
The ePrivacy Directive: The EU's Cookie Law Explained

When people refer to "the EU cookie law," they usually mean the ePrivacy Directive, and specifically its Article 5(3). While the GDPR gets most of the headlines, the ePrivacy Directive is the instrument that directly governs the use of cookies and similar tracking technologies. Understanding this directive, its relationship to the GDPR, and the fate of the proposed ePrivacy Regulation is essential for anyone responsible for cookie compliance on a European website.

What Is the ePrivacy Directive?

The ePrivacy Directive (officially Directive 2002/58/EC) was adopted on 12 July 2002 as part of the EU's telecommunications privacy framework. It was originally focused on privacy in electronic communications — covering topics like the confidentiality of communications, traffic data, spam, and caller identification.

In 2009, the directive was significantly amended by Directive 2009/136/EC (often called the "Citizens' Rights Directive"), which member states had to transpose by 25 May 2011. This amendment introduced the consent requirement for cookies that we know today, replacing the previous opt-out regime with an opt-in model. Before 2009, websites only needed to inform users about cookies and give them the right to refuse. After 2009, prior consent became mandatory for all non-essential cookies.

Unlike the GDPR, which is a regulation (directly applicable in all member states), the ePrivacy Directive is a directive (each member state must transpose it into national law). This means the specific cookie rules vary from country to country, even though the underlying requirements are the same.

Article 5(3): The Cookie Consent Rule

Article 5(3) of the ePrivacy Directive is the provision that directly governs cookies. In its amended form, it states:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection Directive, now the GDPR], inter alia, about the purposes of the processing."

This provision establishes several key requirements:

  1. Scope: It covers any storage of information on a user's device, or access to information stored on a user's device. This includes cookies, but also local storage, IndexedDB, device fingerprinting, tracking pixels, and any other technology that reads from or writes to the user's device. The EDPB's Guidelines 2/2023 on the technical scope of Article 5(3) confirm this broad reading: the provision is triggered whenever the device is instructed to store information or to send back information already stored on it, whether or not a cookie is involved.
  2. Prior consent: Consent must be obtained before the information is stored or accessed — not after.
  3. Informed consent: The user must be provided with clear and comprehensive information about the purposes of the storage or access.
  4. Consent standard: The reference to the GDPR (originally the Data Protection Directive) means that the GDPR's definition and conditions for consent apply. Consent must be freely given, specific, informed, and unambiguous.

The "Strictly Necessary" Exemption

Article 5(3) includes an important exemption in its second sentence:

"This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

This exemption covers two categories of cookies that do not require consent:

  1. Cookies necessary for transmitting a communication (e.g., load-balancing cookies).
  2. Cookies strictly necessary to provide a service explicitly requested by the user (e.g., shopping cart cookies, authentication session cookies, user preference cookies for a service the user is actively using).

The European Data Protection Board's predecessor, the Article 29 Working Party, provided detailed guidance on which cookies qualify as strictly necessary in Opinion 04/2012. Examples include:

  • Exempt (no consent required): Session cookies for user input (multi-step forms), authentication cookies, shopping cart cookies, security cookies (CSRF tokens), multimedia player session cookies, load-balancing cookies, UI customization cookies (language preference) for the current session.
  • Not exempt (consent required): Analytics cookies (including Google Analytics), advertising cookies, social media sharing/tracking cookies, persistent preference cookies that last beyond the session, any third-party tracking cookies.

The critical distinction is between cookies that serve the user's explicit request and cookies that serve the website operator's interests. A language preference cookie set because the user clicked a language selector is strictly necessary. An analytics cookie set to help the website operator understand traffic is not — even though the operator considers it important.

How ePrivacy and GDPR Work Together

The relationship between the ePrivacy Directive and the GDPR is one of lex specialis (specific law) and lex generalis (general law). The ePrivacy Directive is the specific law governing privacy in electronic communications, while the GDPR is the general data protection framework.

In practical terms:

  • The ePrivacy Directive governs whether you may place a cookie on a user's device. It requires consent for non-essential cookies, regardless of whether the cookie contains personal data.
  • The GDPR governs what constitutes valid consent and how you may process any personal data collected through cookies. It also provides the enforcement framework, including the right to lodge complaints with DPAs and the substantial fine regime.

This means that even a cookie that does not contain personal data (for example, a randomly generated analytics identifier with no link to any other data) still requires consent under the ePrivacy Directive, because Article 5(3) applies to any storage on the user's device, not just storage of personal data. In practice the point is largely academic: a persistent identifier that singles out a device is usually personal data under the GDPR anyway, so treating such identifiers as anonymous is rarely a safe position.

Conversely, if you process personal data through cookies, you must comply with the full GDPR framework: lawful basis, transparency, data subject rights, data protection impact assessments, and all other obligations.

National Implementations

Because the ePrivacy Directive is a directive rather than a regulation, each EU member state has transposed it into national law with some variation. While the core requirement — consent before non-essential cookies — is consistent across all member states, there are notable differences in:

  • Enforcement intensity: France (CNIL), Italy (Garante) and Spain (AEPD) have been among the most active in cookie enforcement, while other countries have focused their resources elsewhere. Because the cookie rules sit in national law rather than in the GDPR, a DPA can fine a website directly for cookie violations without going through the GDPR's one-stop-shop cooperation mechanism; this is the route CNIL has used for its largest cookie fines.
  • Specific exemptions: Some countries have adopted slightly broader or narrower interpretations of the "strictly necessary" exemption.
  • Analytics cookies: Article 5(3) offers no legitimate-interest alternative to consent, so the real question is whether narrowly scoped audience measurement can fall within the "strictly necessary" exemption. The French CNIL's exemption for audience measurement tools that meet strict conditions (first-party use, aggregated statistics only, no cross-site tracking, limited identifier lifetime) is the most notable example, though it remains contested and other DPAs have not adopted it uniformly.
  • Cookie walls: The legality of cookie walls (requiring consent to access a website) varies by jurisdiction. The Dutch DPA and the EDPB (Guidelines 05/2020 on consent) have taken a strict position against them. In 2020 the French Conseil d'Etat annulled CNIL's general ban, holding that a blanket prohibition could not be imposed through non-binding guidelines; it did not declare cookie walls lawful as such, and their validity still turns on whether consent can be considered freely given.

The Proposed ePrivacy Regulation

The European Commission published a proposal for an ePrivacy Regulation on 10 January 2017, intended to replace the ePrivacy Directive and align the cookie rules with the GDPR. The Council took until February 2021 to agree a negotiating mandate, the trilogues with the Parliament then stalled, and in February 2025 the Commission announced in its work programme that it would withdraw the proposal because no agreement was foreseeable, ending one of the longest-running legislative processes in EU history.

Key Changes in the Proposed Regulation

While no final text has been agreed, the proposal and the subsequent Council positions suggested several significant changes:

  • Direct applicability: As a regulation rather than a directive, the ePrivacy Regulation would apply uniformly across all member states, eliminating the current fragmentation.
  • Browser-based consent: Early proposals included provisions for users to set their cookie preferences at the browser level rather than responding to individual cookie banners on every website. This would dramatically simplify the user experience, though the technical and political challenges are significant.
  • Expanded scope: The proposal would have explicitly covered over-the-top (OTT) communication services such as WhatsApp and Skype. Much of that gap has since been closed by another route: since the European Electronic Communications Code took effect in December 2020, the directive's definition of electronic communications services includes number-independent interpersonal communications services, so the confidentiality rules already reach such services.
  • Clearer exemptions: The regulation aims to clarify which types of cookies are exempt from consent, potentially broadening the exemption to include certain types of audience measurement.
  • Metadata rules: New provisions governing the processing of communications metadata (location data, connection times) beyond what the current directive covers.
  • Harmonized enforcement: The regulation would establish a consistent enforcement mechanism, likely modeled on the GDPR's one-stop-shop principle.

Current Status and Timeline

The proposal never made it through. The Parliament adopted its position in October 2017, the Council only reached a general approach in February 2021, and the trilogues that followed broke down over the browser-based consent mechanism, the scope of the "strictly necessary" exemption and the rules for metadata processing. In February 2025 the Commission listed the proposal for withdrawal in its work programme, stating that no agreement was foreseeable.

The practical consequence is that the ePrivacy Directive, as transposed into national law and supplemented by the GDPR's consent framework, remains the governing law for the foreseeable future; any replacement would have to start from a fresh proposal. Website operators should plan on that basis.

Practical Implications for Website Owners

Regardless of what eventually replaces the ePrivacy Directive, the current rules are clear and actively enforced. Website owners should:

  1. Treat the current regime as the baseline. The consent requirement for non-essential cookies is established law across the EU. Do not wait for the ePrivacy Regulation to implement compliance.
  2. Block non-essential cookies before consent. This is the most technically challenging aspect of compliance, but it is non-negotiable. Your cookie consent mechanism must prevent scripts from setting cookies, or writing to local storage and similar APIs, until the user has actively consented, and it must fail closed: no recorded decision means no consent. Third-party tags that load unconditionally and set their own cookies are the most common way sites fail this test.
  3. Apply the GDPR consent standard. When the ePrivacy Directive says "consent," it means GDPR consent: freely given, specific, informed, unambiguous, and demonstrated by a clear affirmative action.
  4. Document your strictly necessary cookies. Maintain a clear record of which cookies you consider strictly necessary and why. Be prepared to justify this classification if challenged by a DPA.
  5. Monitor national developments. Because the ePrivacy Directive is implemented differently in each country, stay informed about the guidance and enforcement activity of the DPAs in the countries where your users are located.
  6. Do not plan around the ePrivacy Regulation. With the 2017 proposal withdrawn, there is no successor text to anticipate, and any future instrument would start from scratch. A consent management system built carefully against the current rules, including the EDPB's guidance on consent and on the technical scope of Article 5(3), is what will carry over to whatever comes next.
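The steps above (block before consent, apply the GDPR consent standard, document the strictly necessary set) come together in a small consent gate. The following is an added example written for this page, not code from the article or from any consent-management product. Everything in it is an assumption: the consent categories "analytics", "advertising" and "functional"; the convention of shipping non-essential tags inert as `<script type="text/plain" data-consent="analytics" src="...">`; the hypothetical first-party cookie name `site_consent` for the stored decision; the site's own documented strictly-necessary list in `STRICTLY_NECESSARY`; and the `_ga`/`_gid`/`_fbp` name-to-category mapping used by the audit. The audit and decision logic are pure functions so they run under Node as well as in the browser.

```javascript
// Added example (not from the article): a fail-closed consent gate for non-essential
// scripts plus a pre-consent cookie audit. All names and categories below are assumptions.

const CONSENT_COOKIE = 'site_consent';               // hypothetical first-party cookie
const CATEGORIES = ['analytics', 'advertising', 'functional'];

// Step 4 of the list above: the documented strictly-necessary cookies, each with its justification.
const STRICTLY_NECESSARY = {
  sessionid: 'authentication session for the logged-in user',
  csrftoken: 'CSRF protection for forms the user submits',
  cart: 'shopping cart the user is actively filling',
  [CONSENT_COOKIE]: 'records the consent decision itself',
};

// Assumed mapping of known non-essential cookie name prefixes to a consent category.
const NON_ESSENTIAL_PREFIXES = { _ga: 'analytics', _gid: 'analytics', _fbp: 'advertising' };

// Parse a document.cookie style string ("a=1; b=2") into an object {name: value}.
function parseCookieString(str) {
  const out = {};
  for (const part of (str || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

function refusedAll() {
  return Object.fromEntries(CATEGORIES.map(c => [c, false]));
}

// Read the stored decision. Missing, unparsable or tampered cookie => nothing consented.
// Only an explicit boolean true counts; a missing key is a refusal, never a default opt-in.
function readConsent(cookieStr) {
  const raw = parseCookieString(cookieStr)[CONSENT_COOKIE];
  if (!raw) return refusedAll();
  try {
    const parsed = JSON.parse(decodeURIComponent(raw));
    return Object.fromEntries(CATEGORIES.map(c => [c, parsed[c] === true]));
  } catch {
    return refusedAll();
  }
}

// Build the Set-Cookie value recording an explicit choice made via the banner.
function buildConsentCookie(choice, maxAgeSeconds = 180 * 24 * 3600) {
  const stored = Object.fromEntries(CATEGORIES.map(c => [c, choice[c] === true]));
  const value = encodeURIComponent(JSON.stringify(stored));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax; Secure`;
}

// Classify a cookie name: 'necessary', one of CATEGORIES, or 'unknown' (needs review).
function categoryOf(name) {
  if (name in STRICTLY_NECESSARY) return 'necessary';
  for (const [prefix, cat] of Object.entries(NON_ESSENTIAL_PREFIXES)) {
    if (name.startsWith(prefix)) return cat;
  }
  return 'unknown';
}

// Audit: every cookie present that is neither documented as strictly necessary nor covered
// by a category the user consented to violates the prior-consent rule. Unknown names are
// always reported, since an undocumented cookie cannot be justified as strictly necessary.
function auditCookies(cookieStr, consent) {
  return Object.keys(parseCookieString(cookieStr)).filter(name => {
    const cat = categoryOf(name);
    return cat !== 'necessary' && !(cat !== 'unknown' && consent[cat] === true);
  });
}

// Decide which inert scripts may be activated for the given consent state (pure, testable).
function selectScripts(scripts, consent) {
  return scripts.filter(s => CATEGORIES.includes(s.category) && consent[s.category] === true);
}

// Browser side: swap consented inert <script type="text/plain"> tags for executable ones.
// Tags whose category was not consented to stay inert, so they never run and never set cookies.
function activateConsentedScripts(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const descriptors = inert.map(el => ({ category: el.dataset.consent, el }));
  for (const { el } of selectScripts(descriptors, consent)) {
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);   // inserting the new element is what triggers execution
  }
}

// Page load: read the stored decision first, activate only what it covers. Guarded so the
// pure functions above can also be exercised under Node.
if (typeof document !== 'undefined') {
  activateConsentedScripts(document, readConsent(document.cookie));
}
```

The gate fails closed in three places: no stored cookie, a corrupt or tampered value, and any key that is not literally `true` all resolve to "refused", so a bug in the banner can only under-load, never over-load, third-party tags. Running `auditCookies(document.cookie, readConsent(document.cookie))` on a fresh visit should return an empty array; anything it lists is a cookie set before consent, which is exactly what a DPA scan would flag.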

The ePrivacy Directive may be over two decades old, but it remains the cornerstone of cookie law in Europe. Combined with the GDPR's consent framework and the active enforcement programs of national DPAs, it creates a regulatory environment where cookie compliance is not optional — it is a legal obligation with real financial consequences for non-compliance.
