Everything about the ePrivacy Directive — cookie consent, communications confidentiality, and direct marketing rules.
The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) particularises and complements the GDPR for the electronic communications sector. It establishes rules on confidentiality of communications, processing of traffic and location data, use of cookies and similar tracking technologies, and unsolicited commercial communications. Article 5(3) requires prior informed consent before storing or accessing information on a user's device — the famous "cookie consent" rule. A proposed ePrivacy Regulation to replace the directive has been in negotiation since 2017.
Providers of publicly available electronic communications services and networks in the EU. Also applies to any website or app operator that places cookies or similar trackers on users' devices — essentially any digital service accessible to EU users.
Article 2
Article 4
Article 5
Article 5(3)
Article 6
Article 9
Article 13
Article 14a
Article 15
Cookie consent enforcement
1 Oct 2020 · CJEU Planet49 ruling confirmed that pre-ticked cookie boxes are not valid consent.
Determined by Member States. CNIL (France) has imposed fines up to €300M for cookie violations. ICO (UK) can fine up to £500,000 under current legislation.
Article 5(3) of the ePrivacy Directive is the legal basis for cookie consent banners across the web.
Law4Devs provides the full ePrivacy Directive as structured JSON. Filter by topic, obligation type, or affected party. Cross-reference with GDPR.
GET /v1/frameworks/epd/articles → 200 OK · structured JSON · official EUR-Lex source
The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) particularises and complements the GDPR for the electronic communications sector. It establishes rules on confidentiality of communications, processing of traffic and location data, use of cookies and similar tracking technologies, unsolicited commercial communications (spam), and calling line identification. Often called the "cookie law," it requires consent before storing or accessing information on a user's device, with limited exceptions for technically necessary operations.
The ePrivacy Directive applies to providers of publicly available electronic communications services and networks in the EU. Following CJEU rulings (particularly Planet49 and the Belgian case), it also applies to any website or app operator that places cookies or similar trackers on users' devices. Essentially, any entity operating a website, mobile app, or online service accessible to EU users that uses cookies, analytics, advertising trackers, or processes communications metadata is affected by the directive.
Article 5(3) requires prior informed consent before storing or accessing information on a user's terminal equipment (cookies, device fingerprinting, local storage). Consent must meet GDPR standards: freely given, specific, informed, and unambiguous. Only two exceptions exist: cookies strictly necessary for transmission of a communication, and cookies strictly necessary for a service explicitly requested by the user. Pre-ticked boxes and cookie walls that block access are generally non-compliant. A proposed ePrivacy Regulation to replace the directive has been in negotiation since 2017.
Law4Devs provides the full ePrivacy Directive text as structured JSON via API. Filter by topic (cookies, direct marketing, traffic data, communications confidentiality), obligation type, or affected party. Access specific provisions on consent requirements, legitimate processing grounds, and data retention rules. Cross-reference with the GDPR for consent and personal data provisions. Essential for building cookie consent management platforms or privacy compliance tools.
All articles, recitals, and amendments — queryable, filterable, and always up to date.