Jump to

ePrivacy Directive (EU 2002/58 + ePrivacy Regulation)

What is the ePrivacy Directive?

The ePrivacy Directive (Directive 2002/58/EC), also known as the “cookie law” after its 2009 amendment, is the EU’s sectoral privacy law for electronic communications — covering confidentiality of communications, traffic and location data, cookies/tracking, and unsolicited commercial communications. ePrivacy operates as lex specialis to GDPR for electronic communications: where ePrivacy and GDPR overlap, ePrivacy rules govern. The proposed ePrivacy Regulation (in legislative limbo since 2017) would replace the Directive with a directly applicable EU-wide regulation but has stalled in trilogue negotiations.

Key ePrivacy obligations

  • Article 5(3) — cookie consent: any storage of information on user’s terminal equipment (cookies, local storage, fingerprinting) requires prior informed consent — except strictly necessary cookies.
  • Article 6-9 — traffic and location data: deletion or anonymisation when no longer needed; processing for billing limited.
  • Article 13 — unsolicited communications: opt-in for email, SMS marketing to individuals; soft opt-in for existing customers.
  • National transposition variance: implementation differs across member states (German TTDSG, French RGPD-loi, etc.) — pan-EU compliance is fragmented.

Cookie banner enforcement evolution

  • 2018-2020: wide non-compliance; cookie walls and pre-ticked boxes common.
  • EDPB Guidelines 5/2020: clarified consent must be unambiguous, granular, easy to withdraw.
  • 2021-2024: NOYB campaigns, large fines (Google, Facebook in France for €60-150M each).
  • Dark pattern crackdown: EDPB Guidelines 3/2022 on dark patterns; equal prominence for “reject all” required.

ePrivacy in the product stack

The ePrivacy Directive is why cookie banners exist, and its logic outlived its age: confidentiality of communications and terminal-equipment rules require consent for storing or reading non-essential identifiers, alongside marketing-communication consent rules. It operates as lex specialis next to GDPR — the cookie consent travels under ePrivacy, the subsequent processing under GDPR. For Turkish companies the same architecture arrives twice: through EU users (Directive-implementing national laws apply territorially) and through the domestic mirror — KVKK’s cookie guidance and the E-Commerce Law/İYS regime for commercial messages reproduce the consent-first structure. Build one consent-management layer satisfying the stricter reading: granular categories, prior consent for tracking, evidence logs, and parity between the banner’s promises and the tags actually firing.