What is the ePrivacy Directive? Guide to the European Cookie Law
Cookies, tracking, and user consent – what does the ePrivacy Directive actually require? If your website collects visitor data, you need to know the rules. Our ePrivacy Directive guide explains it all – without the legal jargon.
The ePrivacy Directive (aka the EU Cookie Law) impacts every marketer working with European audiences. Whether you’re running campaigns, analyzing website traffic, or building your email list, this legislation affects how you collect and use data. Let’s break down what you actually need to know to stay compliant without sacrificing your marketing goals.
What is the ePrivacy Directive (the European Cookie Law)?
The ePrivacy Directive is officially known as the Privacy and Electronic Communications Directive (PECD). It was first introduced in 2002 and later amended in 2009 to adapt to the rapid evolution of digital communication. Its primary objective is to regulate privacy in electronic communications, and applies to any entity operating in the European Union (EU) that processes communication data, regardless of where the business is based.
While closely related to the General Data Protection Regulation (GDPR), it’s a separate piece of legislation with distinct user privacy and consent requirements.
Is your website GDPR- and ePrivacy-compliant?
Scan your website for free to find out which cookies and tracking technologies it uses.
Learn more about the evolution of the ePrivacy Directive:
From wired telecommunication to cookies and trackers
The EU has long been a leader in consumer data protection, even before the digital era. The foundation of the ePrivacy Directive can be traced back to earlier privacy protections in telecommunications. Before the widespread use of the internet, the Privacy and Electronic Communications Directive (PECD) ensured that traditional wired telecommunication services providers maintained strict privacy standards by, for example, prohibiting “listening, tapping, storage […] without the consent of the users concerned” (Article 5.1 PECD).
In 2002, the PECD was updated to include digital communications, evolving into what’s now known as the ePrivacy Directive (Directive 2002/58/EC). This revision expanded the legal framework to regulate emerging online privacy concerns, aligning it with data protection principles such as data minimization, traffic data confidentiality, and restrictions on spam communications. Crucially, it introduced early rules around cookies, marking the beginning of the EU’s regulation of online tracking technologies.
When did the PECD become the EU Cookie Law?
Remember the “cookie popups” you see everywhere? That’s because in 2009, the EU updated the ePrivacy Directive to require websites to ask for user consent before placing tracking cookies. If you’re running ads, tracking visitors, or using analytics, this law affects how you collect data. This change reinforced the principles of transparency and user control, establishing the framework that later became widely known as the EU Cookie Law.
Who does the ePrivacy Directive apply to?
Running a business website? Using analytics? The ePrivacy Directive likely applies to you. It doesn’t matter if you’re a solo blogger, an enterprise company, or an ecommerce store – if you’re tracking users in the EU, you need to pay attention.
The ePrivacy Directive (2009) governs specific areas of electronic communications privacy, setting rules that impact businesses, website owners, and marketers. Here’s what you need to know:
Use of cookies and tracking technologies You must obtain user consent before firing cookies on your website, except for those strictly necessary for its functionality. This has major implications for analytics, targeted advertising, and remarketing.
Confidentiality of communications Electronic communications must remain private, preventing unauthorized interception, monitoring, or surveillance.
Unsolicited marketing (spam rules) You must obtain consent before sending direct marketing communications via email, SMS, or automated calls. Opt-out mechanisms must be provided.
Processing of communication data Metadata, such as call logs and message records, must be protected and processed lawfully, ensuring user privacy.
User rights and transparency You must inform users about tracking technologies and provide options to manage or refuse cookies as well as marketing communications.
What the ePrivacy Directive doesn't cover
While the ePrivacy Directive regulates many aspects of digital privacy, it doesn’t cover:
Offline marketing Rules on direct mail marketing and in-person promotions fall outside the scope of the directive.
Data protection in general Unlike the GDPR, which applies to all processing of personal data, the directive is limited to electronic communications privacy.
Cross-border enforcement consistency Since it’s a directive, each EU member state implements it differently, leading to varying levels of enforcement.
Social media and behavioral profiling The directive doesn’t explicitly regulate user profiling based on behavior beyond electronic communications.
Broad cybersecurity obligations It doesn’t establish general cybersecurity standards, which are instead addressed in frameworks like the NIS Directive (Directive on security of network and information systems).
How does the ePrivacy Directive regulate cookies?
The ePrivacy Directive regulates the use of cookies by requiring that websites obtain prior informed user consent before placing any non-essential cookies – first- or third-party services – on their devices.
Think about it this way: just as you’d ask permission before taking someone’s contact information at a networking event, you need to ask before tracking their behavior on your website.
Unlike an opt-out model, where users must manually decline unwanted tracking or marketing, the opt-in requirement ensures that consent is freely given, specific, and informed before any processing occurs. The goal is to ensure that users have control over how their online activities are tracked. Key aspects include:
Prior informed consent Websites must inform users about the cookies being used and obtain their consent before storing them, except for cookies essential to website functionality.
Opt-in requirement for non-essential cookies Websites cannot drop tracking cookies unless the user has actively agreed. This means that users must actively agree before you can use cookies for tracking and analytics, send direct marketing messages – email, SMS or automated marketing calls – or process location data.
Essential cookies exemption Cookies strictly necessary for the functioning of the website – e.g., authentication, security – don’t require consent.
Transparency requirements Be upfront with users. If you're dropping a cookie to track what users click, personalize ads, or measure how long someone stays on a landing page, you need to clearly explain it. Transparency isn't just a legal requirement – it builds trust.
Easy withdrawal of consent Users must be given a straightforward option to revoke their consent at any time.
Stop stressing over cookie compliance. We’re here to help.
Scan your website, block non-compliant cookies, and get fully compliant in minutes with Cookie Information’s cookie banner tool.
Cookie consent compliance under the ePrivacy Directive: best practices for cookie banners
Clear and accessible information Users must understand why cookies are being used and have easy access to details.
Explicit opt-in mechanism No cookies should be placed before consent is obtained, except for essential ones.
User-friendly settings Users should be able to manage their consent preferences without difficulty.
Proper classification of cookies Websites should separate cookies by function (e.g., marketing, analytics, functional) to provide clear consent choices.
What are the directive's requirements for data minimization and anonymization?
The ePrivacy Directive enforces the principle of data minimization, meaning that you should only collect and process the minimum amount of data necessary.
For marketers, this means:
Instead of storing complete browsing histories, consider using aggregated data for campaign performance.
Anonymize user data when possible while still getting the insights you need.
Set reasonable retention periods for marketing analytics data.
These requirements aim to reduce privacy risks while ensuring you can still analyze aggregated, non-personal data for marketing purposes.
ePrivacy Directive vs. GDPR: key differences
Although the ePrivacy Directive and GDPR both focus on data protection, they differ significantly in scope and implementation.
Let’s clear up the confusion: the ePrivacy Directive ensures the privacy of communications, while GDPR safeguards personal data. For instance, even if a website collects anonymous browsing data, it must still comply with ePrivacy rules regulating cookies and consent.
When dealing with tracking, cookies, and digital marketing campaigns, you need to ensure you comply with both privacy laws.
ePrivacy Directive
GDPR
Scope
Electronic/digital communications
Personal data processing
Coverage
Cookies, online tracking, digital marketing
All personal data
Legal form
Directive (requires national implementation by EU member states)
Regulation (directly applicable in EU member states)
Enforcement
Varies across EU member states
Uniformly enforced across the EU
Who it applies to
Websites, marketers, telecom companies
Any entity processing personal data
ePrivacy Directive
GDPR
Scope
Electronic/digital communications
Personal data processing
Coverage
Cookies, online tracking, digital marketing
All personal data
Legal form
Directive (requires national implementation by EU member states)
Regulation (directly applicable in EU member states)
Enforcement
Varies across EU member states
Uniformly enforced across the EU
Who it applies to
Websites, marketers, telecom companies
Any entity processing personal data
ePrivacy vs. GDPR summary: which law defines which requirement
Cookie consent requirements Defined in the ePrivacy Directive, but the standard for valid consent (e.g., affirmative action, easy withdrawal) is set by GDPR.
Data protection rules Fully covered by GDPR, whereas the ePrivacy Directive focuses only on communications.
Marketing consent rules Opt-in requirements for email and SMS marketing are from the ePrivacy Directive, while rules for processing personal data in marketing are governed by GDPR.
Penalties GDPR has clear fine structures, while ePrivacy Directive fines vary by country.
Scope of personal data processing The GDPR applies to all personal data, whereas the ePrivacy Directive applies specifically to electronic communications services and cookies.
The ePrivacy Regulation: what happened?
The ePrivacy Regulation was a proposed law intended to create a more consistent, EU-wide legal framework for online privacy, and replace the ePrivacy Directive. It aimed to harmonize cookie rules, enhance privacy protections, and align more closely with the GDPR. If passed, it would have significantly impacted digital businesses, advertisers, and online service providers.
Despite years of negotiations, the ePrivacy Regulation faced multiple hurdles that prevented its adoption, and has been officially withdrawn by the European Commission in February 2025.
So what does this mean for you as a marketer? You’ll need to continue following the current ePrivacy Directive and its national implementations, as they remain the law of the land.
ePrivacy Directive vs. ePrivacy Regulation: key differences
ePrivacy Directive
ePrivacy Regulation (proposed)
Legal form
Directive (national laws)
Regulation (directly applicable)
Cookie consent
Required in many cases
More user-friendly settings
Scope
Primarily website cookies
Extended to IoT, messaging apps
Marketing regulations
Requires opt-in for marketing
Stricter consent rules
Privacy by default
Not explicitly required
Required for new technologies
ePrivacy Directive
ePrivacy Regulation (proposed)
Legal form
Directive (national laws)
Regulation (directly applicable)
Cookie consent
Required in many cases
More user-friendly settings
Scope
Primarily website cookies
Extended to IoT, messaging apps
Marketing regulations
Requires opt-in for marketing
Stricter consent rules
Privacy by default
Not explicitly required
Required for new technologies
Your ePrivacy compliance checklist: Key steps to follow
Ensuring compliance with the ePrivacy Directive is essential if you’re operating or targeting users in the EU, particularly if you rely on cookies, tracking technologies, and digital marketing.
Even with the ePrivacy Regulation’s withdrawal, privacy regulations continue evolving, and national regulators and data protection authorities have been stepping up enforcement under existing data privacy laws. Some of the most recent developments include the update of the E-Com Law in Norway, enforcement actions by the French data protection authority (CNIL), and a new digital strategy outlined by the UK’s Information Commissioner’s Office (ICO).
These initiatives make it more important than ever to follow ePrivacy compliance best practices and national variations in implementation.
How to ensure ePrivacy compliance: step-by-step guide for website owners
Implement a compliant cookie banner Ensure explicit user consent before placing non-essential cookies.
Offer an easy opt-out option Users must be able to withdraw consent as easily as they gave it.
Classify cookies correctly Clearly categorize cookies by function (e.g., marketing, analytics, functional).
Maintain a consent log Store records of when and how user consent was obtained.
Ensure compliance with national variations Adapt cookie policies to country-specific requirements.
Review and update cookie policies regularly Stay aligned with regulatory updates and enforcement trends.
Use a Consent Management Platform (CMP) Automate compliance with an effective consent management tool.
Does your website use cookies or online trackers? Let's help you collect valid consent
Cookie Information’s Consent Solution provides a professional website cookie banner tool designed to help marketers like you collect explicit consent from users in compliance with the ePrivacy Directive and all other major international and national privacy regulations, including GDPR, CCPA, LGPD, and PDPA.
Your website will not only get a top-notch cookie banner, but you’ll also gain access to a complete solution to secure compliance.
What’s included in Cookie Information Consent Management Platform (CMP)?
Frequent website scans
to detect cookies and tracking technologies.
Automatic blocking of cookies
that transfer personal data before consent is given.
Privacy controls
for users to opt out of cookies easily.
Customizable
cookie consent popup to match your website design.
Comprehensive cookie policy
generation to keep your website visitors informed.
Privacy compliance doesn’t have to kill your marketing efforts. With the right approach, you can respect user privacy while still gathering valuable insights. The key is transparency, user control, and smart data practices that build trust with your audience while keeping you on the right side of regulations.
What is the EU cookie law (or ePrivacy Directive)?
The ePrivacy Directive, also known as the EU Cookie Law, is an EU regulation that governs the confidentiality of electronic communications. It mandates that websites obtain prior consent before placing non-essential cookies on users’ devices and regulates direct marketing and data privacy in electronic communications.
What is the Cookie Law in Europe?
The Cookie Law in Europe refers to the rules set out in the ePrivacy Directive, which requires websites to obtain explicit user consent before using cookies, except for those strictly necessary for website functionality.
Is the ePrivacy Directive still in force?
Yes, the ePrivacy Directive remains in force. While there were attempts to replace it with the ePrivacy Regulation, that proposal was withdrawn in February 2025. The directive continues to be implemented at the national level by EU member states.
Does the ePrivacy Directive apply to my marketing team?
The directive applies to any business or organization operating a website that targets EU users, regardless of whether the company is based in the EU. It affects website owners, digital marketers, SaaS providers, and telecom operators processing electronic communication data.
Is the ePrivacy Directive binding?
As a directive, it requires national implementation by EU member states. Each country enforces the directive with its own specific rules, which can vary. Unlike a regulation – such as the General Data Protection Regulation (GDPR) –, it’s not directly applicable across all EU states without national legislation.
So, what exactly does this law cover? If you’re handling online tracking, marketing emails, or customer communication data, the ePrivacy Directive applies. Here’s a quick breakdown:
Cookie consent and online tracking – Requires explicit consent for non-essential cookies.
Confidentiality of communications – Protects against unauthorized interception.
Direct marketing regulations – Requires opt-in for marketing emails, SMS, and automated calls.
Metadata protection – Ensures call logs, location data, and other electronic communication metadata are handled securely.
What is the territorial scope of the ePrivacy Directive?
The directive applies to any entity processing electronic communications data from EU users, regardless of where the company is based. Even non-EU businesses must comply if they target EU consumers.
What are the cookie consent requirements for ePrivacy Directive compliance?
To comply with the ePrivacy Directive, websites must:
Obtain prior informed consent before placing non-essential cookies.
Ensure that consent is freely given, specific, and unambiguous.
Allow users to easily withdraw consent at any time.
Provide clear and transparent cookie notices.
What is the difference between GDPR and ePrivacy Directive?
GDPR applies to all personal data processing, while ePrivacy focuses on electronic communications and tracking technologies.
GDPR enforcement is uniform, whereas ePrivacy implementation varies by country.
ePrivacy mandates cookie consent, whereas GDPR provides the framework for valid consent collection.
What are the fines under the ePrivacy Directive?
Fines vary by country, as each EU member state enforces the directive independently. However, recent enforcement actions include:
Amazon fined €35 million (France, 2020) for dropping cookies without consent.
Telecom Italia fined €9.5 million (Italy, 2023) for non-compliance with both the GDPR (processing of personal data) and ePrivacy (unsolicited communications).
What is the ePrivacy Regulation 2024?
There is no new ePrivacy Regulation, as the original regulation proposal was withdrawn in February 2025. The ePrivacy Directive remains in force, and national regulators continue enforcing existing rules.
What is the ePrivacy Directive Guide?
The ePrivacy Directive guide explains the key rules and requirements of the EU Cookie Law, helping businesses understand how to comply with regulations on cookies, online tracking, and digital marketing.
Why was the ePrivacy Regulation withdrawn by the European Commission?
Despite years of negotiations, the ePrivacy Regulation faced multiple hurdles that prevented its adoption and was officially withdrawn in February 2025. The primary reasons include:
Political disagreements – EU legislators could not reach a consensus on balancing business interests with privacy protections.
Pushback from industry stakeholders – Digital businesses and advertisers opposed stricter consent rules, arguing they would hurt online advertising revenues and user experience.
Overlapping data privacy laws – With GDPR already imposing strict data protection requirements, regulators debated whether additional ePrivacy rules were necessary.
Official withdrawal – In February 2025, the European Commission formally withdrew the proposal. The GDPR and national implementations of the ePrivacy Directive remain the primary enforcement tools.
