Directive 2002/58/EC concerning privacy and electronic communications (Cookie Directive)
The ePrivacy Directive, also known as the 'cookie law', specifically regulates the use of cookies, tracking and electronic communications. Together with the GDPR, this directive forms the basis for cookie management and online privacy protection in Europe.
The ePrivacy Directive (officially Directive 2002/58/EC) is a European directive specifically aimed at protecting privacy in the electronic communications sector. The directive was revised in 2009 by Directive 2009/136/EC, which tightened the well-known cookie rules. Unlike the GDPR, which is a regulation and applies directly, the ePrivacy Directive has been transposed into national legislation by each EU member state. The directive requires websites to obtain prior consent before placing cookies or similar technologies on a user's device, with the exception of strictly necessary cookies. A new ePrivacy Regulation has been under negotiation for years as a successor.
All websites and web applications that use cookies or tracking technologies
Providers of electronic communication services (telecom, email, messaging)
Companies that conduct direct marketing via email, SMS or telephone
Organizations that process location data or traffic data of users
Advertising networks and ad-tech companies that deploy online tracking
Any party that stores information on or reads from the device of an end user
Before non-essential cookies or similar technologies (such as pixels, fingerprinting and local storage) are placed on a user's device, explicit prior consent must be obtained.
Users must receive clear and understandable information about which cookies are placed, what they are used for and how long they remain active, before giving consent.
Cookies that are strictly necessary for the functioning of the requested service (such as session cookies or shopping cart cookies) are exempt from the consent requirement.
Electronic direct marketing (email, SMS, automated calls) may only be sent to persons who have given prior consent, with the exception of existing customer relationships (soft opt-in).
Listening to, tapping, storing or otherwise intercepting electronic communications without the consent of the users involved is prohibited.
The penalties for violations of the ePrivacy Directive vary by EU member state, as each member state has transposed the directive into its own national legislation. In Belgium, the Data Protection Authority (GBA) can impose fines of up to 600,000 euros for violations of cookie legislation. In combination with the GDPR, additional fines of up to 20 million euros or 4% of global annual turnover may be imposed.
Consentr automates ePrivacy Directive compliance so you can focus on your business.
Consentr automatically scans your website and detects all cookies, pixels and tracking technologies, including those from third parties.
All detected cookies are automatically categorized into necessary, functional, analytical and marketing, in accordance with ePrivacy requirements.
Our cookie banner automatically blocks all non-essential cookies until the user actively gives consent, fully in line with the prior consent requirement.
Consentr automatically generates a comprehensive cookie policy with information about each cookie, its purpose, the provider and the retention period.
Visitors can choose per category which cookies they accept, meeting the requirement of specific and informed consent.
Consentr continuously monitors your website for new cookies or trackers and alerts you when changes are detected that require action.
The GDPR is a broad privacy law that governs all processing of personal data. The ePrivacy Directive is specifically aimed at electronic communications and cookies. They complement each other: the ePrivacy Directive determines when consent is needed for cookies, and the GDPR sets the requirements that consent must meet.
Only strictly necessary cookies are exempt. This includes cookies that are essential for the functioning of the service, such as session cookies, authentication cookies, shopping cart cookies and security cookies. Analytical cookies and marketing cookies always require consent.
The European Commission has proposed an ePrivacy Regulation to replace the current directive. Negotiations have been ongoing since 2017. When this regulation is adopted, it will apply directly in all EU member states without transposition into national legislation.
Yes, the ePrivacy Directive applies to all technologies that store information on or read from a user's device. This includes not only cookies in web browsers, but also SDKs, tracking pixels and device fingerprinting in mobile apps.