Skip to main content

Directive 2002/58/EC on Privacy and Electronic Communications

The EU ePrivacy Directive (2002/58/EC) governs privacy in electronic communications, including the cookie consent rule, confidentiality of communications, and direct marketing consent. It complements the GDPR and is transposed into each member state's law.

Jurisdiction
European Union

Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, known as the ePrivacy Directive, is an EU law that protects privacy and confidentiality in electronic communications. It came into force on July 31, 2002, and was amended in 2009, when the requirement for consent to store or access information on a user's device, the so-called cookie consent rule, was strengthened. Because of that rule it is often called the cookie law.

The ePrivacy Directive complements the GDPR. Where the GDPR is a general data protection law, the ePrivacy Directive provides specific rules for the communications sector and for technologies that access user devices. As a directive, it must be transposed into the national law of each EU member state, which leads to some variation across countries.

Who It Applies To

The Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services over public communications networks in the EU. Its rules on confidentiality, traffic and location data, and security apply mainly to providers of these services. However, the cookie consent rule and the rules on unsolicited direct marketing apply much more broadly, reaching website operators, app developers, and any organization that stores or reads information on users' devices or sends electronic marketing.

Key Requirements

Providers must ensure the confidentiality of communications and related traffic data and may process traffic and location data only under defined conditions. Storing information on, or accessing information already stored in, a user's terminal equipment, such as cookies and similar trackers, generally requires the user's prior informed consent, except for strictly necessary purposes. Unsolicited electronic marketing by email, SMS, and automated calls generally requires prior consent, with a limited exception for existing customers in similar product contexts. Providers must take appropriate security measures and notify certain breaches. Consent standards are read in light of the GDPR, so consent must be freely given, specific, informed, and unambiguous.

Penalties for Non-Compliance

Because the Directive is transposed nationally, penalties are set by each member state and vary. National data protection and communications authorities enforce the rules, and fines for cookie and direct-marketing violations have been significant in several countries. In some cases, conduct that breaches both the ePrivacy rules and the GDPR can attract GDPR-level fines.

How to Comply

Obtain prior informed consent before setting non-essential cookies and trackers, and provide a genuine choice and easy withdrawal. Maintain the confidentiality of communications and process traffic and location data only as permitted. Obtain consent for electronic direct marketing and honor opt-outs and the soft opt-in limits. Apply appropriate security measures. Check the specific national transposition in each member state where you operate, since requirements differ. Watch for the long-proposed ePrivacy Regulation, which is intended to replace the Directive.