ePrivacy Directive: What Website Owners Must Know
Understand the ePrivacy Directive, its cookie consent rules, how it works alongside the GDPR, and what your website needs to comply.
The ePrivacy Directive is the EU law that directly governs how websites use cookies, tracking technologies, and electronic communications. While the GDPR gets most of the attention, the ePrivacy Directive is the legislation that specifically requires your website to obtain consent before placing non-essential cookies on a visitor's device.
This guide explains what the ePrivacy Directive covers, how it interacts with the GDPR, what it means for your website's cookie practices, and the practical steps you need to take to comply. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Is the ePrivacy Directive?
The ePrivacy Directive (formally Directive 2002/58/EC, as amended by Directive 2009/136/EC) is a piece of EU legislation that regulates privacy in electronic communications. It was originally adopted in 2002 and significantly amended in 2009 to introduce the cookie consent requirement that most website owners now associate with EU privacy law.
The directive covers four main areas:
- Cookies and tracking technologies: Article 5(3) requires prior consent before storing or accessing information on a user's device, with a narrow exception for strictly necessary cookies
- Confidentiality of communications: Articles 5(1) and 5(2) prohibit interception or surveillance of electronic communications without consent
- Unsolicited marketing: Article 13 sets rules for direct marketing via email, SMS, and automated calling systems, requiring prior opt-in consent
- Traffic and location data: Articles 6 and 9 govern the processing of data generated by electronic communications networks
Unlike the GDPR, which is a regulation that applies directly in all EU member states, the ePrivacy Directive is a directive. This means each member state must transpose it into national law, which creates some variation in how the rules are implemented and enforced across the EU. Germany's Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), France's Loi Informatique et Libertes, and Spain's Ley de Servicios de la Sociedad de la Informacion (LSSI) are all national implementations of the same directive.
How the ePrivacy Directive Relates to the GDPR
The ePrivacy Directive and the GDPR are separate laws that work together. Understanding their relationship is essential because regulators apply both frameworks simultaneously when investigating cookie compliance.
The GDPR (Regulation 2016/679) is the general law governing all processing of personal data. It establishes principles like lawfulness, purpose limitation, and data minimization, and it defines what valid consent means through Article 4(11) and the conditions for consent in Article 7.
The ePrivacy Directive is the specific law for electronic communications. Under the legal principle of lex specialis (specific law takes precedence over general law), the ePrivacy Directive's cookie rules apply as the primary authority for cookies and tracking technologies. Recital 173 of the GDPR explicitly states that the ePrivacy Directive applies as a lex specialis to the GDPR.
In practical terms, here is how the two laws divide responsibilities:
- The ePrivacy Directive (Article 5(3)) creates the requirement to obtain consent before placing cookies
- The GDPR (Articles 4(11) and 7) defines the standard for what qualifies as valid consent
- The ePrivacy Directive determines which cookies are exempt from consent (strictly necessary cookies)
- The GDPR governs what you do with the personal data collected through cookies once consent is obtained
This means a cookie consent violation can trigger enforcement under both laws. When CNIL fined Google 150 million EUR for cookie consent failures in 2022, the authority cited both the ePrivacy Directive's transposition into French law and the GDPR's consent standards.
ePrivacy Directive Cookie Consent Requirements
Article 5(3) of the ePrivacy Directive is the provision that most directly affects website owners. It states that storing information on a user's terminal equipment, or gaining access to information already stored, is only allowed if the user has given consent after being provided with clear and comprehensive information about the purposes of the processing.
What cookies require consent
Under the ePrivacy Directive, consent is required for any cookie or similar technology that is not strictly necessary for the service explicitly requested by the user. This includes:
- Analytics cookies: Google Analytics, Matomo (with cookies enabled), Hotjar, Mixpanel, and any measurement tool
- Advertising and remarketing cookies: Google Ads, Meta Pixel, LinkedIn Insight Tag, programmatic advertising tags
- Social media plugins: Share buttons, embedded feeds, and login widgets that set cookies
- Personalization cookies: A/B testing, content recommendation engines, behavioral profiling
- Third-party cookies: Almost all cookies set by domains other than the one the user is visiting
What cookies are exempt
The strictly necessary exemption under Article 5(3) is narrow. Only cookies that are essential to provide a service the user explicitly requested qualify:
- Session authentication cookies
- Shopping cart cookies during an active session
- Load balancing cookies
- The cookie that stores the user's own consent preferences
- Security cookies such as CSRF tokens
- User-selected interface preferences like language choice
The European Data Protection Board (EDPB) has repeatedly emphasized that "strictly necessary" must be interpreted from the user's perspective, not the website operator's. A cookie is not strictly necessary just because the business considers it important.
Consent standards
Because the GDPR defines valid consent for ePrivacy Directive purposes, cookie consent must be:
- Prior: Obtained before non-essential cookies are placed, not retroactively
- Freely given: The user must have a genuine choice with no penalty for refusing
- Specific: Separate consent for each purpose (analytics, advertising, social media)
- Informed: Clear explanation of what each cookie category does and who receives data
- Unambiguous: A clear affirmative action, such as clicking an accept button
- Withdrawable: Users must be able to withdraw consent as easily as they gave it
Pre-ticked checkboxes do not constitute valid consent. The Court of Justice of the European Union confirmed this in the Planet49 ruling (Case C-673/17, October 2019), holding that Article 5(3) of the ePrivacy Directive requires active consent.
Enforcement of the ePrivacy Directive Across Member States
Because the ePrivacy Directive is transposed into national law, enforcement varies across the EU. Some member states have been aggressive in pursuing cookie violations, while others have focused their resources elsewhere.
Notable enforcement actions
The most significant fines related to ePrivacy Directive cookie violations include:
- Google (France, 2022): 150 million EUR for making it difficult to refuse cookies on google.fr and youtube.com
- Facebook/Meta (France, 2022): 60 million EUR for the same issue on facebook.com
- Amazon (France, 2020): 35 million EUR for placing advertising cookies without consent on amazon.fr
- Vueling Airlines (Spain, 2020): 30,000 EUR for cookie wall practices violating the LSSI
These fines demonstrate that enforcement extends to both tech giants and smaller companies. The amounts reflect the severity and scale of the violation.
National variations
Key differences in how member states implement the ePrivacy Directive include:
- France (CNIL): Among the most active enforcers. Issued detailed cookie guidelines in 2020 with a six-month grace period, then began enforcement in April 2021
- Germany (TTDSG): Adopted specific cookie legislation in December 2021, aligning with the Planet49 ruling
- Spain (AEPD): Enforces through the LSSI with fines ranging from 30,001 to 150,000 EUR for serious infractions
- Italy (Garante): Updated cookie guidelines in 2021 requiring granular consent options and a visible reject button
- Netherlands (AP): Fined a financial services firm for using tracking cookies without consent
Your website must comply with the national law of each member state where your visitors are located, which in practice means following the strictest interpretation across the EU.
The ePrivacy Directive and Cookie Consent Banners
A cookie consent management platform (CMP) is the standard mechanism for complying with Article 5(3) of the ePrivacy Directive. An effective consent banner must meet specific requirements that go beyond simply showing a notification.
Requirements for a compliant consent banner
Your cookie consent banner must:
- Block non-essential cookies until the visitor makes an active choice. Scripts for analytics, advertising, and social media cannot fire before consent is obtained.
- Offer granular choices for each cookie category. A single "accept all" button without equally prominent options to refuse or customize is not sufficient.
- Make refusal as easy as acceptance. If accepting all cookies takes one click, refusing all non-essential cookies must also take one click. Burying the reject option behind multiple menus violates the "freely given" requirement.
- Provide clear information about each cookie category, including purpose, duration, and whether third parties receive data.
- Record and store proof of consent including what was consented to, when, and the version of the cookie policy in effect. Article 7(1) of the GDPR places the burden of proof on the data controller.
- Allow easy withdrawal of consent at any time, accessible from every page of the website.
If your website operates across EU markets, a privacy policy generator can help you create the disclosure document that your consent banner should link to, covering how personal data collected through cookies is processed.
Common compliance failures
Regulators have identified recurring issues with cookie consent implementations:
- Loading Google Analytics or advertising scripts before the visitor interacts with the banner
- Presenting a "cookie wall" that blocks content access until cookies are accepted
- Using dark patterns such as a bright "Accept All" button next to a barely visible "Manage Preferences" link
- Treating continued browsing or scrolling as implicit consent (the CJEU ruled this invalid in Planet49)
- Failing to honor consent withdrawal by continuing to set cookies after preferences are changed
- Not re-obtaining consent after significant changes to cookie practices
ePrivacy Directive Beyond Cookies
While cookies dominate the discussion around the ePrivacy Directive, the law covers broader areas of electronic communications privacy that also affect website operators.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowEmail marketing (Article 13)
Article 13 of the ePrivacy Directive requires prior opt-in consent for direct marketing sent by electronic means, including email, SMS, and automated calling systems. There is one exception: the "soft opt-in," which allows marketing to existing customers about similar products or services, provided the customer was given the opportunity to opt out at the point of data collection and in every subsequent message.
This means:
- Cold marketing emails to individuals require prior consent
- You can email existing customers about related products without separate consent, but must include an unsubscribe option
- Every marketing email must identify the sender and provide a clear opt-out mechanism
Confidentiality of communications (Article 5)
Articles 5(1) and 5(2) protect the confidentiality of electronic communications. For website owners, this is relevant when implementing features like session recording tools (Hotjar, FullStory), chat widgets, or any technology that captures the content of communications. These tools may trigger obligations beyond just cookie consent if they record or intercept the content of user interactions.
Browser fingerprinting and similar technologies
Article 5(3) of the ePrivacy Directive applies not just to cookies but to any technology that stores or accesses information on a user's device. This includes browser fingerprinting, local storage, IndexedDB, and tracking pixels. If your website uses any of these technologies for non-essential purposes, consent is required under the same rules as cookies.
The Proposed ePrivacy Regulation
The European Commission proposed the ePrivacy Regulation in January 2017 to replace the ePrivacy Directive. The regulation would apply directly across all member states (eliminating national transposition differences) and update the rules for modern technologies. However, negotiations have stalled repeatedly, and as of early 2026, the regulation has not been adopted.
Key proposed changes
The draft ePrivacy Regulation would introduce several changes relevant to website owners:
- Direct applicability: No more national transposition, meaning uniform rules across all 27 member states
- Browser-level consent: Allowing users to set cookie preferences in their browser settings rather than responding to individual consent banners
- Expanded scope: Covering over-the-top (OTT) communication services like WhatsApp, Signal, and Messenger
- Aligned penalties: Fines matching the GDPR scale of up to 20 million EUR or 4% of global annual turnover
- Metadata protection: Stronger rules for processing communications metadata (who contacted whom, when, for how long)
What this means for you now
Until the ePrivacy Regulation is adopted, the ePrivacy Directive remains in force. Website owners should comply with the current directive as interpreted by the CJEU and national supervisory authorities. When the regulation eventually passes, there will be a transition period. Building compliant cookie practices now means less disruption later.
Tools like TermsBox's website compliance scanner can help identify which cookies and tracking technologies your site currently uses, making it easier to build an accurate consent mechanism and maintain an up-to-date cookie policy generator disclosure.
Practical Steps for ePrivacy Directive Compliance
Complying with the ePrivacy Directive requires a systematic approach. The following steps address the most common obligations for website owners.
Step 1: Audit your cookies and tracking technologies
Scan your website to identify every cookie and tracking technology in use. Document each one with its name, provider, purpose, duration, and whether it is first-party or third-party. Pay attention to cookies set by third-party scripts you may not have explicitly added, such as those embedded by tag managers, CMS plugins, or embedded content.
Step 2: Classify cookies by purpose
Group cookies into categories that align with the consent requirements:
- Strictly necessary (exempt from consent)
- Analytics and performance
- Advertising and remarketing
- Social media and sharing
- Personalization and preferences
Be conservative in your classification. If a cookie's necessity is debatable, treat it as requiring consent.
Step 3: Implement a compliant consent mechanism
Deploy a cookie consent banner that blocks non-essential cookies by default, offers granular category-level choices, presents refuse and accept options with equal prominence, and records consent for audit purposes.
Step 4: Create and maintain a cookie policy
Document all cookies in a clear, accessible policy that explains what each cookie does, why it is used, how long it persists, and who has access to the data. Link this policy from your consent banner and your main privacy policy generator page.
Step 5: Review third-party contracts
Ensure your contracts with third-party service providers address data processing obligations. Under both the ePrivacy Directive and the GDPR, you remain responsible for cookies set by third-party scripts on your website.
Step 6: Establish a review cycle
Cookie compliance is not a one-time task. New scripts, plugin updates, and content changes can introduce cookies you did not authorize. Regular scanning and review keeps your consent mechanism and cookie policy accurate.
Frequently Asked Questions
What is the ePrivacy Directive?
The ePrivacy Directive is EU legislation (Directive 2002/58/EC, as amended by Directive 2009/136/EC) that governs privacy in electronic communications. It sets rules for cookies and tracking technologies, unsolicited marketing, confidentiality of communications, and traffic data processing. It works alongside the GDPR and is often called the EU cookie law because Article 5(3) requires consent before placing non-essential cookies on a user's device.
How does the ePrivacy Directive differ from the GDPR?
The GDPR is a broad regulation covering all personal data processing, while the ePrivacy Directive specifically targets electronic communications. The GDPR defines what valid consent means, but the ePrivacy Directive is the law that actually requires consent for cookies and similar tracking technologies under Article 5(3). The GDPR applies directly across all EU member states, whereas the ePrivacy Directive must be transposed into each country's national law, which creates some variation in enforcement.
Does the ePrivacy Directive apply to websites outside the EU?
Yes. If your website targets users in EU member states or places cookies on the devices of visitors located in the EU, the ePrivacy Directive applies regardless of where your business is based. Each EU country's national transposition of the directive determines enforcement, but the territorial reach follows the location of the user, not the operator. This mirrors the GDPR's extraterritorial scope established in Article 3.
What are the penalties for violating the ePrivacy Directive?
Penalties vary by member state because each country transposes the directive into its own national law with its own enforcement provisions. In practice, supervisory authorities often enforce cookie violations under both the ePrivacy Directive and the GDPR simultaneously, which can result in GDPR-level fines of up to 20 million EUR or 4% of annual global turnover. France's CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for cookie consent failures under both frameworks.