ePrivacy Directive

Cookie Law (European Union) - Directive 2002/58/EC

What is the ePrivacy Directive?

The ePrivacy Directive (officially Directive 2002/58/EC, as amended by Directive 2009/136/EC) is commonly known as the "Cookie Law." It is European Union legislation that specifically governs the privacy of electronic communications, with particular focus on the use of cookies and similar tracking technologies on websites.

While the GDPR provides broad data protection rules, the ePrivacy Directive focuses specifically on the confidentiality of electronic communications and the use of tracking technologies. Think of it as GDPR's companion legislation for cookies and online tracking.

Key Requirements for Cookies

1. Prior Informed Consent

Before storing or accessing information on a user's device (through cookies or similar technologies), you must obtain their informed consent. This means:

  • Consent must be obtained BEFORE cookies are placed
  • Users must be clearly informed about the purpose of each cookie
  • Consent must be freely given, specific, and unambiguous
  • Pre-ticked boxes are NOT valid consent
  • Silence, inactivity, or scrolling does NOT constitute consent

2. Strictly Necessary Cookies Exception

The only exception to the consent requirement is for cookies that are "strictly necessary" for the service explicitly requested by the user. Examples include:

  • Shopping cart cookies for e-commerce sites
  • Session cookies for logged-in users
  • Load-balancing cookies for website performance
  • Security cookies for fraud prevention

Important: Analytics cookies, advertising cookies, and social media cookies are NOT considered strictly necessary and require consent.

3. Clear and Comprehensive Information

Users must receive clear and comprehensive information about:

  • What cookies will be placed on their device
  • The purpose of each cookie or cookie category
  • Who will have access to the information collected
  • How long cookies will be stored
  • How to withdraw consent

4. Easy Withdrawal of Consent

Users must be able to withdraw their consent as easily as they gave it. This means providing a clear mechanism for users to:

  • Change their cookie preferences at any time
  • Access the cookie settings without difficulty
  • See the effect of their choices immediately

ePrivacy vs GDPR: Understanding the Relationship

Both regulations apply simultaneously in the EU, and compliance with both is required:

ePrivacy Directive

  • Scope: Specifically addresses cookies and electronic communications privacy
  • Focus: Consent for storing/accessing information on devices
  • Application: Applies to all websites targeting EU users
  • Enforcement: Enforced by national data protection authorities in each EU member state

GDPR (General Data Protection Regulation)

  • Scope: Broad regulation covering all personal data processing
  • Focus: Overall data protection and privacy rights
  • Application: Applies to all organizations processing EU residents' personal data
  • Enforcement: Uniform enforcement across all EU member states

How They Work Together

In practice, you must comply with BOTH regulations when using cookies:

  • ePrivacy Directive requires consent to place cookies
  • GDPR defines what constitutes valid consent and requires you to document it
  • GDPR gives users rights over their data collected through cookies
  • Both regulations require clear information and easy opt-out mechanisms

Upcoming ePrivacy Regulation

Future Changes

The ePrivacy Directive is expected to be replaced by the ePrivacy Regulation (ePR), which will have stricter requirements and direct applicability across all EU member states (like GDPR). Expected changes include:

  • Stricter consent requirements aligned with GDPR
  • Greater enforcement powers and higher fines
  • Clearer rules for browser-level consent mechanisms
  • Expanded scope covering new tracking technologies

How CookieConfig Ensures Compliance

CookieConfig is designed to help you comply with ePrivacy Directive requirements:

Prior Consent

  • Scripts are blocked BEFORE they load until consent is obtained
  • No cookies are placed before the user makes a choice
  • All consent is opt-in (no pre-ticked boxes)

Cookie Categories

  • Clear separation between strictly necessary and other cookies
  • Granular control over Functional, Analytics, and Marketing cookies
  • Strictly necessary cookies are clearly labeled and exempt from consent requirements

Information and Transparency

  • Clear descriptions of each cookie category
  • Customizable banner text to explain your specific cookie usage
  • Link to your privacy policy from the banner

Easy Withdrawal

  • Users can access cookie preferences at any time
  • One-click changes to cookie preferences
  • Immediate effect when consent is withdrawn (scripts are blocked)

Documentation and Audit Trail

  • Complete logging of all consent decisions with timestamps
  • Visitor ID tracking for consent records
  • PDF/CSV export of consent logs for compliance audits
  • Geographic data (country/region) for each consent decision

Implementation Checklist

  1. Install CookieConfig

    Place the script tag in your website's <head> section BEFORE any tracking scripts.

  2. Configure Cookie Categories

    Review and customize the cookie categories in your dashboard to match your actual cookie usage.

  3. Update Privacy Policy

    Ensure your privacy policy includes detailed information about:

    • What cookies you use and why
    • How long cookies are stored
    • Who has access to cookie data
    • How users can control cookies

  4. Test the Banner

    Verify that:

    • The banner appears before any tracking cookies are set
    • Rejecting cookies actually blocks tracking scripts
    • Users can easily access and change preferences

  5. Regular Audits

    Periodically review your cookie usage to ensure your banner and privacy policy remain accurate.
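As an added example (not CookieConfig's own code), here is the consent logic that the "Prior Consent", "Easy Withdrawal" and "Test the Banner" sections describe, reduced to a model you can run without a browser: strictly necessary cookies are always allowed, every other category defaults to off, each decision is logged with a timestamp, withdrawing consent immediately removes that category's scripts from the set that may run, and a pre-consent audit flags cookies observed before any choice was made. The category names, the `data-cookie-category` markup convention and all sample cookies and script URLs are assumptions.

```javascript
// Added example (not CookieConfig's code); category names and sample data are assumptions.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Starting state before any choice: only strictly necessary is on,
// every other category is unchecked (opt-in, no pre-ticked boxes).
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// Apply a user's explicit choices and produce an audit entry with a timestamp.
// "necessary" is never toggled: it is exempt from consent and cannot be refused.
function recordDecision(state, choices, now = new Date()) {
  const next = { ...state };
  for (const cat of CATEGORIES) {
    if (cat !== "necessary" && cat in choices) next[cat] = Boolean(choices[cat]);
  }
  return { state: next, entry: { at: now.toISOString(), choices: { ...next } } };
}

// Tags are kept inert as <script type="text/plain" data-cookie-category="..."> and only
// activated (in the browser: swapped for a real script node) once their category is consented.
function scriptsToActivate(scripts, state) {
  return scripts.filter(s => s.category === "necessary" || state[s.category] === true);
}

// Checklist step "Test the Banner": any cookie observed before a decision that
// is not on the strictly necessary allowlist is a violation.
function preConsentViolations(observedCookies, necessaryAllowlist) {
  const allow = new Set(necessaryAllowlist);
  return observedCookies.filter(name => !allow.has(name));
}
// Constructed walk-through: accept analytics, then withdraw it.
function demo() {
  const scripts = [
    { src: "/session.js", category: "necessary" },
    { src: "https://analytics.example/tag.js", category: "analytics" },
    { src: "https://ads.example/pixel.js", category: "marketing" },
  ];
  const log = [];
  let state = defaultConsent();
  const before = scriptsToActivate(scripts, state).map(s => s.src);
  let r = recordDecision(state, { analytics: true }, new Date("2024-01-01T10:00:00Z"));
  state = r.state; log.push(r.entry);
  const accepted = scriptsToActivate(scripts, state).map(s => s.src);
  r = recordDecision(state, { analytics: false }, new Date("2024-01-01T10:05:00Z"));
  state = r.state; log.push(r.entry);
  const withdrawn = scriptsToActivate(scripts, state).map(s => s.src);
  return { before, accepted, withdrawn, log };
}
```

Calling `demo()` shows the marketing script never activating and the analytics script disappearing from the activation set as soon as consent is withdrawn, while `log` holds the two timestamped decisions an audit export would need.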

Common Compliance Mistakes to Avoid

1. Cookie Walls

Issue: Forcing users to accept cookies to access your website (cookie walls) may not be compliant.

Solution: Provide genuine choice. Users should be able to reject non-essential cookies and still access your basic content.

2. Implied Consent

Issue: Assuming that continued browsing or scrolling constitutes consent.

Solution: Require an explicit action (clicking "Accept" or selecting preferences) for consent.

3. Pre-Ticked Boxes

Issue: Having cookie categories pre-selected or pre-ticked.

Solution: All non-essential cookies must be opt-in (unchecked by default).

4. Unclear Information

Issue: Vague or overly technical language in cookie notices.

Solution: Use clear, plain language to explain what cookies do and why you need them.

5. Difficult Opt-Out

Issue: Making it harder to reject cookies than to accept them (dark patterns).

Solution: Provide equally prominent "Accept" and "Reject" buttons.

Enforcement and Penalties

The ePrivacy Directive is enforced by national data protection authorities in each EU member state. Penalties vary by country but can be substantial:

  • France (CNIL): Up to €20 million or 4% of annual global turnover
  • Germany: Up to €300,000 for cookie violations
  • UK (ICO): Up to £500,000 for serious breaches
  • Italy: Up to €20 million or 4% of annual global turnover

Recent Enforcement Actions:

  • Google fined €90 million by CNIL (France) in 2020 for non-compliant cookies
  • Amazon fined €35 million by CNIL (France) in 2020 for cookie violations
  • Multiple European companies fined for cookie wall practices

National Implementations

Since the ePrivacy Directive is a directive (not a regulation), each EU member state has implemented it into national law with some variations:

  • France: CNIL provides detailed cookie guidance and actively enforces compliance
  • Germany: TTDSG (Telecommunications-Telemedia Data Protection Act) implements ePrivacy requirements
  • UK: PECR (Privacy and Electronic Communications Regulations) applies (even post-Brexit)
  • Spain: LSSI (Information Society Services Law) includes cookie requirements
  • Italy: Italian DPA provides specific cookie guidelines

While the core requirements are similar, it's advisable to review specific guidance from the data protection authority in countries where you have significant user bases.

Best Practices for Compliance

  1. Be Transparent: Clearly explain what cookies you use and why
  2. Keep It Simple: Use plain language, not legal jargon
  3. Respect Choices: Honor user preferences immediately and consistently
  4. Stay Updated: Monitor guidance from EU data protection authorities
  5. Document Everything: Keep records of consent and your compliance efforts
  6. Regular Reviews: Audit your cookies regularly as your website changes
  7. Test Thoroughly: Verify that cookie blocking works as expected

Legal Disclaimer

CookieConfig is a tool to help implement cookie consent requirements. However, it is not legal advice. Your specific compliance obligations depend on your business activities, location, and target markets. We recommend consulting with legal counsel familiar with ePrivacy and GDPR requirements for your specific situation.

Related Regulations and Resources