ePrivacy Regulation

Proposal for a Regulation concerning the respect for privacy in electronic communications (COM (2017) 10)

Category

Status

EU

On 11 February 2024, the Commission announced plans to withdraw the proposed regulation.

EEA

Pending.

Norway

Pending.

Scope

The proposed Regulation applies to the processing of data in connection with the provision and use of electronic communication services. In addition to traditional telecom companies, the proposal will apply to Over-The-Top (OTT) service providers offering messaging, voice calls, and email services over the internet (e.g. WhatsApp, Skype, and Gmail).

Companies using electronic communication data (e-com data) for advertising and marketing purposes (including by employing cookies and similar tracking technologies) are also subject to the Regulation.

Relevance

In the Commission work programme 2025 of 11 February 2025, the Commission announced plans to withdraw the proposed ePrivacy Regulation. The European Parliament and the Council will have an opportunity to communicate their views on the proposed withdrawal before the Commission decides whether to proceed.

If eventually finalized and adopted, the ePrivacy Regulation will necessitate adjustments in the Norwegian Electronic Communications Act and Marketing Act. Companies will need to re-assess how they provide electronic communication services and direct marketing, and prepare for the operational, strategic, and financial implications of compliance. Regulatory fines are proposed to be set at the higher of EUR 10,000,000 or 2 % of the worldwide annual turnover for undertakings.

Key obligations

The proposal imposes strict confidentiality requirements for e-com data, including a general prohibition on listening, tapping, intercepting, or processing communications without user consent. The proposal further details specific lawful grounds for the processing of e-com data, related metadata and content (voice, video, sounds exchanged through an electronic communications service).

The proposal also sets out specific obligations with respect to the use and collection of information from terminal equipment (such as smartphones, laptops, and connected smart home devices), which includes the use of cookies and similar technology. As a general rule, informed, specific, and freely given consent is required unless such terminal equipment use is non-privacy intrusive, or necessary to provide a service or transmit communication. The proposal allows consent to be provided “by using the appropriate technical settings of a software application enabling access to the internet” (such as a web browser).

Software that enables electronic communications, including internet browsing, must include options to block third-party information storage or processing on the user’s device. When installing such software, users must be informed about privacy settings and must consent to a specific setting before proceeding.

Finally, the proposal imposes restrictions on unsolicited marketing communications, requiring explicit consent as a starting point.