EU Cookie Law (ePrivacy Directive) Explained (2026)

The ePrivacy Directive is the EU law that specifically governs how websites and online services use cookies and similar tracking technologies. While the GDPR gets most of the attention in privacy discussions, the ePrivacy Directive is the legal instrument that directly requires cookie consent banners on virtually every website accessible from Europe.
Formally known as Directive 2002/58/EC on Privacy and Electronic Communications, the law was originally adopted in 2002 and significantly amended in 2009 by Directive 2009/136/EC. That 2009 amendment introduced the consent requirement for cookies that transformed the internet browsing experience for hundreds of millions of users.
Understanding this Directive is essential for any website operator with European visitors. This guide covers the legal text, cookie categories, consent requirements, exemptions, how the Directive interacts with the GDPR, implementation differences between EU countries, and the long-delayed ePrivacy Regulation that may eventually replace it.
What Is the ePrivacy Directive?
The ePrivacy Directive (formally Directive 2002/58/EC) is an EU legislative instrument that regulates the processing of personal data and the protection of privacy in the electronic communications sector. It covers a range of issues beyond cookies, including unsolicited marketing communications, traffic data, location data, and confidentiality of communications.
The Directive entered into force on July 31, 2002, as a companion to the broader Data Protection Directive (95/46/EC), which was later replaced by the GDPR in May 2018. While the GDPR replaced the general data protection framework, the ePrivacy Directive was left in place as the sector-specific rule for electronic communications.
The 2009 Amendment: Birth of Cookie Consent
The original 2002 Directive allowed cookies to be placed with a simple opt-out mechanism. Users could block cookies through browser settings, and that was considered sufficient.
Directive 2009/136/EC changed the legal standard from opt-out to opt-in. Article 5(3) of the amended Directive states that storing information or gaining access to information already stored in a user's terminal equipment is only allowed "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."
This single change triggered the wave of cookie consent banners that now appear on websites worldwide.
Article 5(3): The Core Cookie Provision
The operative legal text in Article 5(3) of the amended Directive reads:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the data protection framework], inter alia, about the purposes of the processing."
The provision then carves out an exception: "This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

How the ePrivacy Directive Differs from the GDPR
The ePrivacy Directive and the GDPR are separate legal instruments that work together but cover different ground. Confusion between the two is common and leads to compliance mistakes.
Scope and Relationship
The GDPR is the general data protection regulation that applies to all processing of personal data, regardless of the technology used. The ePrivacy Directive is a lex specialis (specific law) that applies specifically to electronic communications and terminal equipment. Under Article 95 of the GDPR, the GDPR imposes no additional obligations on matters for which the ePrivacy Directive already sets specific obligations with the same objective; in practice, the Directive's specific rules take precedence over the GDPR's general provisions.
In practical terms, the ePrivacy Directive governs the act of placing a cookie on a device. The GDPR governs what happens with the personal data collected through that cookie afterward.
Key Differences
| Aspect | ePrivacy Directive | GDPR |
|---|---|---|
| Legal instrument | Directive (requires national transposition) | Regulation (directly applicable) |
| Scope | Electronic communications and terminal equipment | All personal data processing |
| Cookie consent | Required for all non-essential cookies | Consent is one of six legal bases |
| Applies to | Any data stored on or read from a device (personal or not) | Only personal data |
| Enforcement | National regulators with national penalty frameworks | Supervisory authorities with harmonized GDPR fines |
| Legal basis for cookies | Consent or "strictly necessary" exemption | Six legal bases (consent, legitimate interest, etc.) |
Why This Matters for Cookies
A critical distinction: the ePrivacy Directive applies to all cookies, not only those that process personal data. Even a cookie that stores a non-personal preference (like a language setting that does not identify the user) technically falls under Article 5(3) if it is not strictly necessary. The GDPR, by contrast, only applies when personal data is involved.
This means organizations cannot rely on the GDPR's "legitimate interest" basis to justify analytics or advertising cookies. Under the ePrivacy framework, consent is the only legal basis available for non-essential cookies.

Cookie Categories Under the Directive
The ePrivacy Directive does not itself define cookie categories. The categorization framework used across the EU comes from guidance issued by the Article 29 Working Party (succeeded by the European Data Protection Board in 2018) and national data protection authorities. Four categories are widely recognized.
Strictly Necessary Cookies
These cookies are exempt from the consent requirement under Article 5(3). They enable core functionality that the user explicitly requested. Examples include:
- Session cookies that maintain a logged-in state
- Shopping cart cookies that remember items during a purchase
- Security cookies that detect authentication abuse or fraud
- Load-balancing cookies that distribute traffic across servers
- User interface customization cookies for accessibility settings requested by the user
The exemption is narrow. A cookie is strictly necessary only if the service would not function without it and the user specifically requested that service. A cookie that improves performance or adds convenience but is not essential does not qualify.
Functional Cookies
Functional cookies remember user choices that go beyond what is strictly necessary. Language preferences (when a site could function in a default language), video player settings, and font size choices fall into this category. These require consent under the Directive.
Analytics Cookies
Analytics cookies track user behavior for statistical purposes. Tools like Google Analytics, Matomo, and Adobe Analytics rely on these cookies. They require consent under the ePrivacy Directive, though some national implementations have created limited exemptions for privacy-preserving, first-party analytics.
The French data protection authority (CNIL) has been particularly detailed in its guidance on analytics cookies, distinguishing between first-party analytics tools with limited data sharing and third-party analytics that transfer data to external platforms.
Advertising and Tracking Cookies
These cookies build user profiles for targeted advertising, retargeting, and cross-site tracking. They include third-party cookies placed by advertising networks, social media tracking pixels, and fingerprinting scripts. Advertising cookies always require explicit consent, and regulators have consistently identified this category as the highest privacy risk.
Consent Requirements
The 2009 amendment aligned cookie consent with the broader EU consent standard. The GDPR later strengthened this standard in its definition of consent under Article 4(11) and conditions under Article 7.
What Valid Consent Requires
Valid cookie consent under the ePrivacy Directive, as interpreted through the GDPR's consent standard, must be:
- Freely given: Users cannot be forced to accept cookies as a condition of accessing the site (though "cookie walls" remain contentious; see below)
- Specific: Consent must be requested for each purpose separately, not bundled into a single "accept all" checkbox
- Informed: Users must receive clear information about what cookies are used, what data they collect, who receives the data, and how long the cookies persist
- Unambiguous: Consent requires a clear affirmative action. Scrolling, continuing to browse, or pre-ticked checkboxes do not constitute valid consent
- Withdrawable: Users must be able to withdraw consent as easily as they gave it
The Planet49 Ruling
The Court of Justice of the EU (CJEU) clarified the consent standard in Case C-673/17 (Planet49), decided on October 1, 2019. The court ruled that:
- Pre-ticked checkboxes do not constitute valid consent for cookies
- Consent must be active and specific, not passive
- Users must be informed of the duration of cookie operation and whether third parties have access to the cookies
- The requirement applies regardless of whether the cookie data constitutes personal data
This ruling eliminated any remaining ambiguity about the opt-in standard for cookie consent.
Cookie Walls: An Unresolved Issue
A "cookie wall" blocks access to a website unless the user consents to all cookies. Whether cookie walls are lawful remains debated across the EU. The European Data Protection Board (EDPB) stated in its guidelines on consent that "access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls)."
However, the French Conseil d'Etat ruled in June 2020 that the CNIL could not impose a general and absolute ban on cookie walls through its guidelines, and several national authorities have since accepted "consent or pay" models under conditions (the EDPB addressed such models for large online platforms in Opinion 08/2024). The Dutch data protection authority (AP), by contrast, has stated that websites which grant access only after the visitor accepts tracking cookies do not obtain freely given consent. National positions therefore diverge, leaving this question without a harmonized EU-wide answer as of 2026.
Exemptions from Consent
Article 5(3) provides two narrow exemptions where cookies may be placed without consent.
Transmission Exemption
Cookies used "for the sole purpose of carrying out the transmission of a communication over an electronic communications network" are exempt. This covers technical routing cookies used by network infrastructure, not by website operators.
Strictly Necessary Exemption
Cookies that are "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service" are exempt. The Article 29 Working Party's Opinion 04/2012 provided detailed analysis of which cookies qualify:
Exempt (no consent needed):
- User input cookies (session IDs for forms, shopping carts)
- Authentication cookies
- User-centric security cookies (detecting repeated failed login attempts)
- Multimedia player session cookies
- Load-balancing session cookies
- UI customization cookies (limited to session or with clear user request)
Not exempt (consent required):
- Social media plugin cookies
- Third-party advertising cookies
- First-party analytics cookies (though some national regulators have softened this)
- Persistent preference cookies beyond the immediate session
Country-by-Country Implementation Differences
Because the ePrivacy Directive is a directive rather than a regulation, each EU member state transposed it into national law. This created a patchwork of different implementation approaches, penalty structures, and enforcement priorities.
France
France implemented the Directive through Article 82 of the Loi Informatique et Libertes. The CNIL is among the most active cookie enforcement authorities in Europe. In December 2021, the CNIL fined Google 150 million euros and Facebook 60 million euros for making it difficult for users to reject cookies. The CNIL requires that refusing cookies be as easy as accepting them. It allows a limited exemption for audience measurement cookies under strict conditions (first-party only, aggregated data, limited retention).
Germany
Germany transposed the cookie consent requirement into Section 25 of the Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG), in force since December 2021, which replaced the earlier Telemediengesetz provisions; the act was renamed the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG) in May 2024. The state-level data protection authorities handle most website enforcement, while the Bundesbeauftragte fur den Datenschutz (BfDI) is responsible for federal bodies and telecommunications providers. German courts have been strict about cookie consent, with the Bundesgerichtshof (Federal Court of Justice) adopting the CJEU's Planet49 standard in its May 2020 decision.
Ireland
Ireland implemented the Directive through S.I. No. 336 of 2011, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. The Data Protection Commission (DPC) enforces these rules. Due to Ireland's role as the EU headquarters for major tech companies (Google, Meta, Apple, Microsoft), Irish enforcement decisions on cookies and tracking carry outsized influence across the bloc.
Italy
Italy's implementation is through the Codice in Materia di Protezione dei Dati Personali (Legislative Decree 196/2003), as amended. The Garante per la protezione dei dati personali issued updated cookie guidelines in June 2021 requiring that consent banners include a visible reject button on the first layer. Italy also requires a cookie policy that is separate from the general privacy policy.
Spain
Spain transposed the Directive through Ley 34/2002 (LSSI). The AEPD enforces cookie compliance as part of its broader data protection mandate. Spain has imposed significant fines for cookie violations, including penalties against Vueling Airlines and Vodafone Spain.
Netherlands
The Netherlands implemented the Directive through Article 11.7a of the Telecommunicatiewet. The Autoriteit Persoonsgegevens (AP) is among the strictest authorities on cookie walls: in 2019 it stated that websites which only grant access after the visitor accepts tracking cookies do not comply with the GDPR, because consent given under that pressure is not freely given. This is in line with, rather than a departure from, the EDPB's position.
Belgium
Belgium's Loi du 13 juin 2005 relative aux communications electroniques transposed the Directive. The Autorite de protection des donnees (APD) issued a landmark decision in February 2022 against IAB Europe's Transparency and Consent Framework (TCF), finding that the TCF's cookie consent mechanism itself violated the GDPR. The CJEU largely confirmed the APD's analysis in March 2024 (Case C-604/22), holding that the TC String is personal data and that IAB Europe is a joint controller for it, a ruling that sent shockwaves through the online advertising industry.
The ePrivacy Regulation: A Replacement in Limbo
The European Commission proposed the ePrivacy Regulation in January 2017 to replace the aging Directive. Unlike a directive, a regulation would apply directly and uniformly across all member states, eliminating the implementation patchwork.
Why a Regulation Was Proposed
The Commission identified several problems with the existing Directive:
- Fragmented national implementations creating compliance complexity
- Outdated technology references (the 2002 text predates smartphones and modern tracking)
- Inconsistent enforcement across member states
- Need for alignment with the GDPR's updated data protection framework
- "Cookie consent fatigue" among users caused by poorly designed consent mechanisms
What the Draft Regulation Would Change
The proposed ePrivacy Regulation would:
- Apply directly in all member states without national transposition
- Extend the scope to cover over-the-top (OTT) communications services (WhatsApp, Signal, Messenger)
- Introduce browser-based consent settings as a valid consent mechanism, potentially reducing banner fatigue
- Strengthen the strictly necessary exemption to clearly cover first-party analytics under certain conditions
- Align penalties with the GDPR framework (up to 20 million euros or 4% of global turnover)
- Regulate metadata (location data, communication timestamps) with stronger protections
Current Status (March 2026)
As of March 2026, the ePrivacy Regulation has not been adopted. The European Parliament set its position in October 2017 and the Council of the EU adopted its negotiating mandate in February 2021, but the trilogue negotiations that followed between Parliament, Council, and Commission stalled over fundamental disagreements on several issues:
- The scope of the "legitimate interest" exception for processing communications metadata
- Whether cookie walls should be explicitly permitted or prohibited
- How to handle browser-based consent mechanisms
- The treatment of business-to-business communications
- Transition periods for existing data processing practices
In its 2025 work programme, published in February 2025, the Commission announced the withdrawal of the proposal, citing no foreseeable agreement among the co-legislators. Any replacement would therefore need a fresh proposal, and the Directive, as transposed into national law, remains in force.
Enforcement and Penalties
Because the ePrivacy Directive is transposed through national laws, penalties vary significantly across member states.
Penalty Ranges by Country
| Country | Maximum Cookie Fine | Notable Enforcement |
|---|---|---|
| France | 20 million euros or 4% of global turnover (Loi Informatique et Libertes, Art. 20, applied to Art. 82 breaches) | Google: 150M euros, Facebook: 60M euros (2021) |
| Germany | 300,000 euros (TDDDG) or GDPR fines where personal data is processed | Strict court precedents |
| Italy | GDPR fines (up to 20M euros or 4% turnover) | Garante active on banner design |
| Spain | 30,000 euros for minor and 150,000 euros for serious LSSI infringements, or GDPR fines where personal data is processed | Vodafone, Vueling fined |
| Ireland | 250,000 euros on indictment (S.I. 336/2011) or GDPR fines | DPC handles Big Tech cases |
| Belgium | GDPR fines | IAB Europe TCF decision (2022) |
In practice, many regulators use the GDPR's fine structure (up to 20 million euros or 4% of global annual turnover) when cookies involve personal data processing, which most advertising and analytics cookies do. Note also that the GDPR's one-stop-shop mechanism does not apply to breaches of the national ePrivacy rules, which is why the CNIL could fine Google and Facebook directly rather than deferring to the Irish DPC as lead authority.
Enforcement Trends
Cookie enforcement has intensified across Europe since 2020. Several trends stand out:
- Design matters: Regulators increasingly examine whether consent interfaces are designed to nudge users toward "accept all" through dark patterns, deceptive button placement, or asymmetric design
- Reject must be equal to accept: Multiple authorities now require that rejecting cookies be no more difficult than accepting them
- First-layer reject button: Italy and France explicitly require a reject option on the initial banner layer, not hidden behind a "manage settings" link
- Audit sweeps: National authorities conduct coordinated "sweeps" of popular websites, checking cookie compliance across sectors
Practical Compliance Guide
Organizations operating websites accessible from the EU should take these steps to comply with the ePrivacy Directive.
Before Placing Cookies
- Audit all cookies on your website, including third-party scripts that set cookies
- Classify each cookie as strictly necessary, functional, analytics, or advertising
- Document the purpose, retention period, and data recipients for each cookie
- Remove or replace unnecessary cookies where possible
Implementing Consent
- Display a cookie banner before any non-essential cookies are placed
- Block non-essential cookies until the user makes a choice (prior consent)
- Offer granular options allowing users to accept or reject cookies by category
- Make rejecting as easy as accepting with equal button prominence
- Never use pre-ticked checkboxes for any cookie category
- Store consent records as evidence of valid consent
Ongoing Obligations
- Provide a cookie policy listing all cookies, their purposes, durations, and third-party recipients
- Allow consent withdrawal through a persistent link or button accessible from every page
- Re-request consent periodically (the CNIL recommends a consent validity of 6 months; other authorities accept longer periods, the Spanish AEPD up to 24 months)
- Re-audit cookies regularly as third-party scripts may add new cookies without notice
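The consent steps above (prior blocking, granular categories, no pre-ticked defaults, reject as easy as accept, a stored consent record, withdrawal, and periodic renewal) can be enforced by a small gate that third-party tags must pass through. The following is an added example, not code from the original page or from any consent-management product; the names (createConsentGate, POLICY_VERSION, the six-month window) and the injected storage and clock are assumptions so that it runs in Node without a browser. In a real deployment the storage would wrap a first-party cookie or localStorage and `load` would inject the tag's script element.

```javascript
// Added example: a consent gate for non-essential tags. Not from the original
// page; every name here is hypothetical. Storage and clock are injected so the
// same logic runs in Node (for tests) and in a browser (wrapping localStorage).

const CATEGORIES = ['functional', 'analytics', 'advertising']; // non-essential only
const POLICY_VERSION = '2026-03'; // assumed: bump whenever the cookie list changes
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000; // CNIL's recommended renewal window

function createConsentGate({ storage = new Map(), now = () => Date.now(), maxAgeMs = SIX_MONTHS_MS } = {}) {
  const KEY = 'consent_record';
  const scripts = []; // { category, load, unload, loaded }

  function readRecord() {
    const raw = storage.get(KEY);
    return raw ? JSON.parse(raw) : null;
  }

  // A stored record only counts if it matches the current policy and is not stale;
  // otherwise the banner must be shown again before anything non-essential runs.
  function needsPrompt() {
    const r = readRecord();
    if (!r || r.policyVersion !== POLICY_VERSION) return true;
    return now() - r.timestamp > maxAgeMs;
  }

  function isAllowed(category) {
    const r = readRecord();
    return !needsPrompt() && r.choices[category] === true;
  }

  // Tags register here. Nothing loads until a valid decision exists (prior consent).
  // Strictly necessary functionality is never routed through the gate.
  function registerScript(category, load, unload = () => {}) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const entry = { category, load, unload, loaded: false };
    scripts.push(entry);
    if (isAllowed(category)) { entry.load(); entry.loaded = true; }
  }

  // Reconcile loaded tags with the current record: load newly allowed ones,
  // call unload on those whose consent was withdrawn.
  function apply() {
    for (const s of scripts) {
      const ok = isAllowed(s.category);
      if (ok && !s.loaded) { s.load(); s.loaded = true; }
      if (!ok && s.loaded) { s.unload(); s.loaded = false; }
    }
  }

  // Granular decision. Every category defaults to false (no pre-ticked boxes) and
  // only an explicit boolean true counts as an affirmative act. The stored record
  // (policy version, time, how the choice was made) is the evidence of consent.
  function decide(choices, { source = 'banner' } = {}) {
    const normalized = {};
    for (const c of CATEGORIES) normalized[c] = choices[c] === true;
    const record = { policyVersion: POLICY_VERSION, timestamp: now(), source, choices: normalized };
    storage.set(KEY, JSON.stringify(record));
    apply();
    return record;
  }

  // Accept-all and reject-all are symmetric single actions; withdrawal is just as
  // easy as consenting and is itself recorded rather than silently deleted.
  const acceptAll = () => decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])), { source: 'accept_all' });
  const rejectAll = () => decide({}, { source: 'reject_all' });
  const withdraw = () => decide({}, { source: 'withdraw' });

  return { needsPrompt, isAllowed, registerScript, decide, acceptAll, rejectAll, withdraw, getRecord: readRecord };
}

// Walk-through with two constructed tags and a fake clock.
function demo() {
  let t = 1000000;
  const gate = createConsentGate({ now: () => t });
  const log = [];
  gate.registerScript('analytics', () => log.push('analytics:on'), () => log.push('analytics:off'));
  gate.registerScript('advertising', () => log.push('ads:on'), () => log.push('ads:off'));
  const beforeDecision = log.length;                       // 0: nothing ran before a choice
  gate.decide({ analytics: true, advertising: 'yes' });    // 'yes' is not an affirmative boolean
  const afterDecision = [...log];                          // only analytics loaded
  t += SIX_MONTHS_MS + 1;
  const stale = gate.needsPrompt();                        // true: consent must be renewed
  gate.withdraw();                                         // analytics is unloaded and logged
  return { beforeDecision, afterDecision, stale, finalLog: log, record: gate.getRecord() };
}
```

In a browser the unload callback cannot reach into a third party's already-set cookies, so withdrawal should also expire the first-party cookies you control and, for analytics vendors, call whatever opt-out the vendor's script exposes; the record's `source` field is what you produce when a regulator asks how consent was obtained.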
This is general legal information, not legal advice. Cookie law compliance requirements depend on the specific jurisdictions your website serves, the types of cookies used, and the nature of the data collected. Consult a data protection attorney for advice specific to your situation.
Sources and References
- Directive 2002/58/EC on Privacy and Electronic Communications (eur-lex.europa.eu)
- Directive 2009/136/EC (Cookie Amendment) (eur-lex.europa.eu)
- CJEU Case C-673/17 (Planet49) (curia.europa.eu)
- Article 29 Working Party Opinion 04/2012 (ec.europa.eu)
- EDPB Guidelines 05/2020 on Consent (edpb.europa.eu)
- GDPR, Regulation (EU) 2016/679 (eur-lex.europa.eu)
- Proposed ePrivacy Regulation, COM(2017) 10 (eur-lex.europa.eu)
- CNIL Cookie Guidelines (cnil.fr)
- Italy Garante Cookie Guidelines (garanteprivacy.it)
- Spain LSSI (Ley 34/2002) (boe.es)
- Germany BfDI (bfdi.bund.de)
- Ireland S.I. No. 336/2011 (irishstatutebook.ie)
- Netherlands Telecommunicatiewet (wetten.overheid.nl)
- France Loi Informatique et Libertes, Art. 82 (legifrance.gouv.fr)