Kortave
ePrivacy Regulation · Pending — Replaces ePrivacy Directive

ePrivacy: Cookies, Consent & Electronic Communications

The current ePrivacy Directive, the upcoming ePrivacy Regulation, and what businesses must do now to stay compliant with cookie and marketing rules.

What is ePrivacy — and why does it matter right now?

ePrivacy refers to the legal framework governing the privacy of electronic communications in the EU. Currently, it is based on the ePrivacy Directive (2002/58/EC), as amended in 2009. This Directive covers cookies, direct marketing, confidentiality of communications, and metadata handling.

A new ePrivacy Regulation has been in trilogue negotiations for years and is expected to eventually replace the Directive with a directly applicable EU-wide law, just as GDPR replaced the Data Protection Directive.

Until the Regulation is adopted, the Directive applies — transposed differently across EU member states. This creates significant variation in enforcement across countries, making multi-national compliance complex. France (CNIL), Germany (national DPAs), and the Netherlands (AP) have all issued substantial cookie consent fines.

Who does ePrivacy apply to?

Any business that:

  • Operates a website or app that sets cookies or similar tracking technologies on EU users' devices
  • Sends marketing emails, SMS, or push notifications to EU individuals
  • Provides electronic communication services (messaging, email, VoIP) to EU users
  • Uses tracking pixels, fingerprinting, or behavioural analytics on EU audiences

In practice, this covers virtually every business with an online presence targeting EU users — regardless of where the company is based.

Current ePrivacy Directive requirements

  • Cookie consent: Prior, informed, freely given, and specific consent is required before placing non-essential cookies. Consent must be as easy to withdraw as it was to give. Pre-ticked boxes are invalid.
  • Cookie notice: Users must be clearly informed about what cookies are set, their purpose, and their duration before giving consent.
  • Direct marketing: Opt-in consent is required for direct marketing emails to individuals. Existing customer relationships allow soft opt-in for similar products only.
  • Confidentiality: Electronic communications and associated metadata must remain confidential. Intercepting or monitoring communications without consent is prohibited.
  • Traffic and location data: Data generated by electronic communications (call logs, location data) must be erased or anonymised once no longer needed for billing.

What the incoming ePrivacy Regulation will change

The proposed ePrivacy Regulation strengthens existing rules in several key ways:

  • A single, directly applicable regulation — no more member state variation in transposition
  • Browser and device-level consent signals — users may set preferences at the browser level rather than per-site
  • Expanded scope: OTT communications (WhatsApp, Signal, Teams) will be covered
  • Stricter rules on metadata processing and cross-platform tracking
  • Harmonised penalties aligned with GDPR enforcement levels

Adoption timeline remains uncertain. Political agreement is expected within the current EU legislative term. Businesses should prepare for the stricter rules now.

How Kortave automates ePrivacy compliance

  • Cookie consent management workflow — consent collection, storage, and withdrawal documentation
  • Cookie audit support — categorising cookies by purpose and necessity
  • Direct marketing consent register — opt-in records, timestamp, source, and withdrawal log
  • Per-country compliance mapping — covering DPA guidance across all 27 EU member states
  • Regulatory alerts: monitoring of ePrivacy Regulation adoption news and implementing rules

ePrivacy Compliance · Enforced Now

Cookie consent fines are already happening.

DPAs across France, Germany, Spain, and Italy have issued significant fines for non-compliant cookie banners. Kortave documents your consent flows and keeps you audit-ready.
