What the ePrivacy Directive is
The ePrivacy Directive (Directive 2002/58/EC, amended in 2009) is an EU law specifically about confidentiality of electronic communications. Its most consequential provision — Article 5(3) — requires prior informed consent before storing information on, or accessing information from, a user's device. That covers cookies, local storage, fingerprinting, and pixels.
Because it's a directive (not a regulation), each EU member state implements it through national law. National examples include PECR in the UK, the TTDSG in Germany, the LCEN in France, and similar acts elsewhere.
ePrivacy vs GDPR
GDPR governs personal data; ePrivacy governs storage and access on a device. They overlap heavily in practice — most cookies that need ePrivacy consent also process personal data — but ePrivacy is broader on the storage question and stricter:
- ePrivacy applies even when no personal data is involved.
- ePrivacy permits no legal basis other than consent, except for the two narrow exemptions.
- ePrivacy is "lex specialis" — when both laws apply, ePrivacy wins on cookie questions.
Who ePrivacy applies to
Any service that stores information on, or accesses information from, the terminal equipment of a user located in the EU. The territorial trigger is the user's location, not the operator's — meaning sites worldwide can fall under member-state ePrivacy law if they have EU visitors.
Core requirements
- Prior consent — the user must opt in before any non-essential cookie is set or read.
- Clear information — purpose, identity of controllers, retention, and recipients must be visible at the moment of consent.
- Granular choice — separate toggles for distinct purposes; bundled consent is not valid.
- Withdrawal at any time — and as easily as consent was given.
Common violations
The most common ePrivacy failure is scripts firing on page load — even before the consent banner has a chance to render. Because ePrivacy is strict-liability on the storage question, every cookie or pixel that fires before the user clicks is a discrete violation. Other recurring issues:
- Treating "implied consent" (continued browsing) as opt-in — not valid since 2018.
- Cookie walls that condition access on accepting — disallowed in most member states.
- Pre-ticked boxes for non-essential cookies in the preferences panel.
- Failing to apply withdrawal: the user opts out, but the next page load still sets the tracker because consent state isn't checked at script load time.
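The load-before-consent and withdrawal failures above both come down to where the consent check lives. The following is an added example, not code from this guide or from any consent tool: a tag loader that reads the stored consent record each time a tag is registered. `createConsentGate`, `memoryStore`, the `consent_state` key and the purpose names are all hypothetical.

```javascript
// Added example. Non-essential tags are registered here instead of being
// written into the page as <script> elements, so nothing loads by default.
function createConsentGate(store, inject) {
  const KEY = 'consent_state'; // assumed storage key for the consent record
  const queued = [];           // tags waiting for an opt-in

  function state() {
    try {
      const parsed = JSON.parse(store.getItem(KEY) || '{}');
      return parsed && typeof parsed === 'object' ? parsed : {};
    } catch {
      return {}; // an unreadable record is treated as "no consent"
    }
  }
  // Only an explicit `true` counts; a missing or false entry blocks the tag.
  const allowed = (purpose) => state()[purpose] === true;
  const save = (s) => store.setItem(KEY, JSON.stringify(s));

  return {
    // Consent is checked at load time, on every page load.
    register(tag) {
      if (allowed(tag.purpose)) inject(tag);
      else queued.push(tag);
    },
    // Per-purpose opt-in coming from the banner or preferences panel.
    grant(purposes) {
      const s = state();
      for (const p of purposes) s[p] = true;
      save(s);
      const ready = queued.filter((t) => allowed(t.purpose));
      for (const t of ready) {
        queued.splice(queued.indexOf(t), 1);
        inject(t);
      }
    },
    // Persist the opt-out so the next page load's register() sees it.
    withdraw(purpose) {
      const s = state();
      s[purpose] = false;
      save(s);
    },
    pending: () => queued.map((t) => t.src),
  };
}

// Constructed in-memory stand-in for localStorage, so this runs outside a browser.
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a browser, pass `window.localStorage` as the store and an `inject` function that appends a `<script>` element. Withdrawal here only stops future loads; cookies a tag has already set must be deleted separately.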
ePrivacy Regulation status
The proposed ePrivacy Regulation, intended to replace the 2002 directive and harmonise rules across the EU, has been stuck in negotiation since 2017. Until it's adopted, ePrivacy obligations vary country by country in the details — though the core consent requirement is consistent everywhere. Watch for movement post-2026 European Commission mandate; final form may still tighten cookie rules further.
Frequently asked questions
Why is the ePrivacy Directive often called 'the cookie law'?
Because Article 5(3) of the directive specifically governs storing or accessing information on a user's terminal equipment — which includes cookies, localStorage, sessionStorage, IndexedDB, fingerprinting, and pixels. It was the EU's first instrument to address tracking technologies directly.
If GDPR already requires consent, why does ePrivacy matter?
ePrivacy applies to all storage and access — even when no personal data is involved. A purely anonymous cookie still needs prior consent under ePrivacy, whereas it might escape GDPR. ePrivacy also applies device-by-device: each browser session triggers the rule independently.
Are there any exceptions?
Two narrow ones: cookies strictly necessary for transmission of a communication (low-level networking), and cookies strictly necessary to provide a service the user explicitly requested. Everything else — analytics, ad-tech, A/B testing, social embeds — needs consent.
Has the ePrivacy Regulation replaced the directive yet?
No. The proposed ePrivacy Regulation has been in legislative limbo since 2017. Until it passes, member states implement the 2002/2009 directive through national laws (PECR in the UK, TTDSG in Germany, the LCEN in France, etc.) — which is why guidance varies subtly by country.
Does ePrivacy apply to fingerprinting and pixel tracking?
Yes. National DPAs and the EDPB have repeatedly confirmed that ePrivacy covers any technique that reads or stores information on the user's device — including device fingerprinting, ETag tracking, and tracking pixels, regardless of cookie usage.
This guide is informational only and does not constitute legal advice. Privacy laws evolve frequently — always confirm current obligations with qualified counsel before making compliance decisions.