ePrivacy Directive

Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector

Key Facts

  • Effective Date: May 25, 2011
  • Enacted: July 12, 2002
  • Enforcing Authority: Varies by member state — national DPA, telecom regulator, or both
  • Consent Model: Opt-in
  • Applies To: Any entity storing or accessing information on terminal equipment of EU/EEA users

Overview

The ePrivacy Directive is the EU's cookie-specific law, providing the direct legal basis for requiring consent before placing cookies and similar tracking technologies on users' devices. While the GDPR defines what valid consent looks like, Article 5(3) of the ePrivacy Directive is what actually requires that consent for cookies.

What This Means for Your Website

  • You need prior consent before storing or accessing any information on a visitor's device — this includes cookies, local storage, tracking pixels, and device fingerprinting
  • Only two narrow exceptions exist: cookies strictly necessary for network transmission, and cookies strictly necessary for a service the user explicitly requested
  • Analytics cookies are NOT exempt — they require consent under the ePrivacy Directive
  • Each EU member state has transposed the Directive differently, so specific rules vary by country
  • Consent must meet GDPR standards: freely given, specific, informed, and unambiguous

Key Requirements

The Directive covers all forms of information storage and access on terminal equipment, not just HTTP cookies. The EDPB has confirmed that tracking pixels, URL tracking parameters, JavaScript processing, and device fingerprinting all fall under Article 5(3). Each member state enforces penalties independently — there is no harmonized penalty structure. The proposed ePrivacy Regulation that would have replaced this Directive was formally withdrawn in July 2025.

How ConsentStack Handles This

ConsentStack blocks all non-essential cookies and tracking technologies by default for EU/EEA visitors, satisfying Article 5(3) requirements. The platform handles the varying national implementations automatically, applying the strictest applicable standard for each visitor's location.

Penalties

Not harmonized; each member state sets its own penalties (which must be effective, proportionate, and dissuasive)

Key Requirements

  • Prior informed consent before placing any non-essential cookie or tracking technology
  • Only two exceptions: transmission necessity and explicitly requested service
  • Clear and comprehensive information required before consent
  • Consent must meet GDPR standards since May 2018
  • Covers all terminal equipment including browsers, mobile devices, IoT, and smart TVs

Notable Provisions

  • Proposed ePrivacy Regulation was formally withdrawn July 2025
  • EDPB confirmed tracking pixels, URL tracking, and device fingerprinting fall under Art. 5(3)
  • Must be transposed into national law, creating implementation differences across member states

Related Regulations (30)

FDPA (France)
France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A "Refuse all" button or "Continue without accepting" must appear on the first layer.
TDDDG (Germany)
Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.
SI 336/2011 (Ireland)
Ireland implements the ePrivacy Directive through SI 336/2011. The DPC is the lead supervisory authority for major tech companies headquartered in Ireland including Meta, Google, Apple, and Microsoft. Uniquely, cookie consent is limited to 6 months and must then be refreshed.
Italian Privacy Code (Italy)
Italy implements the ePrivacy Directive through Article 122 of the Privacy Code with detailed Garante cookie guidelines effective January 2022. Only technically necessary cookies may load by default. Scrolling is not valid consent, and closing a banner with "X" closes it without granting consent.
Dutch Telecom Act (Netherlands)
The Netherlands implements the ePrivacy Directive through Article 11.7a of the Telecommunications Act. The AP launched a major enforcement sweep in April 2025, warning 50 organizations for misleading cookie banners or placing tracking cookies without consent. Cookie walls are not permitted.
LSSI (Spain)
Spain implements the ePrivacy Directive through Article 22 of the LSSI. Cookie violations are classified as slight offenses with EUR 30,000 fines per URL, but multiple URLs multiply penalties. AEPD allows consent-exempt analytics under privacy-friendly configurations, similar to CNIL.
Portuguese ePrivacy Law (Portugal)
Portugal implements the ePrivacy Directive through Law 41/2004, with a distinctive tiered penalty structure distinguishing between large companies, SMEs, and natural persons. The CNPD issued 90 fines totaling EUR 559,950 in 2023, demonstrating active enforcement.
Norwegian E-Com Act (Norway)
Norway's January 2025 amendment to Ekomloven marked a major shift from tolerating passive consent to strict opt-in. Pre-ticked boxes and browser settings are now explicitly invalid. Accept and reject options must have equal prominence. Datatilsynet sanctioned 6 websites for tracking pixel violations.
Belgian E-Communications Act (Belgium)
Belgium enforces strict cookie consent with one of the EU's most active DPAs. Cookie walls are prohibited, and a "Reject all" button must appear on the first layer with equal prominence to "Accept all". Dark patterns in cookie banners are actively enforced against.
Polish Telecommunications Law (Poland)
Poland implements the ePrivacy Directive through Articles 173-174 of the Telecommunications Law. While Article 173(2) technically permits consent via browser settings, PUODO recommends active consent. Since 2019, Article 174 requires cookie consent to meet full GDPR standards.
Danish Cookie Order (Denmark)
Denmark implements the ePrivacy Directive through the Cookie Order (Cookiebekendtgørelsen), administered by the Danish Business Authority. Cookie consent is a declared 2026 enforcement priority for Datatilsynet, which will examine whether Danish websites give users a genuine choice.
LEK (Sweden)
Sweden implements the ePrivacy Directive through Chapter 9 Section 28 of LEK. In April 2025, IMY issued a landmark reprimand against Aller Media for dark patterns in cookie banners. Less than 25% of Swedish users accept cookies, reflecting strong privacy awareness.
Finnish ISC (Finland)
Finland implements the ePrivacy Directive through Section 205 of the Information Society Code with notably strict interpretations. Browser settings are explicitly insufficient for consent, and legitimate interest is not a valid legal basis for cookies — stricter than many EU countries.
TKG 2021 (Austria)
Austria implements EU cookie consent through Section 165(3) of TKG 2021, requiring opt-in consent for all non-essential cookies. A split enforcement model assigns TKG cookie violations to the Fernmeldebüro and GDPR aspects to the DSB. Cookie-specific fines are capped at EUR 50,000.
Luxembourg E-Communications Act (Luxembourg)
Luxembourg implements the ePrivacy Directive through the Act of 30 May 2005. The CNPD requires both "I accept all" and "I refuse all" on the first layer of cookie banners. Consent validity is limited to a maximum of 12 months, making Luxembourg one of the few countries with an explicit expiration period.
Greek ePrivacy Law (Greece)
Greece implements the ePrivacy Directive through Law 3471/2006. The HDPA issued detailed Recommendation 1/2020 with best and worst practice guidance for cookie management. Scrolling is not valid consent, and information must cover purpose, duration, controller identity, and data recipients for each cookie separately.
Hungarian E-Communications Act (Hungary)
Hungary implements the ePrivacy Directive through Section 155 of Act C of 2003. NAIH actively enforces cookie requirements with a focus on dark patterns and equal accessibility of consent options. "Reject All" must be as accessible as "Accept All" in cookie banners.
ZEK (Croatia)
Croatia's ZEK implements the ePrivacy Directive with specific cookie provisions. AZOP has been actively enforcing cookie requirements, imposing fines on companies for inadequate consent mechanisms including unclear purpose descriptions and processing data before obtaining consent.
Czech ECA (Czech Republic)
The Czech Republic shifted from implied consent via browser settings to full opt-in consent on January 1, 2022. Section 89(3) now requires GDPR-compliant prior consent before storing cookies. The UOOU began imposing fines on non-compliant websites in 2023.
Romanian ePrivacy Law (Romania)
Romania has historically been one of the more permissive EU countries on cookies, but ANSPDCP tightened enforcement in 2025-2026 with multiple fines for installing non-essential cookies without consent. Browser settings were previously considered potentially sufficient but this interpretation is no longer viable.
Estonian ECA (Estonia)
Estonia transposes the ePrivacy Directive through the Electronic Communications Act, requiring prior voluntary consent for supplementary cookies. The AKI categorizes cookies into essential and supplementary types, with comprehensive information requirements including cookie duration and third-party access.
Bulgarian ECA (Bulgaria)
Bulgaria transposes the ePrivacy Directive through two laws: the Electronic Commerce Act and the Electronic Communications Act. The CPDP has been increasingly active in enforcement, though national cookie penalties remain modest compared to GDPR maximums.
L.112(I)/2004 (Cyprus)
Cyprus implements the ePrivacy Directive through Section 14 of L.112(I)/2004. The Commissioner for Personal Data Protection has conducted active cookie inspections since June 2021, with a strict stance that analytics cookies require prior consent. Penalties can reach EUR 200,000.
Latvian LISS (Latvia)
Latvia implements the ePrivacy Directive through the Law on Information Society Services (LISS), requiring express prior consent before placing cookies. A 2021 DVI audit of 29 websites found all 26 major e-merchants in violation of cookie requirements.
Lithuanian LOEC (Lithuania)
Lithuania implements the ePrivacy Directive through the Law on Electronic Communications. Cookie-specific penalties under national law are notably low (EUR 150-1,150), though GDPR fines apply when personal data is involved. The VDAI has published recommendations with samples of correct and incorrect consent practices.
S.L. 586.01 (Malta)
Malta implements the ePrivacy Directive through S.L. 586.01, regulating cookie storage and access on user devices. Cookie walls are prohibited, and the fine structure includes both per-violation and per-day-of-continuation penalties, creating strong incentives for prompt compliance.
Slovak ECA (Slovakia)
Slovakia replaced its previous Electronic Communications Act with Act 452/2021, effective February 2022. The Act requires active opt-in consent before cookies may be placed — data collection cannot begin until the user gives active consent meeting GDPR standards.
ZEKom-2 (Slovenia)
Slovenia was the last EU member state to adopt GDPR implementing legislation, with ZVOP-2 entering into force on January 26, 2023. ZEKom-2 implements the ePrivacy Directive. The national maximum fine of EUR 40,000 is the lowest in the EU, though GDPR-level fines can now be imposed through ZVOP-2.
Icelandic DPA (Iceland)
Iceland implements the GDPR through Act 90/2018 as part of its EEA obligations. Cookies can only be used with informed consent, except where strictly necessary. Iceland's penalty cap at 2% of turnover (versus the EU's 4%) reflects its EEA rather than EU membership. Daily penalty fines are available for ongoing non-compliance.
Liechtenstein DSG (Liechtenstein)
Liechtenstein implements the GDPR through its Data Protection Act 2018 and the ePrivacy Directive through the Communications Act (KomG). While the DSG is fully GDPR-aligned, the KomG has not been fully updated for the 2009 ePrivacy amendments, creating a potential gap in cookie-specific requirements.

Other Europe Regulations

GDPR (European Union + EEA)
The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.
PECR (United Kingdom)
PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.
UK GDPR (United Kingdom)
The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

Frequently Asked Questions

What is the ePrivacy Directive?

The ePrivacy Directive (Directive 2002/58/EC) is the EU law that specifically requires consent before placing cookies and tracking technologies on users' devices. It works alongside the GDPR, which defines the consent standard.

Does the ePrivacy Directive only cover cookies?

No. Article 5(3) covers any storage or access of information on terminal equipment, including local storage, tracking pixels, device fingerprinting, and URL tracking parameters.

Is the ePrivacy Directive being replaced?

The proposed ePrivacy Regulation was formally withdrawn in July 2025. The existing Directive remains in force, with limited amendments expected through the Digital Omnibus package.

Are analytics cookies exempt under the ePrivacy Directive?

No. Analytics cookies require consent under Article 5(3). Some national implementations like France offer narrow exemptions for privacy-friendly analytics, but the Directive itself does not exempt analytics.
