How does the ePrivacy Regulation differ from GDPR?

GDPR governs personal data broadly. The ePrivacy Regulation specifically governs access to a user's device and the confidentiality of communications. It requires consent for almost all non-essential storage or reading on the device, and unlike GDPR it does not allow legitimate interest as a basis for that terminal access.

Are cookie walls allowed?

Generally no. A cookie wall that blocks access to a service unless the user consents to tracking is unlikely to count as freely given consent. There are narrow exceptions, but most consumer sites should avoid forcing consent as a condition of access.

Does fingerprinting need consent too?

Yes. Device fingerprinting and similar passive identifiers access information on the user's terminal equipment, so they fall under the same consent requirement as cookies. The same applies to email open-tracking pixels.

Is the ePrivacy Regulation in force yet?

Not as of writing — it is still in the EU legislative process and the current ePrivacy Directive continues to apply. The substantive direction is clear enough to prepare against, which is what this tool assesses.

Is the result legal advice?

No. This is a self-assessment aid that reflects the regulation's expected requirements. Treat the score and remediation as guidance and confirm your position with a qualified privacy adviser.

ePrivacy Regulation Readiness Checker

The proposed EU ePrivacy Regulation will tighten the rules around cookies, storage, and tracking well beyond the current cookie banner status quo. This checker scores your existing setup against its expected requirements so you can close the highest-risk gaps before it lands.

How it works

Each question maps to a substantive ePrivacy rule and carries a weight. Risky answers add to a risk total; the readiness score is the inverse:

risk total  = sum of weights of risky answers
readiness % = (max weight − risk total) / max weight × 100

The heaviest weights sit on the rules with no wiggle room: setting non-essential storage before consent, fingerprinting, and relying on legitimate interest for terminal access — none of which the regulation permits. Lighter weights cover UX expectations such as equally prominent reject buttons and honouring signalled consent.

Notes and example

A site that drops analytics cookies before the banner is dismissed, relies on legitimate interest, and uses a single accept-all button will score poorly and surface three high-weight gaps. Fixing them in order — block non-essential storage until affirmative consent, switch off legitimate interest for terminal access, and add granular per-purpose choices with an equally easy reject option — moves the score up fastest. Because the regulation is still being finalised, treat this as preparation rather than a definitive compliance verdict, and revisit it as the final text is agreed.