
If you’re just starting a website or business in the EU, you’ll need to understand what the ePrivacy Directive is, and how it interacts with the GDPR and your business. This article is a summary of the ePD, breaking down what it is, who it applies to, and how it affects cookies, consent banners, and online marketing in practical, business-friendly terms you’ll understand.

Read the full guide to GDPR compliance

Read our GDPR Checklist

What is the ePrivacy Directive?

The Directive on Privacy and Electronic Communications, more commonly known as the ePrivacy Directive or the cookie law, is an EU directive that aims to provide stronger protections against risks associated with modern technologies. It introduced clear consent requirements for service providers storing communications or related traffic data in their systems, or using software to store or track data on devices (such as cookies). It also set requirements for service providers aimed at protecting information confidentiality and reducing spam.

You can read the official text here.

Why is it called the ePrivacy “Directive” and not the ePrivacy “Regulation”?

In the EU, regulations are laws. They apply directly in all member states e.g. the GDPR. On the other hand, directives, as the name suggests, give directions for countries in the EU to introduce their own laws, e.g. the PECR. A directive provides a set of requirements that must be met, but gives each member state the freedom to create their own national laws to comply with this directive by a certain date.

Do I need to comply with the ePrivacy Directive?

Not technically, but if you’re operating an online business in the EU you will almost certainly have to meet its obligations. Because the ePrivacy Directive is not a regulation, you don’t comply with the Directive itself but with the national law each member state passed to implement it. That said, the ePrivacy Directive’s requirements are a good guide, because most national implementations are almost identical apart from enforcement and penalties.

The most important step in complying with the requirements of the ePD is acquiring valid user consent – you can do this with our Consent Management Platform.

Who does the ePrivacy directive apply to?

The ePrivacy Directive applies to providers of publicly available electronic communications services in the EU, and its cookie and direct-marketing rules apply to anyone who stores or reads information on a user’s device or sends electronic marketing. In practice this includes website operators using cookies or tracking technologies, businesses engaged in digital marketing, telecommunications companies, messaging service providers, internet access providers, and anyone sending direct marketing communications. Unlike the GDPR, the Directive contains no extraterritoriality clause of its own: how far a national implementation reaches services established outside that member state (for example a non-EU website setting cookies on EU visitors) depends on the national law and on its regulator’s enforcement practice, and several national authorities do apply their cookie rules to services offered to users in their territory.

What does the ePrivacy directive do?

The ePrivacy Directive required EU countries to introduce laws governing how websites and online services handle communications data and tracking. It is the reason websites use cookie banners to obtain consent for non-essential cookies and similar technologies. It also contributes to fewer unsolicited marketing messages and stronger confidentiality and security of electronic communications in the EU compared with many other regions.

Because of the ePD, anyone providing online services or communications services must:

  • Implement and keep up to date technical and organizational measures that keep their services secure and are appropriate to the level of risk.
  • Obtain freely given, specific, informed and unambiguous user consent, which the user can withdraw at any time, before:
    • Storing or accessing information on a device (e.g. cookies), unless it is strictly necessary to provide a service the user has explicitly requested, or is used solely to carry out the transmission of a communication.
    • Processing traffic data for anything other than transmitting the communication, billing or interconnection payments (e.g. for marketing or value-added services).
    • Processing location data other than traffic data, unless it has been anonymized.
  • Delete or anonymize traffic data once it is no longer needed for transmission, keeping only what is required for billing until the period for challenging the bill has expired.
  • Restrict access to, and processing of, traffic data to authorized staff, and only for purposes such as billing, customer enquiries, fraud detection, or marketing (with consent).
  • Offer subscribers the option of non-itemized bills, so that the numbers they called are not revealed.
  • Send direct marketing by automated calling machines, fax or email only with prior consent, with a limited “soft opt-in” allowance for marketing similar products or services to existing customers, who must be able to opt out free of charge at any time, including in every message.
  • Never disguise or conceal the sender’s identity in marketing messages, and always include a valid address to which the recipient can send an opt-out request.
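The consent requirement for storing or accessing information on a device is the one item in this list that website code has to enforce directly. The snippet below is an added example of how a consent gate can do that; it is not code from this page or from any Consent Management Platform. The category names, the in-memory cookie jar (used so the example runs in Node rather than a browser) and the simulated visit are all assumptions constructed for this example. The gate refuses to write any non-essential cookie until the user has opted into its category, and withdrawing consent purges what that category already stored, so withdrawal is as easy as giving consent.

```javascript
// Added example: a minimal consent gate for non-essential cookies.
// Not code from the original page or from any real consent platform;
// the category names and the in-memory cookie jar are assumptions for this example.

const ESSENTIAL = "essential"; // strictly necessary for the requested service: no consent needed

// In-memory cookie jar so the example runs outside a browser (constructed for this example).
// In a browser you would wrap document.cookie / localStorage writes behind the same gate.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, category }
  }
  set(name, value, category) {
    this.cookies.set(name, { value, category });
  }
  remove(name) {
    this.cookies.delete(name);
  }
  names() {
    return [...this.cookies.keys()];
  }
  byCategory(category) {
    return [...this.cookies]
      .filter(([, cookie]) => cookie.category === category)
      .map(([name]) => name);
  }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set([ESSENTIAL]); // default state: only strictly necessary storage allowed
    this.log = [];                        // record of consent decisions, kept as evidence of consent
  }

  grant(category) {
    if (category === ESSENTIAL) return;   // essential storage needs no consent, so nothing to record
    this.granted.add(category);
    this.log.push({ action: "grant", category });
  }

  // Withdrawal: drop the category and purge everything it already stored.
  revoke(category) {
    if (category === ESSENTIAL) return;
    this.granted.delete(category);
    this.log.push({ action: "revoke", category });
    for (const name of this.jar.byCategory(category)) this.jar.remove(name);
  }

  // The only write path: refuses storage for a category the user has not opted into.
  setCookie(name, value, category) {
    if (!this.granted.has(category)) return false;
    this.jar.set(name, value, category);
    return true;
  }
}

// A simulated visit (constructed input): an essential session cookie, analytics and advertising
// cookies attempted before and after consent, then withdrawal of the analytics consent.
function simulateVisit() {
  const jar = new CookieJar();
  const gate = new ConsentGate(jar);
  const result = {};

  result.sessionBefore = gate.setCookie("session_id", "abc123", ESSENTIAL);  // allowed without consent
  result.analyticsBefore = gate.setCookie("_ga_like", "GA1.x", "analytics"); // refused: no consent yet
  result.adsBefore = gate.setCookie("ad_id", "xyz", "advertising");          // refused

  gate.grant("analytics");                                                    // user ticks "analytics" only
  result.analyticsAfter = gate.setCookie("_ga_like", "GA1.x", "analytics");  // now allowed
  result.adsAfter = gate.setCookie("ad_id", "xyz", "advertising");           // still refused: not granted

  gate.revoke("analytics");                                                   // user withdraws later
  result.cookiesAfterRevoke = jar.names();                                    // only the session cookie remains
  result.decisions = gate.log.map((e) => `${e.action}:${e.category}`);
  return result;
}

console.log(simulateVisit());
```

The point to take from the example is structural: the consent banner must be wired in front of the code that sets cookies or loads tracking scripts, not shown alongside code that has already fired. A banner that records a choice while `_ga`-style cookies were set on page load does not satisfy the rule above.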

What is the difference between GDPR and ePrivacy?

The main difference is that the GDPR is a general law for all personal data processing, while the ePrivacy Directive specifically covers privacy in electronic communications, such as email and cookies. In the specific area of electronic communications, the ePrivacy Directive takes precedence over the GDPR.

Feature: GDPR / ePrivacy Directive

Legal nature
  GDPR: A Regulation, so it applies directly in all EU member states with uniform rules.
  ePrivacy Directive: A Directive, so each member state must pass its own national law to meet its requirements.

Legal scope
  GDPR: General data protection, applying to all personal data processing across all sectors.
  ePrivacy Directive: Specifically electronic communications: confidentiality of communications, cookies and tracking technologies, traffic and location data, and direct marketing.

Territorial scope
  GDPR: Has extraterritorial effect: applies to organizations established in the EU, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
  ePrivacy Directive: Not defined in the Directive itself; the reach of each national implementation is set by that national law, and each national authority enforces its own law for users in its territory.

Data types
  GDPR: Any information relating to an identified or identifiable individual (personal data).
  ePrivacy Directive: Communications data and any information stored on or read from a user’s device, whether or not it is personal data.

Legal basis for processing
  GDPR: Several legal bases, including consent, legitimate interest, contractual necessity and legal obligation.
  ePrivacy Directive: Primarily consent, especially for cookies and tracking technologies; legitimate interest cannot substitute for consent under the cookie rule.

Key areas covered
  GDPR: Data subject rights, international data transfers, breach notification, data protection by design, accountability.
  ePrivacy Directive: Cookie consent, confidentiality of communications, spam and unsolicited marketing, traffic data, location data.

Penalties
  GDPR: Up to €20 million or 4% of global annual turnover, whichever is higher (the upper tier; the lower tier is €10 million or 2%).
  ePrivacy Directive: Varies by member state implementation; there are no standardized EU-wide penalties.

Legal hierarchy
  GDPR: The general data protection framework (lex generalis) that applies to all personal data processing where no sector-specific rule exists.
  ePrivacy Directive: A sector-specific law (lex specialis) that complements the GDPR and takes precedence where it contains specific rules for electronic communications.

Is PECR the same as the ePrivacy Directive?

For practical purposes, yes. PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) is the UK’s implementation of the ePrivacy Directive, passed while the UK was still an EU member and retained in UK law after Brexit. So PECR meets the ePD’s legislative requirements and covers essentially the same ground – electronic marketing, cookies and terminal equipment, and confidentiality and security of communications – but it goes a step further with more detailed rules, an established enforcement practice, and published guidance.

Has the ePrivacy Regulation replaced the ePrivacy Directive?

No. The proposed ePrivacy Regulation stalled for years in the Council, and in February 2025 the European Commission withdrew the proposal. The original 2002 ePrivacy Directive, as amended in 2009 (the amendment that introduced the opt-in consent rule for cookies), and its national implementations are still in place.

What is a public communication network, according to the ePD?

When the ePrivacy Directive talks about “public communications networks,” it basically means the shared infrastructure people use to get online or connect – like the internet, mobile networks, and fixed-line phone networks. Networks that are openly available to the public and carry signals for everyday services such as calls, emails, messaging apps, and general internet access.

What does the ePD mean when it refers to the “Community”?

When the ePD refers to the “Community”, it is referring to the member states of the EU, or what modern EU legislation refers to as the “European Union” or “the Union”. It was the name for the EU member states at the time the Directive was adopted and reflects the older treaty setup.

What does the ePD mean by “traffic data”?

When the ePD refers to “Traffic data”, it’s referring to any data created and used to transmit a communication across an electronic communications network, including data required to charge for the transmission. In practice, it covers things related to the actual transmission of a call, message, or connection, rather than the actual content of the communication itself.

What does the ePD mean by “location data”?

When the ePD refers to “Location data”, it’s referring to data in the network that shows where a user’s device is in the real world. In practice, it’s data that reveals the geographic position of a phone, tablet, or other terminal equipment while it is using a publicly available electronic communications service.

What does the ePD mean by a “value added service”?

When the ePD refers to a “value added service”, it’s referring to any extra service that needs to use traffic or location data for more than just delivering the communication or working out the bill. E.g. Voicemail or location-based services, like “find my device”.