GDPR & ePrivacy: Technical Implications for AdTech and MarTech Platforms
On April 27, 2016, the European Union adopted the General Data Protection Regulation (GDPR), triggering a two-year transition period before its enforcement date of May 25, 2018. Every company collecting data about European citizens and residents was required to update its policies, agreements, and technical operations to comply with the new rules.
Alongside the GDPR sits the ePrivacy regulation — a separate but related piece of EU legislation that, at the time of writing, was still being negotiated among the three EU legislative institutions in a trialogue process.
Because AdTech and MarTech platforms collect vast amounts of user data every day, both regulations carry substantial implications for how those platforms are built and operated. Much has been written about the legal requirements, but the technical side deserves equal attention: compliance isn't only a matter of updated terms and conditions — it requires changes to the underlying systems and data flows that power online advertising and marketing.
This guide outlines the main areas of the GDPR and ePrivacy that directly affect the AdTech and MarTech ecosystem and explains what those requirements mean from a technical perspective.
What is the GDPR?
The General Data Protection Regulation — formally Regulation (EU) 2016/679 — was developed through the three EU legislative institutions: the European Parliament, the European Commission, and the Council of the European Union.
It replaced the Data Protection Directive (Directive 95/46/EC) when it came into force on May 25, 2018. The core objectives of the GDPR are to return meaningful control over personal data to data subjects within the EU and to create a simpler, more consistent regulatory environment for international businesses operating across member states.
What is ePrivacy?
The ePrivacy directive is a piece of EU legislation focused on protecting the privacy of EU and EEA citizens and residents specifically in the context of electronic communications. Within the online advertising and marketing industries, it is commonly referred to as the "cookie law," since one of its most visible requirements concerns the use of cookies and similar online identifiers. That said, its scope extends well beyond cookies — it covers privacy in electronic communications broadly.
At the time of writing, ePrivacy existed as a directive but was in the process of being transformed into a regulation, which would simultaneously repeal the existing directive. The timeline for the ePrivacy regulation's entry into force remained uncertain: some industry observers expected enforcement to align with the GDPR's May 25, 2018 date, while others anticipated a late-2018 commencement. Because negotiations were still ongoing, the final version of the regulation retained the potential to further affect how AdTech and MarTech platforms interact with online identifiers — both under the GDPR itself and under the evolving ePrivacy framework.
How the GDPR and ePrivacy Differ
Both regulations draw their authority from the EU Charter of Fundamental Rights, the document codifying the rights and freedoms protected across the EU — but they stem from different articles.
- GDPR is grounded in Article 8, which concerns the protection of personal data.
- ePrivacy is grounded in Article 7, which concerns respect for private and family life, the home, and communications.
In practical terms, the GDPR is primarily a data-protection instrument, while ePrivacy focuses on a data subject's right to privacy in their communications and personal life.
A key legal relationship between the two is that ePrivacy functions as lex specialis of the GDPR: where the two regulations address the same situation, ePrivacy takes precedence. This means AdTech and MarTech vendors cannot treat the GDPR as the default rulebook in areas where ePrivacy applies — they need to evaluate both frameworks together and apply the more specific standard where it governs.
Understanding this hierarchy is a necessary starting point before diving into the technical compliance requirements that follow for AdTech and MarTech platforms operating under EU law.