---
title: "EU ePrivacy Directive (2002/58/EC) Compliance Hub"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive"
author: "Sorena AI"
description: "A practical compliance hub for the EU ePrivacy Directive."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "ePrivacy Directive"
  - "Directive 2002/58/EC"
  - "ePrivacy compliance"
  - "cookie consent EU"
  - "cookie banner requirements"
  - "terminal equipment access Article 5(3)"
  - "consent exemptions strictly necessary cookies"
  - "communications confidentiality"
  - "electronic communications metadata"
  - "direct marketing consent Article 13"
  - "soft opt-in EU"
  - "cookies"
  - "cookie banner"
  - "consent"
  - "direct marketing"
  - "communications metadata"
---

# EU ePrivacy Directive (2002/58/EC) Compliance Hub

A practical compliance hub for the EU ePrivacy Directive.

![EU ePrivacy Directive artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-eu-eprivacy-timeline-small.jpg?v=cheatsheets%2Fprod)

## EU ePrivacy Directive Compliance Hub

Scope cookies and terminal equipment access under Article 5(3), communications confidentiality and traffic or location data use cases, and direct marketing workflows under Article 13. Use the decision flow to turn product facts into a defensible consent model and evidence pack.

The current legal baseline is still Directive 2002/58/EC, as amended by Directive 2009/136/EC and interpreted through national laws, GDPR consent standards, and recent EDPB enforcement positions. Treat the proposed ePrivacy Regulation only as reform context unless and until it is adopted.

[Start with the checklist](/artifacts/eu/eprivacy-directive/checklist.md)

## What you can decide faster

- **Terminal equipment access**: When cookies/SDKs need consent vs exemptions.
- **Cookie banner UX**: What "valid consent" looks like in practice (and common failure modes).
- **Direct marketing rules**: Consent, soft opt-in, and opt-out evidence you must retain.

By Sorena AI | Updated Mar 2026 | No signup required

### Quick scan

- **Cookies / SDKs**: Map storage/access to consent or exemptions (Article 5(3)).
- **Banner UX**: Implement choice, granularity, and withdrawal with evidence.
- **Marketing**: Operationalize consent, soft opt-in, and suppression lists (Article 13).

Use the decision flow to pick a defensible consent model, then standardize implementation with checklists and templates.

| Year | Milestone |
| --- | --- |
| 2002 | Directive |
| 2009 | Cookie update |
| 2020 | Consent guide |
| 2023 | Banner report |

**Key highlights:** Scope checks | Consent model | Audit evidence

## Topic Guides

- [Confidentiality of Communications (ePrivacy Directive) | Traffic Data, Location Data, Content, and the OTT Gap](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): A practical guide to communications confidentiality under the current ePrivacy Directive, Directive 2002/58/EC: how to classify content, traffic data.
- [Cookies & Consent (ePrivacy Directive Article 5(3)) | Exemptions Test, Analytics, CMP Implementation](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage.
- [Direct Marketing Consent Checklist (ePrivacy Article 13) | Proof, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): A practical direct marketing consent checklist for ePrivacy (Directive 2002/58/EC, Article 13): consent capture fields, wording/version control.
- [Direct Marketing Rules (ePrivacy Directive Article 13) | Consent, Soft Opt-In, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): A practical guide to ePrivacy direct marketing rules (Directive 2002/58/EC, Article 13): when prior consent is needed.
- [ePrivacy Applicability Test (Directive 2002/58/EC) | Cookies Article 5(3), Marketing Article 13, Metadata](/artifacts/eu/eprivacy-directive/applicability-test.md): A practical EU ePrivacy applicability test: decide whether your product triggers terminal equipment access rules (cookies/SDKs/local storage/fingerprinting.
- [ePrivacy Checklist (Directive 2002/58/EC) | Cookie Banner, Consent Logs, Exemptions, Marketing Evidence](/artifacts/eu/eprivacy-directive/checklist.md): An audit-ready ePrivacy checklist: build a tracker inventory and Article 5(3) decision table (consent vs exemptions).
- [ePrivacy Compliance Program | Cookies, Consent UX, Evidence, Marketing Controls (Directive 2002/58/EC)](/artifacts/eu/eprivacy-directive/compliance.md): A practical ePrivacy implementation playbook: governance, tracker inventory and Article 5(3) decision table, cookie banner and CMP design.
- [ePrivacy Deadlines and Compliance Calendar | Directive Baseline, Banner Audits, Marketing Audits](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): A practical ePrivacy calendar built around the current directive baseline and recurring controls: the 2002 directive, the 2009 cookie amendment.
- [ePrivacy Directive Enforcement (Cookies + Marketing) | How Regulators Assess Cookie Banners, Consent, and Evidence](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX.
- [ePrivacy Directive Penalties and Fines | What "Effective, Proportionate, Dissuasive" Means + Risk Reduction Controls](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): Understand penalties and fine exposure under national laws implementing the ePrivacy Directive (Directive 2002/58/EC).
- [ePrivacy Directive Requirements (2002/58/EC) | Article 5(3) Cookies, Article 13 Marketing, Metadata + Evidence Map](/artifacts/eu/eprivacy-directive/requirements.md): A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)).
- [ePrivacy Directive vs GDPR | Which Law Applies to Cookies, Tracking, Communications Metadata, and Marketing?](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): A practical, source-grounded split between the ePrivacy Directive and GDPR: ePrivacy for placement/reading on devices and communications confidentiality.
- [ePrivacy FAQ (Directive 2002/58/EC) | Cookies, Consent Exemptions, Cookie Walls, Marketing, Enforcement](/artifacts/eu/eprivacy-directive/faq.md): High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194).
- [ePrivacy vs GDPR (Cookie Stack Blueprint) | Align Consent UX, Tag Firing, Processing Purposes, and Evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): A combined ePrivacy + GDPR implementation blueprint for cookies, tracking, and marketing.
- [EU Cookie Banner Requirements | ePrivacy Directive + GDPR Consent (EDPB) | UX Patterns + Test Cases](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes.

## Key milestones for ePrivacy

*ePrivacy Timeline*

Track the current legal baseline: the 2002 directive, the 2009 cookie amendment, GDPR-era consent guidance, and 2023 enforcement learnings. Then align your banner and marketing program cadence.

## Which ePrivacy rules apply to your product and marketing

*ePrivacy Decision Flow*

Use the decision flow to scope cookies and device access, communications confidentiality, and direct marketing, then translate outcomes into banner design, consent evidence, and operational controls.

## Decision Steps

### STEP 1: Are you processing electronic communications data, accessing terminal equipment information, offering a publicly available directory, or sending direct marketing communications to end-users in the EU?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Articles 1 to 3*

- The draft Regulation's material scope includes: (a) processing of electronic communications content and metadata, (b) end-users' terminal equipment information, (c) offering publicly available directories, and (d) sending direct marketing communications to end-users (Article 2(1)).
- The territorial scope covers the provision and use of these activities for end-users who are in the Union, and includes a representative requirement for certain non-EU entities (Article 3).
- Where the relevant provider or person is not established in the Union, the Council mandate text requires designating a representative in the Union within one month from the start of activities, subject to an exception for occasional low-risk activities (Article 3(2) and (2a)).
- The Council mandate text states Directive 2002/58/EC should be repealed (recital 43).

- **NO** Out of Scope
- **YES** Which draft ePrivacy Regulation obligations apply to your activities?

### STEP 2: Which draft ePrivacy Regulation obligations apply to your activities?

- Terminal equipment: if you use processing and storage capabilities of, or collect information from, end-users' terminal equipment (Article 8).
- Confidentiality and processing of communications data: if you interfere with or process electronic communications content or metadata (Articles 5 to 7, and related rules).
- Communications metadata: if you process electronic communications metadata (including location data) beyond what is necessary to provide the service (Articles 6b and 6c).
- Direct marketing: if you send direct marketing communications to end-users (Article 16).
- Directories and line identification: if you offer publicly available directories or provide calling or connected line identification options (Articles 12 to 15).
- Multiple obligations may apply simultaneously.

- -> Do you use cookies or similar techniques to use processing and storage capabilities of terminal equipment or collect information from end-users' terminal equipment?

### COOKIES: Do you use cookies or similar techniques to use processing and storage capabilities of terminal equipment or collect information from end-users' terminal equipment?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Article 8*

- This includes cookies, SDKs, web storage, tracking pixels, and similar technologies that access or store information on a device or collect device-emitted information.
- The Council mandate text prohibits these activities unless one of the grounds listed in Article 8 applies, including end-user consent or specific necessity-based grounds.
- WP29 Opinion 04/2012 (WP194) provides detailed analysis of strict necessity concepts under the current Directive, which can help interpret similar concepts in practice.

- **NO** Do you interfere with, or as a provider process, electronic communications content or electronic communications metadata?
- **YES** Is your terminal equipment access covered by a non-consent ground in Article 8?

### STEP 3: Is your terminal equipment access covered by a non-consent ground in Article 8?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Article 8*

- Examples of non-consent grounds in the Council mandate text include: necessity to provide an electronic communications service; strict necessity to provide a service specifically requested by the end-user; audience measurement under conditions; maintaining or restoring security, preventing fraud, or detecting faults; and software updates under conditions (Article 8(1)).
- If any purpose does not meet an Article 8 non-consent ground, you generally need end-user consent for that purpose (Article 8(1)(b)).
- If you collect information emitted by terminal equipment to enable connection (for example WiFi or Bluetooth signals), Article 8(2) and its conditions may apply.

- **YES** No Consent (Specific Case)
- **NO** Consent Required

### CONFIDENTIALITY: Do you interfere with, or as a provider process, electronic communications content or electronic communications metadata?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Articles 5 to 7*

- The Council mandate text sets a confidentiality rule for electronic communications data and prohibits interference such as listening, tapping, storing, monitoring, scanning, or other interception or surveillance, except when permitted by the Regulation (Article 5).
- It includes specific grounds for providers to process electronic communications data (Article 6), content (Article 6a), and metadata (Article 6b), and rules on storage and erasure (Article 7).

- **NO** Do you process electronic communications metadata (including location data) beyond what is necessary to provide the service?
- **YES** Confidentiality and Communications Data Rules Apply

### TRAFFIC & LOCATION: Do you process electronic communications metadata (including location data) beyond what is necessary to provide the service?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Articles 4 and 6b*

- Electronic communications metadata includes data used to trace and identify the source and destination of a communication, location data generated in the context of providing services, and the date, time, duration, and type of communication (Article 4(3)(c)).
- The Council mandate text sets specific permitted grounds for processing electronic communications metadata, including network management, contract performance and billing, end-user consent, vital interests, and certain research and statistical purposes (Article 6b).

- **NO** Do you use electronic communications services to send direct marketing communications to end-users?
- **YES** Electronic Communications Metadata Rules Apply

### DIRECT MARKETING: Do you use electronic communications services to send direct marketing communications to end-users?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Article 16*

- The Council mandate text defines direct marketing communications as advertising sent via a publicly available electronic communications service directly to one or more specific end-users, including voice-to-voice calls, automated calling systems, and electronic messages (Article 4(3)(f)).
- It sets a general prohibition on sending direct marketing communications to end-users who are natural persons unless they have given prior consent, with specific rules and exceptions in Article 16.

- **NO** Are you including end-user information in a publicly available directory or directory enquiry service?
- **YES** Which communication medium do you use for direct marketing?

### STEP 4: Which communication medium do you use for direct marketing?

- Electronic messages (email, SMS, MMS, and functionally equivalent applications) are covered by the Council mandate definition of electronic message (Article 4(3)(e)) and the Article 16 consent rule with an exception for existing customer contact details (Article 16(1) to (2)).
- Direct marketing calls must present calling line identification (Article 16(3)), and Member States may allow voice-to-voice marketing calls to natural persons on an opt-out basis (Article 16(4)).
- The Council mandate text also requires that direct marketing communications clearly identify the sender and provide a free and effective way to withdraw consent or object (Article 16(6)).

- -> Are you sending direct marketing as an electronic message (for example email, SMS, or functionally equivalent apps)?

### EMAIL/SMS: Are you sending direct marketing as an electronic message (for example email, SMS, or functionally equivalent apps)?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Articles 4 and 16*

- The Council mandate text generally prohibits direct marketing communications to end-users who are natural persons unless they have given prior consent (Article 16(1)).
- It also includes an exception where contact details for electronic messages were obtained in the context of a purchase, allowing marketing of similar products or services if the end-user was given a clear and free opportunity to object at collection and in each subsequent message (Article 16(2)).

- **YES** Electronic Message Marketing Requirements
- **NO** Are you placing direct marketing voice-to-voice calls to end-users who are natural persons?

### TELEPHONE: Are you placing direct marketing voice-to-voice calls to end-users who are natural persons?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Article 16*

- The Council mandate text requires that direct marketing calls present the calling line identification assigned to the sender (Article 16(3)).
- It also allows Member States, by law, to permit direct marketing voice-to-voice calls to natural persons on an opt-out basis (Article 16(4)).

- **YES** Telephone Marketing Obligations Apply
- **NO** Direct Marketing Rules Do Not Apply

### DIRECTORIES: Are you including end-user information in a publicly available directory or directory enquiry service?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Article 15*

- The Council mandate text defines publicly available directories and sets rules for including end-users' data (Article 4(3)(d) and Article 15).
- For end-users who are natural persons, providers must obtain consent to include personal data in a directory and for inclusion per category of personal data, unless Member States provide an objection-based approach (Article 15(1) and (1aa)).
- End-users must be able to verify, correct, and delete directory data, and to not be included, free of charge (Article 15(3a) and (4)).

- **NO** Do you offer calling or connected line identification presentation options?
- **YES** Directory Obligations Apply

### LINE ID: Do you offer calling or connected line identification presentation options?

*Reference: Council mandate ST 6087/21 (draft ePrivacy Regulation), Articles 12 to 14*

- The Council mandate text sets options end-users must have regarding calling line identification and connected line identification where those features are offered (Article 12).
- It includes emergency-related exceptions (Article 13) and rules for nuisance or malicious calls (Article 14).

- **NO** Line Identification Rules Do Not Apply
- **YES** Line Identification Obligations Apply

## Reference Information

### Draft ePrivacy Regulation: Key Areas

- Confidentiality: electronic communications data must be confidential and interference is prohibited unless permitted by the Regulation (Article 5).
- Permitted processing: providers may process electronic communications data only on the grounds set out in the Regulation, including specific rules for content and for metadata (Articles 6, 6a, 6b, 6c).
- Terminal equipment: using processing and storage capabilities of, or collecting information from, end-users' terminal equipment is prohibited unless an Article 8 ground applies (Article 8).
- Territorial scope: applies to end-users who are in the Union and can require a representative for certain non-EU providers and persons (Article 3).
- End-user control: calling and connected line identification rules and emergency exceptions (Articles 12 to 14).
- Directories and direct marketing: rules for publicly available directories and for unsolicited and direct marketing communications (Articles 15 and 16).
- Restrictions and enforcement: legislative restrictions (Article 11) and administrative fines aligned with GDPR Article 83 (Article 23).

### Relationship with GDPR

- The Council mandate text states the draft Regulation particularises and complements GDPR by laying down specific rules (Article 1(3)).
- Many definitions and concepts are taken from GDPR (Article 4(1)).
- Consent in the Council mandate text relies on GDPR consent provisions for natural persons and applies mutatis mutandis to legal persons (Article 4a).
- EDPB Opinion 5/2019 discusses competence, tasks, and cooperation for enforcing ePrivacy rules alongside GDPR.

### Enforcement and Penalties

- The Council mandate text provides for remedies (Article 21) and a right to compensation and liability aligned with GDPR Article 82 (Article 22).
- Administrative fines follow GDPR Article 83 mutatis mutandis (Article 23(1)).
- For certain infringements (including Article 8 terminal equipment rules, Article 15 directories, Article 16 direct marketing, and the representative obligation), the upper limit is EUR 10,000,000 or 2% of worldwide annual turnover (Article 23(2)).
- For infringements of confidentiality, permitted processing, and time limits for erasure (Articles 5 to 7), the upper limit is EUR 20,000,000 or 4% of worldwide annual turnover (Article 23(3)).
- The EDPB Cookie Banner Taskforce report discusses practical expectations around withdrawal mechanisms and banner design patterns in enforcement contexts.

### Proposed ePrivacy Regulation (Under Negotiation)

- The Commission proposal is dated 10 January 2017.
- The Council mandate (ST 6087/21) contains consolidated draft text and states Directive 2002/58/EC should be repealed.
- The procedure file and Parliament sources summarize steps in the legislative process, including committee work and a Council negotiating mandate.
- EDPB Statement 03/2021 calls for swift adoption and highlights the need for a coherent framework with GDPR.

### Consent Under ePrivacy and GDPR

- The Council mandate text applies GDPR consent provisions to natural persons and, mutatis mutandis, to legal persons (Article 4a(1)).
- EDPB Guidelines 05/2020 explain key GDPR consent requirements, including freely given, specific, informed, unambiguous consent and the ability to withdraw consent at any time.
- The Council mandate text allows consent, where technically possible and feasible, to be expressed via appropriate software technical settings, and states that directly expressed end-user consent prevails over software settings (Article 4a(2) and (2aa)).
- Where a provider cannot identify a data subject, the Council mandate text indicates that a technical protocol showing consent from the terminal equipment may be sufficient to demonstrate end-user consent for Article 8(1)(b) (Article 4a(2a)).
- The Council mandate text includes a concept of periodic reminders of the possibility to withdraw consent (at intervals no longer than 12 months) while processing continues, unless the end-user requests not to receive reminders (Article 4a(3)).
- EDPB guidance on cookie walls addresses the risk that conditional access can undermine the freely given nature of consent.
- The Cookie Banner Taskforce report discusses practical expectations around withdrawal mechanisms and certain banner design patterns in enforcement contexts.

### Cookie Consent Exemptions (WP29 Opinion 04/2012)

- CRITERION A (sole purpose of transmission): cookies used for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
- CRITERION B (strictly necessary for explicitly requested service): cookies strictly necessary for a functionality explicitly requested by the user.
- WP29 concludes first-party and third-party analytics cookies do not fall under CRITERION A or B, while noting first-party analytics may present limited privacy risk if safeguards are in place.
- Multi-purpose cookies: if a cookie serves multiple purposes, it is exempt only if all purposes individually qualify for an exemption.
- Lifespan: WP29 notes exempt cookies should expire once they are no longer needed for their purpose.

### Restrictions and Access Requests

- The Council mandate text allows Union or Member State law to restrict the scope of obligations and rights in Articles 5 to 8 under conditions that align with GDPR Article 23(1) interests and proportionality requirements (Article 11(1)).
- It requires providers to establish internal procedures for responding to requests for access to end-users' electronic communications data based on such legislative measures, and to provide information about those procedures and requests to the competent supervisory authority on demand (Article 11(2)).
- The Council mandate text also includes a permitted processing ground for providers where necessary for compliance with a legal obligation under Union or Member State law meeting proportionality conditions (Article 6(1)(d)).

### Key EDPB Guidance on ePrivacy

- EDPB Opinion 5/2019 discusses how ePrivacy rules and GDPR relate, including competence, tasks, and cooperation mechanisms for enforcement.
- EDPB Guidelines 05/2020 explain GDPR consent requirements used in cookie and tracking contexts.
- The EDPB reply letter on cookie walls explains that conditional access can undermine freely given consent.
- The EDPB Cookie Banner Taskforce report (adopted 17 January 2023) discusses common banner patterns (for example missing reject options, link design, and withdrawal usability) and highlights the need for case-by-case assessment.
- EDPB Statement 03/2021 calls for swift adoption of the ePrivacy Regulation.

### Do Not Track and Browser Signals

- WP29 Opinion 04/2012 discusses Do Not Track (DNT) and notes its participation in W3C standardization efforts, arguing that DNT should mean no identifiers for tracking are set or processed for tracking purposes.
- The impact assessment references an EU DNT standard as a possible area for promoting standards and codes of conduct.
- The Council mandate text allows consent to be expressed via appropriate software settings where technically possible and feasible, with directly expressed end-user consent prevailing over software settings (Article 4a(2) and (2aa)).

## Possible Outcomes

### [RESULT] Out of Scope

Draft ePrivacy Regulation does not apply

- Your activity does not fall within the material scope (Article 2(1)) and territorial scope (Article 3) of the Council mandate text.
- Examples of exclusions in the Council mandate text include: national security and defence measures, non-publicly available electronic communications services, competent authorities processing for criminal law purposes, and electronic communications data processed after receipt by the end-user concerned (Article 2(2)).
- If you still process personal data, GDPR may apply.

### [RESULT] Consent Required

Terminal equipment processing requires end-user consent

- Obtain end-user consent when relying on the consent ground for terminal equipment processing (Article 8(1)(b)).
- The Council mandate text applies GDPR consent provisions to natural persons and, mutatis mutandis, to legal persons (Article 4a).
- EDPB Guidelines 05/2020 explain key GDPR consent requirements, including that withdrawal must be as easy as giving consent.
- EDPB guidance on cookie walls indicates that making access to a service conditional on consent to non-essential cookies can undermine the freely given nature of consent.
- For terminal equipment processing, consent may be expressed via appropriate software technical settings where technically possible and feasible (Article 4a(2)), and directly expressed end-user consent prevails over software settings (Article 4a(2aa)).

### [RESULT] No Consent (Specific Case)

An Article 8 non-consent ground applies

- Your terminal equipment processing fits within an Article 8 non-consent ground, such as strict necessity for a specifically requested service, audience measurement under conditions, or security and fraud prevention (Article 8).
- Examples include: providing an electronic communications service; providing a specifically requested service; audience measurement under the Council mandate conditions (including certain third party processing under GDPR Articles 26 or 28); maintaining or restoring security, preventing fraud, or detecting faults; security software updates that do not change privacy settings and allow postponement; and emergency communications location (Article 8(1)).
- This result only applies to the specific purposes that qualify. If you add another purpose that does not qualify, you may need end-user consent for that purpose.
- If personal data is processed, GDPR may still apply.

### [RESULT] Confidentiality and Communications Data Rules Apply

Confidentiality and permitted processing requirements

- Treat electronic communications data as confidential and do not interfere with it unless permitted by the Regulation (Article 5).
- If you are a provider, process electronic communications data only on the grounds listed in the Regulation (Articles 6, 6a, 6b, 6c).
- For content processing beyond providing a service requested for purely individual use, the Council mandate text generally requires the consent of all end-users concerned (Article 6a).
- Apply storage and erasure rules for content and metadata (Article 7).
- Restrictions may be introduced by Union or Member State law under the conditions set out in the Regulation (Article 11).

### [RESULT] Electronic Communications Metadata Rules Apply

Permitted grounds and safeguards for metadata processing

- Providers may process electronic communications metadata only if an Article 6b ground applies, including network management and optimisation, contract performance and billing, fraud prevention, end-user consent, and limited research and statistical grounds with safeguards (Article 6b).
- The Council mandate text sets conditions for compatible further processing of metadata, including pseudonymisation, erasure or anonymisation when no longer needed, and restrictions on profiling-type use (Article 6c).
- Metadata must be erased or made anonymous when no longer needed to provide the service, subject to specific exceptions listed in the Council mandate text (Article 7).

### [RESULT] Electronic Message Marketing Requirements

Consent rule with an existing-customer exception

- If you rely on consent, obtain prior consent from end-users who are natural persons (Article 16(1)) and ensure withdrawal is possible and easy (Article 16(6)).
- If you rely on the existing-customer exception, ensure the contact details were obtained in the context of a purchase, marketing is limited to your own similar products or services, and the end-user was given a clear and free opportunity to object at collection and in each subsequent message (Article 16(2)).
- When sending any direct marketing communication, reveal identity and provide effective return addresses or numbers, make the marketing nature clear, and provide a free and effective way to object or withdraw consent (Article 16(6)).

### [RESULT] Telephone Marketing Obligations Apply

Calling line identification and Member State rules

- Present the calling line identification assigned to you when placing direct marketing calls (Article 16(3)).
- Where applicable, comply with any Member State requirements for a specific code or prefix identifying a direct marketing call (Article 16(3a)).
- If a Member State uses an opt-out regime for voice-to-voice marketing calls, ensure you do not call end-users who have expressed their objection (Article 16(4)).

### [RESULT] Direct Marketing Rules Do Not Apply

No unsolicited direct marketing

- You are not using electronic communications services to send direct marketing communications, so Article 16 does not apply.
- If you start sending direct marketing communications later, apply the Article 16 rules and ensure recipients can object or withdraw consent free of charge.

### [RESULT] Directory Obligations Apply

Consent or objection model, plus user control rights

- For natural persons, obtain consent to include their personal data in a directory, and consent for each category of personal data included, unless Member State law uses an objection model (Article 15(1) and (1aa)).
- Inform end-users about search functions that are not based on name or number and obtain consent before enabling such search functions related to their data (Article 15(2)).
- Provide legal persons with the possibility to object to data related to them being included (Article 15(3)).
- Provide end-users the means to verify, correct, and delete directory data, free of charge (Article 15(3a) and (4)).

### [RESULT] Line Identification Obligations Apply

End-user options and emergency exceptions

- Where presentation is offered, provide end-users with options to prevent and control presentation of calling and connected line identification, and to reject incoming calls where calling line identification has been prevented (Article 12(1)).
- For emergency communications, override the elimination of calling line identification presentation and certain consent settings, as set out in the Council mandate text (Article 13).
- Member States may establish more specific provisions for tracing unwanted, malicious, or nuisance calls (Article 14).

### [RESULT] Line Identification Rules Do Not Apply

No calling/connected line identification services

- You do not offer calling or connected line identification options, so Articles 12 to 14 do not apply to you.
- If you later offer those features, implement the end-user options and emergency-related exceptions described in the Council mandate text.

## ePrivacy Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2002-07-31 | Directive 2002/58/EC published in the Official Journal (OJ L 201) | SWD(2017) 3 reference: OJ L 201, 31.07.2002 |
| 2009-01-01 | Directive 2002/58/EC modified by Directive 2009/136/EC (as referenced in sources) | SWD(2017) 3 reference |
| 2012-06-07 | WP29 adopts Opinion 04/2012 (WP194) on cookie consent exemptions | WP29 Opinion 04/2012 |
| 2017-01-10 | Commission proposes the ePrivacy Regulation | COM(2017) 10 final |
| 2019-03-12 | EDPB adopts Opinion 5/2019 on ePrivacy Directive and GDPR interplay | EDPB Opinion 5/2019 |
| 2020-05-04 | EDPB adopts Guidelines 05/2020 on GDPR consent | EDPB Guidelines 05/2020 |
| 2021-02-10 | Council negotiation mandate published (ST 6087/21) | ST 6087/21 |
| 2023-01-17 | EDPB Cookie Banner Taskforce report adopted | EDPB Cookie Banner Taskforce report |

## Compliance Timeline

| Date | Event | Category | Reference |
| --- | --- | --- | --- |
| 2002-07-12 | ePrivacy Directive 2002/58/EC adopted | ePrivacy Directive |  |
| 2002-07-31 | Directive 2002/58/EC published in the Official Journal (OJ L 201) | ePrivacy Directive |  |
| 2009-01-01 | ePrivacy Directive revised in 2009 (as referenced in sources) | ePrivacy Directive |  |
| 2012-06-07 | WP29 Opinion 04/2012 on cookie consent exemption adopted | WP29/EDPB Guidance |  |
| 2016-04-11 | Commission ePrivacy factsheet published | Commission Actions |  |
| 2016-07-22 | EDPS Preliminary Opinion 5/2016 on the ePrivacy review | EDPS Opinions |  |
| 2017-01-10 | Commission proposes the ePrivacy Regulation | Proposed Regulation |  |
| 2017-01-10 | Commission impact assessment issued (SWD(2017) 3 final) | Commission Actions |  |
| 2017-02-16 | European Parliament: committee referral announced (1st reading) | Proposed Regulation |  |
| 2017-04-24 | EDPS Opinion 6/2017 on the proposed ePrivacy Regulation published | EDPS Opinions |  |
| 2017-06-09 | Council: debate in Council (TTE) recorded in procedure file | Proposed Regulation |  |
| 2017-10-05 | EDPS recommendations on Parliament amendments published | EDPS Opinions |  |
| 2017-10-19 | European Parliament: LIBE vote and decision to open negotiations | Proposed Regulation |  |
| 2017-10-23 | European Parliament: committee report tabled for plenary (1st reading) | Proposed Regulation |  |
| 2017-12-04 | Council: TTE meeting noted in the procedure file | Proposed Regulation |  |
| 2018-05-18 | Commission ePrivacy factsheet updated | Commission Actions |  |
| 2018-05-25 | EDPB statement on the revision of the ePrivacy Regulation adopted | WP29/EDPB Guidance |  |
| 2019-03-12 | EDPB Opinion 5/2019 adopted (interplay between ePrivacy Directive and GDPR) | WP29/EDPB Guidance |  |
| 2020-05-04 | EDPB Guidelines 05/2020 on consent adopted | WP29/EDPB Guidance |  |
| 2020-11-19 | EDPB reply letter on cookie walls issued | WP29/EDPB Guidance |  |
| 2020-11-19 | EDPB statement on the ePrivacy Regulation and future supervisory role adopted | WP29/EDPB Guidance |  |
| 2021-02-10 | Council negotiation mandate published (ST 6087/21) | Proposed Regulation |  |
| 2021-03-09 | Commission ePrivacy factsheet last updated | Commission Actions |  |
| 2021-03-09 | EDPB Statement 03/2021 adopted | WP29/EDPB Guidance |  |
| 2022-08-01 | Repeal date placeholder for Directive 2002/58/EC (in Council draft) | Proposed Regulation |  |
| 2023-01-17 | EDPB Cookie Banner Taskforce report adopted | Enforcement & Reports |  |
| 2024-08-01 | Monitoring programme deadline placeholder (in Council draft) | Proposed Regulation |  |

**Event details:**

- **2002-07-12 - ePrivacy Directive 2002/58/EC adopted**: Directive 2002/58/EC date: 12 July 2002.
- **2002-07-31 - Directive 2002/58/EC published in the Official Journal (OJ L 201)**: Impact assessment timeline cites: OJ L 201, 31.07.2002, p. 37.
- **2009-01-01 - ePrivacy Directive revised in 2009 (as referenced in sources)**: Legislative documents referenced in the grounding data describe the last revision of the ePrivacy Directive as occurring in 2009 (Directive 2009/136/EC is cited as the amending instrument).
- **2012-06-07 - WP29 Opinion 04/2012 on cookie consent exemption adopted**: Opinion 04/2012 (WP194) adopted on 7 June 2012.
- **2016-04-11 - Commission ePrivacy factsheet published**: Commission digital-strategy factsheet publication date shown: 11 April 2016.
- **2016-07-22 - EDPS Preliminary Opinion 5/2016 on the ePrivacy review**: EDPS preliminary opinion on the review of the ePrivacy Directive issued on 22 July 2016.
- **2017-01-10 - Commission proposes the ePrivacy Regulation**: Commission proposal date shown: 10 January 2017 (procedure files and Commission factsheet).
- **2017-01-10 - Commission impact assessment issued (SWD(2017) 3 final)**: Impact assessment SWD(2017) 3 final is dated Brussels, 10 January 2017 (published alongside the ePrivacy Regulation proposal).
- **2017-02-16 - European Parliament: committee referral announced (1st reading)**: Procedure file timeline lists 16 February 2017 as the committee referral announcement in Parliament.
- **2017-04-24 - EDPS Opinion 6/2017 on the proposed ePrivacy Regulation published**: EDPS Opinion 6/2017 is dated 24 April 2017.
- **2017-06-09 - Council: debate in Council (TTE) recorded in procedure file**: Procedure file lists a Council debate date of 9 June 2017 (Transport, Telecommunications and Energy).
- **2017-10-05 - EDPS recommendations on Parliament amendments published**: EDPS recommendations document is dated 5 October 2017.
- **2017-10-19 - European Parliament: LIBE vote and decision to open negotiations**: Procedure file lists 19 October 2017 as the committee vote and decision to open interinstitutional negotiations.
- **2017-10-23 - European Parliament: committee report tabled for plenary (1st reading)**: Procedure file lists 23 October 2017 as the date the committee report was tabled for plenary (1st reading).
- **2017-12-04 - Council: TTE meeting noted in the procedure file**: Procedure file lists a Council meeting (Transport, Telecommunications and Energy) on 4 December 2017 in the legislative process.
- **2018-05-18 - Commission ePrivacy factsheet updated**: Commission ePrivacy factsheet footer shows: Updated 18 May 2018.
- **2018-05-25 - EDPB statement on the revision of the ePrivacy Regulation adopted**: EDPB statement on the revision of the ePrivacy Regulation and its impact on privacy and confidentiality of communications adopted on 25 May 2018.
- **2019-03-12 - EDPB Opinion 5/2019 adopted (interplay between ePrivacy Directive and GDPR)**: Opinion 5/2019 adoption date shown: 12 March 2019.
- **2020-05-04 - EDPB Guidelines 05/2020 on consent adopted**: Guidelines 05/2020 adoption date shown: 4 May 2020.
- **2020-11-19 - EDPB reply letter on cookie walls issued**: Reply letter on cookie walls is dated 19 November 2020.
- **2020-11-19 - EDPB statement on the ePrivacy Regulation and future supervisory role adopted**: EDPB statement on the ePrivacy Regulation and the future role of supervisory authorities and the EDPB adopted on 19 November 2020.
- **2021-02-10 - Council negotiation mandate published (ST 6087/21)**: Council mandate document shows Brussels date: 10 February 2021.
- **2021-03-09 - Commission ePrivacy factsheet last updated**: Commission digital-strategy factsheet shows last update: 9 March 2021.
- **2021-03-09 - EDPB Statement 03/2021 adopted**: EDPB Statement 03/2021 adoption date shown: 9 March 2021.
- **2022-08-01 - Repeal date placeholder for Directive 2002/58/EC (in Council draft)**: Council mandate draft text includes a bracketed repeal effect date for Directive 2002/58/EC: 1 August 2022.
- **2023-01-17 - EDPB Cookie Banner Taskforce report adopted**: Cookie Banner Taskforce report adoption date shown: 17 January 2023.
- **2024-08-01 - Monitoring programme deadline placeholder (in Council draft)**: Council mandate draft includes a bracketed deadline: by 1 August 2024 the Commission shall establish a detailed monitoring programme for the Regulation’s effectiveness.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/eprivacy-directive
