EU ePrivacy Directive Compliance

Start each review with a short inventory of the service, technology, data flow, user action, and Member State footprint. The Directive applies in the electronic communications sector and contains specific rules for communications confidentiality, traffic data, location data, terminal-equipment access, directories, and unsolicited communications.

For product and web teams, the most common trigger is Article 5(3): storing information or gaining access to information already stored in a subscriber's or user's terminal equipment. That trigger is broader than browser cookies. EDPB technical guidance treats the relevant elements as information, terminal equipment, a public communications-network context, and storage or access.

Article 5 requires Member States to ensure confidentiality of communications and related traffic data through national legislation. A compliance review should therefore cover listening, tapping, storage, interception, surveillance, technical transmission storage, supplier access, logging, debugging, and incident-response tooling that can expose communications or related traffic data.

For terminal equipment, do not ask only whether a browser cookie exists. The EDPB guidance covers storage and access separately, and explains that information may be personal or non-personal, stored by the user, manufacturer, software, sensor, or another party. The compliance question is whether the service stores or gains access to information in protected terminal equipment and whether consent or a narrow necessity exemption applies.

If Article 5(3) applies, consent is the default route unless the operation is solely for transmitting a communication or is strictly necessary to provide an information society service explicitly requested by the user. The exemption analysis should be purpose-by-purpose, because a multipurpose cookie or SDK loses the exemption when one purpose is tracking, advertising, or another non-exempt use.

Where consent is required, GDPR consent conditions matter for ePrivacy compliance: consent must be freely given, specific, informed, and unambiguous, and withdrawal must be available. The Cookie Banner Taskforce report also flags practical risks such as no reject option, pre-ticked boxes, deceptive button presentation, legitimate-interest confusion for cookie access, inaccurate essential-cookie classification, and hard-to-find withdrawal controls.

Do not reduce ePrivacy compliance to cookies. Article 13 covers unsolicited direct marketing by automated calling systems, fax, and electronic mail, and it includes a limited existing-customer route for marketing similar products or services where contact details were obtained in a sale and the customer is clearly and distinctly offered a free, easy objection at collection and in each message.

Traffic data and location data need their own review. Traffic data should be erased or anonymized when no longer needed for transmission, subject to listed exceptions. Marketing of electronic communications services, value-added services, and location data other than traffic data generally require consent or anonymization, with information about data types, purposes, duration, and withdrawal.

The ePrivacy Directive is implemented through national law, and enforcement structures can differ by Member State. Keep a source-linked EU-level assessment, then attach country-specific legal checks only when the grounding source or local counsel supports them. Do not invent country penalties, regulator positions, or national exemptions from a generic EU rule.

The Cookie Banner Taskforce report warns that its positions are not a standalone green light and must be combined with national transposition laws and competent-authority guidance. It also states that the GDPR one-stop-shop mechanism does not apply to issues falling under the ePrivacy Directive, while subsequent personal-data processing may still be assessed under the GDPR.