
ePrivacy Directive (2002/58/EC)

The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".

Effective: 31 July 2002
Last updated: 19 December 2009

Overview

The ePrivacy Directive (Directive 2002/58/EC), as amended by Directive 2009/136/EC, regulates privacy and data protection in the electronic communications sector. Often referred to as the "Cookie Law," it complements the GDPR by providing sector-specific rules for electronic communications services.

The directive's scope covers all providers of publicly available electronic communications services and networks within the EU. Since its 2009 amendment, it has required prior informed consent for the storage of or access to information on a user's terminal equipment — the legal basis for cookie consent banners seen across European websites.

Article 5 establishes the principle of confidentiality of communications, prohibiting the interception, surveillance, or storage of communications and related traffic data without the consent of the users concerned. Member states may adopt legislative measures restricting this right only when necessary, appropriate, and proportionate within a democratic society, in line with Article 15.

Cookie and tracking technology requirements are detailed in Article 5(3): storing information or gaining access to information already stored in terminal equipment is only permitted with clear and comprehensive information and prior consent. Exceptions exist for cookies strictly necessary for providing a service explicitly requested by the user and for the sole purpose of carrying out a communication.

The directive also regulates unsolicited electronic communications (spam). Article 13 requires prior opt-in consent for direct marketing via email, SMS, or automated calling systems. A limited "soft opt-in" exception allows marketing to existing customers about similar products or services if they were given the opportunity to object when their details were collected and in every subsequent message.

Traffic and location data must be erased or anonymised when no longer needed for transmission or billing, unless consent has been obtained for value-added services. Calling line identification (caller ID) must be offered with the option to override on a per-call or per-line basis.

The ePrivacy Directive was intended to be replaced by an ePrivacy Regulation to align with the GDPR. After years of legislative negotiations, the ePrivacy Regulation proposal remains under discussion. Until it is adopted, the directive — as transposed into national law by each member state — continues to apply. National implementations vary, creating a somewhat fragmented landscape for cross-border electronic communications services. Enforcement is carried out by national data protection authorities or telecommunications regulators, depending on the member state.

Key Articles & Provisions

Art. 5: Confidentiality of communications

Establishes the fundamental right to confidentiality of electronic communications, prohibiting interception and surveillance. Also contains the cookie consent requirement (paragraph 3).

Art. 5(3): Cookie consent requirement

Requires prior informed consent for storing information (cookies, pixels, fingerprinting) on user devices. Exempts cookies strictly necessary for requested services and transmission.

Art. 6: Traffic data

Requires erasure or anonymisation of traffic data when no longer needed for communication transmission or billing. Further processing requires user consent.

Art. 9: Location data other than traffic data

Location data may only be processed with consent or after anonymisation. Users must be informed of data types, purposes, duration, and whether data is shared with third parties.

Art. 13: Unsolicited communications (spam)

Requires opt-in consent for electronic direct marketing. Permits soft opt-in for existing customers receiving marketing about similar products, with easy opt-out in every message.

Art. 15: Retention of data

Allows member states to restrict the scope of communication confidentiality rights through legislative measures when necessary and proportionate for national security, defence, or crime prevention.

Penalties & Enforcement

Maximum Fine

Determined by national law (no harmonised maximum); varies by member state transposition.

Enforcement Examples

  • CNIL (France) fined Google €150M and Facebook €60M (2022) for making cookie rejection more difficult than acceptance
  • Garante (Italy) fined TIM/Telecom Italia €27.8M (2020) for unsolicited marketing communications
  • AEPD (Spain) fined CaixaBank €6M (2021) for processing data for commercial communications without valid consent
  • The German Federal Court of Justice ruled that pre-ticked cookie consent checkboxes are invalid (2020, "Planet49" follow-up)
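The Article 5(3) rule summarised above, together with the two enforcement points just listed (rejection must be no harder than acceptance, and pre-ticked consent boxes are invalid), maps directly onto how a site's client-side storage should be gated. The following is an added example, not code from the page or from any regulator or project it names: a small consent gate in which every cookie is classified up front, strictly necessary cookies pass without consent, all other categories start unset rather than pre-ticked, accept-all and reject-all are symmetric single actions, and both writing and reading are blocked until consent is recorded. The cookie names, purpose categories, in-memory store and the `auditCookies` helper are all constructed for illustration.

```javascript
// Added example (not part of the page or any project it names): a consent gate
// for client-side storage modelled on the Article 5(3) rules and the enforcement
// points above. Cookie names, purpose categories and the storage backend are
// constructed for illustration.

const STRICTLY_NECESSARY = "strictly_necessary"; // exempt under Art. 5(3)
const CONSENT_CATEGORIES = ["analytics", "marketing"]; // each needs prior consent

// Hypothetical registry: every cookie the site sets is classified up front, so a
// cookie with no declared purpose can never be written silently.
const COOKIE_REGISTRY = {
  session_id: STRICTLY_NECESSARY, // login session for a service the user requested
  cart: STRICTLY_NECESSARY,       // basket the user is actively using
  site_stats: "analytics",        // hypothetical analytics identifier
  ad_id: "marketing",             // hypothetical advertising identifier
};

// Consent starts unset (null) for every category: nothing is pre-ticked, and an
// unset category is treated exactly like a refusal when a write is attempted.
function initialConsent() {
  const state = {};
  for (const category of CONSENT_CATEGORIES) state[category] = null;
  return state;
}

// Minimal in-memory backend standing in for document.cookie, so the example
// runs outside a browser. Any object with set/get/has works.
function memoryStore() {
  const data = new Map();
  return {
    set: (name, value) => { data.set(name, value); },
    get: (name) => data.get(name),
    has: (name) => data.has(name),
  };
}

function createConsentGate(store) {
  const consent = initialConsent();

  const purposeOf = (name) => {
    const purpose = COOKIE_REGISTRY[name];
    if (purpose === undefined) throw new Error(`unregistered cookie: ${name}`);
    return purpose;
  };
  // Storage and access are both gated: Art. 5(3) covers reading as well as writing.
  const allowed = (name) => {
    const purpose = purposeOf(name);
    return purpose === STRICTLY_NECESSARY || consent[purpose] === true;
  };

  return {
    consent,
    // Accept-all and reject-all are symmetric single actions, so refusing is
    // never more work than accepting.
    acceptAll() { for (const c of CONSENT_CATEGORIES) consent[c] = true; },
    rejectAll() { for (const c of CONSENT_CATEGORIES) consent[c] = false; },
    setCategory(category, granted) {
      if (!CONSENT_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      consent[category] = granted === true;
    },
    // Returns true if written, false if blocked for lack of consent.
    setCookie(name, value) {
      if (!allowed(name)) return false;
      store.set(name, value);
      return true;
    },
    // Returns undefined rather than the value when access is not permitted.
    getCookie(name) {
      return allowed(name) ? store.get(name) : undefined;
    },
  };
}

// Parse the names out of a Cookie header / document.cookie string.
function parseCookieNames(header) {
  return header
    .split(";")
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => part.split("=")[0].trim());
}

// Audit helper for a defender: given the cookies actually present and the
// recorded consent state, list those that should not be there.
function auditCookies(header, consent) {
  const findings = [];
  for (const name of parseCookieNames(header)) {
    const purpose = COOKIE_REGISTRY[name];
    if (purpose === undefined) {
      findings.push({ name, reason: "unregistered" });
    } else if (purpose !== STRICTLY_NECESSARY && consent[purpose] !== true) {
      findings.push({ name, reason: `no consent for ${purpose}` });
    }
  }
  return findings;
}

// Constructed walk-through.
const gate = createConsentGate(memoryStore());
gate.setCookie("session_id", "abc123"); // allowed: strictly necessary
gate.setCookie("ad_id", "xyz");         // blocked: marketing consent unset
gate.setCategory("analytics", true);
console.log(auditCookies("session_id=abc123; ad_id=xyz; tracker=1", gate.consent));
```

The registry is the important design choice: because an unregistered cookie name throws rather than being written, a new tracker cannot slip in under a category nobody declared, and the same registry drives `auditCookies`, which a site can run against its live `document.cookie` (or a crawler's captured Cookie header) to catch cookies set before or despite a refusal, which is exactly the behaviour the enforcement examples above were fined for.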


Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
