The ePrivacy Directive governs privacy in electronic communications, establishing rules on cookies, direct marketing, traffic data, and confidentiality of communications.
Focus: Cookies, electronic communications privacy, direct marketing, traffic data, location data
Article 2 — Definitions
Article 4 — Security
Article 5 — Confidentiality of Communications
Article 5(3) — Cookies and Similar Technologies
Article 6 — Traffic Data
Article 9 — Location Data
Article 13 — Unsolicited Communications
Article 14a — Implementing Measures
Article 15 — Restrictions
GET /v1/frameworks/epd/articles → 200 OK · structured JSON · official source
The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) particularises and complements the GDPR for the electronic communications sector. It establishes rules on confidentiality of communications, processing of traffic and location data, use of cookies and similar tracking technologies, unsolicited commercial communications (spam), and calling line identification. Often called the "cookie law," it requires consent before storing or accessing information on a user's device, with limited exceptions for technically necessary operations.
The ePrivacy Directive applies to providers of publicly available electronic communications services and networks in the EU. Following CJEU rulings (particularly Planet49 and the Belgian case), it also applies to any website or app operator that places cookies or similar trackers on users' devices. Essentially, any entity operating a website, mobile app, or online service accessible to EU users that uses cookies, analytics, advertising trackers, or processes communications metadata is affected by the directive.
Article 5(3) requires prior informed consent before storing or accessing information on a user's terminal equipment (cookies, device fingerprinting, local storage). Consent must meet GDPR standards: freely given, specific, informed, and unambiguous. Only two exceptions exist: cookies strictly necessary for transmission of a communication, and cookies strictly necessary for a service explicitly requested by the user. Pre-ticked boxes and cookie walls that block access are generally non-compliant. A proposed ePrivacy Regulation to replace the directive has been in negotiation since 2017.
Law4Devs provides the full ePrivacy Directive text as structured JSON via API. Filter by topic (cookies, direct marketing, traffic data, communications confidentiality), obligation type, or affected party. Access specific provisions on consent requirements, legitimate processing grounds, and data retention rules. Cross-reference with the GDPR for consent and personal data provisions. The API is essential for building cookie consent management platforms or privacy compliance tools.