Last reviewed: 2026-05-04 · Reviewer: M.K., CIPP/E
ePrivacy Directive

Regulators: National DPAs and electronic-communications regulators

REGULATION · EU DIRECTIVE · IN FORCE SINCE 2002

ePrivacy Directive 2002/58/EC (as amended by Directive 2009/136/EC)

The EU's baseline privacy law since May 2018. Defines six lawful bases, eight data-subject rights, and fines up to 4% of global annual turnover.

Official text: EUR-Lex · Reviewed 2026-05-05

Scope and territorial reach

Where it applies — 20 jurisdictions


Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Confidentiality of communications (Art 5(1))

     Listening, tapping, storage or other kinds of interception or surveillance of communications and related traffic data is prohibited without the consent of the users concerned, except when legally authorised.

  2. Cookie / terminal-equipment consent (Art 5(3))

     Storing information, or accessing information already stored, on a user's terminal equipment requires prior informed consent — except when strictly necessary to deliver an explicitly-requested service or to carry out the transmission of a communication.

  3. Traffic-data minimisation (Art 6)

     Traffic data must be erased or anonymised when no longer needed for transmission, except for billing and interconnection purposes (limited retention) or with consent for value-added services.

  4. Location-data restrictions (Art 9)

     Location data other than traffic data may only be processed when anonymised, or with consent, to the extent and for the duration necessary for the value-added service. Users must be able to withdraw consent or temporarily refuse processing per session.

  5. Unsolicited communications / direct marketing (Art 13)

     Automated calling systems, fax, email and SMS for direct marketing require prior opt-in consent. Soft opt-in is permitted for similar products to existing customers, with an opt-out in every message.

  6. Caller-ID and itemised billing (Art 7-8)

     Subscribers have the right to receive non-itemised bills and to suppress presentation of calling-line identification per call and per line, free of charge.

  7. Security of electronic-communications services (Art 4)

     Providers must take appropriate technical and organisational measures to safeguard service security, and must notify subscribers (and the competent authority) of personal-data breaches without undue delay.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

  1. Strictly-necessary (technical) exemption (Art 5(3), 1st exemption)

     Storage/access is technically required to carry out the transmission of a communication over an electronic-communications network.

     Common for: load balancers, network routing, anti-CSRF tokens

  2. Service explicitly requested by the user (Art 5(3), 2nd exemption)

     Storage/access is strictly necessary to provide an information-society service that the subscriber or user has explicitly requested.

     Common for: login session cookies, shopping-cart cookies, language preference, security cookies

  3. Prior informed consent (Art 5(3), main rule)

     The user is given clear and comprehensive information and gives a freely-given, specific, informed and unambiguous indication of agreement (GDPR-grade consent — EDPB Guidelines 05/2020).

     Common for: analytics, advertising, social plugins, A/B testing, fingerprinting, session replay

  4. Soft opt-in (existing-customer marketing) (Art 13(2))

     Email/SMS to an existing customer about similar products, where the address was obtained in the course of a sale and an opt-out was offered at collection and in every subsequent message.

     Common for: customer newsletters about similar products, transactional upsell emails

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Right · Article · Scope · Response

  1. Right to refuse cookies / terminal-equipment access (Art 5(3))
     Scope: Right to refuse storage of, or access to, information on terminal equipment via clear and prominent means before any non-essential cookie is set.
     Response: No fixed response window — refusal must be honoured immediately.

  2. Right to opt out of unsolicited marketing (Art 13)
     Scope: Right not to receive direct-marketing communications without prior consent (or after withdrawing soft opt-in).
     Response: Every message must include a free opt-out mechanism that takes effect immediately.

  3. Right to non-itemised billing (Art 7)
     Scope: Subscribers have the right to receive bills that do not list itemised calls. Member States may provide alternatives (e.g. last digits suppressed).

  4. Right to suppress caller-ID (Art 8)
     Scope: The calling user can suppress presentation of calling-line identification on a per-call basis; the subscriber can do so on a per-line basis.
     Response: Free of charge.

  5. Right to control directory listing (Art 12)
     Scope: Subscribers must be informed of directory purposes before inclusion and may verify, correct or withdraw their data from public directories.
     Response: Free of charge.

Fines & enforcement

Maximum administrative penalty: €20.0M or 4% of global annual turnover (Art 83(5)). Tiered structure: Art 83(4) = 2% / €10M for procedural failures.

  1. 2022-01 · €150M · Google LLC + Google Ireland · CNIL (FR) · Art 82 LIL (Art 5(3))

     google.fr and youtube.com banners did not provide a refusal mechanism as simple as acceptance. €90M Google LLC + €60M Google Ireland.

  2. 2020-12 · €100M · Google LLC + Google Ireland · CNIL (FR) · Art 82 LIL (Art 5(3))

     Cookies deposited on google.fr without prior consent, no information, no opt-out mechanism. Largest cookie fine in EU history at the time.

  3. 2022-01 · €60M · Facebook Ireland (Meta) · CNIL (FR) · Art 82 LIL (Art 5(3))

     facebook.com cookie banner did not allow refusal of cookies as easily as acceptance — 'reject all' equivalent missing.

  4. 2023-06 · €40M · Criteo · CNIL (FR) · GDPR Art 7/12/13/15/17 + Art 82 LIL

     Behavioural-advertising consent not demonstrably valid across publisher network; transparency and DSR failures. Cookie/Art 5(3) component significant.

  5. 2020-12 · €35M · Amazon Europe Core · CNIL (FR) · Art 82 LIL (Art 5(3))

     Advertising cookies set on amazon.fr without consent and without sufficient information. Confirmed by Conseil d'État June 2022.

  6. 2023-12 · €10M · Yahoo EMEA · CNIL (FR) · Art 82 LIL (Art 5(3))

     yahoo.com cookies deposited on user terminals without consent, and the AOL Mail withdraw-consent mechanism penalised users (loss of mailbox access).

  7. 2023-01 · €5M · TikTok UK + TikTok Ireland · CNIL (FR) · Art 82 LIL (Art 5(3))

     tiktok.com banner did not allow refusal of cookies as easily as acceptance and provided incomplete information about cookie purposes.

  8. 2024-09 · €5M · Cdiscount · CNIL (FR) · Art 82 LIL (Art 5(3))

     Cookie consent banner used dark patterns and pre-ticked checkboxes; refusal required more clicks than acceptance.

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National add-ons

GDPR is a Regulation — directly applicable, no transposition required. But Member States layer additional rules on top via national acts.

Country · National act · Stricter than GDPR baseline? · Note

🇩🇪 Germany (DE) — TDDDG (formerly TTDSG) — Stricter
  TTDSG renamed TDDDG on 14 May 2024 (Digitale-Dienste-Gesetz package). §25 TDDDG transposes Art 5(3) — strict prior-consent rule, no legitimate-interest workaround for cookies. DSK guidance treats Consent Mode 'cookieless pings' as terminal-equipment access.

🇫🇷 France (FR) — Loi Informatique et Libertés Art 82 — Stricter
  CNIL is the most active cookie regulator in the EU. 2019 + 2020 cookie guidelines mandate an equally-easy 'Reject all' button. Major fines: Google €100M (Dec 2020), Amazon €35M (Dec 2020), Facebook €60M (Jan 2022), TikTok €5M (Jan 2023), Yahoo €10M (Dec 2023).

🇬🇧 United Kingdom (UK) — PECR 2003 (Privacy and Electronic Communications Regulations) — Aligned
  Post-Brexit divergence: UK GDPR + PECR retained, but the Data (Use and Access) Act 2025 introduced limited cookie exemptions for low-risk analytics. ICO position remains pragmatic but enforcement is increasing on cookie banners (2023 strategy).

🇮🇹 Italy (IT) — Codice Privacy Art 122 (D.lgs 196/2003) — Stricter
  Garante 2021 cookie guidelines mandate granular consent and prohibit cookie walls (with limited exceptions) and scroll-as-consent. Active enforcement against analytics tools and adtech.

🇪🇸 Spain (ES) — LSSI-CE Art 22.2 (Ley 34/2002) — Aligned
  AEPD published Guía sobre el uso de las cookies (latest revision Jan 2024) — aligned with EDPB. Cookie walls permitted only with genuine alternative access. Enforcement focuses on banner clarity.

🇳🇱 Netherlands (NL) — Telecommunicatiewet Art 11.7a — Stricter
  Dutch implementation explicitly bans cookie walls (AP guidance 2019). Analytics cookies that are 'privacy-friendly' (configured per AP manual) may run without consent — narrow analytics exemption.

🇧🇪 Belgium (BE) — Loi du 13 juin 2005 sur les communications électroniques Art 129 — Stricter
  APD/GBA issued the landmark IAB Europe TCF decision (2 Feb 2022, ruling 21/2022) finding the IAB Europe Transparency & Consent Framework non-compliant. Confirmed in CJEU C-604/22 (7 March 2024) on the TC String as personal data.

🇦🇹 Austria (AT) — TKG 2021 §165 (replaced TKG 2003 in Nov 2021) — Stricter
  DSB has ruled GA pre-DPF unlawful (Dec 2021 decision D155.027). Cookie rules align with §165 TKG 2021 — full opt-in, equally-prominent reject button required (DSB 2022 guidance).

🇩🇰 Denmark (DK) — Cookiebekendtgørelsen (Executive Order on Cookies, BEK nr 1148 of 9/12/2011) — Aligned
  Datatilsynet 2020 guidance: opt-in required, withdrawal must be as easy as consent. Pragmatic enforcement, focus on clarity and granularity.

🇮🇪 Ireland (IE) — S.I. No. 336/2011 (ePrivacy Regulations) — Aligned
  DPC 2020 cookie sweep + 2022 guidance: implied consent invalid, pre-checked boxes invalid, 'continue browsing = consent' invalid. Lead DPA for many US adtech vendors.

🇵🇹 Portugal (PT) — Lei n.º 41/2004 — Aligned
  CNPD aligned with EDPB baseline; less active on cookie enforcement than CNIL/Garante.


Common questions

What's the difference between ePrivacy and GDPR?
GDPR (Regulation EU 2016/679) governs the processing of personal data in general. The ePrivacy Directive (2002/58/EC) is lex specialis for the electronic-communications sector and for terminal-equipment access (cookies, fingerprints, SDKs) — it applies regardless of whether the information is personal data. A typical advertising cookie triggers both: ePrivacy Art 5(3) for setting/reading the cookie, GDPR for the subsequent processing. The CJEU confirmed in Planet49 (C-673/17, October 2019) that ePrivacy consent must meet the GDPR consent standard.
Do I need a cookie banner under ePrivacy?
If your site sets or reads any non-essential cookie, pixel, fingerprint or local-storage item, yes — Art 5(3) requires prior informed consent, which in practice means a banner or CMP. You do not need a banner if the only storage you use is strictly necessary (session, CSRF, load balancer, language, shopping cart, login). 'Strictly necessary' is interpreted narrowly by EDPB and most DPAs — analytics is not strictly necessary.
Is ePrivacy a directive or a regulation?
It is a directive — Directive 2002/58/EC, amended by Directive 2009/136/EC (the 'cookie directive'). Each Member State transposes it into national law (TDDDG in Germany, Art 82 LIL in France, Art 122 Codice Privacy in Italy, LSSI in Spain, PECR in the UK). National variations matter: Germany's TDDDG and Italy's Codice are stricter than the directive baseline.
What is the ePrivacy Regulation status?
The proposed ePrivacy Regulation (intended to replace the 2002 Directive and align with GDPR) has been stuck in the EU legislative pipeline since 2017. The Council reached a general approach in February 2021, but trilogue negotiations stalled and the file remains pending as of May 2026. The Commission's 2025 work programme did not announce withdrawal but no progress is expected in the current mandate. Until adoption, the 2002 Directive plus national transpositions remain authoritative.
Strictly-necessary cookies — what's allowed?
Per Art 5(3) and EDPB Opinion 04/2012 (still cited): cookies for user-input persistence (form fields, shopping cart), authentication sessions, security (CSRF, fraud detection), load balancing, multimedia player session state, UI customisation chosen by the user (language, font size), and social-plugin content sharing for logged-in users. Analytics, advertising, A/B testing, fingerprinting and most third-party cookies are NOT strictly necessary.
Can I rely on legitimate interest for cookies under ePrivacy?
No. Art 5(3) of the ePrivacy Directive requires consent and offers only two narrow exemptions (transmission necessary; service explicitly requested). Legitimate interest is a GDPR Art 6(1)(f) lawful basis for the subsequent processing of personal data — but it cannot replace the ePrivacy consent gate for setting/reading the cookie itself. This is settled doctrine across CNIL, Garante, AEPD, ICO, DSK and the EDPB.
ePrivacy and Consent Mode v2 — compatible?
Consent Mode v2 is Google's signalling mechanism; it does not replace consent. You must still obtain Art 5(3) consent before any non-essential storage or pings. If the user denies consent, Consent Mode v2 sends 'cookieless pings' (anonymised model signals) — but several DPAs (DSK Germany, CNIL signals 2024) treat these pings themselves as terminal-equipment access requiring consent, because they read the user agent and timing data to send a request. The conservative reading: do not fire Consent Mode v2 pings at all without consent.
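The three answers above (banner requirement, no legitimate-interest workaround, and the conservative reading of Consent Mode pings) reduce to one implementation rule for a first-party script: strictly-necessary storage may run at once, and every other cookie write or outbound beacon must wait for an explicit accept, be dropped on reject, and be reverted on withdrawal. The following consent gate is an added example written for this page, not code from the page or from any CMP vendor; the purpose names, method names, in-memory storage and transport stand-ins, and the queue design are all this example's own assumptions.

```javascript
// Added example (not the page's own code): a consent gate that enforces the
// Art 5(3) rule in a first-party script. Purposes listed as strictly necessary
// run immediately; anything else is queued until an explicit accept, dropped on
// reject, and reverted on withdrawal. Storage and transport are injected so the
// module runs under Node with no DOM. Purpose names are assumptions.

const STRICTLY_NECESSARY = new Set([
  "session", "csrf", "load_balancer", "cart", "language", "auth",
]);

class ConsentGate {
  constructor({ storage, transport }) {
    this.storage = storage;     // { set(name, value), remove(name), names() }
    this.transport = transport; // { send(url, payload) }
    this.state = "pending";     // "pending" | "granted" | "refused"
    this.queued = [];           // non-essential ops awaiting a decision
    this.nonEssentialCookies = new Set(); // written under consent; removed on withdrawal
    this.audit = [];            // what executed, was queued, or was blocked
  }

  // Cookie write; `purpose` is the processing purpose, not the cookie name.
  setCookie(name, value, purpose) {
    return this.dispatch({ kind: "cookie", name, value, purpose });
  }

  // Outbound beacon (analytics hit, consent-mode ping, pixel). Gated exactly
  // like storage: a request carrying user-agent and timing data is treated as
  // terminal-equipment access, the conservative reading described above.
  sendPing(url, payload, purpose) {
    return this.dispatch({ kind: "ping", url, payload, purpose });
  }

  dispatch(op) {
    if (STRICTLY_NECESSARY.has(op.purpose) || this.state === "granted") {
      this.execute(op);
      return "executed";
    }
    if (this.state === "refused") {
      this.audit.push({ op, outcome: "blocked" });
      return "blocked";
    }
    this.queued.push(op);
    this.audit.push({ op, outcome: "queued" });
    return "queued";
  }

  execute(op) {
    if (op.kind === "cookie") {
      this.storage.set(op.name, op.value);
      if (!STRICTLY_NECESSARY.has(op.purpose)) this.nonEssentialCookies.add(op.name);
    } else {
      this.transport.send(op.url, op.payload);
    }
    this.audit.push({ op, outcome: "executed" });
  }

  // accept() and reject() are each a single call: refusal must be as easy as
  // acceptance, the point behind the CNIL banner fines listed on this page.
  accept() {
    this.state = "granted";
    const pending = this.queued;
    this.queued = [];
    pending.forEach((op) => this.execute(op));
  }

  reject() {
    this.state = "refused";
    this.queued.forEach((op) => this.audit.push({ op, outcome: "blocked" }));
    this.queued = [];
  }

  // Withdrawal takes effect immediately: block future non-essential ops and
  // remove the cookies that the earlier consent allowed.
  withdraw() {
    this.reject();
    this.nonEssentialCookies.forEach((name) => this.storage.remove(name));
    this.nonEssentialCookies.clear();
  }
}

// In-memory stand-ins for document.cookie and navigator.sendBeacon so the
// example runs offline; a browser build would supply real adapters.
function memoryStorage() {
  const jar = new Map();
  return { set: (n, v) => jar.set(n, v), remove: (n) => jar.delete(n), names: () => [...jar.keys()] };
}
function memoryTransport() {
  const sent = [];
  return { send: (url, payload) => sent.push({ url, payload }), sent };
}

// Walk one page load through pending -> granted -> withdrawn and report what
// was stored and sent at each step. Cookie names and URL are constructed.
function demo() {
  const storage = memoryStorage();
  const transport = memoryTransport();
  const gate = new ConsentGate({ storage, transport });
  const before = {
    sessionResult: gate.setCookie("sid", "abc", "session"),
    analyticsResult: gate.setCookie("_ga", "GA1.1", "analytics"),
    pingResult: gate.sendPing("https://example.invalid/collect", { ua: "constructed-ua" }, "analytics"),
    stored: storage.names(), sent: transport.sent.length,
  };
  gate.accept();
  const afterAccept = { stored: storage.names(), sent: transport.sent.length };
  gate.withdraw();
  const afterWithdraw = { stored: storage.names(), adResult: gate.setCookie("ads_id", "x", "advertising") };
  return { before, afterAccept, afterWithdraw };
}
```

Running `demo()` shows the session cookie written before any decision, the analytics cookie and ping held back until `accept()`, and both the withdrawal removing the analytics cookie and a later advertising write being blocked. The `audit` array is the evidence a DPA asks for when it checks that nothing non-essential ran before consent.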
ePrivacy Brexit — what about the UK?
The UK retained the directive's transposition as the Privacy and Electronic Communications Regulations 2003 (PECR) and added UK GDPR. The Data (Use and Access) Act 2025 introduced narrow exemptions for low-risk first-party analytics cookies, diverging slightly from the EU baseline. The ICO continues to enforce PECR; large fines remain possible (PECR caps at £500K for marketing violations under DPA 1998 framework). UK-targeting sites must comply with PECR even if EU-based.
What's a 'cookie wall'?
A 'cookie wall' (or 'tracking wall') blocks access to a site unless the user accepts non-essential cookies. EDPB Guidelines 05/2020 ruled cookie walls invalidate consent (consent is not 'freely given'). Several Member States (Netherlands, Austria) ban them outright. Pay-or-okay variants — accept tracking OR pay a subscription — were addressed by EDPB Opinion 08/2024: permissible only where the paid alternative is genuinely equivalent and the price is not prohibitive. Active enforcement area in 2025.
Does ePrivacy apply to non-EU sites?
Art 5(3) applies to anyone storing/accessing information on terminal equipment located in the EU/EEA, regardless of where the operator is established. A US e-commerce site with EU visitors triggers Art 5(3) the moment it sets a non-essential cookie on an EU user's browser. National implementations (TDDDG, Art 82 LIL, Codice Privacy) generally follow the same territorial logic — the equipment, not the company, defines scope. Schrems II / DPF transfer issues are a separate, additional GDPR layer.