ePrivacy Directive & Proposed Regulation
EU rules on privacy in electronic communications, including cookie consent and tracking restrictions.
Often referred to as the cookie law, the ePrivacy Directive (2002/58/EC, as amended in 2009) governs the privacy of electronic communications within the EU, complementing the GDPR with sector-specific rules. While GDPR provides the general framework for personal data protection, the ePrivacy Directive addresses the confidentiality of communications, the use of tracking technologies, and direct marketing via electronic channels. The proposed ePrivacy Regulation, intended to replace the directive and align it with GDPR, has been under negotiation since 2017 and remains pending, creating a prolonged period of regulatory uncertainty.
The current directive applies to providers of electronic communications services, website and app operators, and any entity using cookies, tracking pixels, device fingerprinting, or similar technologies to access information stored on users' terminal equipment. It also covers unsolicited commercial communications (spam) via email, SMS, and other electronic messaging. In practice, virtually every business with an online presence must comply with ePrivacy rules regarding consent for non-essential cookies and tracking, and for sending marketing communications.
Under the directive, storing or accessing information on a user's device requires the user's prior informed consent, with limited exceptions for strictly necessary cookies. This consent must meet the GDPR standard: it must be freely given, specific, informed, and unambiguous. The directive also requires confidentiality of communications content and traffic data, restricts the processing of location data, and mandates opt-in consent for direct marketing emails and messages.
Enforcement is handled by national authorities, and implementation varies across Member States because a directive must be transposed into each Member State's national law. This fragmentation has been one of the driving forces behind the proposed ePrivacy Regulation, which would create directly applicable, harmonised rules across the EU. The proposed regulation would update the rules for modern communications services, including over-the-top messaging platforms, and potentially simplify cookie consent mechanisms through browser-level settings.
The ePrivacy framework's interaction with GDPR is fundamental. Where both instruments apply, the ePrivacy rules act as lex specialis, meaning they take precedence for matters within their scope. The two frameworks share the same definition of consent and the same data subject rights. For businesses, this means that cookie and tracking compliance requires attention to both ePrivacy and GDPR requirements, and any changes to the ePrivacy framework, whether through the pending regulation or through evolving national interpretations, must be closely monitored to maintain compliant digital operations.
Audit all cookies and tracking technologies on your platforms and implement a consent management system that meets ePrivacy and GDPR requirements.