ePrivacy Regulation Readiness Checker

Assess your cookie and tracking setup against the forthcoming EU ePrivacy Regulation

Answer questions about cookies, localStorage, fingerprinting, email pixels, and your consent mechanism to gap-assess your setup against the proposed EU ePrivacy Regulation. Get a readiness score, a prioritised list of gaps, and concrete remediation steps. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

How does the ePrivacy Regulation differ from GDPR?

GDPR governs personal data broadly. The ePrivacy Regulation specifically governs access to a user's device and the confidentiality of communications. It requires consent for almost all non-essential storage or reading on the device, and unlike GDPR it does not allow legitimate interest as a basis for that terminal access.

The proposed EU ePrivacy Regulation will tighten the rules around cookies, storage, and tracking well beyond the current cookie banner status quo. This checker scores your existing setup against its expected requirements so you can close the highest-risk gaps before it lands.

ePrivacy Regulation versus the current ePrivacy Directive

The current legal framework is the ePrivacy Directive of 2002, amended in 2009, which each EU member state implemented differently — producing the patchwork of cookie rules across Europe that has generated widespread non-compliance and regulatory uncertainty. The forthcoming Regulation replaces it with directly applicable EU law: same rules, same wording, every member state, no national implementation gaps.

The key substantive changes expected in the Regulation versus the current Directive:

  • No legitimate interest for terminal access. The Directive allows some ambiguity; the Regulation is expected to require genuine, informed consent as the only basis for reading or writing non-essential information on a user’s device.
  • Browser-level consent signals. The Regulation is expected to give legal weight to technical consent signals set in the browser itself, reducing the need for per-site banners when users have a global preference set.
  • Cookie walls expressly prohibited in most cases. Conditioning access to a service on tracking consent is not freely-given consent.
  • Extended scope to messaging metadata. Communications metadata (who called whom, when) is brought into scope, not just content.

How the checker scores your setup

Each question maps to a substantive ePrivacy rule and carries a weight. Risky answers add to a risk total; the readiness score is the inverse:

risk total  = sum of weights of risky answers
readiness % = (max weight − risk total) / max weight × 100

The heaviest weights sit on the rules with no wiggle room: setting non-essential storage before consent, fingerprinting, and relying on legitimate interest for terminal access. Lighter weights cover UX expectations such as equally prominent reject buttons and honouring signalled consent.

The gaps that move the score fastest

Pre-consent storage is the highest-weight issue because it is also the most common violation. If an analytics pixel fires before the user dismisses a banner, or if session storage is written before any consent is collected, you are already in scope. Fix: defer all non-essential scripts and storage writes to a post-consent event.

Fingerprinting is treated the same as cookies under the Regulation — accessing device characteristics to build an identifier requires consent. If you use any fingerprinting library, even as a backup identifier for users who clear cookies, it needs to be gated behind consent.

Legitimate interest as a basis for terminal access is not expected to survive into the final Regulation text. Begin planning how to convert any legitimate-interest processing of this kind to a consent-based model.

Notes and example

A site that drops analytics cookies before the banner is dismissed, relies on legitimate interest, and uses a single accept-all button will score poorly and surface three high-weight gaps. Fixing them in order — block non-essential storage until affirmative consent, switch off legitimate interest for terminal access, and add granular per-purpose choices with an equally easy reject option — moves the score up fastest. Because the regulation is still being finalised, treat this as preparation rather than a definitive compliance verdict, and revisit it as the final text is agreed.