At a glance
The ePrivacy Directive (2002/58/EC) is the EU law covering cookies, tracking, and electronic marketing. It predates GDPR by 16 years. Because it’s a Directive rather than a Regulation, each EU country implements it differently – which is why cookie laws vary across Europe.
The ePrivacy Directive has a branding problem. It’s been lumped under the vague umbrella of “cookie law” for so long that people either dismiss it as “just about banners” or assume it’s the same thing as GDPR. It’s neither.
How we got cookie banners
The ePrivacy Directive 2002/58/EC – formally the “Directive on Privacy and Electronic Communications” – was adopted in July 2002, and member states had to transpose it into national law by 2003. A significant amendment in 2009 (via the “Citizens’ Rights Directive” 2009/136/EC) introduced the explicit cookie consent requirement that we know today.
The Directive covers:
- Cookies and tracking
- Traffic and location data
- Unsolicited communications
- Security of communications networks
- Confidentiality of communications
Article 5(3) – the cookie rule explained
Article 5(3) says that storing information on, or accessing information from, a user’s “terminal equipment” is only permitted when the user has given consent, or when the storage/access is strictly necessary for the delivery of a service explicitly requested by the user.
So, in plain English:
- “Terminal equipment”: the user’s device – their browser, phone, or computer.
- “Storing or accessing information”: this covers setting cookies, reading cookies, using the local storage API, device fingerprinting, and tracking pixels that read browser properties. The rule is about the device, not the technology, so it applies whether or not a cookie is involved and whether or not the information is personal data.
- “Consent”: freely given, specific, informed, unambiguous, and active – the same standard as GDPR.
- “Strictly necessary”: cookies that are genuinely essential to deliver what the user is actively requesting – for example, the session cookie that keeps a user logged in.
What counts as “strictly necessary”?
The “strictly necessary” exemption is the most frequently misunderstood (or misused) part of the Directive. Here’s the simple test: if the user requests a service (adding items to a basket), are any cookies essential to deliver that service? And which ones?
- Yes – strictly necessary: session cookies, login authentication cookies, and shopping basket cookies might all be needed so a user can add items to their basket and check out.
- No – not strictly necessary: analytics cookies (Google Analytics, Adobe Analytics), social media cookies, advertising and retargeting cookies. If these didn’t exist, the user would still be able to do their shopping. So, they’re not strictly necessary.
The fact that analytics are important to your business doesn’t make them necessary to the user. The test is about the user’s experience, not your business interests.
→ Full breakdown of cookie categories and which need consent.
Why do different countries have different cookie rules?
Here’s the key structural point: ePrivacy is a Directive, not a Regulation. Under EU law, a Directive sets binding objectives for member states but allows each country to choose how to implement them in their own national legislation.
The result: 27 different national implementations of broadly the same rules. They share the same core principles – consent is required for non-essential cookies – but differ in specifics. Imagine you gave 27 different people a box of eggs and asked them to make an omelette. The ingredients are the same, and the objective is the same, but the end results will be slightly different.
This is why a single cookie banner might need to accommodate different rules depending on where your visitors are located.
→ See how each country implements ePrivacy differently.
We almost had a regulation
In January 2017, the European Commission proposed replacing the Directive with a Regulation – which would, like GDPR, apply uniformly across all EU countries without national implementation. The ePrivacy Regulation has been in legislative limbo ever since.
Key sticking points in the negotiations included:
- The scope of “electronic communications”.
- Browser-based consent mechanisms (would browsers themselves handle consent, removing the need for per-site banners?).
- Rules for business-to-business marketing.
- Enforcement and supervisory authority jurisdiction.
As of 2026, the ePrivacy Regulation remains unfinished. The EU’s Digital Omnibus Package, proposed in 2025, contains some adjustments to the ePrivacy framework – including potential simplification of cookie consent for privacy-preserving analytics tools. These are proposals, not law; until they are adopted, Article 5(3) as transposed in each member state still applies.
Practical implications for your website
Here’s what the Directive means in concrete terms for your website:
- You need a cookie consent banner that appears before non-essential cookies are set.
- The banner must offer a genuine choice – real acceptance and real rejection options.
- Non-essential scripts (analytics, advertising, social embeds) must be blocked until consent is given – not loaded first and “opted out” afterwards.
- Consent must be actively given – scrolling, continued browsing, or a pre-ticked box are not valid.
- Users must be able to change their choice at any time – a “manage cookies” link somewhere accessible.
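The five points above map onto a small amount of front-end logic. The following is an added example written for this article, not code from the page or from any consent-management product: non-essential script tags are shipped inert (`type="text/plain"` with a `data-consent` attribute, both conventions assumed for this example) and are only swapped for live `<script>` tags once a valid record exists; `recordConsent` refuses to create a record from anything other than an explicit click; `withdrawConsent` implements the “manage cookies” path; and the record is stored in a first-party cookie whose name, `cookie_consent`, is likewise an assumption.

```javascript
// Added example, not code from the page. A minimal consent gate that applies the
// rules listed above: nothing non-essential runs before a decision, "necessary" is
// always allowed, only an explicit user action creates consent, and consent can be
// withdrawn. Names (recordConsent, mayRun, the data-consent attribute, the
// cookie_consent cookie) are assumptions chosen for this example.

const CATEGORIES = ["necessary", "analytics", "marketing"];
const EXPLICIT_ACTIONS = ["accept_all", "reject_all", "save_preferences"];

// Build a consent record from an explicit user action. Anything that is not a
// deliberate click (scroll, continued browsing, a pre-ticked default) is rejected,
// because a record created that way would not be valid consent under Article 5(3).
function recordConsent(choices, action, now = Date.now()) {
  if (!EXPLICIT_ACTIONS.includes(action)) {
    throw new Error(`not a valid consent action: ${action}`);
  }
  const record = { necessary: true, action, timestamp: now };
  for (const category of CATEGORIES) {
    if (category === "necessary") continue;
    if (action === "accept_all") record[category] = true;
    else if (action === "reject_all") record[category] = false;
    else record[category] = choices[category] === true; // unticked unless the user ticked it
  }
  return record;
}

// Withdrawal: keep only the strictly necessary category. Scripts that already ran
// cannot be un-run, so a real site should also delete the cookies those scripts set
// and reload the page after calling this.
function withdrawConsent(now = Date.now()) {
  return recordConsent({}, "reject_all", now);
}

// The gating decision. With no record at all (first visit, banner still open)
// every non-essential category is blocked; "necessary" never needs consent.
function mayRun(category, record) {
  if (category === "necessary") return true;
  if (!record) return false;
  return record[category] === true;
}

// Decide which gated scripts may load. `scripts` is a list of { category, src }
// descriptors; returns the src values that are allowed under `record`.
function planActivation(scripts, record) {
  return scripts.filter((s) => mayRun(s.category, record)).map((s) => s.src);
}

// Browser wiring (skipped when there is no DOM). Tags are shipped inert as
// <script type="text/plain" data-consent="analytics" src="..."></script>, which the
// browser does not execute; on consent each one is swapped for a real script tag.
function activateGatedScripts(record) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  for (const inert of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayRun(inert.dataset.consent, record)) continue;
    const live = document.createElement("script");
    if (inert.src) live.src = inert.src;
    else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Persist the record in a first-party cookie (name is an assumption) so the choice
// survives navigation. This cookie records the user's choice, so it is itself
// strictly necessary and needs no consent of its own.
function consentCookie(record, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Parse the record back out of a Cookie header / document.cookie string. A record
// that does not carry one of the explicit actions is treated as no consent.
function readConsentCookie(cookieHeader) {
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || "");
  if (!match) return null;
  try {
    const record = JSON.parse(decodeURIComponent(match[1]));
    return EXPLICIT_ACTIONS.includes(record.action) ? record : null;
  } catch {
    return null;
  }
}
```

On page load the flow is `readConsentCookie(document.cookie)` followed by `activateGatedScripts(record)`; with a `null` record only the `necessary` tags are activated and the banner is shown. The banner’s buttons call `recordConsent` with `accept_all`, `reject_all` or `save_preferences`, write `consentCookie(record)` to `document.cookie`, and then call `activateGatedScripts` again. The “manage cookies” link calls `withdrawConsent`, rewrites the cookie, and reloads.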