ePrivacy Directive & Proposed Regulation
The EU framework governing privacy in electronic communications -- cookie consent, direct marketing, metadata protection, and the confidentiality of digital communications. The current directive has been in force since 2002; its proposed replacement has been stalled since 2017.
Every time you visit a website in Europe and see a pop-up asking whether you accept cookies, that is the ePrivacy Directive at work. This EU law, in force since 2002 and amended in 2009 to add the cookie consent rule, sets the rules for how companies handle your privacy when you use phones, email, messaging apps, or browse the web. Its core principle is simple: no one should store information on your device, or read information already there, without your permission, unless doing so is strictly necessary to provide the service you asked for.
The directive covers more than just cookies. It protects the confidentiality of your phone calls and messages, restricts how companies can use your location and browsing data, and requires your prior consent before anyone sends you marketing emails or texts (with a narrow exception for existing customers). These rules apply to every business operating in the EU, from the smallest blog with a tracking pixel to the largest social media platform.
The European Commission proposed a new ePrivacy Regulation in January 2017 to replace the ageing directive with a single, uniform law. The regulation would have extended the rules to modern messaging services such as WhatsApp and Signal, allowed you to set your privacy preferences once in your browser instead of clicking banners on every site, and imposed GDPR-level fines for violations. Instead, it became one of the longest-stalled legislative proposals in EU history: nine years on, it has still not been adopted.
Until the regulation is adopted, the original directive remains the law. Each EU country has transposed it differently, creating a patchwork of national rules with varying levels of strictness and enforcement. For businesses, this means navigating 27 different implementations of the same underlying obligation. For users, it means cookie consent banners remain the imperfect status quo.
Switzerland is not bound by the ePrivacy Directive, but Swiss companies targeting EU users must comply with it as nationally transposed in each Member State. Any Swiss website placing cookies on EU visitors' devices, sending marketing emails to EU recipients, or tracking EU users through analytics tools falls within scope. The Swiss Federal Act on Data Protection (nDSG), revised in 2023, does not contain an equivalent cookie consent requirement -- meaning Swiss domestic sites face lighter obligations than those targeting the EU.
Swiss businesses operating across EU markets should align their cookie consent and direct marketing practices with the strictest national implementations (France and the Netherlands in particular) rather than the minimum standard, to avoid enforcement actions from multiple DPAs.
The ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) is the EU's specialist law on privacy in electronic communications. It sits alongside the GDPR as lex specialis -- where the ePrivacy Directive addresses a specific situation, its rules take precedence over the general GDPR framework. First adopted in 2002 and amended in 2009 to turn the original right to refuse cookies into the now-infamous prior consent requirement, it governs how electronic communications providers and website operators handle user data, communications metadata, and device access.
Under the directive, storing information on a user's terminal equipment, or accessing information already stored there, requires the user's prior informed consent. The only exceptions are storage or access carried out solely to transmit a communication, or strictly necessary to provide an information society service the user explicitly requested. Consent must meet the GDPR standard: freely given, specific, informed and unambiguous, expressed by a clear affirmative act. The directive also requires confidentiality of communications content and traffic data, restricts the processing of location data, and mandates opt-in consent for direct marketing by email, SMS and automated calling systems.
The proposed ePrivacy Regulation was meant to modernise these rules for the smartphone era. Published in January 2017, it would extend the scope to cover over-the-top messaging services like WhatsApp and Signal (a gap the European Electronic Communications Code has since partly closed by bringing such services within the definition of an electronic communications service from December 2020), introduce browser-based consent mechanisms to reduce cookie banner fatigue, and harmonise penalties across all Member States. Instead, it became one of the longest-stalled legislative proposals in EU history.
The trilogue negotiations, which began in 2021, have failed to resolve fundamental disagreements: the ad-tech industry wants flexible metadata processing rules and acceptance of cookie walls; privacy advocates want strict consent requirements and strong encryption protections; and Member State governments want to preserve national data retention powers for law enforcement. As of April 2026, multiple Council presidencies have attempted and failed to broker a compromise.
The table below compares the current directive (in force) with the proposed regulation (stalled).
| ASPECT | DIRECTIVE 2002/58/EC | PROPOSED REGULATION |
|---|---|---|
| Legal instrument | Directive -- requires national transposition by each Member State, leading to divergent implementations. | Regulation -- directly applicable in all Member States, replacing 27 different national laws with one uniform text. |
| Scope of "electronic communications" | Written for traditional telecom providers (ISPs, phone companies). Over-the-top (OTT) messaging services like WhatsApp and Signal were outside its scope until the European Electronic Communications Code's broader definition of an electronic communications service took effect in December 2020, and its rules were never designed around them. | Extends to all electronic communications services including OTT messaging, VoIP, email, and IoT machine-to-machine communications. |
| Cookie consent mechanism | Requires informed consent for non-essential cookies. Implementation varies wildly -- some Member States allow implied consent, others require explicit opt-in. | Proposes browser-level consent settings as legally valid. Users could set preferences once rather than clicking banners on every site. Cookie walls would be restricted. |
| Metadata processing | Traffic data must be erased or anonymised when no longer needed. Location data requires explicit consent. Retention allowed only for billing purposes. | Allows metadata processing for "compatible purposes" with broader permitted uses including network security, fraud prevention, and anonymised statistics without consent. |
| Enforcement & penalties | Penalties set by each Member State and vary widely, from modest fixed maxima in some countries to GDPR-scale fines in others. Fragmented enforcement. | Aligned with GDPR: up to EUR 20 million or 4% of global annual turnover. Enforced by national data protection authorities with EDPB coordination. |
| Direct marketing | Opt-in required for email/SMS marketing. Soft opt-in exception for existing customers. Business-to-business rules vary by Member State. | Maintains opt-in for individuals. Proposes extending soft opt-in. B2B marketing rules would be harmonised. Caller ID display mandatory for marketing calls. |
| Communication confidentiality | Prohibits interception or surveillance of communications without consent. Exceptions for lawful interception by authorities. | Strengthens confidentiality rules to cover content, metadata, and even device data. Extends protection to machine-to-machine communications. |
| Wi-Fi tracking & device fingerprinting | Not named in the text. Article 5(3) has been read to cover them through Article 29 Working Party Opinion 9/2014 on device fingerprinting, EDPB Guidelines 2/2023 on the technical scope of Article 5(3), and national transposition. | Explicitly covers Wi-Fi tracking, Bluetooth beacons, and device fingerprinting. Requires consent for all terminal equipment access beyond cookies. |
The most consequential court decisions and enforcement actions shaping ePrivacy law, from cookie consent to data retention.

| DECISION | HOLDING | IMPACT |
|---|---|---|
| Planet49 (CJEU, C-673/17, 2019) | Pre-ticked checkboxes do not constitute valid consent for cookies. Consent must be given by a clear affirmative act, and information about cookie duration and third-party access must be provided before consent. This applies whether or not the stored information is personal data. | Eliminated pre-selected cookie consent across the EU. Forced a redesign of consent interfaces for millions of websites. Confirmed that the GDPR consent standard applies to ePrivacy cookie consent. |
| Tele2 Sverige and Watson (CJEU, Joined Cases C-203/15 and C-698/15, 2016) | EU law precludes national legislation imposing general and indiscriminate retention of traffic and location data on electronic communications providers. | Invalidated blanket data retention laws across multiple Member States. Forced governments to adopt targeted retention regimes. Continues to generate follow-up litigation as Member States attempt workarounds. |
| La Quadrature du Net and others (CJEU, Joined Cases C-511/18, C-512/18 and C-520/18, 2020) | General retention of traffic and location data is permitted only to safeguard national security in the face of a serious threat, and only for a limited period. For fighting serious crime, only targeted retention based on objective criteria is allowed. General retention of the IP addresses assigned to the source of a connection may be permitted for serious crime. | Established a tiered framework for data retention: general retention for national security only, targeted retention for serious crime, and source IP retention as a narrow further tier. Reshaped law enforcement data access across the EU; refined in 2024 (C-470/21) for identifying IP address holders suspected of online offences. |
| CNIL fines against Google and Facebook (decisions of 31 December 2021) | Google fined EUR 150M and Facebook fined EUR 60M because their cookie banners offered a single button to "accept all" but required multiple clicks to refuse cookies, making rejection unreasonably difficult. | Established the "equal prominence" principle: refusing cookies must be as easy as accepting them. Triggered a widespread redesign of cookie consent interfaces. Other DPAs across Europe adopted the same position. Because the obligation stems from the French transposition of ePrivacy rather than the GDPR, the one-stop-shop did not apply and the CNIL could act directly. |
| Meta Platforms v Bundeskartellamt (CJEU, C-252/21, 2023) | Meta could not rely on "contractual necessity" as a legal basis for processing personal data for personalised advertising on Facebook. Such processing requires freely given consent, and users who refuse must be offered an equivalent alternative, if necessary for an appropriate fee. | Closed the contractual necessity route for ad-tech. Companies can no longer bundle consent for advertising into their terms of service. Meta subsequently introduced a paid ad-free subscription option in the EU. |
| Italian DPA (Garante) guidance on cookie walls | Websites cannot deny access to content (cookie walls) unless they offer a genuine free alternative. Pay-or-consent models must meet strict fairness criteria. | Added regulatory pressure against the emerging "pay or consent" model. Raised questions about whether large platforms can charge for privacy as an alternative to consent. |
The ePrivacy Directive is lex specialis to the GDPR. Where both apply, ePrivacy rules take precedence, but the GDPR fills gaps and supplies the consent standard. The table below shows how the two interact on each topic.

| TOPIC | EPRIVACY DIRECTIVE | GDPR | HOW THEY INTERACT |
|---|---|---|---|
| Cookies and device access | Article 5(3) requires prior consent before storing or accessing information on a user's device (cookies, tracking pixels, fingerprinting scripts), except where strictly necessary for a service the user explicitly requested. | Article 4(11) defines consent, Article 6(1)(a) makes it a lawful basis, and Article 7 sets the conditions for valid consent. That standard applies to ePrivacy cookie consent. | ePrivacy governs when consent is needed (the trigger). GDPR governs how consent must be obtained (the standard). Both must be satisfied simultaneously. |
| Direct marketing | Article 13 requires prior consent for unsolicited electronic marketing (email, SMS, automated calling systems). Soft opt-in exception for existing customers. | Recital 47 notes that direct marketing may be a legitimate interest, but processing for marketing still needs a lawful basis, must respect data subject rights, and is subject to the unconditional right to object in Article 21(2). | For electronic marketing, ePrivacy consent rules take precedence. For postal marketing or profiling for marketing purposes, GDPR rules apply. The soft opt-in covers only existing customers and the sender's own similar products or services. |
| Traffic and location data | Articles 6 and 9 restrict processing of traffic data and location data. Traffic data must be erased or anonymised once no longer needed for transmission, with limited exceptions such as billing. | Applies to any personal data processing. Requires a lawful basis, purpose limitation, and data minimisation. Provides data subject rights. | ePrivacy provides the specific, stricter rules for metadata from electronic communications. Where ePrivacy is silent, GDPR fills the gaps. DPAs increasingly apply both frameworks together. |
| Penalties | Set nationally under the directive. Maximum fines vary widely between Member States and enforcement is inconsistent. | Up to EUR 20M or 4% of global turnover. Coordinated enforcement via the EDPB. One-stop-shop mechanism for cross-border cases. | In practice, DPAs often cite both frameworks. Cookie violations are frequently penalised under GDPR fining powers even though the underlying obligation comes from ePrivacy. The one-stop-shop does not extend to ePrivacy matters, which is why the CNIL could fine Google and Facebook directly. The proposed regulation would align penalties. |
| Territorial scope | Applies to providers of publicly available electronic communications services in the EU and, through national transposition, to anyone placing cookies on or marketing to users there. Its extraterritorial reach is less clearly defined than the GDPR's. | Applies to any controller or processor targeting EU residents, regardless of establishment (Article 3(2)). Broad extraterritorial effect. | A website outside the EU targeting EU users must comply with both: GDPR for personal data processing, and ePrivacy (as nationally transposed) for cookie placement and electronic marketing. |
After nine years, the proposed ePrivacy Regulation has still not been adopted. The Polish Presidency (first half of 2025) announced an intention to present a revised compromise text, but fundamental disagreements persist on cookie consent models, metadata retention for law enforcement, and the treatment of encrypted communications. In its 2025 work programme, published in February 2025, the Commission listed the proposal among those it intended to withdraw, citing no foreseeable agreement, so the regulation's future now turns on whether that withdrawal is carried through rather than on further trilogue rounds. Industry and privacy groups remain polarised.
Studies of banner behaviour consistently find that most users (commonly reported at 90% or more) click "accept all" without reading, undermining the purpose of consent. The EDPB and national DPAs are exploring alternatives: browser-level signals such as Global Privacy Control (sent as the Sec-GPC request header and exposed to scripts as navigator.globalPrivacyControl), ADPC (Advanced Data Protection Control), and centralised consent registries. The Commission's Digital Fairness Act consultation included questions on consent fatigue.
Meta's "pay or consent" model for Facebook and Instagram drew EDPB opposition in April 2024. In Opinion 08/2024 the Board found that large online platforms will in most cases not obtain valid consent if users face only a binary choice between consenting to tracking and paying a fee; charging for privacy does not by itself make consent "freely given". Several national DPAs have opened investigations, and in April 2025 the Commission fined Meta EUR 200 million under the Digital Markets Act over the same model.
Following the CJEU's judgment in IAB Europe (C-604/22, March 2024), the Belgian Market Court in May 2024 upheld the core of the Belgian DPA's finding that IAB Europe's Transparency & Consent Framework violates the GDPR: the TC String is personal data, and IAB Europe is a joint controller for its processing. This puts the technical infrastructure underlying most online advertising consent flows across Europe under direct legal pressure.
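The browser-level signals mentioned above raise the practical question of what a server should actually do with them. The following is an added example, not code from the page, from the EDPB or from any browser vendor: a small Node.js consent gate that treats the absence of a consent record as refusal (no pre-ticked default), honours a Sec-GPC: 1 request header when no explicit choice has been recorded, applies a recorded choice even when GPC is set (the GPC specification lets an explicit site-specific choice override the general signal), and filters outgoing Set-Cookie headers so that only strictly necessary cookies and accepted categories are written. The cookie names, category table, consent record format and six-month re-ask window are assumptions for illustration.

```javascript
// Added example, not code from the page or from any regulator or browser
// vendor. Gates non-essential cookies on an affirmative consent record,
// treats silence as refusal, honours the Global Privacy Control request
// header (Sec-GPC: 1), and default-denies unclassified cookies. Cookie names,
// categories, the consent record format and the re-ask window are assumptions.

const CATEGORY_OF = {
  // Strictly necessary for the service the user requested: outside the
  // consent trigger. The consent record itself must be stored to be honoured.
  session_id: "necessary",
  csrf_token: "necessary",
  consent: "necessary",
  // Non-essential: may only be written after a prior affirmative act.
  _ga: "analytics",
  _gid: "analytics",
  ad_id: "advertising",
};
const NON_ESSENTIAL = ["analytics", "advertising"];
const MAX_RECORD_AGE_S = 182 * 24 * 3600; // assumption: re-ask after ~6 months

// Consent record (assumed format): a cookie named "consent" holding URL-encoded
// JSON such as {"v":1,"ts":1700000000,"analytics":true,"advertising":false}.
// Anything missing, malformed or stale counts as "no consent", never "consent".
function parseConsentRecord(cookieHeader, nowSeconds) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== "consent") continue;
    try {
      const rec = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      if (!rec || rec.v !== 1 || typeof rec.ts !== "number") return null;
      if (nowSeconds - rec.ts > MAX_RECORD_AGE_S) return null;
      return rec;
    } catch (_) {
      return null;
    }
  }
  return null;
}

// Decide what the response may do. Returns { permitted, action } where
//   "honour": a valid record exists and is applied (also when Sec-GPC is set:
//             an explicit site-specific choice takes precedence over the signal)
//   "refuse": no record but Sec-GPC: 1, so store a refusal and show no banner
//   "ask":    no record and no signal, so show an equal-prominence prompt
function evaluateConsent(headers, nowSeconds) {
  const permitted = new Set(["necessary"]);
  const record = parseConsentRecord(headers.cookie, nowSeconds);
  if (record) {
    for (const cat of NON_ESSENTIAL) if (record[cat] === true) permitted.add(cat);
    return { permitted, action: "honour" };
  }
  const gpc = String(headers["sec-gpc"] || "").trim() === "1";
  return { permitted, action: gpc ? "refuse" : "ask" };
}

// Filter outgoing Set-Cookie lines against the permitted categories. Unknown
// names are treated as non-essential, so a tracker introduced by a third-party
// script cannot be written just because nobody classified it.
function filterSetCookies(setCookieLines, permitted) {
  return setCookieLines.filter((line) => {
    const eq = line.indexOf("=");
    if (eq < 0) return false;
    const category = CATEGORY_OF[line.slice(0, eq).trim()] || "unclassified";
    return permitted.has(category);
  });
}

// Constructed sample requests and a constructed list of cookies the
// application would like to set on the response.
const NOW = 1700000000;
const consentCookie = (rec) => "consent=" + encodeURIComponent(JSON.stringify(rec));
const SAMPLE_REQUESTS = {
  firstVisit: { cookie: "session_id=abc" },
  gpcUser: { cookie: "session_id=abc", "sec-gpc": "1" },
  analyticsOnly: { cookie: "session_id=abc; " + consentCookie({ v: 1, ts: NOW - 3600, analytics: true, advertising: false }) },
  staleRecord: { cookie: consentCookie({ v: 1, ts: NOW - 400 * 24 * 3600, analytics: true, advertising: true }) },
  garbage: { cookie: "consent=%7Bnot-json" },
};
const OUTGOING = [
  "session_id=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
  "_ga=GA1.2.123; Max-Age=63072000",
  "ad_id=xyz; Max-Age=31536000",
  "new_tracker=1",
];

// Run every sample through the gate: { name: { action, cookies } }.
function demo() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    const { permitted, action } = evaluateConsent(headers, NOW);
    out[name] = { action, cookies: filterSetCookies(OUTGOING, permitted) };
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see each sample request's action and the Set-Cookie lines that survive. The default-deny on unclassified cookie names is the part worth keeping in a real deployment: it turns a compliance control into a security control, because a newly added third-party tracker fails closed instead of silently being written to every visitor's device.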
The CJEU continues to refine its data retention jurisprudence. Member States have attempted "quick freeze" legislation and other workarounds, but the court consistently holds that general, indiscriminate retention of traffic and location data is incompatible with EU fundamental rights. Several national retention laws remain in limbo.
The Commission's Digital Fairness Act consultation addressed dark patterns in cookie consent interfaces. Proposals include requiring standardised consent interfaces and banning manipulative design patterns that steer users toward "accept all." This could supplement ePrivacy rules regardless of whether the regulation is adopted.