GDPR vs ePrivacy Directive: How They Work Together

The GDPR and the ePrivacy Directive are complementary EU laws that work together to protect privacy. The GDPR provides the broad framework for personal data protection, while the ePrivacy Directive specifically covers electronic communications, cookies, and direct marketing. The ePrivacy Directive is often called the 'cookie law' and is implemented through national legislation in each EU member state.

| Feature | GDPR | ePrivacy |
|---|---|---|
| Geographic Scope | EU/EEA: broad personal data protection across all sectors | EU/EEA: specific to electronic communications, cookies, and direct marketing |
| Who It Applies To | Any organization processing personal data of EU residents | Providers of electronic communication services and any website using cookies/tracking |
| Consent Requirements | Opt-in consent as one of six legal bases for processing | Strict opt-in consent required for non-essential cookies and direct marketing |
| Cookie & Tracking Rules | General data processing rules apply to data collected via cookies | Specific prior consent required before placing non-essential cookies on user devices |
| Individual Rights | Access, rectification, erasure, portability, restriction, objection | Right to confidentiality of communications, right to refuse direct marketing |
| Maximum Penalties | Up to EUR 20 million or 4% of annual global turnover | Set by national legislation implementing the Directive; varies by member state |
| Enforcement Body | National Data Protection Authorities | National authorities (often the same DPAs, but implementation varies by country) |

Key Differences

The ePrivacy Directive is a sector-specific law that takes precedence over the GDPR for matters relating to electronic communications. Where the ePrivacy Directive has specific rules (such as for cookies), those rules apply instead of the general GDPR provisions. However, where the ePrivacy Directive is silent, the GDPR fills in the gaps.

For cookies and similar tracking technologies, the ePrivacy Directive requires prior informed consent before storing or accessing information on a user's device, with narrow exceptions for strictly necessary cookies. The GDPR then governs how the personal data collected through those cookies is processed. This means websites need both a valid cookie consent mechanism (ePrivacy) and a lawful basis for processing the data collected (GDPR).

The ePrivacy Directive also covers confidentiality of electronic communications, traffic data, location data, and unsolicited marketing communications. These areas receive specific protections beyond what the GDPR provides. A proposed ePrivacy Regulation has been in negotiation since 2017 and would replace the Directive with directly applicable rules across the EU, but it has not yet been adopted.

How Pryvii Helps

Pryvii checks your website against both the GDPR and ePrivacy requirements. It specifically tests whether your cookie consent mechanism meets ePrivacy standards by verifying that non-essential cookies are blocked before consent, that the banner provides clear information, and that consent is freely given. It also checks that the underlying data processing complies with GDPR.

Frequently Asked Questions

Do I need to comply with both the GDPR and the ePrivacy Directive?

Yes. If your website uses cookies or tracking technologies and is accessible to EU users, both laws apply. The ePrivacy Directive governs whether you can place cookies (requiring prior consent for non-essential ones), while the GDPR governs how you process the personal data collected through those cookies.

Which law takes priority for cookie consent?

The ePrivacy Directive takes precedence as the more specific law (lex specialis) for matters relating to cookies and electronic communications. Its consent requirements for cookies apply instead of the general GDPR consent provisions. However, the GDPR's definition of consent and its standards for valid consent inform how ePrivacy consent should be obtained.

What will happen when the ePrivacy Regulation replaces the Directive?

The proposed ePrivacy Regulation would replace the Directive with directly applicable rules across all EU member states, eliminating differences in national implementation. It is expected to align more closely with the GDPR's enforcement regime and may update rules around cookie walls and consent management. However, negotiations have been ongoing since 2017 and the final text is not yet adopted.
