The ePrivacy Directive (Directive 2002/58/EC) is the EU law that governs privacy in electronic communications. Its Article 5(3) rule, not GDPR, is the actual legal basis for cookie consent banners. It works alongside GDPR, which sets the standard for what valid consent means.
Below: what the directive covers beyond cookies, the 2002 law and its 2009 cookie amendment, why Article 5(3) earned the "cookie law" nickname. Also covered: how it differs from GDPR, and what happened to the ePrivacy Regulation meant to replace it.
What Is the ePrivacy Directive?
The ePrivacy Directive, formally the Directive on privacy and electronic communications, requires prior consent before a website stores or accesses non-essential cookies on a device.
Its full official name is the "Directive on privacy and electronic communications," adopted by the European Parliament and Council on 12 July 2002. Its common names, the "EU Cookie Law," "ePD," and "Cookie Directive," all point to the same law.
It governs both telecom operators and any website or app that runs electronic communications with EU users. That reach is why the EU cookie law nickname stuck, even though the directive covers more than cookies.
What Does the ePrivacy Directive Cover?
The ePrivacy Directive covers four areas of electronic communications privacy, not just cookies.
- Confidentiality of communications: interception, tapping, or surveillance of calls, emails, and messages is prohibited without consent, except for narrow law-enforcement and national-security exceptions.
- Cookies and similar tracking technologies: websites need consent to store or access information on a visitor's device, covered by Article 5(3).
- Unsolicited direct marketing: commercial emails, SMS, and automated calls require prior opt-in consent, not an opt-out option.
- Data breach notification: telecom operators and internet service providers must notify authorities and affected subscribers of security breaches.
The directive also requires providers to erase or anonymize traffic and location data once the communication no longer needs it, unless billing requires it. Most website compliance work touches only two of these four areas: the cookie rule and the marketing opt-in rule.
When Was the ePrivacy Directive Passed? The 2002 Law and the 2009 Cookie Amendment
The European Parliament and Council adopted the ePrivacy Directive on 12 July 2002. They amended it on 25 November 2009 through Directive 2009/136/EC, the change that turned cookie handling into an opt-in requirement.
Before 2009, the directive let websites use cookies by default and simply required disclosure. The 2009 amendment, informally called the "Cookie Directive" or the Citizens' Rights Directive, rewrote Article 5(3). It now requires prior, informed consent before storing or accessing information on a device, with narrow exceptions for strictly necessary cookies.
That single change is why cookie consent banners with an accept-or-reject choice became standard across EU websites. Most member states transposed the amendment into national law around 2011 and 2012.
Why Is It Called the "EU Cookie Law"? Article 5(3) Explained
Article 5(3) says a website may only store or access information on a device if the user got clear information and gave consent. An exception applies when that storage or access is strictly necessary to deliver a service the user explicitly requested.
That single sentence is the entire legal basis for the accept-or-reject cookie banner. The European Data Protection Board's Guidelines 2/2023 on the technical scope of Article 5(3) confirm the rule is technology neutral.
It reaches far beyond traditional HTTP cookies. Local storage, tracking pixels and web beacons, URL tracking parameters, and device fingerprinting all count as covered technologies.
Two categories of storage or access skip the consent requirement. The first is technical storage needed to carry out the transmission of a communication over a network. The second is storage strictly necessary to provide a service the user explicitly requested, such as remembering shopping cart items or a login session.
Analytics, advertising, and social-media tracking technologies do not qualify for either exception, so they always need consent.
| Storage or access type | Consent required? |
|---|---|
| Session or login cookie the user's action triggered | No, strictly necessary |
| Shopping cart or load-balancing cookie | No, strictly necessary |
| Analytics cookie or pixel | Yes |
| Advertising or social-media tracking cookie | Yes |
Where Article 5(3) requires consent, that consent has to meet what valid cookie consent requires under GDPR's standard. It must be freely given, specific, and informed. The user has to give it through a clear affirmative action, such as clicking "Accept."
ePrivacy Directive vs GDPR: What's the Difference?
The GDPR is the general data-protection law for the EU. The ePrivacy Directive is the specialized law for electronic communications, so for cookies the ePrivacy rule takes precedence over GDPR.
That relationship has a name: lex specialis. Article 95 and recital 173 of the GDPR confirm it: the GDPR adds no extra obligations where the ePrivacy Directive already sets specific rules. Cookie consent is exactly that case.
The ePrivacy Directive requires consent before non-essential cookies load. The GDPR then supplies the definition of what counts as valid consent. Neither law replaces the other. They operate in a lex specialis and lex generalis relationship, part of how these data privacy laws fit together.
| Dimension | ePrivacy Directive | GDPR |
|---|---|---|
| What it governs | Electronic communications, including data that is not personal | All processing of personal data |
| Cookie consent | Requires the consent before non-essential cookies load | Defines what counts as valid consent |
| Legal instrument | Directive, transposed into 27 national laws | Regulation, directly applicable EU-wide |
The ePrivacy Directive also applies regardless of whether a cookie processes personal data, which is broader than the GDPR's scope. A cookie that stores only an anonymous session identifier still needs consent under Article 5(3), even though it may fall outside GDPR's personal-data definition entirely.
What Happened to the ePrivacy Regulation?
The European Commission proposed an ePrivacy Regulation on 10 January 2017 to replace the directive and close the national-transposition gaps. The Commission then formally withdrew the proposal in 2025, so the 2002 directive, as amended in 2009, remains the law in force.
The Commission first signaled the withdrawal in its February 2025 work programme, citing years without a foreseeable agreement among member states and industry. It then formally approved the withdrawal at its meeting on 16 July 2025 and published it in the Official Journal on 6 October 2025. The European Parliament's legislative tracker records the file as withdrawn, and no direct successor regulation has been adopted.
A regulation, unlike a directive, would have applied uniformly across every member state without national transposition. That would have ended the current patchwork of 27 separate national cookie laws. The patchwork still exists.
The closest thing to a successor is the Digital Omnibus Package, which the Commission unveiled on 19 November 2025. Rather than reviving a standalone ePrivacy Regulation, it proposes folding the Article 5(3) cookie-consent rule directly into the GDPR. It also adds a requirement for browser-level, machine-readable consent signals.
This is a proposal moving through EU trilogue negotiations, not enacted law. The earliest realistic adoption window is the third quarter of 2026.
How Consently Helps You Meet ePrivacy and Cookie Consent Rules
Consently gives you the opt-in cookie consent banner, automatic scanning, and blocking that Article 5(3) requires. You collect and record consent before non-essential cookies load, not after.
The directive requires prior, informed consent before storing non-essential cookies on a visitor's device. Consently's GDPR opt-in Cookie Consent Banner shows that consent request the moment an EU visitor lands on your site. The banner is styled to match your brand instead of the default look competitors ship.
Two features do the technical work behind that banner. Automatic Cookie Scanning finds every cookie, tracker, and script on your site, including ones you did not know were firing.
Cookie Auto-Blocking then holds every non-essential cookie, script, and iframe until the visitor consents. That is exactly what Article 5(3) demands, not a banner that displays while trackers already run in the background.
Consent logs keep a timestamped record of each visitor's choice as audit proof if a regulator or client ever asks.
Consently's GDPR cookie consent solution helps you meet Article 5(3) without hiring a developer to build it. Try Consently Free to see the opt-in banner, scanner, and consent logs running on your own site.
FAQs
Is the ePrivacy Directive still in force?
Yes. It has been in force since 2002 and remains the operative EU cookie-consent law in 2026. The proposed ePrivacy Regulation that would have replaced it was withdrawn by the European Commission in 2025.
Who does the ePrivacy Directive apply to?
It applies to organizations established in EU member states that provide electronic communications services or place cookies on user devices. Through national transposition laws and GDPR's own territorial reach, it also applies in practice to any site targeting or serving EU and EEA users.
Does the ePrivacy Directive apply to websites outside the EU?
Yes, in practice. If your site targets or is accessed by EU or EEA users, you are expected to meet the cookie-consent rule. Equivalent national laws like the UK's PECR mirror the same requirement outside the EU itself. You can make your website compliant with an opt-in banner regardless of where your business is based.
Is the ePrivacy Directive the same as the cookie law?
Yes. "EU Cookie Law" and "Cookie Directive" are both nicknames for Directive 2002/58/EC, specifically its Article 5(3) cookie-consent rule.
Does the ePrivacy Directive only apply to cookies?
No. Article 5(3) is technology neutral and covers any storing of or access to information on a device, including local storage, tracking pixels, and device fingerprinting. The directive also has separate rules on confidentiality, spam, and data breach notification.
Has the ePrivacy Regulation replaced the ePrivacy Directive?
No. The European Commission withdrew the ePrivacy Regulation proposal in 2025, and no replacement has been adopted. The Digital Omnibus Package proposes folding the cookie-consent rule into the GDPR instead, but that proposal is still under negotiation.

