ePrivacy Directive

The ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) is an EU directive that specifically addresses privacy in electronic communications. Unlike the GDPR, which is a regulation directly applicable in all EU member states, the ePrivacy Directive must be transposed into national law by each country, leading to some variation in implementation. Article 5(3) of the directive is the legal basis for cookie consent requirements, mandating that storing or accessing information on a user’s device requires prior informed consent, except for cookies that are strictly necessary for providing a service explicitly requested by the user.

The ePrivacy Directive works alongside the GDPR — the directive handles the specific rules about cookies and electronic communications, while the GDPR provides the general framework for consent and personal data processing. A proposed ePrivacy Regulation has been under negotiation for years and would replace the directive with a directly applicable regulation, potentially strengthening requirements. Until the new regulation is adopted, the current directive remains in force, and its cookie consent requirements are enforced by national authorities across the EU.