What is the ePrivacy Directive?

The ePrivacy Directive (Directive 2002/58/EC), also known as the “cookie law” after its 2009 amendment, is the EU’s sectoral privacy law for electronic communications — covering confidentiality of communications, traffic and location data, cookies/tracking, and unsolicited commercial communications. ePrivacy operates as lex specialis to GDPR for electronic communications: where ePrivacy and GDPR overlap, ePrivacy rules govern. The proposed ePrivacy Regulation (in legislative limbo since 2017) would replace the Directive with a directly applicable EU-wide regulation but has stalled in trilogue negotiations.

Key ePrivacy obligations

  • Article 5(3) — cookie consent: any storage of information on a user’s terminal equipment (cookies, local storage, fingerprinting) requires prior informed consent — except strictly necessary cookies.
  • Articles 6-9 — traffic and location data: deletion or anonymisation when no longer needed; processing for billing is limited.
  • Article 13 — unsolicited communications: opt-in for email and SMS marketing to individuals; soft opt-in for existing customers.
  • National transposition variance: implementation differs across member states (German TTDSG, French RGPD-loi, etc.) — pan-EU compliance is fragmented.

Cookie banner enforcement evolution

  • 2018-2020: wide non-compliance; cookie walls and pre-ticked boxes common.
  • EDPB Guidelines 5/2020: clarified that consent must be unambiguous, granular, and easy to withdraw.
  • 2021-2024: NOYB campaigns and large fines (Google and Facebook in France, €60-150M each).
  • Dark pattern crackdown: EDPB Guidelines 3/2022 on dark patterns; equal prominence for “reject all” required.