exposed users to repeated interruptions across sessions—averaging dozens daily—fostering where subsequent prompts elicit automatic compliance rather than active choice. Alternative tracking evades these consent barriers, notably browser fingerprinting, which compiles device and behavioral signals without storing data on the user's machine, thus falling outside the Directive's cookie-centric scope and enabling persistent identification even after rejections. Data on tracking persistence post-2011 shows no measurable decline in overall surveillance volumes attributable to consent rules, as advertisers shifted to fingerprinting and server-side methods, underscoring a causal disconnect between banner interactions and reduced data flows. Policy critiques frame this opt-in regime as paternalistic overreach, presuming users incapable of defaults while empirical non-compliance yields illusory protections; analysts contend opt-out models or browser-level controls would better align with observed behaviors, avoiding fatigue without sacrificing agency.

Impacts on Innovation and Market Competition

The ePrivacy Directive's mandates for explicit prior to store or access user devices have hindered adtech innovation by curtailing the flows essential for developing and algorithms. Provisions restricting non-essential tracking, such as third-party , have led to fragmented user environments, delaying the rollout of AI-enhanced ad platforms reliant on behavioral signals. A estimated that stricter enforcement akin to the proposed could slash publisher ad revenues by 50% to 70% for entities without scale to pivot to alternative models, eroding funding for experimental adtech ventures and favoring walled-garden approaches by incumbents. In , the Directive's limits on processing like and —beyond mere —have constrained operators' ability to innovate -derived services, such as for service bundling, due to redundant consent layers overlapping with GDPR requirements. This has stifled R&D in machine-to-machine communications and ecosystems, where real-time is vital, as firms redirect efforts toward compliance audits rather than novel applications. Industry reports highlight how these rules create legal uncertainty, deterring investments in and exacerbating the EU's lag in digital service compared to less prescriptive regimes. The Directive's compliance demands, including granular consent mechanisms, impose asymmetric burdens that distort market competition by disadvantaging SMEs over large firms with dedicated infrastructures. Smaller adtech and startups, often lacking resources for platforms or legal expertise, face relative costs €1,000–€50,000 annually for analogous tooling, hindering market entry and scaling. This entrenches incumbents who can leverage for "privacy-by-design" adaptations, as seen in interactions with the where layered tracking rules amplify barriers for niche players. Empirical venture trends from the underscore the effect: EU tech averaged 0.3% of GDP yearly, versus over 1% in the , with regulatory fragmentation cited as a reducing attractiveness for data-heavy sectors. By enforcing opt-in defaults for data uses that underpin efficient matching in digital markets, the Directive skews incentives away from voluntary enhancements like , channeling resources into regulatory workarounds and diminishing ecosystem-wide experimentation. This causal dynamic—heightened fixed costs and consent friction—has perpetuated lower EU innovation outputs in competitive ad and domains, where seamless data access drives iterative advancements.

Shortcomings in Actual Privacy Safeguards

Despite the ePrivacy Directive's for the of communications under 5, practical has failed to prevent widespread evasion and through legal loopholes and technological workarounds. EU users turn to VPN providers in jurisdictions with minimal data disclosure obligations, such as those outside EU influence, to mask and data from ISPs and authorities, demonstrating the directive's inability to deliver end-to-end without supplementary tools. ENISA's threat assessments reveal that vulnerabilities in communications infrastructure, including interception risks and data exposure, have persisted without meaningful mitigation from ePrivacy-mandated safeguards. The agency's 2024 Threat Landscape report identifies threats against data confidentiality as among the top seven cybersecurity risks, with exploitation of network weaknesses continuing unabated, indicating no regulatory-induced decline in these exposures. National implementations retaining under ePrivacy exceptions for purposes have enabled disproportionate state access, as critiqued in post-Snowden judicial and scholarly analyses of practices. CJEU rulings, such as those restricting retention while affirming targeted exceptions, highlight ongoing overreach risks, yet empirical reviews post-2013 revelations show no verifiable correlation between such access and reduced threats, prioritizing retention volumes over . Privacy advocacy evaluations further contend that the directive's framework inadequately addresses evolving interception methods, such as those bypassing consent-based protections, resulting in user-centric failures where regulatory "protections" yield to market-provided alternatives like encrypted services for actual safeguarding.

Reform Efforts and Current Status

The Failed ePrivacy Regulation Proposal

The European Commission presented the ePrivacy Regulation proposal (COM/2017/010 final) on 10 January 2017 to supplant the ePrivacy Directive (2002/58/EC) with a directly applicable regulation, seeking to eliminate inconsistencies from divergent national transpositions and foster a uniform framework for electronic communications privacy across the EU. The initiative extended confidentiality obligations to machine-to-machine (M2M) communications, including devices, by incorporating them within the scope of electronic communications services and mandating protections against unauthorized interference or processing of related data. It also aimed to align rules with the General Data Protection Regulation (GDPR) for over-the-top (OTT) providers, ensuring a level playing field while clarifying handling of tracking technologies like through strict requirements and default privacy-enhancing settings. Central to the proposal were provisions safeguarding the confidentiality of communications and , barring providers from accessing or such without explicit end-user from all parties involved, save for or necessities. This framework clashed with implementations, as it reinforced providers' technical inability to decrypt or scan without , thereby heightening tensions over potential conflicts with demands or investigative access, though the text explicitly avoided mandating decryption capabilities. For M2M scenarios lacking human end-users, the designated device deployers or owners as consenting parties, yet this adaptation sparked debates on applicability and enforcement feasibility in automated systems. Negotiations advanced with the securing a in October 2017 and the adopting its general approach on 10 February 2021, initiating trilogues in May 2021 that subsequently stalled through 2024 amid unresolved disputes. Core blockers included the 's advocacy for broader exemptions in tracking and processing—such as allowances for security without per-instance —contrasting the 's insistence on rigorous, granular mechanisms aligned with GDPR's stricter standards. Privacy-focused stakeholders, including groups, demanded minimal exceptions to prevent erosion of protections, while representatives, particularly from and sectors, lobbied for legitimate interest grounds or simplified rules to mitigate hurdles from fatigue. Further contention arose over privacy-by-default settings, carve-outs, and with GDPR, prolonging deadlock despite the proposal's empirical intent to resolve Directive-induced fragmentation evidenced by varying enforcement across states.

Implications of the 2025 Withdrawal

The European Commission announced on February 11, 2025, its intention to withdraw the long-pending proposal for an ePrivacy Regulation, as outlined in its 2025 Work Programme, citing a lack of foreseeable agreement among EU institutions and a legislative backlog exacerbated by recent enactments like the Digital Services Act (DSA) and ongoing GDPR implementation. This decision leaves the 2002 ePrivacy Directive (Directive 2002/58/EC) in place as the governing framework for electronic communications privacy across the EU, with its national transpositions continuing to apply without supranational harmonization. The withdrawal perpetuates the Directive's inherent structural flaws, including persistent fragmentation due to varying implementations, which have led to inconsistent enforcement on issues like cookie and . Without a unifying , risks of further divergence intensify as national authorities adapt the Directive to , such as over-the-top () services, potentially creating a patchwork that undermines cross-border digital operations while failing to address gaps in confidential communications exposed by modern practices. This stasis signals broader regulatory fatigue with expansive, one-size-fits-all approaches, implicitly acknowledging the unworkable complexity of the proposed —which had stalled since its 2017 introduction amid disputes over scope and exemptions—over more granular, targeted amendments to the Directive. The absence of a replacement framework prioritizes legislative simplification amid competing priorities like , favoring incremental fixes to specific Directive shortcomings rather than overhauling rules ill-suited to rapid technological evolution.

Empirical Impact and Evaluation

Effects on Digital Economy and Businesses

The ePrivacy Directive, particularly its provisions on cookies and electronic communications, has imposed significant compliance costs on businesses, estimated at approximately €3.2 billion annually for cookie-related obligations alone, based on surveys of operators and expenses including legal reviews, modifications, and ongoing . These costs disproportionately affect small and medium-sized enterprises (SMEs), which often lack the resources of larger firms to absorb or outsource , leading to reduced in ; for instance, cookie has been calculated to cost €1.8 billion yearly in operational burdens. In the advertising sector, the Directive's restrictions on tracking technologies have accelerated revenue concentration in "walled gardens" such as and , where first-party data collection evades stringent third-party rules, thereby diminishing opportunities for publishers and ad tech intermediaries reliant on open-web ecosystems. This shift has reduced in markets, with European firms facing barriers to personalized ad delivery outside dominant platforms, contributing to a structural for incumbents that control user data within closed environments. Comparatively, the EU's privacy regulatory framework, including the ePrivacy Directive, correlates with slower digital innovation relative to lighter regimes like the , where tech sector output and venture capital inflows have outpaced ; for example, the hosts over 70% of global tech unicorns despite similar market sizes, attributable in part to less prescriptive rules on use that foster rapid experimentation in ad tech and . While some empirical analyses find no average revenue decline for European from the 2009 amendments, heterogeneous effects suggest smaller innovators bear the brunt, exacerbating the EU's lag in digital GDP contribution, which trails the by roughly 20 percentage points as a share of total economy.

Measurable Outcomes for User Privacy

Empirical assessments of tracking exposure in the following the ePrivacy Directive's implementation reveal limited substantive improvements in user privacy. Audits of mobile applications indicate that the proportion of apps employing at least one third-party rose from 88.44% in 2017 to 91.37% in 2020, with the number of hosts per increasing from 9 to 11 over the same period. Similarly, analyses of top websites show persistent non-compliance, with approximately % of the most visited European sites failing to honor opt-in consent requirements as of early 2025, enabling unauthorized tracking despite regulatory mandates. These patterns suggest that tracking prevalence has not diminished, as operators adapt via alternative methods like device fingerprinting and server-side tracking, which circumvent traditional cookie-based restrictions. Consent mechanisms under the Directive have exacerbated erosion through user , where repeated prompts lead to habitual acceptance of defaults rather than deliberate choices. Behavioral studies demonstrate that diminishes users' intentions to engage protective behaviors, fostering cynicism and automatic compliance with requests. This dynamic results in "apathetic users" who routinely grant broad consents to access content, effectively reverting to pre-regulation levels and undermining the Directive's aim of informed opt-in. Experimental evidence further confirms that designs often manipulate outcomes, with users exhibiting desensitization after encountering multiple notices, prioritizing over scrutiny. Causally, the Directive's consent-focused approach proves symbolic amid an ongoing technological , where privacy-invasive tools evolve faster than enforcement can adapt. While compliance audits highlight evasion—such as trackers loading prior to —core indicators like volumes and unauthorized incidents remain unaffected, as regulations target symptoms (e.g., cookies) without addressing underlying incentives for . This gap persists because alternative tracking vectors, unmitigated by the Directive's scope, sustain equivalent levels, rendering measurable gains negligible relative to baseline trends.

Comparative Effectiveness Against Alternatives

The ePrivacy Directive's emphasis on opt-in consent for electronic communications metadata and tracking technologies imposes substantially higher operational costs on firms than the United States' sectoral privacy framework, which relies on opt-out mechanisms under laws like the California Consumer Privacy Act (CCPA) for data sales disclosures. Comprehensive EU-style mandates, akin to those in ePrivacy, are projected to generate annual compliance expenses exceeding $122 billion if replicated federally in the US, compared to roughly $6 billion for targeted opt-out-oriented regulations. CCPA's initial implementation alone demanded an estimated $55 billion in upfront costs for qualifying California entities, yet this opt-out model avoids the granular consent overhead of ePrivacy, allowing streamlined business processes. Despite these disparities, empirical breach data reveals no decisive privacy edge for the EU approach; US average breach costs hit $10.22 million in 2025, amid global averages of $4.44 million, with North America logging over twice the ransomware incidents of Europe without corresponding rises in ePrivacy-attributable protections. Self-regulatory alternatives, such as the US Digital Advertising Alliance (DAA) principles for online behavioral advertising, outperform ePrivacy's mandatory consent in fostering voluntary compliance and user agency, as tools enable data use defaults that align with observed consumer behaviors rather than inducing blanket rejections. Economic analyses confirm systems drive greater and productivity by reducing friction in data flows, whereas opt-in mandates like ePrivacy's correlate with lower participation rates and persistent tracking circumvention. Theoretical models further indicate as socially optimal, balancing defaults against efficient market entry for data-driven services, unlike opt-in regimes that underprotect by deterring beneficial sharing. While indices assessing legal stringency often favor EU frameworks—including ePrivacy—for their prescriptive scope, these rankings prioritize regulatory architecture over causal outcomes like reduced misuse or enhanced trust, with Europe's top-20 dominance in privacy commitment metrics not translating to empirically lower threat exposures. Breach trends and compliance fatigue under consent-heavy rules suggest alternatives rooted in user property rights and market incentives yield more accountable data handling, as providers face direct reputational costs for overreach absent the illusion of universal opt-in efficacy.

References

  1. [1]
    2002/58 - EN - eprivacy directive - EUR-Lex - European Union
    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy.
  2. [2]
    EUR-Lex - 32002L0058 - EN - European Union
    This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in ...
  3. [3]
    [PDF] Review of the ePrivacy Directive - European Parliament
    Jan 10, 2017 · As a result, Directive. 2002/58 has been transposed under different legal frameworks at the national level. Indeed, in some countries it is part ...
  4. [4]
    European Commission Withdraws ePrivacy Regulation and AI ...
    The European Commission announced that it plans to withdraw its proposals for a new ePrivacy Regulation (aimed at replacing the current ePrivacy Directive) and ...
  5. [5]
    Denmark Proposes GDPR and ePrivacy Directive Revision
    Jul 14, 2025 · On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive.
  6. [6]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31997L0066
  7. [7]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046
  8. [8]
    L_2009337EN.01001101.xml
    Summary of each segment:
  9. [9]
    [PDF] Protecting privacy and fighting spam. - European Commission
    Protecting privacy and fighting spam. The EU's ePrivacy Directive sets specific limits on how personal data can be stored and used, particularly when it ...Missing: reports 2000s tracking
  10. [10]
    52017PC0010 - EN - EUR-Lex - European Union
    Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in ...Missing: details | Show results with:details
  11. [11]
    European Commission Proposes ePrivacy Regulation
    Jan 10, 2017 · The Proposal includes provisions with a broad scope of application covering over-the-top (OTT) services as well as communication between devices ...Missing: details | Show results with:details
  12. [12]
    Proposal for an ePrivacy Regulation | Shaping Europe's digital future
    The European Commission's proposal for a Regulation on ePrivacy aims at reinforcing trust and security in the digital world.
  13. [13]
    How the ePrivacy Regulation talks failed ... again - IAPP
    now ...Missing: trilogue | Show results with:trilogue
  14. [14]
    Council of the EU Released a (New) Draft of the ePrivacy Regulation
    Jan 6, 2021 · The regulation aims to safeguard the privacy of the end-users, the confidentiality of their communications, and the integrity of their devices.Missing: details | Show results with:details
  15. [15]
    Deadlock on ePrivacy rules creates legal uncertainty for telecoms ...
    Jan 7, 2020 · However, over the course of six successive Presidencies spanning almost three years, the EU Council failed to reach agreement on its approved ...Missing: failures | Show results with:failures
  16. [16]
    The European ePrivacy Regulation
    11 February 2025 - The European Commission Withdraws the ePrivacy Regulation. · 10 February 2021 - Council agrees its position on ePrivacy rules.Eprivacy Regulation Links · Eprivacy Regulation Training
  17. [17]
    https://hunton.com/privacy-and-information-security-law/european-commission-withdraws-eprivacy-regulation-and-ai-liability-directive-proposals
  18. [18]
    EU abandons ePrivacy, AI liability reforms as bloc shifts focus to AI ...
    Feb 12, 2025 · Still, while the Commission's proposal to replace the ePrivacy Directive with modernized regulation has now been withdrawn, the bloc's existing ...<|control11|><|separator|>
  19. [19]
    The EU's Work Programme 2025 – ePrivacy Reg and AI Liability ...
    May 9, 2025 · The 2025 Work Programme has dropped the ePrivacy Regulation and AI Liability Directive due to a lack of agreement and evolving legislation.
  20. [20]
    Directive 2002/58/EC of the European Parliament and of the Council
    Article 5U.K.Confidentiality of the communications. 1.Member States shall ensure the confidentiality of communications and the related traffic data by means ...
  21. [21]
    New European Electronic Communications Code means the ... - IAPP
    Dec 21, 2018 · The ePrivacy Directive (formally 'Directive 2002/58/EC') establishes specific rules on privacy for the electronic communications sector, ...
  22. [22]
    [PDF] Opinion 5/2019 on the interplay between the ePrivacy Directive and ...
    Mar 12, 2019 · Article 95 of the GDPR stipulates that the GDPR "should not impose additional obligations on natural or legal persons in relation to processing ...
  23. [23]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002L0058
  24. [24]
    [PDF] Guidelines 05/2020 on consent under Regulation 2016/679 Version ...
    May 4, 2020 · Therefore, the GDPR conditions for obtaining valid consent are applicable in situations falling within the scope of the e-Privacy Directive. 8.
  25. [25]
    Questions and answers on the Digital Services Act*
    The DSA has been designed in full compliance with existing rules on data protection, including the General Data Protection Regulation (GDPR) and the ePrivacy ...
  26. [26]
    [PDF] Access to data for law enforcement: Lawful interception
    As law enforcement agencies carry out lawful interception of electronic communications, they face numerous challenges stemming from rapid technological ...
  27. [27]
    [PDF] Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy ...
    Oct 7, 2024 · These guidelines address the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions, expanding on device ...
  28. [28]
    [PDF] Interception of electronic communications - http
    Jan 26, 2018 · electronic communications often comes up with resolvable risks or immediately rejects the use of backdoors without assessing the ...
  29. [29]
    E-evidence Regulation and Directive Published - eucrim
    Nov 9, 2023 · The Production Orders allow law enforcement authorities in one EU Member State to request electronic data from service providers (established or ...Missing: ePrivacy | Show results with:ePrivacy
  30. [30]
    https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009L0136
  31. [31]
    [PDF] Directive 2009/136/EC of the European Parliament and of the ...
    Nov 25, 2009 · DIRECTIVE 2009/136/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2009 amending Directive 2002/22/EC on universal service ...
  32. [32]
    Op-Ed: Without the ePrivacy Regulation, which challenges must still ...
    Feb 20, 2025 · The anti-spam rule, Article 13 of the ePrivacy Directive, is often ignored, due notably to issues of competence in some countries (more on that ...<|separator|>
  33. [33]
    [PDF] Review of the e-Privacy Directive - Access Now
    Exceptions can be made for billing and interconnection payments where processing for this specific purposes can be authorised if explicitly mentioned in the ...<|separator|>
  34. [34]
    EU Cookie Directive Law - Clarip
    The European Union amended the ePrivacy Directive in 2009 to require companies to obtain informed consent for storage or access of data on electronic devices.
  35. [35]
    [PDF] Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy ...
    Nov 14, 2023 · In these Guidelines, the EDPB addresses the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions. These ...
  36. [36]
    The Web never forgets: Persistent tracking mechanisms in the wild
    We present the first large-scale studies of three advanced web tracking mechanisms – canvas fingerprinting, evercookies and use of “cookie syncing” in ...Missing: 2010s | Show results with:2010s
  37. [37]
    Online tracking: A 1-million-site measurement and analysis
    We measure stateful (cookie-based) and stateless (fingerprinting-based) tracking, the effect of browser privacy tools, and "cookie syncing". This measurement is ...Missing: 2010s | Show results with:2010s
  38. [38]
    Tracking the trackers: Investigators reveal pervasive profiling of Web ...
    Nov 5, 2014 · Revealing and measuring the many commercial tools that invisibly track Web users is a key step toward improving transparency and privacy on ...Missing: evasion | Show results with:evasion
  39. [39]
    The state is watching you—A cross-national comparison of data ...
    Within the EU, they currently fall under the scope of the ePrivacy Directive (Directive 2002/58/EC), which allows mandatory retention of data for the ...
  40. [40]
    [PDF] Findings from a Cross-National Study on Data Retention in 25 ...
    Jun 20, 2023 · Within the. EU, they currently fall under the scope of the ePrivacy Directive (Directive 2002/58/EC), which allows mandatory retention of data ...
  41. [41]
    ePrivacy: Private data retention through the back door
    May 22, 2019 · Blanket data retention has been prohibited in several court decisions by the European Court of Justice (ECJ) and the German Federal ...
  42. [42]
    Recalibrating Data Retention in the EU - eucrim
    Sep 8, 2021 · These requirements are echoed in Art. 15(1) of the e-Privacy Directive, which states that data should be retained “for a limited period” and be ...<|separator|>
  43. [43]
    [PDF] Court of Justice of the European Union PRESS RELEASE No 54/14
    Apr 8, 2014 · Digital Rights Ireland and Seitlinger and Others. The Court of Justice declares the Data Retention Directive to be invalid. It entails a wide ...
  44. [44]
    62012CJ0293 - EN - EUR-Lex - European Union
    Judgment of the Court (Grand Chamber), 8 April 2014. Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others.Missing: invalidation | Show results with:invalidation
  45. [45]
    EU Data Retention Directive Declared Invalid by Court of Justice of ...
    Apr 8, 2014 · The Court of Justice of the European Union (CJEU) today held that the EU Data Retention Directive (Directive 2006/24/EC) 1 is invalid.Missing: invalidation | Show results with:invalidation
  46. [46]
    [PDF] The Members States may not impose a general obligation to retain ...
    Dec 21, 2016 · EU law precludes a general and indiscriminate retention of traffic data and location data, but it is open to Members States to make ...
  47. [47]
    62015CJ0203 - EN - EUR-Lex - European Union
    Judgment of the Court (Grand Chamber) of 21 December 2016. Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom ...
  48. [48]
    CJEU in Tele2 rules broad data retention laws invalid, raises ... - IAPP
    Dec 21, 2016 · In that judgment the CJEU held that the EU's Data Retention Directive was invalid. Some EU member states, such as Sweden and the U.K., then ...
  49. [49]
    https://privacyworld.blog/2022/10/burn-after-reading-data-retention-compliance/
  50. [50]
    CJEU: German Rules on Data Retention Not in Line with EU Law
    Nov 15, 2022 · On 20 September 2022, the CJEU (Grand Chamber) ruled that the German legislation on data retention is incompatible with EU law.
  51. [51]
    Data Retention - Verfassungsblog
    Nov 27, 2024 · France continues to implement a general data retention obligation nationwide, arguing that the national security threat required by the CJEU is ...
  52. [52]
    France seeks to bypass EU top court on data retention - Politico.eu
    Mar 3, 2021 · In 2014, the CJEU struck down the EU data retention directive. In late 2016, it ruled again against indiscriminate data retention, taking aim ...<|separator|>
  53. [53]
    [PDF] National Data Retention Laws since the CJEU's Tele-2/Watson ...
    EU data retention laws require companies to store personal data, but the CJEU requires legality, necessity, and proportionality, which most EU states don't ...
  54. [54]
    A new recipe for Cookies - The new German Telecommunications ...
    Mar 21, 2021 · Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy ...
  55. [55]
    ePrivacy Directive: assessment of transposition, effectiveness and ...
    Jun 17, 2015 · The study examines whether the ePrivacy Directive has achieved its intended effects and puts forward recommendations for future revision.
  56. [56]
    [PDF] ePrivacy Directive: assessment of transposition, effectiveness and ...
    The Framework was last amended in 2009 and the deadline for transposition of the 2009 amendments was 25 May 2011.<|separator|>
  57. [57]
    https://edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en_0.pdf
  58. [58]
    https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32002L0058&from=EN
  59. [59]
    CNIL's ePrivacy fines reveal potential enforcement trend - IAPP
    Jan 10, 2022 · The CNIL fined Google and Facebook up to a combined 210 million euros for alleged cookie violations under the ePrivacy Directive.
  60. [60]
    CNIL Issues Fines Totaling €135 Million in Landmark ePrivacy ...
    Dec 17, 2020 · Unburdened by the GDPR's “one-stop-shop” mechanism, the ePrivacy Directive can provide greater territorial reach for national authorities that ...
  61. [61]
    https://curia.europa.eu/juris/document/document.jsf?text=&docid=195614&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=123456
  62. [62]
    https://curia.europa.eu/juris/document/document.jsf?text=&docid=219202&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=123456
  63. [63]
    Tag – E-Privacy Directive - Hunton Andrews Kurth LLP
    On April 11, 2016, the European Commission launched a public consultation to evaluate and review Directive 2002/58/EC on the processing of personal data and ...
  64. [64]
    Dutch DPA intensifies cookie enforcement – key takeaways
    Apr 25, 2025 · Coolblue was fined €40,000 for placing tracking cookies and collecting personal data without valid consent. Despite earlier warnings, the ...<|separator|>
  65. [65]
    The Economic Cost of the European Union's Cookie Notification Policy
    Nov 6, 2014 · This report finds that the total annual cost of this law is $2.3 billion dollars per year. This figure includes both compliance costs for ...Missing: 1.8 | Show results with:1.8
  66. [66]
    The EU's Cookie Consent Saga: How a Well-Intentioned Privacy ...
    Oct 2, 2025 · Economic Burden on SMEs: Compliance costs for small sites can exceed €10,000 annually, including legal reviews and tech implementations, ...
  67. [67]
    [PDF] Study on the Impact of the Proposed ePrivacy Regulation
    Oct 19, 2017 · Executive Summary. General effects of the ePR. 1. The ePR and the GDPR overlap substantially. In many cases, the ePR rules deviate from the.
  68. [68]
    [PDF] Economic Impact of the ePrivacy Regulation on Online Advertising ...
    The results of this study show that the ePrivacy Regulation is likely to ... costs and low variable costs are likely to exclude small and medium-sized.
  69. [69]
    The impact of EU regulations on innovation - GIS Reports
    Dec 2, 2024 · The EU's regulatory approach is stifling innovation compared to the U.S., risking technological stagnation and diminished competitiveness ...
  70. [70]
    The Psychology Behind Cookie Consent: Why Users Click "Accept"
    Sep 1, 2025 · Even though more people care about privacy, 85% of visitors still click "Accept All" on your banner within seconds. This seems to contradict ...
  71. [71]
    Best Strategies to Improve Cookie Banner Acceptance Rate - Analyzify
    Feb 7, 2025 · Banners with pre-ticked “accept all” boxes see 83% acceptance rates; Banners requiring active choice show 40% lower acceptance; Equal-size ...
  72. [72]
    [PDF] Testing the Effect of the Cookie Banners on Behaviour
    This report tests the effect of cookie banners on behavior, aiming to provide evidence-based support for European policymaking.
  73. [73]
    [PDF] Dark Patterns after the GDPR: Scraping Consent Pop-ups and ...
    The ePrivacy Directive is connected to definitions in European data protection law, so when the GDPR [26] repealed and replaced the Data Protection Directive ...
  74. [74]
    EU watchdogs agree on how to handle certain cookie consent dark ...
    Jan 20, 2023 · Cookie consent banners that use blatant design tricks to try to manipulate web users into agreeing to hand over their data for behavioral ...
  75. [75]
    Cookie Permissions 101 - NN/G
    Nov 10, 2023 · Our study participants found cookie-permission designs annoying regardless of how willing they were to share their data. The degree of annoyance ...
  76. [76]
    [PDF] (Un)informed Consent: Studying GDPR Consent Notices in the Field
    Sep 5, 2019 · This study found that lower screen placement, binary choices, and nudging impact user consent on GDPR cookie notices. Users are more likely to ...
  77. [77]
    Here's What Your Browser is Telling Everyone About You - WIRED
    Oct 16, 2025 · There aren't any laws banning browser fingerprinting. Although the individual components of your fingerprint aren't covered by privacy ...
  78. [78]
    Websites Are Tracking You Via Browser Fingerprinting | Texas A&M ...
    which users can delete or block — fingerprinting is much harder to detect or prevent. Most users have no idea it's happening, ...Missing: evading | Show results with:evading
  79. [79]
    [PDF] Cookie Banners and Privacy Policies: Measuring the Impact of the ...
    (2) We present an extensive summary of key findings based on scientific research regarding the impact of the GDPR. We learn that although the GDPR can directly ...
  80. [80]
    Trust Us, We Know Best: The Steady Rise of Privacy Paternalism | ITIF
    Jun 24, 2021 · While opt-in requirements have certainly increased data collection costs, they have not curtailed data sharing as significantly as many privacy ...
  81. [81]
    [PDF] The Unintended Consequences of Privacy Paternalism
    Mar 5, 2014 · They argue that (1) diluting consent weakens essential privacy protections; (2) Diminishing limits on specified purposes, collection and uses of ...
  82. [82]
    [PDF] IMPACT OF EU REGULATION ON INNOVATION - BusinessEurope
    Innovation is critical to maintaining competitiveness as it provides a growth engine for the European economy. Regulation is required to set a.
  83. [83]
    Millions of small businesses aren't GDPR compliant, our survey finds
    We were surprised to learn that over half of small businesses report spending between €1,000 and €50,000 on GDPR compliance, including consultants and ...Missing: ePrivacy large
  84. [84]
    Stepping Up Venture Capital to Finance Innovation in Europe in
    Jul 12, 2024 · VC investments in the EU averaged 0.3 percent of GDP per year over the last decade, less than one-third of the US average, with US VC funds ...
  85. [85]
    Offshore VPNs: Evading Prying Eyes in Privacy-Friendly Jurisdictions
    Aug 16, 2023 · This article explores the world of offshore VPNs, offering insights into their benefits, considerations, and their role in ensuring a private and secure ...Missing: ePrivacy | Show results with:ePrivacy
  86. [86]
    Data Privacy Laws & Government Surveillance by Country
    Mar 25, 2022 · Comparitech has assessed privacy protection and the state of surveillance in 47 countries to see where governments are failing to protect privacy.Missing: ePrivacy | Show results with:ePrivacy
  87. [87]
    [PDF] ENISA THREAT LANDSCAPE 2024 - Security Delta (HSD)
    ENISA has been constantly monitoring the cybersecurity threat landscape and monitoring on its state with its annual ENISA Threat Landscape (ETL) report and ...
  88. [88]
    Cyber Threats | ENISA - European Union
    According to the latest ETL report, seven prime cybersecurity threats have been identified: threats against availability, ransomware, threats against data, ...Missing: communications ePrivacy
  89. [89]
    EU Law and Mass Internet Metadata Surveillance in the Post ...
    Sep 30, 2015 · This article considers the influence of the Snowden revelations on this landmark judgment. Subsequently, the analysis explores the significance of this ruling.
  90. [90]
    Data retention and the future of large‐scale surveillance: The ...
    May 12, 2022 · This article aims to critically analyse the legal limitations of (indiscriminate) surveillance measures, the role of the private sector in the scheme,
  91. [91]
    [PDF] ePrivacy: CJEU places restrictions on mass surveillance in decision ...
    The Court of Justice of the European. Union (the “CJEU”) has delivered two judgments confirming that the ePrivacy. Directive applies to national legislation.
  92. [92]
    The top five contested issues in the EU's developing ePrivacy ... - IAPP
    Jan 3, 2018 · The European Commission's proposal for an ePrivacy Regulation has sparked substantial debate and mobilized advocacy and lobbying efforts around ...
  93. [93]
    ePrivacy Regulation, but the fight for your privacy is far from over
    Feb 19, 2025 · It's official – the ePrivacy Regulation proposal has been withdrawn (yes, cue the collective groan from digital rights advocates in the EU).Missing: details | Show results with:details
  94. [94]
    EUR-Lex - 52017PC0010 - EN - EUR-Lex
    Summary of each segment:
  95. [95]
    Legislative train: the e-Privacy regulation - European Parliament
    According to the Commission work programme 2025, the Commission intends to withdraw the file within the next six months absent foreseeable agreement and the ...
  96. [96]
    Commission work programme 2025
    Feb 11, 2025 · On 11 February 2025, the European Commission adopted the 2025 Commission work programme and its annexes. ... Proposal for withdrawal. 4.
  97. [97]
    EU ditches plans to regulate tech patents, AI liability, online privacy
    Feb 12, 2025 · The European Commission on Wednesday scrapped draft rules regulating technology patents, AI and consumer privacy on messaging apps, ...
  98. [98]
    Long awaited ePrivacy Regulation is finally.... Dead - Lewis Silkin LLP
    Feb 19, 2025 · The ePrivacy Regulation's fate is sealed, as the European Commission withdrew it in its work programme for 2025, noting that there is no foreseeable agreement.
  99. [99]
    The Status of the ePrivacy Regulation - E-Privacy Company
    Oct 17, 2025 · Consequences of the Withdrawal. The withdrawal of the regulation leaves a significant legal gap in Europe's data protection landscape.<|control11|><|separator|>
  100. [100]
    Commission announces intention to withdraw ePrivacy Regulation ...
    Feb 12, 2025 · The European Commission announced its 2025 work programme, including plans to withdraw the ePrivacy Regulation and AI Liability Directive due to lack of ...
  101. [101]
    ePrivacy Regulation and AI Liability Directive - Arthur Cox
    On 11 February 2025, the European Commission (the “Commission”) published its 2025 work programme, announcing plans to withdraw a number of legislative ...
  102. [102]
    [PDF] The Economic Costs of the European Union's Cookie Notification ...
    1 This report finds that the total annual cost of this law is $2.3 billion dollars. This figure includes both compliance costs for European website operators ...Missing: 1.8 | Show results with:1.8
  103. [103]
    EU: Cookie legislation costs companies EUR 1.8 bln a year
    European Cookie legislation costs companies EUR 1.8 billion (USD 2.3 billion) per year, according to a report issued by the Information Technology and ...
  104. [104]
    How EU's ePrivacy law could impact publishers - Digiday
    Sep 26, 2017 · German publishers, who are particularly outspoken when it comes to the duopoly, argue that the proposal will advantage walled gardens further ...
  105. [105]
    Economic consequences of online tracking restrictions: Evidence ...
    In light of the €10.60 billion cookie-based display ad revenue in Europe, such restrictions would endanger €904 million (€576 million) annually, equivalent to € ...
  106. [106]
    Everything you need to know about Europe's data privacy regulations
    Oct 25, 2019 · “It [ePrivacy] would also further promote the development of so-called walled-gardens, strengthening the position of dominant players,” said ...
  107. [107]
    Innovation vs. Regulation: Why the US builds and Europe debates
    May 23, 2025 · In contrast, Europe has adopted a more guarded stance, especially around data privacy and consumer protection. Regulations like GDPR and the ...
  108. [108]
    The False Choice between Digital Regulation and Innovation
    Dec 11, 2024 · The gap in tech innovation between the US and EU can be explained by differences in their scaling opportunities, capital markets, bankruptcy laws, immigration ...
  109. [109]
    Online privacy and market structure: Theory and evidence
    Our empirical results indicate that the 2009 ePrivacy Directive had on average no significant effect on the revenues of European e-commerce firms. However, it ...
  110. [110]
    Before and after GDPR: tracking in mobile apps
    Jul 19, 2021 · Has the GDPR changed privacy in apps? We study how third-party tracking—a common privacy threat—has changed since the GDPR was introduced.Missing: 2000s spam
  111. [111]
    75% of most visited websites in U.S. and Europe are not compliant ...
    Despite stricter privacy enforcement in Europe, Privado found a surprising 74% of top websites in Europe do not honor opt-in consent as required by Europe's ...
  112. [112]
    'Cookie-less' identification for/against privacy? | Internet Policy Review
    Aug 6, 2025 · In contrast to 'regular' third-party cookie IDs, studies showed how users can no longer prevent tracking just by deleting their cookies (Fouad ...Missing: ineffective | Show results with:ineffective
  113. [113]
    The role of privacy fatigue in online privacy behavior - ScienceDirect
    Privacy fatigue is a multi-dimensional concept including exhaustion and cynicism. There is a significant effect of privacy fatigue on privacy coping behaviors.Missing: erosion | Show results with:erosion
  114. [114]
    A Value-centered Exploration of Data Privacy and Personalized ...
    Nov 25, 2022 · Eventually, this notice fatigue can cause us to become “apathetic users”—those who decide to consent every time to a service's data collection ...
  115. [115]
    Privacy Behaviour: A Model for Online Informed Consent
    Jul 14, 2022 · Cumulatively, this leads to consent desensitisation or fatigue in which people do not make active, informed choices, become disinterested ...
  116. [116]
    Cookie Banners and Privacy Policies: Measuring the Impact of the ...
    Aug 6, 2025 · Recent research has consistently shown that the vast majority of websites violate the GDPR [10,36, 45, 58,62] or the CCPA [85]. This reality ...<|separator|>
  117. [117]
    The impact of the General Data Protection Regulation (GDPR) on ...
    Mar 11, 2025 · This study explores the impact of the General Data Protection Regulation (GDPR) on online trackers—vital elements in the online advertising ...
  118. [118]
    The Costs of an Unnecessarily Stringent Federal Data Privacy Law
    Aug 5, 2019 · The cost of requiring data protection officers for all U.S. organizations that handle personal data would be roughly $6.4 billion annually. The ...
  119. [119]
    Developments from California: AG Estimates Costs of CCPA ...
    Dec 2, 2019 · The report goes on to estimate the total cost of initial compliance at $55 billion for all companies subject to the CCPA.<|separator|>
  120. [120]
    35+ Alarming Data Breach Statistics for 2025 - StrongDM
    Sep 15, 2025 · 11. Globally, businesses paid $4.44 million per data breach in 2025. · 12. The average cost of a data breach in the U.S. reached $10.22 million ...<|separator|>
  121. [121]
    120 Data Breach Statistics for 2025 - Bright Defense
    North America recorded 3,259 ransomware-related data breaches, Europe 1,136, Asia-Pacific 467, and the Middle East and Africa 184. (Group IB – Hi Tech Crime ...
  122. [122]
    The Economics of “Opt-Out” Versus “Opt-In” Privacy Rules | ITIF
    Oct 6, 2017 · The overwhelming evidence shows that in most cases opt out rules for data collection and sharing are better for innovation and productivity ...Missing: empirical | Show results with:empirical
  123. [123]
    (PDF) Opt In versus Opt Out: A Free-Entry Analysis of Privacy Policies
    Aug 7, 2025 · Opt out is the socially preferred privacy policy while opt in socially underperforms anonymity. Consumers never opt out and choose to opt in ...
  124. [124]
    The Privacy Mindset Of The EU Vs. The US - Forbes
    Jul 29, 2020 · In internet privacy rankings, 14 of the top 20 countries demonstrating the highest commitment to digital privacy are European (the U.S. placed ...Missing: indices ranking