What is the ePrivacy Directive?
The ePrivacy Directive (Directive 2002/58/EC), also known as the “cookie law” after its 2009 amendment, is the EU’s sectoral privacy law for electronic communications — covering confidentiality of communications, traffic and location data, cookies/tracking, and unsolicited commercial communications. ePrivacy operates as lex specialis to GDPR for electronic communications: where ePrivacy and GDPR overlap, ePrivacy rules govern. The proposed ePrivacy Regulation (in legislative limbo since 2017) would replace the Directive with a directly applicable EU-wide regulation but has stalled in trilogue negotiations.
Key ePrivacy obligations
- Article 5(3) — cookie consent: any storage of information on a user’s terminal equipment (cookies, local storage, fingerprinting) requires prior informed consent, except for strictly necessary cookies.
- Articles 6-9 — traffic and location data: deletion or anonymisation when no longer needed; processing for billing is limited.
- Article 13 — unsolicited communications: opt-in for email and SMS marketing to individuals; soft opt-in for existing customers.
- National transposition variance: implementation differs across member states (German TTDSG, French RGPD-loi, etc.) — pan-EU compliance is fragmented.
Cookie banner enforcement evolution
- 2018-2020: wide non-compliance; cookie walls and pre-ticked boxes common.
- EDPB Guidelines 5/2020: clarified consent must be unambiguous, granular, easy to withdraw.
- 2021-2024: NOYB campaigns, large fines (Google, Facebook in France for €60-150M each).
- Dark pattern crackdown: EDPB Guidelines 3/2022 on dark patterns; equal prominence for “reject all” required.
For Turkish e-commerce and SaaS
Turkish e-commerce and SaaS companies targeting the EU market need to provide ePrivacy-compliant cookie consent management for their EU visitors. In the Turkish domestic market, the KVKK Communiqués impose similar (but looser) consent standards; EU visitors need a separate, stricter consent UX. Turkish companies’ reliance on a default “EU cookie banner” is insufficient in many cases: the absence of dark patterns, granular consent, and country-specific geolocation gating are all required. Once PSD3 and the ePrivacy Regulation are settled, Turkish fintechs’ EU consent structures will be reviewed again.
Do: implement IAB TCF v2.2 or equivalent consent management; segment cookies by category (necessary, statistics, marketing); offer reject-all with equal prominence to accept-all.
Don’t: rely on “implied consent” or cookie walls — both have been declared non-compliant by EDPB and member state DPAs; fines have followed.