The ePrivacy Directive (ePD) is a European data privacy and protection directive that regulates cookie use, data minimization and email marketing. The ePrivacy Directive is informally referred to as the “cookie law” – and that’s where you need to be compliant.
The ePrivacy Directive is a non-binding set of guidelines that address data privacy and protection in the European Union. Much like GDPR, which also governs data privacy protection for European citizens, the directive requires user consent before cookies can be used.
The GDPR extends this by defining cookies as a way to obtain personal data (which – again – requires explicit, unambiguous and informed consent). As a directive, it is not legally binding but is a guideline issued at the EU level to encourage member states to make their own national laws to address concerns surrounding data privacy and electronic communications.
First of all, the ePrivacy Directive itself is not legally binding at the EU level. It is a set of rules and recommendations that individual EU member states should adopt and adapt to their own national data privacy laws. An example here is France’s CNIL, the data privacy regulator, which has been aggressive about pursuing and fining violators of data privacy regulations.
Organizations that adhere to GDPR should be on the right side of safeguarding user privacy, but it is important to note that the ePD aims to:
Prevent unlawful data capture and interactions: It is not permitted to intercept, store, monitor, scan or surveil electronic communications unless the user has consented.
Track only with explicit consent: It is not permitted to track users with any technology for non-necessary purposes without their explicit and specific consent.
Get consent for data access: It is not permitted to access information stored on a user’s device without their consent.
Prevent unsolicited communication: It is not permitted to send unsolicited emails, texts, automated calls or other electronic communications (“spam”).
Avoid unconsented processing of metadata: Metadata from electronic communications, such as location data or recipient data, may not be processed without consent or a legal right to do so.
The directive is applicable to any organization that processes personal data from EU residents or provides digital communications services. This could include:
Any business (worldwide) that processes personal data of EU residents, engaged in digital marketing, cookie-based tracking, or any other tracking methods to collect personal data of users
Third parties using tracking technologies
Website owners and operators who use tracking technologies
Communications service providers, such as internet companies, telephone operating companies, and so on, which enable personal data collection
The ePrivacy Directive, intersecting as it does with the GDPR, confers a number of similar data privacy rights to consumers, including:
Consumers can expect to be informed about what data is collected, why and by whom, typically in the form of cookie banners and privacy notices
Consumers must give informed and explicit consent before any non-essential cookies or similar tracking technologies are used
Consumers may refuse or withdraw consent at any time
Consumers are entitled to confidentiality of communications, including protection against interception or surveillance of communication or unauthorized data retention
Consumers have control over any attempt to store information or access information on their devices, such as cookies, local storage or tracking pixels
Consumers have the right not to receive unsolicited marketing communications, such as emails, SMS, etc.
Dubbed the “cookie law”, the ePrivacy Directive is one of the main reasons cookie banners appear on most websites, prompting users to opt in to or out of cookie use. The directive requires that websites obtain user consent before storing cookies in a user’s browser, except for strictly functional cookies that are required for the website to work. This consent-gathering practice also requires that users be informed of the cookies’ purpose(s) before consenting to their use.
Penalties for violating parts of the ePD are indirect in that they are imposed by the data protection regulators of each EU member state. Many fines have been issued for cookie consent breaches. The fines issued mirror those of the GDPR, and individuals adversely affected by violations have the right to compensation from the offending organization.
Review data practices: Obtain explicit, prior consent for cookies and tracking.
Respect user consent rights to choose and withdraw: Give users the ability to make granular choices about accepting and rejecting cookies.
Provide accessible information: Explain what data is being collected, how it will be used and shared, and with whom.
Ensure partner and third-party compliance: Check that third parties and partners are also compliant with the directive.
As a consent management platform that ensures GDPR compliance, CookieHub helps you align with the ePrivacy Directive’s requirements for consent and cookie management. Website owners around the world rely on CookieHub to uncover hidden website cookies and trackers and to ensure compliance.
The ePrivacy Directive (also known as the "Cookie Law") governs the processing of personal data and the protection of privacy in electronic communications. It covers areas such as confidentiality, tracking technologies (like cookies), unsolicited communications (spam), and data retention by telecom providers. It applies to businesses offering electronic communication services within the EU.
Personal data refers to any information that can identify an individual, either directly or indirectly. This includes names, email addresses, IP addresses, phone numbers, and even online identifiers that can be traced back to a person.
While the ePD itself doesn't define "sensitive data" explicitly, it complements the General Data Protection Regulation (GDPR), which defines sensitive data as information revealing racial or ethnic origin, political opinions, religious beliefs, health status, sexual orientation, and more. If such data is processed via electronic communications, the ePD’s provisions may also apply.
Each EU member state enforces the ePD through its national Data Protection Authority (DPA). These authorities monitor compliance, handle complaints, and may impose sanctions. The European Data Protection Board (EDPB) provides guidance and coordination across the EU.
Some exceptions apply, such as when cookies are strictly necessary for providing a service explicitly requested by the user (e.g., items in a shopping cart). Law enforcement or national security activities may also be exempt from certain provisions.
You can find official information on the European Commission’s ePrivacy Directive page, or consult your national Data Protection Authority’s website for localized guidance.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.