The ePrivacy Directive is the reason your website needs a cookie banner. Officially titled Directive 2002/58/EC, this EU law specifically governs how websites and online services handle cookies, tracking technologies, and electronic communications. While the GDPR gets most of the headlines, the ePrivacy Directive is the law that regulators actually use when they fine organisations for cookie violations.
The French data protection authority, CNIL, demonstrated this forcefully in September 2025 when it fined Google a record-breaking 325 million euros and Shein 150 million euros - both under ePrivacy rules transposed into French law, not the GDPR directly. Those fines brought CNIL's combined cookie enforcement penalties to well over half a billion euros in total.
What Does the ePrivacy Directive Actually Cover?
The Directive covers four main areas of electronic privacy. The most well-known is Article 5(3), which regulates the storage of information on, or access to information from, a user's device. This is the provision that governs cookies - but its scope extends far beyond them.
The full scope includes:
| Area | Key Articles | What It Covers |
|---|---|---|
| Cookies and tracking | Article 5(3) | Any storage of or access to information on a user's terminal equipment, including cookies, tracking pixels, device fingerprinting, and local storage |
| Confidentiality of communications | Articles 5(1), 5(2) | Prohibition on intercepting, recording, or surveilling electronic communications without consent |
| Traffic and location data | Articles 6, 9 | Rules on processing metadata such as IP addresses, timestamps, and geolocation from communications |
| Unsolicited communications | Article 13 | Rules on direct marketing via email, SMS, and automated calling systems (the "spam" rules) |
Article 5(3) is technology-neutral. It does not mention the word "cookie" at all. Instead, it refers to "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." This means that tracking pixels, JavaScript fingerprinting scripts, localStorage, and even certain uses of ETags can all fall within its scope.
The Relationship Between the ePrivacy Directive and the GDPR
This is where most website owners get confused. The ePrivacy Directive and the GDPR are separate legal instruments that work together rather than replacing each other. In legal terms, the ePrivacy Directive is lex specialis to the GDPR's lex generalis. Article 95 of the GDPR explicitly establishes this relationship: where the ePrivacy Directive provides a specific rule for a particular type of processing, that rule takes precedence over the more general GDPR provisions.
What does this mean in practice? When a visitor lands on your website and a cookie is placed on their device, the obligation to obtain consent for that placement comes from the ePrivacy Directive (Article 5(3)), not from the GDPR. The Directive borrows its definition of consent from general data protection law, so the GDPR standard (the definition in Article 4(11) and the conditions in Article 7) dictates how that consent must be obtained - freely given, specific, informed and unambiguous, given by a clear affirmative act - but the requirement to ask in the first place comes from the ePrivacy Directive.
Any subsequent processing of personal data collected through those cookies, however, falls squarely under the GDPR. So if you collect a visitor's browsing behaviour via an analytics cookie, the ePrivacy Directive governs the cookie placement, while the GDPR governs what you do with the data afterwards. Both laws apply, at different stages of the same process.
Directive vs. Regulation: Why Implementation Varies by Country
A directive is not the same as a regulation. Under EU law, a regulation (like the GDPR) applies directly and uniformly in every member state. A directive, by contrast, instructs member states to achieve a particular result but leaves them free to choose how to transpose it into national law.
This has created a patchwork of national implementations across Europe. France transposed Article 5(3) into Article 82 of the French Data Protection Act, giving the CNIL authority to enforce cookie rules and impose fines up to 2% of worldwide annual turnover. The UK implemented it through the Privacy and Electronic Communications Regulations 2003 (PECR), enforced by the ICO. Germany's transposition was notoriously problematic - the old Telemedia Act (TMG) allowed pseudonymous tracking profiles on an opt-out basis, which contradicted the Directive's opt-in requirement for years until the TTDSG (Telecommunications Telemedia Data Protection Act) corrected this in December 2021.
The practical consequence for website owners operating across multiple EU countries is that enforcement standards, fine levels, and specific requirements can differ. The CNIL has been far more aggressive on cookie enforcement than most other DPAs, issuing nine-figure fines where others have favoured warning letters.
Article 5(3): The Cookie Rule in Detail
Article 5(3) is the single most important provision for anyone running a website that targets EU visitors. It establishes a simple default rule: you must obtain informed consent before storing information on, or accessing information from, a user's device.
There are only two exemptions. A cookie (or similar technology) can be placed without consent if it is:
- Strictly necessary to carry out the transmission of a communication over the network - for example, load-balancing cookies that route traffic between servers.
- Strictly necessary to provide an information society service explicitly requested by the user - for example, a session cookie (`PHPSESSID`) that keeps you logged in, or a shopping cart cookie that remembers items you have added.
Everything else requires prior, informed consent. Analytics cookies like _ga and _gid from Google Analytics? Consent required. Advertising cookies like _fbp from Meta Pixel? Consent required. A/B testing scripts that store variant assignments in localStorage? Consent required. The threshold is strict, and regulators have shown little patience for creative arguments about "legitimate interest" as a basis for cookie placement - the ePrivacy Directive does not recognise legitimate interest as a lawful basis for Article 5(3) operations.
The Planet49 Ruling: A Turning Point for Cookie Consent
The CJEU's judgment in Planet49 (Case C-673/17, 1 October 2019) settled several questions that had been ambiguous since the Directive's 2009 amendment. The Court ruled that pre-ticked checkboxes do not constitute valid consent, that GDPR-standard consent (active, unambiguous, specific) applies to Article 5(3) regardless of whether the cookie contains personal data, and that website operators must inform users about both the duration of cookies and whether third parties have access to them.
The ruling removed any remaining justification for implied consent mechanisms - the "by continuing to browse this site, you consent to cookies" banners that were once commonplace across Europe. Active, affirmative action from the user is required. Scrolling, clicking through, or simply ignoring a banner does not count.
The ePrivacy Regulation That Never Was
The European Commission proposed a new ePrivacy Regulation in January 2017, intended to replace the ageing Directive and come into force alongside the GDPR in May 2018. It would have been a regulation rather than a directive, applying directly and uniformly across all member states. It would also have introduced GDPR-level fines of up to 20 million euros or 4% of global annual turnover.
It never happened. After eight years of negotiations, multiple drafts, and a stalled trilogue between the European Parliament and the Council, the European Commission formally withdrew the proposal in its 2025 work programme on 11 February 2025. The Commission's stated reason was blunt: no foreseeable agreement between co-legislators, and the proposal had become outdated given recent developments in both technology and law, including the Digital Markets Act and the Digital Services Act.
The withdrawal was officially confirmed in the EU Official Journal on 6 October 2025. The ePrivacy Directive, despite being over two decades old and last amended in 2009, remains the governing law. There is no replacement on the horizon.
EDPB Guidelines on Article 5(3): Beyond Cookies
With the ePrivacy Regulation dead, the European Data Protection Board (EDPB) has been working to modernise the interpretation of the existing Directive. In October 2024, the EDPB adopted Guidelines 2/2023 on the technical scope of Article 5(3), expanding on older guidance from the Article 29 Working Party.
These guidelines confirmed that Article 5(3) applies to far more than HTTP cookies. The EDPB breaks the provision into four elements that must all be present: the operation must involve "information" (not limited to personal data); that information must sit on the "terminal equipment" of a subscriber or user; the operation must take place in the context of a publicly available electronic communications service over a public communications network; and it must constitute either the storing of information or the gaining of access to information already stored. Under this framework, the following technologies all fall within Article 5(3):
- URL and pixel tracking (including the tracking pixels in marketing emails)
- Device fingerprinting via JavaScript APIs
- Local storage mechanisms (`localStorage`, `sessionStorage`, `IndexedDB`)
- Unique identifiers derived from hashed personal data (such as hashed email addresses used for cross-site matching)
- Internet of Things (IoT) device data where the device connects to a public network
The guidelines also confirmed that "terminal equipment" includes smartphones, tablets, laptops, smart TVs, connected cars, and IoT devices - essentially any device with a network interface, whether the connection is direct (cellular) or indirect (via Wi-Fi or Bluetooth relay).
How Enforcement Actually Works
One critical difference between ePrivacy enforcement and GDPR enforcement is jurisdiction. The GDPR's one-stop-shop mechanism allows a company to deal primarily with the data protection authority in the EU country where its main establishment is located. The ePrivacy Directive has no such mechanism. Each national authority can enforce its own transposition of the Directive independently.
This means a company like Google can face cookie enforcement actions simultaneously from the CNIL in France, the AEPD in Spain, and the ICO in the UK - without any coordination requirement. The CNIL's 2025 fine against Google was based entirely on French national law (Article 82 of the French Data Protection Act), and Google's Irish establishment offered no jurisdictional shield.
Recent enforcement trends show regulators focusing on three areas:
| Enforcement Focus | Examples | Typical Outcome |
|---|---|---|
| Cookies placed before consent | Advertising and analytics cookies firing on page load before the banner is interacted with | Fines ranging from tens of thousands to hundreds of millions of euros |
| Dark patterns in cookie banners | Asymmetric button design (prominent "Accept All", hidden or greyed-out "Reject"), misleading labels, required extra clicks to refuse | Formal notices, fines, mandatory redesign orders |
| Inadequate information | Vague purpose descriptions ("improve your experience"), missing cookie categories, no details on duration or third-party access | Compliance orders, fines for repeat offenders |
In December 2024, the CNIL issued formal notices to multiple website publishers over dark patterns in their cookie banners, giving them just one month to comply. The ICO in the UK has also expanded its online tracking strategy, issuing compliance letters to the most-visited UK websites regarding their cookie practices.
What the ePrivacy Directive Means for Your Website
If your website is accessible to visitors in the EU or UK, the ePrivacy Directive (or its national transposition) applies to you. The core compliance requirements are straightforward, even if implementation can be fiddly.
Before any non-essential cookie or tracking technology is placed on a visitor's device, you need their informed, active consent. The consent mechanism must make it equally easy to accept and refuse cookies - no dark patterns, no pre-ticked boxes, no "accept" button in bright green next to a tiny grey "reject" link. You must tell visitors what cookies you set, what each category does, how long they last, and which third parties receive data from them.
Strictly necessary cookies - session identifiers, CSRF tokens, load-balancing cookies, user-input cookies for forms - can be set without consent. But the exemption is narrow. A language preference cookie, for example, typically does not qualify because the user requested a web page, not a language-remembering service (see the guide on functional cookies for a deeper look at this distinction). The test is whether the cookie is strictly necessary for the service the user explicitly requested, not whether it improves their experience.
A cookie scanner is a practical starting point. Many websites set cookies they are unaware of, particularly when third-party scripts are loaded via tag managers. Kukie.io's cookie scanner detects both first-party and third-party cookies across your site, categorises them, and identifies those that require consent - which is the first step toward building a compliant cookie banner.
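The two practical requirements above - load nothing non-essential until the visitor has actively consented, and check that no such cookie is present on the device before that point - can be expressed in a few dozen lines of browser-side logic. The following JavaScript is an added illustration written for this article; it is not Kukie.io's code and does not describe how its scanner works. The cookie-name patterns (`PHPSESSID`, `csrftoken`, `_ga`, `_gid`, `_fbp` and so on) and the category names are assumptions chosen for the walkthrough, not an authoritative classification. The code runs unmodified under Node.js by simulating the `document.cookie` string as a plain variable.

```javascript
// Added example, not Kukie.io code. A consent gate that defers tag loaders until
// the visitor grants a category, plus an audit that flags cookies present on the
// device without a matching consent. Cookie-name patterns are illustrative
// assumptions drawn from names mentioned in the article, not an authoritative list.

const COOKIE_RULES = [
  // Strictly necessary under the Article 5(3) exemptions: no consent needed.
  { pattern: /^(PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN|AWSALB)$/i, category: "necessary" },
  // Google Analytics cookies (_ga, _gid, _gat*): consent required.
  { pattern: /^_g(a|id|at)/, category: "analytics" },
  // Meta Pixel cookies (_fbp, _fbc): consent required.
  { pattern: /^_fb[pc]$/, category: "advertising" },
];

// Unknown cookies are treated as consent-required (fail closed): an audit
// must never silently assume an unrecognised cookie is exempt.
function classifyCookie(name) {
  const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : "unknown";
}

// Parse a document.cookie-style string ("a=1; b=2") into {name, value} pairs.
function parseCookieString(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf("=");
      return eq === -1
        ? { name: part, value: "" }
        : { name: part.slice(0, eq), value: part.slice(eq + 1) };
    });
}

// Return every cookie whose category has not been granted. Called with no
// granted categories on a freshly loaded page, this is the "cookies placed
// before consent" check that regulators run.
function auditCookies(cookieString, grantedCategories) {
  const granted = new Set(["necessary", ...grantedCategories]);
  return parseCookieString(cookieString)
    .map(({ name }) => ({ name, category: classifyCookie(name) }))
    .filter(({ category }) => !granted.has(category));
}

class ConsentGate {
  constructor() {
    this.granted = new Set(["necessary"]);
    this.pending = new Map(); // category -> loaders waiting for consent
    this.loaded = [];         // names of loaders that actually ran
  }

  // Register a tag loader. It runs immediately if its category is already
  // granted, otherwise it is queued; a later refusal discards it.
  whenConsented(category, name, loader) {
    if (this.granted.has(category)) {
      this.loaded.push(name);
      loader();
      return;
    }
    if (!this.pending.has(category)) this.pending.set(category, []);
    this.pending.get(category).push({ name, loader });
  }

  // Active, affirmative consent for specific categories: flush their queues.
  grant(categories) {
    for (const category of categories) {
      this.granted.add(category);
      for (const { name, loader } of this.pending.get(category) || []) {
        this.loaded.push(name);
        loader();
      }
      this.pending.delete(category);
    }
  }

  // Refusal drops the queued loaders so nothing fires later by accident.
  reject(categories) {
    for (const category of categories) this.pending.delete(category);
  }
}

// Constructed walkthrough: a page that sets a session cookie and a CSRF token,
// then loads Google Analytics only after the visitor accepts "analytics" and
// refuses "advertising".
function demo() {
  const gate = new ConsentGate();
  let jar = "PHPSESSID=abc123; csrftoken=def456"; // stands in for document.cookie
  gate.whenConsented("necessary", "session", () => {});
  gate.whenConsented("analytics", "ga4", () => { jar += "; _ga=GA1.2.1; _gid=GA1.2.2"; });
  gate.whenConsented("advertising", "meta-pixel", () => { jar += "; _fbp=fb.1.1"; });

  const beforeConsent = auditCookies(jar, []);             // nothing non-essential yet
  gate.grant(["analytics"]);
  gate.reject(["advertising"]);
  const afterConsent = auditCookies(jar, ["analytics"]);   // _ga/_gid now covered
  const misfire = auditCookies("PHPSESSID=x; _fbp=fb.1.1", []); // pixel fired early
  return { beforeConsent, afterConsent, misfire, loaded: gate.loaded };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the walkthrough the audit is empty both before and after consent because the analytics loader only runs once `grant(["analytics"])` is called; the `misfire` case shows what a regulator's scan sees when an advertising pixel fires on page load. Treating unrecognised cookie names as consent-required is deliberate: the exemption is narrow, and a scanner that defaults the other way will under-report.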
Direct Marketing Rules Under Article 13
Article 13 of the ePrivacy Directive is less discussed than Article 5(3) but equally important for marketers. It requires prior opt-in consent before sending direct marketing communications by email, SMS, or automated calling systems.
There is one exception, commonly called the "soft opt-in." If you obtained a customer's email address in the context of a sale (or sale of a service), you may send marketing emails promoting similar products or services without prior consent, provided you gave the customer a clear opportunity to opt out at the time of collection and in every subsequent message. A November 2025 CJEU judgment (Case C-654/23) clarified that even free user accounts in freemium business models can qualify as a "sale of a service" for the purposes of this soft opt-in, broadening its applicability to digital service providers.
The Directive also prohibits sending commercial emails that disguise or conceal the sender's identity, and it requires that every marketing email include a valid opt-out mechanism.
What Happens Next?
With the proposed ePrivacy Regulation officially dead, the 2002 Directive (as amended in 2009) remains the law. No replacement is expected soon. The European Commission has hinted at new, more focused legislative proposals that could address some of the issues the Regulation was meant to tackle, but nothing concrete has been announced.
In the meantime, enforcement is intensifying rather than relaxing. The EDPB's expanded interpretation of Article 5(3) means that newer tracking techniques - server-side tagging, fingerprinting, hashed email matching - are explicitly within scope. Regulators across Europe are treating cookie compliance as a priority enforcement area, with the CNIL alone issuing nearly half a billion euros in cookie fines in 2025.
For website owners, the message is clear: the ePrivacy Directive may be old, but it is very much alive. Compliance is not optional, and the cost of getting it wrong has never been higher. For more on specific cookie types and how regulations treat them differently, see the Kukie.io blog.
Frequently Asked Questions
Is the ePrivacy Directive the same as the GDPR?
No. The ePrivacy Directive (2002/58/EC) is a separate law that specifically governs cookies, electronic communications, and direct marketing. It works alongside the GDPR as lex specialis, meaning its specific rules on cookies and tracking take precedence over the GDPR's more general provisions. Both laws can apply to the same processing activity at different stages.
Does the ePrivacy Directive apply outside the EU?
The Directive itself only binds EU member states, but each national transposition can have extraterritorial effect. If your website targets visitors in France, Germany, or any other EU country, the local ePrivacy rules apply to the cookies you set on those visitors' devices - regardless of where your business is based. The UK's PECR continues to apply post-Brexit with similar requirements.
Which cookies are exempt from consent under the ePrivacy Directive?
Only cookies that are strictly necessary to transmit a communication over the network, or strictly necessary to provide a service the user has explicitly requested, are exempt. This covers session cookies, authentication tokens, shopping cart cookies, and CSRF protection cookies. Analytics cookies, advertising cookies, and preference cookies generally require consent.
What happened to the ePrivacy Regulation?
The European Commission formally withdrew its proposal for an ePrivacy Regulation on 11 February 2025, after eight years of failed negotiations. The Commission cited no foreseeable agreement between co-legislators and the proposal's outdated nature. The existing ePrivacy Directive remains in force with no announced replacement.