ePrivacy Directive
Directive on Privacy and Electronic Communications
Overview
The ePrivacy Directive (ePD), often called the "cookie law," complements the GDPR by providing specific rules for privacy in electronic communications. It covers confidentiality of communications, use of tracking technologies, and direct marketing.[1]
As a directive, implementation varies across Member States. The proposed ePrivacy Regulation was officially withdrawn in February 2025, meaning the Directive remains the applicable law.
Relationship with GDPR
- ePD is lex specialis: Takes precedence over GDPR for electronic communications
- GDPR principles apply: Consent under ePD must meet GDPR standards
- Combined enforcement: Both sets of rules enforced by data protection authorities
Key Requirements
Cookie Consent (Article 5(3))[2]
Consent is required before placing or accessing information on a user's device:
| Cookie Type | Consent Required? |
|---|---|
| Strictly necessary | No (exempt) |
| Preference/functionality | Yes |
| Analytics/statistics | Yes (some jurisdictions allow exemptions) |
| Advertising | Yes |
| Third-party tracking | Yes |
Consent Requirements
Valid consent must be:
- Prior: Obtained before cookies are set
- Freely given: Real choice without detriment for refusing
- Specific: Clear about purposes and types of cookies
- Informed: Users understand what data is collected
- Unambiguous: Clear affirmative action required
- Withdrawable: Users can change preferences easily
Cookie Banner Best Practices
| Do | Don't |
|---|---|
| Provide granular choices | Pre-tick consent boxes |
| Make "Reject All" equally prominent | Hide rejection behind multiple clicks |
| Store consent proof | Set cookies before consent |
| Enable easy withdrawal | Make withdrawal harder than consent |
| Clear, plain language | Technical jargon |
Confidentiality of Communications (Article 5)
- Prohibition of interception and surveillance
- Technical storage necessary for transmission is permitted
- Content and metadata protected equally
Direct Marketing (Article 13)
| Type | Requirement |
|---|---|
| Email/SMS marketing | Prior opt-in consent required |
| Existing customers | Soft opt-in for similar products (with easy opt-out) |
| B2B marketing | Member State rules vary |
Unsolicited Communications
- Sender identity must not be disguised
- Valid opt-out mechanism required
- National "do not call" registers must be respected
Proposed Digital Omnibus Changes (2025)
The European Commission has proposed streamlining cookie rules through the "Digital Omnibus" package:[3]
- Move certain ePD provisions into GDPR
- Expand exemptions for analytics and security cookies
- Enable centralized consent signals to reduce "consent fatigue"
Note: These proposals are not yet adopted. Current ePD requirements remain in force.
Enforcement Examples
| Authority | Entity | Fine | Reason |
|---|---|---|---|
| CNIL (France) | | €150M | Cookie consent violations |
| CNIL (France) | | €60M | Difficult cookie rejection |
| ICO (UK) | Multiple | Warnings | Hidden reject buttons |
| AEPD (Spain) | Various | €10K-100K | Improper consent collection |
Developer Implementation Checklist
Cookie Consent Banner
- Obtain consent before setting non-essential cookies
- Provide granular category controls
- Make "Reject All" equally accessible
- Store and timestamp consent records
- Allow easy consent withdrawal
- Block third-party scripts until consent
Technical Requirements
- Audit all cookies and tracking technologies
- Categorize by purpose and necessity
- Document cookie purposes and retention
- Ensure scripts respect consent signals
- Implement consent sync for subdomains
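The following is an added example, not code from this page or from any consent-management product: a small JavaScript consent gate that ties the checklist items together (no non-essential category active before consent, timestamped and versioned consent records, one-call withdrawal, third-party scripts held back until consent). It assumes a storage object with `getItem`/`setItem` (an in-memory one is constructed inline; in a browser you would pass `window.localStorage`), an assumed set of cookie categories and policy version, and deferred scripts described as `{src, category}` objects.

```javascript
// Added example, not from the page: a minimal consent gate for the checklist above.
// Category names and the policy version are assumptions made for this example.
const CATEGORIES = ["necessary", "preferences", "analytics", "advertising"];
const POLICY_VERSION = "2025-01"; // bump when cookie purposes change; older records then expire

// Storage is injected so the logic runs outside a browser; in a page, pass window.localStorage.
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

class ConsentManager {
  constructor(storage, key = "consent") { this.storage = storage; this.key = key; }

  // The stored record, or null when there is none or it predates the current policy.
  record() {
    const raw = this.storage.getItem(this.key);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch { return null; }
  }

  // Persist an explicit choice with a timestamp. "necessary" is always granted; unknown keys are ignored.
  save(choices) {
    const granted = {};
    for (const c of CATEGORIES) granted[c] = c === "necessary" || choices[c] === true;
    const rec = { version: POLICY_VERSION, timestamp: new Date().toISOString(), granted };
    this.storage.setItem(this.key, JSON.stringify(rec));
    return rec;
  }

  // Withdrawal is a single call, no harder than consenting: everything but "necessary" is reset.
  withdraw() { return this.save({}); }

  // Default deny: without a valid record, every non-essential category stays blocked.
  allows(category) {
    if (category === "necessary") return true;
    const rec = this.record();
    return rec !== null && rec.granted[category] === true;
  }
}

// Deferred scripts are {src, category} descriptors; in the DOM they would be
// <script type="text/plain" data-category="..."> tags that are only switched to
// executable JavaScript when allowed. Returns the src values that may be activated now.
function scriptsToActivate(manager, deferred) {
  return deferred.filter(s => manager.allows(s.category)).map(s => s.src);
}
```

Because the record carries the policy version, changing cookie purposes invalidates old consent automatically, so the banner is shown again rather than silently reusing a choice made under different terms.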