The European Union (EU) has some of the world’s most stringent data privacy laws with the General Data Protection Regulation (GDPR) and ePrivacy Directive. The long proposed ePrivacy Regulation would have brought changes to data protection and cookie consent and broadened the scope of which organizations would have been impacted.
As of early 2025, however, the data privacy landscape in the EU has changed significantly from the one regulators were planning for in prior decades. We look at what the ePrivacy Directive is, how data privacy and processing are protected today, and what the future looks like.
What is the ePrivacy Directive (ePD)?
The EU ePrivacy Directive (sometimes known as the “cookie law”) was enacted in 2002 and updated in 2009. It specifically addresses privacy issues in electronic communication.
The ePD mandates:
- Confidentiality of communication over public networks
- Prior user consent for cookie use
- Setting guidelines for the security of electronic communication services
- Regulation of direct marketing practices
Cookie consent banners became more prominent after the ePrivacy Directive’s enactment, as they are a practical way to provide required notifications about data collection and use, and to obtain explicit and granular consent from users on websites, apps, or other connected platforms.
The ePD is required to be incorporated into the national laws of EU member states, leading to variations in enforcement across the Union. Unlike the General Data Protection Regulation (GDPR), however, it is not a pan-EU regulation.
In November 2023, the European Data Protection Board (EDPB) issued new guidelines that widened the scope of technologies covered under the directive.
Who does the ePrivacy Directive apply to?
The ePD applies to organizations that provide electronic communications services or process personal data from EU residents. The groups that the ePD primarily applies to include:
- Businesses that process personal data: Whether they are located in or outside the EU, companies engaged in digital marketing, tracking via cookies, or otherwise using digital means to collect personal data via websites or other digital services.
- Third parties using tracking technologies: Any third parties, like social media platforms, advertisers, or analytics providers, that use cookies or other tracking technologies on websites or apps to track user behaviors or activities.
- Electronic communications services providers: Like internet service providers (ISPs), telephone service providers, or public communications networks, which enable electronic communications and the collection of personal data.
- Website operators: For sites that use cookies or other tracking technologies to collect information about site visitors, customers, etc.
What actions does the ePrivacy Directive prohibit?
The ePD includes a number of specific prohibitions to protect users’ privacy rights:
- Any interception, storage, monitoring, scanning, or otherwise surveilling of electronic communications data by anyone other than the end users (unless expressly permitted by the regulation)
- Use of tracking technologies for non-technically necessary purposes without obtaining explicit consent
- Gaining access to information stored on a user’s terminal equipment (e.g. phone or computer) without their consent
- Sending unsolicited electronic communications or spam, covering unsolicited emails, text messages, and automated calling systems
- Processing metadata derived from electronic communications (such as location data, call times, and recipient information) without user consent or another legal basis
How has the ePrivacy Directive been updated?
Article 5(3) of the ePrivacy Directive provides that before a company or website can store information on or get information from a user’s device (like a computer or smartphone), they must obtain prior consent from the user.
Under the Guidelines 2/2023 on the Technical Scope of Article 5(3) of ePrivacy Directive, the European Data Protection Board (EDPB) expanded the ePD’s application for storing or accessing information on a user’s device.
The EDPB adopted a wide reading of what constitutes terminal equipment (like smartphones or personal computers) and the nature of information, suggesting that many digital tracking methods will require prior consent unless they are necessary for delivering a requested service.
The guidelines specifically address the use of several modern tracking technologies that have become prevalent in digital marketing and online tracking.
URL and pixel tracking
Tracking pixels are tiny images embedded in websites or emails, linked to a server. When an email containing a tracking pixel is opened or a web page with a tracking pixel is visited, it allows the server to record the action and capture details, such as the time the email was opened, the IP address of the recipient, and the type of device used. URL tracking links to websites help identify where visitors come from.
Local processing
Sometimes, websites use APIs to access information stored on a user’s device, such as location data. If processed information is made available over the network, it is considered gaining access to stored information under ePD guidelines.
Tracking based on IP address only
Some technologies rely only on the collection of the IP address for the tracking of users. If the IP address originates from the terminal equipment of the user, Article 5(3) of the ePrivacy Directive would apply.
Internet of Things (IoT) reporting
Under ePD guidelines, companies require user consent for data collection and processing by devices connected directly or indirectly to the internet. This applies to smart devices like fridges or fitness trackers, whether they send data directly or through another device like a smartphone.
Unique Identifier
Unique Identifiers (UIDs) are special codes attached to a user’s online data to signify that it belongs to that user. They are often derived from persistent personal data, i.e. personal information that doesn’t change much over time, such as email addresses, usernames or account IDs, or date of birth.
UIDs are used to recognize users across different websites or apps. When a website tells a user’s browser to send this data, it’s accessing information on the device and invokes Article 5(3) of the ePD.
What is the ePrivacy Regulation (ePR)?
The proposed ePrivacy Regulation was a legal framework that was intended to update and replace the existing ePrivacy Directive, giving it jurisdiction across the EU.
The primary focus of the proposed ePrivacy Regulation was to enhance privacy protections in electronic communications beyond traditional telecommunications providers, including the text, images, speech, videos, and metadata. The proposed regulation would also have covered communication services like instant messaging applications, VoIP services, and email.
Who would the ePrivacy Regulation have applied to?
The ePrivacy Regulation would have applied to any business processing data in connection with any form of online communication service, using online tracking technologies, or engaging in electronic direct marketing, including both natural and legal persons involved in electronic communication.
Examples of organizations to which the ePR would have applied:
- Website owners
- Owners of apps that have electronic communication as a component
- Natural or legal persons sending direct marketing communications
- Telecommunications companies
- Messaging service providers (e.g. WhatsApp, Facebook)
- Internet access providers (e.g. a café providing open Wi-Fi access)
- Providers of machine-to-machine communications (Internet of Things)
What happened to the ePrivacy Regulation?
The proposal to expand the ePD and implement the ePR dates back to 2017. The plan was to make it a full regulation to complement the GDPR to protect privacy and personal data in electronic communications in the EU. The ePR would also have had extraterritorial scope. However, the process was delayed for quite some time.
The ePR was officially withdrawn by the European Commission on February 5, 2025, after legislators could not reach agreement on the plan and it was noted that the proposal was growing increasingly dated. The Commission noted that, after years of delays, “The proposal is outdated in view of some recent legislation in both the technological and the legislative landscape.”
Did any law replace the intended ePrivacy Regulation?
The ePrivacy Directive’s guidelines remain in place for EU member states. Also, European Commission spokesman Thomas Regnier has noted that the Digital Services Act (DSA), which came into effect in November 2022, provides a “strong framework to ensure a high level of privacy, especially for minors (Article 28)”.
Among other functions, the DSA regulates use of personal data for advertising. Platforms must obtain prior consent from EU audiences to use their data for advertising. The DSA also bans the use of minors’ data for targeted advertising and prohibits the use of data categorized as sensitive, such as health information or religious or political views, for ads as well in most cases.
Do all cookies require consent under the ePrivacy Directive?
No, under the ePrivacy Directive, cookies that are “strictly necessary” for the delivery of a service explicitly requested by the user do not require consent. These cookies are essential for the basic functioning of the website or to provide the service the user has directly requested, including the following kinds of cookies and uses:
- Maintaining the state of a user’s activities on a website during a browsing session, such as maintaining logged-in status, or the contents of an ecommerce shopping cart
- Supporting security features and helping identify and prevent security risks
- Remembering information entered by the user, such as username, language, or region, to provide a more personalized experience
While these cookies are exempt from the consent requirement, you are still expected to inform users about the use of such cookies, typically via a cookie and/or privacy policy.
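The consent-exempt versus consent-required split described above is usually enforced in the site's own front-end or tag-management code. The following is an added illustration, not code from the original page or from Usercentrics: it models a cookie jar as a Map, classifies each cookie by category (the category table and cookie names are constructed for the example), sets "strictly necessary" cookies unconditionally, gates every other category on a recorded consent decision, and removes a category's cookies again when consent for it is withdrawn.

```javascript
// Categories per the ePD distinction on this page: "necessary" cookies are
// exempt from consent; everything else needs a prior, explicit opt-in.
// The cookie names and their classification below are constructed examples.
const COOKIE_CATEGORIES = {
  session_id:   "necessary",  // keeps logged-in state for the session
  csrf_token:   "necessary",  // security feature: CSRF protection
  cart:         "necessary",  // contents of an ecommerce shopping cart
  ui_lang:      "necessary",  // user-entered preference (language/region)
  analytics_id: "analytics",  // behavioural analytics identifier
  ad_segment:   "marketing",  // advertising profile / targeting segment
};

// Categories that may be set without asking the user.
const CONSENT_EXEMPT = new Set(["necessary"]);

// Decide whether a single cookie may be written given the consent record.
// Unknown cookies are refused: an unclassified cookie cannot be proven exempt.
function canSetCookie(name, consent) {
  const category = COOKIE_CATEGORIES[name];
  if (category === undefined) return false;
  if (CONSENT_EXEMPT.has(category)) return true;
  return consent[category] === true;
}

// Apply a set of requested cookies to the jar, reporting those refused.
// `jar` stands in for document.cookie so the example runs outside a browser.
function applyCookies(requested, consent, jar = new Map()) {
  const refused = [];
  for (const [name, value] of Object.entries(requested)) {
    if (canSetCookie(name, consent)) {
      jar.set(name, value);
    } else {
      refused.push(name);
    }
  }
  return { jar, refused };
}

// Withdrawal of consent: mark the category refused and purge its cookies,
// so a revoked choice is reflected in what is actually stored on the device.
function revokeConsent(jar, consent, category) {
  const updated = { ...consent, [category]: false };
  const removed = [];
  for (const name of [...jar.keys()]) {
    if (COOKIE_CATEGORIES[name] === category) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return { jar, consent: updated, removed };
}

// Usage: first visit, no consent recorded yet (constructed sample values).
const firstVisit = applyCookies(
  { session_id: "s-1", csrf_token: "c-1", analytics_id: "a-1", ad_segment: "m-1" },
  { analytics: false, marketing: false },
);
console.log("set:", [...firstVisit.jar.keys()], "refused:", firstVisit.refused);
```

The design choice worth noting is that the default for an unclassified cookie is refusal: a cookie that no one has categorised cannot be shown to be strictly necessary, so the safe failure mode is not to set it and to surface the name for review.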
How does the ePrivacy Directive compare to the GDPR?
The GDPR and ePrivacy Directive share several similarities, including:
- Passed by the European Parliament and Council
- Goal of aligning data privacy laws across the EU
- Apply to processing and protection of personal data of individuals residing in the EU, with extraterritorial scope
- High fines for noncompliance
There are, however, some major differences between the two regulations, which are outlined in the table below.
| | GDPR | ePrivacy Directive |
|---|---|---|
| Scope | Applies to the processing of EU residents’ personal data, irrespective of the technology used. | Focused on the processing of personal data and metadata in electronic communications. |
| Definition | “Personal data” means any data that can be used to identify someone. | Data from “electronic communications” means any data that is communicated electronically, whether or not it can be used to identify someone. |
| Reach | Narrower than the ePD, but still applies to all EU residents and organizations that collect and use their personal data. | Broader than the GDPR since it includes non-identifying personal data, but also applies to all EU residents and organizations that collect and use their personal data. |
| Purpose | To protect the personal data of EU residents, providing them with greater control over their personal information and ensuring that their data is processed securely, transparently, and with explicit consent by organizations. | To ensure privacy and confidentiality in electronic communications involving EU residents, specifically regulating tracking technologies, digital marketing, and the security of users’ communications data. |
| Types of data | Covers any personal data, whether it is electronic or in hard copy format. | Covers only “electronic” communications data, not hard copy data. |
| Lex specialis | GDPR is the less specific law when it comes to electronic communications. Because of this, the ePrivacy Directive takes precedence over the GDPR in electronic communications cases. | The ePrivacy Directive is more specific than the GDPR regarding electronic communications, so it takes precedence in cases centering on electronic communications. |
| Applicability | Any controller or processor that collects and/or uses personal data of EU residents. Data controllers are those who decide why and how personal data should be processed, e.g. a company you buy from online. Data processors are the ones doing the actual data processing for the controller, e.g. the payment processor that completes the credit card transaction. | Businesses employing electronic communications that process personal data; third parties using tracking technologies; electronic communications services providers; website, app, or other connected platform operators. |
| Who has rights and protections | Natural persons | Natural and legal persons (i.e. organizations, companies, etc.) |
| Date in force | May 25, 2018 | July 31, 2002 (ePrivacy Regulation proposal withdrawn February 5, 2025) |
When will the ePrivacy Regulation come into force?
The ePrivacy Regulation was initially intended to come into effect alongside the GDPR on May 25, 2018, but was not adopted. The EU Council published a draft, finalized on February 10, 2021, which was then in negotiations between the Council and European Parliament.
If the draft had been approved, it would have passed into law in all 27 EU member states, and there would have been a two-year period before the regulation would be enforced.
As the ePrivacy Regulation has been abandoned by the European Commission, the future status of the regulation or replacement legislation is seriously in doubt.
What are the penalties for ePrivacy Directive violations?
Penalties for ePD violations are levied by data protection authorities of individual EU member states, and a variety of fines have been imposed for breaching cookie consent rules.
The ePD uses the same tiered system for fines as the GDPR, so EUR 10 million or two percent of annual global turnover (whichever is greater) for first-time or less severe infractions, or EUR 20 million or four percent of annual global turnover (whichever is greater) for repeated or more serious infractions.
Additionally, individuals who suffer material or non-material damage as the result of a violation of the ePD have the right to compensation from the organization that committed the violation.
France’s CNIL has levied a number of large fines against large tech platforms — including Google, Facebook (Meta), Amazon, and TikTok — for ePD violations, in some cases repeatedly over several years.
What is the future of EU privacy regulation and data protection?
The ePrivacy Directive is aging rapidly, as is the GDPR. When the ePD was last updated in 2009, the iPhone was only two years old and TikTok was years away.
The EU has since passed a number of laws to protect consumers and data privacy from various angles, but the challenge of creating regulations that remain valid for many years and also reflect rapidly changing business and technology landscapes remains constant.
Laws like the DSA and Digital Markets Act (DMA) also aim to protect personal data in part, and privacy is built into regulations that are peripherally related, like the AI Act. Decisions by the European Court of Justice also provide valuable information to guide enforcement.
With or without the ePrivacy Regulation, transparency and valid consent remain central to regulatory compliance (in the EU and around the world), building trusted and long-term customer relationships, and developing your Privacy-Led Marketing strategy.
Usercentrics CMP is automatically updated to help you stay compliant with evolving privacy regulations that are relevant to your business without requiring a lot of manual intervention. Notify your users, provide consent choices, and show your respect for customers’ privacy every day.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.