TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. ePrivacy: What It Means for Your Website Compliance
Legal Compliance

ePrivacy: What It Means for Your Website Compliance

Learn what the ePrivacy Directive requires, how it differs from the GDPR, and what businesses must do to comply with ePrivacy rules.

TermsBox Team|April 3, 202613 min read

ePrivacy is the EU legal framework that governs how websites use cookies, tracking technologies, and electronic communications. Any business with a website accessible to European visitors needs to understand ePrivacy requirements, because enforcement authorities have issued some of the largest data protection fines in history for violations of these rules.

This guide explains what the ePrivacy Directive requires, how it relates to the GDPR, what the proposed ePrivacy Regulation would change, and the concrete steps your website needs to take. This content is for educational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What ePrivacy Means and Where It Comes From

The term "ePrivacy" refers to Directive 2002/58/EC of the European Parliament and Council, commonly known as the ePrivacy Directive. It was originally adopted in 2002 and amended significantly in 2009 by Directive 2009/136/EC, which introduced the cookie consent requirement that most website operators now deal with daily.

The ePrivacy Directive sits alongside the GDPR as part of the EU's data protection framework. While the GDPR covers the broad rules for processing personal data, the ePrivacy Directive focuses specifically on two areas:

  • Confidentiality of electronic communications: protecting the content and metadata of emails, phone calls, messaging, and internet traffic
  • Terminal equipment protection: regulating access to users' devices, which includes placing or reading cookies, tracking pixels, browser fingerprinting scripts, and local storage

Article 5(3) of the ePrivacy Directive is the provision most relevant to websites. It requires prior consent before any information is stored on, or retrieved from, a user's device, unless the storage is strictly necessary for a service the user explicitly requested.

Because the ePrivacy Directive is a directive rather than a regulation, each EU member state has implemented it through its own national legislation. Germany uses the TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz), France applies Article 82 of the Loi Informatique et Libertes, and the UK had the Privacy and Electronic Communications Regulations (PECR) before Brexit. This national variation means that specific requirements can differ slightly across countries.

ePrivacy vs GDPR: Key Differences

Many website operators confuse ePrivacy with the GDPR or assume the GDPR replaced it. They are separate laws with different scopes, and both apply simultaneously.

Scope of application

The GDPR applies whenever personal data is processed. The ePrivacy Directive applies whenever someone accesses or stores information on a user's device, regardless of whether that information qualifies as personal data. A cookie that stores a randomly generated session ID with no link to an individual still falls under ePrivacy rules, even if it might not trigger GDPR obligations on its own.

Legal instrument type

The GDPR is a regulation, meaning it applies directly and uniformly across all EU member states. The ePrivacy Directive is a directive, meaning each country must transpose it into national law. This creates differences in implementation, enforcement procedures, and penalty structures between countries.

Relationship between the two

When cookies or tracking technologies process personal data, both laws apply. The ePrivacy Directive governs whether you can place the cookie, and the GDPR governs how you handle the personal data that cookie collects. Article 95 of the GDPR establishes that the ePrivacy Directive takes precedence for matters it specifically covers (the "lex specialis" principle).

In practice, this means:

  • Cookie consent requirements come from the ePrivacy Directive (Article 5(3))
  • The definition of valid consent comes from the GDPR (Article 4(11) and Article 7)
  • Data processing obligations after consent is given come from the GDPR
  • Enforcement for cookie violations can invoke either law's penalties

Penalties

GDPR fines can reach 20 million EUR or 4% of annual global turnover. ePrivacy penalties vary by member state because each has its own implementation. However, enforcement authorities frequently rely on GDPR penalty provisions when an ePrivacy violation also involves personal data, which it usually does with analytics and advertising cookies.

What ePrivacy Requires for Cookies and Tracking

Article 5(3) of the ePrivacy Directive establishes the core rule: storing information on a user's device or accessing information already stored requires the user's prior consent.

Consent requirements

Consent under ePrivacy must meet the GDPR standard, which means it must be:

  1. Freely given: the user must have a genuine choice without facing penalties for refusing
  2. Specific: consent must be requested separately for each distinct purpose (analytics, marketing, personalization)
  3. Informed: the user must receive clear, plain-language information about what cookies do and who receives the data
  4. Unambiguous: consent requires a clear affirmative action, such as clicking an "Accept" button
  5. Prior: no non-essential cookies may load before the user provides consent

Pre-ticked checkboxes do not constitute valid consent. The Court of Justice of the European Union confirmed this in the Planet49 case (C-673/17, October 2019), ruling that active consent is required and that pre-selected options fail to meet the standard.

Strictly necessary exemption

The only exemption from the consent requirement applies to cookies that are "strictly necessary" for providing a service the user explicitly requested. This covers:

  • Session cookies that maintain login state
  • Shopping cart cookies during an active browsing session
  • Security cookies such as CSRF tokens
  • Load balancing cookies
  • The cookie that records the user's own consent preferences

Analytics cookies, advertising trackers, social media widgets, and personalization cookies are never strictly necessary, regardless of how important they are to your business operations.

Technologies beyond cookies

The ePrivacy Directive is technology-neutral. Article 5(3) applies to any method of storing or accessing information on a user's device. This includes:

  • HTTP cookies (first-party and third-party)
  • Local storage and session storage (Web Storage API)
  • IndexedDB
  • Tracking pixels and web beacons
  • Browser fingerprinting techniques
  • Device identifiers accessed through JavaScript APIs

If your website uses any of these technologies for non-essential purposes, the same consent rules apply.

The ePrivacy Regulation: What Is Coming

The European Commission proposed an ePrivacy Regulation in January 2017 to replace the ePrivacy Directive. As a regulation, it would apply directly across all EU member states without requiring national transposition, eliminating the current patchwork of national laws.

After years of negotiations between the European Parliament and the Council of the EU, the regulation has been delayed repeatedly. Key points of contention include the rules around metadata processing, the scope of the "legitimate interest" basis for certain communications data, and the role of browser settings in managing consent.

Proposed changes

The draft ePrivacy Regulation would introduce several changes compared to the current Directive:

  • Direct applicability: one set of rules across all member states instead of 27 national implementations
  • Broader scope: explicit coverage of over-the-top (OTT) communication services like WhatsApp, Signal, and Zoom
  • Browser-level consent: the possibility of managing cookie preferences through browser settings rather than individual website banners
  • Metadata rules: new provisions on when and how communications metadata (location data, connection timestamps) can be processed
  • Aligned penalties: fines matching GDPR levels (up to 20 million EUR or 4% of global turnover)

Until the ePrivacy Regulation is adopted, the 2002 Directive (as amended in 2009) remains the applicable law. Website operators should comply with current rules and monitor legislative developments.

How ePrivacy Affects Your Website

Every website that uses cookies or similar tracking technologies and is accessible to visitors in EU member states must comply with ePrivacy rules. The practical obligations fall into several categories.

Cookie consent mechanism

You need a consent management mechanism that blocks non-essential cookies until the visitor actively consents. This means your analytics scripts, advertising tags, and third-party widgets cannot load on the initial page visit. A cookie policy generator can help you create the documentation you need, but the technical implementation of blocking scripts before consent is equally important.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Your consent mechanism must:

  • Present clear information about each category of cookies before consent is given
  • Offer granular choices (accept analytics but reject advertising, for example)
  • Make refusing consent as easy as accepting it
  • Record proof of consent for each visitor
  • Allow visitors to withdraw consent at any time

Privacy policy and cookie policy

Your website needs clear documentation that explains what cookies and tracking technologies you use, their purposes, their retention periods, and which third parties receive data through them. A comprehensive privacy policy generator can help you build the required disclosures, but the information must accurately reflect your actual practices.

Confidentiality of communications

If your website or application handles electronic communications (messaging features, contact forms that process email, VoIP functionality), the ePrivacy Directive's confidentiality rules apply. Article 5(1) requires that communications are confidential and prohibits interception, surveillance, or storage of communications content without the user's consent, unless legally authorized.

Direct marketing

Article 13 of the ePrivacy Directive regulates electronic direct marketing, including email, SMS, and automated calling systems. The default rule requires prior opt-in consent for marketing communications. An exception exists for existing customer relationships, where you may send marketing about similar products or services if you collected the contact details during a sale, provided you offer an opt-out mechanism in each message.

ePrivacy Enforcement: Real Fines and Cases

Enforcement of ePrivacy rules has intensified significantly since the GDPR came into effect in 2018. Data protection authorities across Europe have used both ePrivacy and GDPR provisions to penalize cookie consent failures.

Notable enforcement actions

  • Google (France, 2022): CNIL fined Google 150 million EUR for making it difficult to refuse cookies on google.fr and youtube.com. The "Reject All" option required multiple clicks while "Accept All" required only one.
  • Meta/Facebook (France, 2022): CNIL fined Meta 60 million EUR for the same issue on facebook.com. Refusing cookies was significantly more burdensome than accepting them.
  • Amazon (France, 2020): CNIL fined Amazon 35 million EUR for placing advertising cookies without prior consent and providing insufficient information to users.
  • Vueling Airlines (Spain, 2020): The AEPD fined Vueling 30,000 EUR for using a cookie banner that only offered an "Accept" button with no option to refuse.
  • Planet49 (CJEU, 2019): The Court of Justice ruled that pre-ticked consent checkboxes are invalid, establishing binding precedent across all EU member states.

These cases demonstrate that enforcement authorities examine the actual user experience of consent mechanisms, not just whether a banner exists. A cookie banner that makes refusal difficult or confusing does not satisfy ePrivacy requirements.

Who enforces ePrivacy

Enforcement responsibility varies by country. In some member states, the data protection authority handles ePrivacy (France's CNIL, Spain's AEPD). In others, a separate telecommunications authority has jurisdiction. Germany divides responsibility between the Federal Commissioner for Data Protection and the Federal Network Agency depending on the specific provision involved.

Steps to Achieve ePrivacy Compliance

Achieving compliance with ePrivacy rules requires a combination of technical measures, documentation, and ongoing monitoring.

Audit your tracking technologies

Start by cataloging every cookie and tracking technology your website uses. For each one, document:

  • The name and domain of the cookie
  • Its purpose (analytics, advertising, functionality, security)
  • The retention period
  • Whether it processes personal data
  • Which third party sets or receives data from it

A website compliance scanner like TermsBox can automate this audit by detecting cookies and trackers that load on your pages, including third-party scripts you may not have been aware of.

Implement a consent management platform

Deploy a consent management platform (CMP) that blocks non-essential cookies until consent is obtained. Your CMP should categorize cookies by purpose and allow visitors to make granular choices. It must also record consent for compliance documentation and make withdrawal of consent straightforward.

Create required documentation

Prepare a cookie policy that lists all cookies, their purposes, durations, and the third parties involved. Your privacy policy must also address cookie usage and the data collected through tracking technologies. Keep both documents updated whenever you add or remove tracking tools.

Establish a review process

Cookie compliance is not a one-time task. New scripts, third-party updates, and marketing tool changes can introduce cookies your consent mechanism does not cover. Schedule regular scans of your website to catch new or changed cookies. Automated scanning on a weekly or monthly schedule is more reliable than manual checks.

Document everything

Keep records of your consent mechanism configuration, your cookie audit results, your legal basis assessments for each cookie, and any changes you make. Article 5(2) of the GDPR (the accountability principle) requires you to demonstrate compliance, not just achieve it.

Common ePrivacy Compliance Mistakes

Even organizations that take compliance seriously make avoidable errors. Watch for these common problems:

  • Loading scripts before consent: analytics and advertising tags fire on page load before the consent banner appears. This violates the prior consent requirement regardless of what happens afterward.
  • No reject option: consent banners that offer only "Accept" or "Learn More" without a clear "Reject" or "Refuse" button. The CNIL fines against Google and Meta targeted exactly this pattern.
  • Dark patterns: making the "Accept" button prominent and colorful while hiding the "Reject" option in small gray text or behind additional clicks.
  • Treating all cookies as necessary: classifying analytics or marketing cookies as "strictly necessary" to avoid the consent requirement. Enforcement authorities regularly reject this classification.
  • Ignoring non-cookie technologies: implementing cookie consent but ignoring local storage, fingerprinting, or tracking pixels that are subject to the same rules.
  • Outdated cookie lists: publishing a cookie policy that does not match the cookies actually present on the website. Adding a new marketing tool without updating your CMP configuration creates a compliance gap.

Frequently Asked Questions

What is the ePrivacy Directive?

The ePrivacy Directive (Directive 2002/58/EC, amended by Directive 2009/136/EC) is an EU law that governs the confidentiality of electronic communications and the use of tracking technologies such as cookies. It works alongside the GDPR to regulate how websites interact with visitors' devices and process communications data. All EU member states have transposed it into their own national laws.

How does ePrivacy differ from the GDPR?

The GDPR is a broad data protection law covering all personal data processing, while the ePrivacy Directive specifically targets electronic communications and tracking technologies. ePrivacy applies even when no personal data is involved, such as when a cookie stores non-personal preferences. The GDPR is a regulation (directly applicable), while the ePrivacy Directive requires each EU member state to implement it through national legislation, which creates some variation across countries.

Does ePrivacy apply to websites outside the EU?

Yes. If your website targets users in the EU or places cookies on the devices of EU-based visitors, the ePrivacy Directive applies to you regardless of where your business is located. This is similar to the GDPR's extraterritorial scope. Any website accessible to EU visitors that uses cookies, tracking pixels, or similar technologies must comply with the consent requirements under Article 5(3) of the Directive.

What are the penalties for violating ePrivacy rules?

Penalties vary by member state since each country implements the ePrivacy Directive through national law. In practice, enforcement authorities often rely on GDPR penalties (up to 20 million EUR or 4% of annual global turnover) when ePrivacy violations also involve personal data processing. France's CNIL has issued fines of 150 million EUR to Google and 60 million EUR to Meta specifically for cookie consent failures under ePrivacy rules.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What ePrivacy Means and Where It Comes From
  • ePrivacy vs GDPR: Key Differences
  • Scope of application
  • Legal instrument type
  • Relationship between the two
  • Penalties
  • What ePrivacy Requires for Cookies and Tracking
  • Consent requirements
  • Strictly necessary exemption
  • Technologies beyond cookies
  • The ePrivacy Regulation: What Is Coming
  • Proposed changes
  • How ePrivacy Affects Your Website
  • Cookie consent mechanism
  • Privacy policy and cookie policy
  • Confidentiality of communications
  • Direct marketing
  • ePrivacy Enforcement: Real Fines and Cases
  • Notable enforcement actions
  • Who enforces ePrivacy
  • Steps to Achieve ePrivacy Compliance
  • Audit your tracking technologies
  • Implement a consent management platform
  • Create required documentation
  • Establish a review process
  • Document everything
  • Common ePrivacy Compliance Mistakes
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.