If you’re just starting a website or business in the EU, you’ll need to understand what the ePrivacy Directive is, and how it interacts with the GDPR and your business. This article is a summary of the ePD, breaking down what it is, who it applies to, and how it affects cookies, consent banners, and online marketing in practical, business-friendly terms you’ll understand.


What is the ePrivacy Directive?

The Directive on Privacy and Electronic Communications, more commonly known as the ePrivacy Directive or the cookie law, is an EU directive that aims to provide stronger protections against risks associated with modern technologies. It introduced clear consent requirements for service providers storing communications or related traffic data in their systems, or using software to store or track data on devices (such as cookies). It also set requirements for service providers aimed at protecting information confidentiality and reducing spam.

You can read the official text here.

Why is it called the ePrivacy “Directive” and not the ePrivacy “Regulation”?

In the EU, regulations are laws that apply directly in all member states, e.g. the GDPR. Directives, as the name suggests, give directions for countries in the EU to introduce their own laws, e.g. the PECR. A directive provides a set of requirements that must be met, but gives each member state the freedom to create its own national laws to comply with the directive by a certain date.

Do I need to comply with the ePrivacy Directive?

Not technically, but if you’re operating an online business in the EU you will likely have to meet its obligations. Because the ePrivacy Directive is not a regulation, you don’t have to comply with the Directive itself, but with the relevant national laws implemented under it. That said, the ePrivacy Directive’s requirements are a good guide, as the implementation for most countries is almost identical outside of the enforcement and penalties.

The most important step for complying with the requirements of the ePD is acquiring user consent – you can do this with our Consent Management Platform.

ePrivacy Directive national implementations

The ePrivacy Directive required each EU/EEA member state to transpose its requirements into national law by 31 October 2003, leading to distinct acts or amendments focused on electronic communications privacy, cookie consent, and marketing rules. These national laws vary in naming and scope, often integrating with broader data protection or telecommunications frameworks; however, for the most part they followed the consent requirements of the ePD closely.

ePD implementations by EU Member States

| Country | Implementing Act(s) |
| --- | --- |
| Austria | Originally the “Telekommunikationsgesetz 2003 (TKG 2003)” and since updated to “Telekommunikationsgesetz 2021 (TKG 2021)”. |
| Belgium | Law of 13 June 2005 on Electronic Communications, often referred to as the Belgian “Electronic Communications Act”, “Telecom Act” or “Telecommunications Act.” |
| Bulgaria | The Bulgarian “Electronic Communications Act” (often abbreviated “ECA”) |
| Croatia | The Croatian “Electronic Communications Act” (in Croatian often abbreviated as “Zakon o elektroničkim komunikacijama” or “ZEK”) |
| Cyprus | “Regulation of Electronic Communications and Postal Services Law 112(I)/2004,” often shortened to the “Electronic Communications Law” or “Telecoms Law.” |
| Czechia | Act No. 127/2005 Coll., “the Electronic Communications Act” (zákon č. 127/2005 Sb., o elektronických komunikacích) |
| Denmark | The Act on Electronic Communications Networks and Services together with the Executive Order on Information and Consent for Storing and Accessing Information in End-User Terminal Equipment (the “Cookie Order”, Executive Order no. 1148/2011). |
| Estonia | The Electronic Communications Act (in Estonian: Elektroonilise side seadus) |
| Finland | The Act on Electronic Communications Services (in Finnish: Laki sähköisen viestinnän palveluista, Act 917/2014, as amended) |
| France | The French Data Protection Act (Loi Informatique et Libertés) and the Postal and Electronic Communications Code (Code des postes et des communications électroniques, CPCE). |
| Germany | The Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG)) recently updated to the Telecommunications and Digital Services Data Protection Act (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz, TDDDG) |
| Greece | Law 3471/2006 on the protection of personal data and privacy in the electronic communications sector aka “Law 3471/2006” (Νόμος 3471/2006 για την προστασία των δεδομένων προσωπικού χαρακτήρα και της ιδιωτικής ζωής στον τομέα των ηλεκτρονικών επικοινωνιών) |
| Hungary | Act C of 2003 on Electronic Communications, often referred to as the Electronic Communications Act (2003. évi C. törvény az elektronikus hírközlésről) |
| Ireland | S.I. No. 336 of 2011 – European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Often referred to as the Irish ePrivacy Regulations or the 2011 ePrivacy Regulations. |
| Italy | Legislative Decree no. 196/2003, commonly called the “Codice in materia di protezione dei dati personali” or Italian Privacy Code. |
| Latvia | The Electronic Communications Law aka the ECL (Elektronisko sakaru likums) |
| Lithuania | The Law on Electronic Communications of the Republic of Lithuania (Lietuvos Respublikos elektroninių ryšių įstatymas) |
| Luxembourg | The Law of 30 May 2005 on the protection of privacy in the electronic communications sector (loi du 30 mai 2005 relative à la protection de la vie privée dans le secteur des communications électroniques) |
| Malta | The Processing of Personal Data (Electronic Communications Sector) Regulations issued under chapter 586 of the Data Protection Act (Regolamenti dwar l-Ipproċessar ta’ Dejta Personali (Is-Settur tal-Komunikazzjonijiet Elettroniċi)) |
| Netherlands | The Dutch Telecommunications Act (Telecommunicatiewet) |
| Poland | The Act of 18 July 2002 on the Provision of Services by Electronic Means (Ustawa z dnia 18 lipca 2002 r. o świadczeniu usług drogą elektroniczną). |
| Portugal | Law no. 41/2004, of 18 August concerning the processing of personal data and the protection of privacy in the electronic communications sector (Lei n.º 41/2004, de 18 de agosto, relativa ao tratamento de dados pessoais e à proteção da privacidade no sector das comunicações eletrónicas) |
| Romania | Law no. 506/2004 on the processing of personal data and the protection of privacy in the electronic communications sector (Legea nr. 506/2004 privind prelucrarea datelor cu caracter personal şi protecţia vieţii private în sectorul comunicaţiilor electronice) |
| Slovakia | Act No. 351/2011 Coll. on Electronic Communications (Zákon č. 351/2011 Z. z. o elektronických komunikáciách), since updated to Act No. 452/2021 Coll. on Electronic Communications (Zákon č. 452/2021 Z. z. o elektronických komunikáciách). |
| Slovenia | The Electronic Communications Act (Zakon o elektronskih komunikacijah aka ZEKom‑1). |
| Spain | Law 34/2002 on information society services and electronic commerce (Ley 34/2002, de servicios de la sociedad de la información y de comercio electrónico) |
| Sweden | The Electronic Communications Act (Lagen om elektronisk kommunikation (2022:482)) |

ePD implementations by EEA members and UK

| Country | Implementing Act(s) |
| --- | --- |
| Iceland | Act No. 81/2003 on Electronic Communications (Lög nr. 81/2003 um fjarskipti) |
| Liechtenstein | The Communications Act (Kommunikationsgesetz vom 17. März 2006) aka KomG |
| Norway | Electronic Communications Act, aka the “Electronic Communications Act” or “E‑Com Act.” (lov om elektronisk kommunikasjon) |
| United Kingdom | Privacy and Electronic Communications Regulations 2003 (PECR) |

Who does the ePrivacy Directive apply to?

The ePrivacy Directive applies to organizations established in EU member states that provide electronic communications services or process personal data. This includes website operators using cookies or tracking technologies, businesses engaged in digital marketing, telecommunications companies, messaging service providers, internet access providers, and anyone sending direct marketing communications. Unlike GDPR, the ePrivacy Directive applies based on where the organization is established, not where users are located, and does not have extraterritorial effect.

What does the ePrivacy Directive do?

The ePrivacy Directive required EU countries to introduce laws governing how websites and online services handle communications data and tracking. It is the reason websites use cookie banners to obtain consent for non-essential cookies and similar technologies. It also contributes to fewer unsolicited marketing messages and stronger confidentiality and security of electronic communications in the EU compared with many other regions.

Because of the ePD, anyone providing online services or communications services must:

  • Implement and keep up-to-date technical and organizational measures to keep their services secure and match the level of risk.
  • Obtain explicit, informed and revocable user consent before:
    • Storing or accessing information on a device (e.g. cookies), except when it’s essential to the provision of the service.
    • Processing traffic data, except when it’s essential to the provision of the service.
    • Processing non-traffic location data, except when it’s essential to the provision of the service.
  • Delete or anonymize traffic data once it is no longer needed for transmission, billing or legal purposes.
  • Restrict access to, and processing of, traffic data to authorized staff, and only for purposes such as billing, customer support, fraud detection, or marketing.
  • Provide customers with the option of greater confidentiality through non-itemized bills.
  • Never send direct marketing via automated calls, faxes, or emails without prior consent, with limited allowances for marketing similar products to existing customers, who can opt out at any time.
  • Provide a verified authentic identity and sender address when sending marketing messages.

What is the difference between GDPR and ePrivacy?

The main difference is that the GDPR is a general law for all personal data processing, while the ePrivacy Directive specifically covers privacy in electronic communications, such as email and cookies. In the specific area of electronic communications, the ePrivacy Directive takes precedence over the GDPR.

| Feature | GDPR | ePrivacy Directive |
| --- | --- | --- |
| Legal Nature | The GDPR is a Regulation, and therefore directly applies across all EU member states with uniform enforcement | The ePD is a directive, requiring member states to implement their own national laws to meet its requirements. |
| Legal Scope | General data protection, applying to all personal data processing across all sectors. | Specifically covers electronic communications, including confidentiality of communications, cookies, tracking technologies, and direct marketing. |
| Territorial Scope | Has extraterritorial effect – applies based on where users/data subjects are located, regardless of where the organization is established | Does not specify territorial scope in the Directive itself; enforcement primarily applies where users are located within each member state’s jurisdiction, with each supervisory authority enforcing for users in its territory |
| Data Types | Regulates any information that can identify an individual (personal data) | Regulates all types of communication data, which can include both personal and non-personal data. |
| Legal Basis for Processing | Multiple legal grounds including consent, legitimate interest, contractual necessity, and legal obligation | Primarily consent-based, especially for cookies and tracking technologies |
| Key Areas Covered | Data subject rights, data transfers, breach notification, data protection by design, accountability | Cookie consent, confidentiality of communications, spam/unsolicited marketing, traffic data, location data |
| Penalties | Up to €20 million or 4% of global annual turnover (whichever is higher) | Varies by member state implementation – no standardized EU-wide penalties |
| Legal Hierarchy | A general data protection framework (lex generalis) that applies broadly to all personal data processing when sector specific laws don’t exist. | A sector-specific law that complements GDPR (lex specialis) taking precedence for electronic communications matters. |

Is PECR the same as the ePrivacy Directive?

The answer may as well be yes. The PECR is the UK’s implementation of the ePrivacy Directive, as the ePD was introduced prior to the UK leaving the EU. So, the PECR meets the ePD’s legislative requirements, and is essentially the same thing – electronic marketing, cookies/terminal equipment, and confidentiality/security of communications – but it takes things a step further with more detailed rules, actual enforcement practice, and guidance.

Has the ePrivacy Regulation replaced the ePrivacy Directive?

No, as of February 2025, the proposed ePrivacy Regulation has been blocked by the EU and the proposal has been withdrawn. The original 2002 ePrivacy Directive and its implementations are still in place.

What is a public communication network, according to the ePD?

When the ePrivacy Directive talks about “public communications networks,” it basically means the shared infrastructure people use to get online or connect – like the internet, mobile networks, and fixed-line phone networks. These are networks that are openly available to the public and carry signals for everyday services such as calls, emails, messaging apps, and general internet access.

What does the ePD mean when it refers to the “Community”?

When the ePD refers to the “Community”, it is referring to the member states of the EU, or what modern EU legislation refers to as the “European Union” or “the Union”. It was the name for the EU member states at the time the Directive was adopted and reflects the older treaty setup.

What does the ePD mean by “traffic data”?

When the ePD refers to “Traffic data”, it’s referring to any data created and used to transmit a communication across an electronic communications network, including data required to charge for the transmission. In practice, it covers things related to the actual transmission of a call, message, or connection, rather than the actual content of the communication itself.

What does the ePD mean by “location data”?

When the ePD refers to “Location data”, it’s referring to data in the network that shows where a user’s device is in the real world. In practice, it’s data that reveals the geographic position of a phone, tablet, or other terminal equipment while it is using a publicly available electronic communications service.

What does the ePD mean by a “value added service”?

When the ePD refers to a “value added service”, it’s referring to any extra service that needs to use traffic or location data for more than just delivering the communication or working out the bill. Examples include voicemail or location-based services, like “find my device”.