You’ve probably heard of GDPR. But there’s another EU privacy law that directly affects your website – and it’s the one most responsible for the cookie banners that have become ubiquitous across the web.
ePrivacy is the EU Directive that covers cookies, tracking, and electronic marketing. It works alongside GDPR – you need both, but they cover different things.
The ePrivacy Directive – sometimes called “the cookie law” – has been around since 2002 and updated in 2009. It’s often overshadowed by GDPR, but for practical website compliance purposes, ePrivacy is just as important. In some ways, it’s more immediately visible to your visitors.
What is the ePrivacy Directive?
The ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) is an EU Directive covering the privacy of electronic communications. Its full title is the “Directive on Privacy and Electronic Communications” – but nobody calls it that.
It covers three main areas:
- Cookies and tracking technology: setting cookies or accessing any information stored on a user’s device requires either consent (for non-essential cookies) or strict necessity
- Electronic marketing: email, SMS, direct messages, push notifications to individuals
- Confidentiality of communications: the privacy of electronic messages and traffic data
ePrivacy vs GDPR – what’s the difference?
People often conflate ePrivacy and GDPR, or assume one replaces the other. They don’t – they work together, covering different things.
| | GDPR | ePrivacy Directive |
|---|---|---|
| Covers | All personal data processing | Cookies, electronic marketing, communications |
| Legal instrument | Regulation (same in all EU countries) | Directive (each country implements its own version) |
| Came into force | 2018 | 2003, updated 2011 |
| Cookie consent requirement | No specific rule on cookies | Yes – consent required for non-essential cookies |
| Legal basis options | 6 legal bases (consent, contract, etc.) | Consent is the primary mechanism |
Importantly: ePrivacy is lex specialis to GDPR – meaning where ePrivacy has a specific rule, it takes precedence over GDPR’s general rules. The cookie consent requirement comes from ePrivacy, not GDPR. But ePrivacy borrows GDPR’s definition of what valid consent looks like.
The cookie rule
ePrivacy Article 5(3) says that storing or accessing information on a user’s terminal device (their browser, phone, computer) is only allowed if:
- The user has given consent, or
- The cookie is strictly necessary for a service explicitly requested by the user
That covers cookies, but also local storage, fingerprinting, tracking pixels – any technology that accesses or stores information on a user’s device.
Strictly necessary has a narrow definition. It means cookies that are essential to deliver what the user is actively requesting: session cookies for logging in, shopping basket cookies, load balancing cookies to make sure you can book your concert tickets the moment they’re released. It does not cover analytics, marketing, or A/B testing cookies – you might deem them essential, but they are definitely not essential to the user.
→ See the full breakdown of which cookie categories need consent.
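As an added example (not code from the original page), here is a small consent gate in JavaScript that enforces the Article 5(3) split client-side: only writes tagged as strictly necessary reach storage before the visitor has chosen, while analytics and marketing writes are held back until consent is recorded and dropped on refusal. The `ConsentGate` class, the `Map` standing in for `document.cookie`/`localStorage`, and the cookie names are assumptions for illustration.

```javascript
// Hypothetical consent gate: nothing except strictly necessary storage is
// written until the visitor has made a choice for that category.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

class ConsentGate {
  // `sink` stands in for document.cookie / localStorage so the logic can run
  // outside a browser (a Map is used in the demo below).
  constructor(sink) {
    this.sink = sink;
    this.consent = null;   // null = the visitor has not chosen yet
    this.pending = [];     // non-essential writes waiting on a decision
  }

  // Record the visitor's choice. Any category not listed is treated as
  // refused; "necessary" is always allowed because it needs no consent.
  decide(allowed) {
    this.consent = {};
    for (const c of CATEGORIES) {
      this.consent[c] = c === 'necessary' || allowed.includes(c);
    }
    // Replay held writes for categories that were just consented to;
    // everything else is discarded rather than stored.
    for (const w of this.pending) {
      if (this.consent[w.category]) this.sink.set(w.name, w.value);
    }
    this.pending = [];
  }

  // Request a write. Returns true if stored now, false if held or dropped.
  write(name, value, category) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
    if (category === 'necessary' || (this.consent && this.consent[category])) {
      this.sink.set(name, value);
      return true;
    }
    if (this.consent === null) this.pending.push({ name, value, category });
    return false;   // refused after a decision: silently dropped
  }
}

// Demo: one page load with three writes, then the banner decision.
// Returns the sorted names that actually reached storage (constructed data).
function demoSession(choice) {
  const sink = new Map();
  const gate = new ConsentGate(sink);
  gate.write('session_id', 'abc123', 'necessary');  // login session: stored at once
  gate.write('analytics_id', 'a-42', 'analytics');  // held until the visitor decides
  gate.write('ad_id', 'm-7', 'marketing');          // held until the visitor decides
  gate.decide(choice);
  return [...sink.keys()].sort();
}
```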
The electronic marketing rule
ePrivacy also governs direct marketing by electronic means. The headline rule: you need prior consent before sending unsolicited marketing emails, SMS, or other electronic messages.
There’s one exception – the “soft opt-in” – for existing customers: if someone has bought something from you, you can send them marketing about similar products using a single opt-out mechanism, provided you gave them the opportunity to refuse when they first bought.
“Similar products” is narrower than it sounds. A customer who bought running shoes from a sports retailer can reasonably receive emails about other running gear – not about holidays, financial services, or anything outside the scope of what they bought.
Why national laws vary
Because ePrivacy is a Directive, each EU country writes its own national law to implement it. The core principles are the same – but the details differ. France requires that “Reject” and “Accept” buttons are equally prominent. Germany’s TDDDG has specific provisions for certain types of tracking. Italy takes a strict approach to cookie walls.
If your website operates across multiple EU markets, you need to understand the strictest standards that apply to you – because your banner needs to comply in Germany just as much as it does in Ireland.
→ See how ePrivacy is implemented country by country.
What about the ePrivacy Regulation?
You may have heard that the ePrivacy Directive is being replaced by an ePrivacy Regulation. It’s not law yet – and it’s been “coming soon” since 2017.
The regulation was proposed in January 2017, entered years of difficult negotiations, and has been through multiple revised drafts. As of 2026, it remains stuck in the EU legislative process. More recently, the EU’s Digital Omnibus Package has proposed some changes to the ePrivacy framework – but again, these are proposals, not law.
For now: the current ePrivacy Directive (as implemented in your target markets) is the law you need to follow. We’ll update this page when anything changes.