EU ePrivacy Directive deadlines and compliance calendar

Record these dates as legal-history anchors, not as new implementation deadlines. They explain which version of the ePrivacy baseline a cookie, terminal-equipment, or direct-marketing control is being mapped against.

Do not add a future ePrivacy Regulation effective date unless the cited source actually supports one. The Commission proposed an ePrivacy Regulation on 10 January 2017, but the grounding materials treat it as a legislative proposal rather than a replacement date for current operating controls.

Run this review whenever a website, app, SDK, tag manager, analytics configuration, advertising pixel, local-storage feature, connected-device flow, or user-agent identifier changes. Article 5(3) is triggered by storing information or gaining access to information already stored in a subscriber's or user's terminal equipment, not only by traditional browser cookies.

The review record should classify each technology as consent-required, strictly necessary for the user-requested service, necessary only for transmission, or blocked pending legal review. Keep the technical test tied to actual storage or access operations, not vendor labels.

Review consent banners and consent logs at each banner redesign, CMP configuration change, new purpose/vendor launch, regional rollout, or complaint. The calendar item should prove that consent-required storage or access is off by default and that the user's choice is captured with enough context to demonstrate consent quality.

The banner check should cover both ePrivacy placement or reading of cookies and any later GDPR-governed processing that follows from the storage or access event. Do not rely on the GDPR one-stop-shop mechanism for issues that fall only under the ePrivacy Directive.

Schedule a direct-marketing check before every new email, SMS, automated-calling, fax, or similar electronic-marketing program, and repeat it when countries, message types, lead sources, or customer-relationship assumptions change. Article 13 distinguishes prior consent for certain channels, a limited existing-customer electronic-mail path for similar products or services, and Member State choices for other direct-marketing communications.

Because the Directive is implemented through national law, the calendar should not treat a single EU-wide banner or marketing setting as final. Regional owners should maintain a country-by-country note for cookie placement, analytics exemptions, enforcement authority guidance, direct-marketing opt-in or opt-out rules, and legal-person protections.

The calendar should be short enough for operating teams to maintain, but it must preserve the reason a control was approved. Each row should link a source, a control owner, the affected countries, and the evidence that shows the current product or marketing behavior matches the rule.

Reopen a row when a source changes, a national authority updates guidance, a vendor changes its technology, a new tracking method appears, a consent interface changes, or a marketing program expands into a new country or channel.