EU Directive

ePrivacy Directive (2002/58/EC)

The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".

In force since: 31 July 2002
Last updated: 19 December 2009

Summary

The ePrivacy Directive (Directive 2002/58/EC), as amended by Directive 2009/136/EC, regulates privacy and data protection in the electronic communications sector. Often referred to as the "Cookie Law," it complements the GDPR by providing sector-specific rules for electronic communications services.

The directive's scope covers all providers of publicly available electronic communications services and networks within the EU. Since its 2009 amendment, it has required prior informed consent for the storage of or access to information on a user's terminal equipment — the legal basis for cookie consent banners seen across European websites.

Article 5 establishes the principle of confidentiality of communications, prohibiting the interception, surveillance, or storage of communications and related traffic data without the consent of the users concerned. Member states may adopt legislative measures restricting this right only when necessary, appropriate, and proportionate within a democratic society, in line with Article 15.

Cookie and tracking technology requirements are detailed in Article 5(3): storing information or gaining access to information already stored in terminal equipment is only permitted with clear and comprehensive information and prior consent. Exceptions exist for cookies strictly necessary for providing a service explicitly requested by the user and for the sole purpose of carrying out a communication.

The directive also regulates unsolicited electronic communications (spam). Article 13 requires prior opt-in consent for direct marketing via email, SMS, or automated calling systems. A limited "soft opt-in" exception allows marketing to existing customers about similar products or services if they were given the opportunity to object when their details were collected and in every subsequent message.

Traffic and location data must be erased or anonymised when no longer needed for transmission or billing, unless consent has been obtained for value-added services. Calling line identification (caller ID) must be offered with the option to override on a per-call or per-line basis.

The ePrivacy Directive was intended to be replaced by an ePrivacy Regulation to align with the GDPR. After years of legislative negotiations, the ePrivacy Regulation proposal remains under discussion. Until it is adopted, the directive — as transposed into national law by each member state — continues to apply. National implementations vary, creating a somewhat fragmented landscape for cross-border electronic communications services. Enforcement is carried out by national data protection authorities or telecommunications regulators, depending on the member state.

Key articles and provisions

Art. 5

Confidentiality of communications

Establishes the fundamental right to confidentiality of electronic communications, prohibiting interception and surveillance. Also contains the cookie consent requirement (paragraph 3).

Art. 5(3)

Cookie consent requirement

Requires prior informed consent for storing information (cookies, pixels, fingerprinting) on user devices. Exempts cookies strictly necessary for requested services and transmission.

Art. 6

Traffic data

Requires erasure or anonymisation of traffic data when no longer needed for communication transmission or billing. Further processing requires user consent.

Art. 9

Location data other than traffic data

Location data may only be processed with consent or after anonymisation. Users must be informed of data types, purposes, duration, and whether data is shared with third parties.

Art. 13

Unsolicited communications (spam)

Requires opt-in consent for electronic direct marketing. Permits soft opt-in for existing customers receiving marketing about similar products, with easy opt-out in every message.

Art. 15

Retention of data

Allows member states to restrict the scope of communication confidentiality rights through legislative measures when necessary and proportionate for national security, defence, or crime prevention.

Penalties and enforcement

Maximum fine

Determined by national law (no harmonised maximum)

Or

Varies by member state transposition

Enforcement examples

  • CNIL (France) fined Google €150M and Facebook €60M (2022) for making cookie rejection more difficult than acceptance
  • Garante (Italy) fined TIM/Telecom Italia €27.8M (2020) for unsolicited marketing communications
  • AEPD (Spain) fined CaixaBank €6M (2021) for processing data for commercial communications without valid consent
  • The German Federal Court of Justice ruled that pre-ticked cookie consent checkboxes are invalid (2020, "Planet49" follow-up)


Notice: the information on this page is for informational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
