What is the ePrivacy Directive?

The ePrivacy Directive is an important European privacy directive regulating cookie usage, data minimization, unsolicited emails, and more.

Learning Objectives

After reading this article you will be able to:

  • Summarize the ePrivacy Directive
  • Describe the directive's major requirements
  • Understand the directive's relationship with the upcoming ePrivacy Regulation

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is the ePrivacy Directive?

The ePrivacy Directive is a set of rules for data protection and privacy in the European Union (EU). The full official name for it is "Privacy and Electronic Communications Directive 2002/58/EC." It regulates cookie usage, email marketing, data minimization, and other aspects of data privacy. Like other EU directives, it is not a binding law in and of itself, but rather an instruction to EU member states to create their own laws that align with the directive.

The ePrivacy Directive was passed in 2002 and then amended in 2009. It will be replaced by the ePrivacy Regulation in the near future.

How does the ePrivacy Directive regulate cookies?

The ePrivacy Directive requires that a website obtain a user's consent before storing cookies in the user's browser, except for strictly necessary cookies. Users also have to be informed of the cookies' general purpose before they provide consent. This applies to both first-party cookies and third-party cookies, although users do not have to be informed about every individual cookie that will be used.

Because of the ePrivacy Directive, cookie banners appear on many websites, allowing users to opt in to cookie usage. This being one of its most obvious effects, the ePrivacy Directive is sometimes called the "cookie law."

There is an exception to the user consent requirement: any cookie that is necessary for a website or application to function properly. For example, the directive does not require user consent for a cookie that remembers a user's login. Without this cookie, users would not be able to log in and use the website.

For website owners, gaining insight into user behavior can be difficult without cookies. Several cookie-free web analytics services are available today; Cloudflare offers one such service.

What are the directive's requirements for data minimization and anonymization?

The ePrivacy Directive requires organizations to erase or anonymize data that is no longer needed, unless it has to be retained for billing purposes. In addition, the directive requires all location data to be anonymous. The location of individual users cannot be tracked in an identifiable way.

What are the ePrivacy Directive opt-in requirements?

The ePrivacy Directive specifies that people have to opt in before a company can send communications to them. This applies to not just email marketing, but also calls, texts, and any other form of electronic communication. Unsolicited emails or calls are not allowed.

Also, emails have to be from a legitimate address, and email senders must provide recipients with the option to unsubscribe ("the practice of sending electronic mail for purposes of direct marketing...without a valid address to which the recipient may send a request that such communications cease, shall be prohibited").

What else does the ePrivacy Directive cover?

The ePrivacy Directive requires security measures to protect personal data. It also prohibits surveillance of communications channels except in order to "safeguard national security," investigate criminal offenses, and other special cases. Read the full text of the original directive.

What is the ePrivacy Regulation?

The ePrivacy Regulation is another European privacy law that has been in development for several years. The scope of the regulation is still being discussed, although it will cover many of the same areas as the ePrivacy Directive.

When it goes into effect, the ePrivacy Regulation will repeal and override the ePrivacy Directive.

Does the GDPR override the ePrivacy Directive?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy law that applies to EU residents' data. It went into effect in 2018. The GDPR complements the ePrivacy Directive and expands on some of its requirements, but the directive still applies. For instance, the ePrivacy Directive requires consent before cookies can be used; the GDPR adds that cookie identifiers can be considered personal data.

Does the ePrivacy Directive require data localization?

To localize data is to keep data in the same jurisdiction or region where it was collected. While many organizations today prefer to localize their data, the ePrivacy Directive does not require this practice. Cloudflare offers a bundle of services to enable companies to implement data localization, including Geo Key Manager, Keyless SSL, and Regional Services.