---
title: "ePrivacy Directive Enforcement (Cookies + Marketing)"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/enforcement-and-fines"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/enforcement-and-fines"
author: "Sorena AI"
description: "An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "ePrivacy Directive enforcement"
  - "cookie banner enforcement EU"
  - "ePrivacy cookie consent enforcement"
  - "no reject button cookie banner"
  - "cookie wall ePrivacy"
  - "consent withdrawal as easy as giving"
  - "CMP configuration evidence"
  - "ePrivacy Directive fines enforcement"
  - "cookie banner enforcement"
  - "consent UX"
  - "CMP configuration"
  - "evidence pack"
---
# ePrivacy Directive Enforcement (Cookies + Marketing)

An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX.

## EU ePrivacy Directive Enforcement

How regulators assess cookie banners, consent UX, and evidence.

Focus: enforcement triggers, investigation readiness, and an evidence pack you can export fast.

ePrivacy enforcement is rarely about legal theory in isolation. It is about observable outcomes: did your site/app place or read trackers without valid consent (or without a valid exemption)? Did users have a real reject option? Can users withdraw as easily as they consented? And can you prove it with repeatable evidence (CMP configuration exports, logs, and tests)? This page shows how enforcement typically works and how to be investigation-ready.

## Who enforces the ePrivacy Directive (and why enforcement is fragmented)

The ePrivacy Directive is implemented through national laws. Enforcement competence is therefore national and can involve different bodies depending on the Member State (e.g., telecom regulators, DPAs, or other authorities).

EDPB guidance emphasizes that the Directive explicitly allows more than one national body to be competent and requires Member States to provide effective enforcement powers (cessation orders, investigative powers, cross-border cooperation).

- Expect enforcement to be market-specific: the same banner pattern can be assessed differently across Member States.
- Build a single evidence pack, but add country overlays (local guidance, language, and implementation nuances).
- Plan for cross-border cooperation expectations for widespread services.

## What triggers enforcement in cookie banner cases (common denominator positions)

The EDPB Cookie Banner Taskforce report reflects the shared interpretation used to handle cookie-banner complaints across multiple authorities (with national requirements still applying).

Treat it as an enforcement-oriented checklist for banner UX, consent validity, and withdrawal.

- No consent-by-default: consent-requiring cookies/trackers must not be set before consent is expressed by a positive action.
- No "accept only" pattern: a majority of authorities considered missing reject/refuse options (on any layer that offers consent) not in line with valid consent requirements.
- No confusing "double refusal" patterns: users should not have to refuse multiple times due to mixed ePrivacy and GDPR framing in deeper layers.
- No legitimate interest for placement/reading: the legal basis for the placement/reading under Article 5(3) cannot be legitimate interests.
- Withdrawal needs to be easy and accessible (e.g., persistent link/icon to reopen choices), assessed case-by-case.

## Investigation-ready evidence pack (what you should export in < 48 hours)

Enforcement becomes painful when teams cannot prove what happened in production. Build evidence that is attributable, versioned, and reproducible.

Design your proof so it answers: what was deployed, what users saw, what choices were available, and what trackers actually fired.

- Tracker inventory and decision table: purpose, exemption rationale, vendors, and markets.
- CMP/banner configuration export: purposes, vendors, default states, geo rules, and UI variants.
- Consent log schema: timestamp, locale, user choice per purpose/vendor, banner version, and proof of withdrawal.
- Tag manager and SDK enforcement evidence: pre-consent blocking rules and post-consent activation mapping.
- Automated tests: screenshots/flows verifying "reject all", "save preferences", and "withdraw" paths.

## How to respond to a complaint or regulator inquiry (fast, consistent, and calm)

Treat enforcement response like an incident: intake -> triage -> evidence export -> remediation -> follow-up. Your goal is controlled, explainable change rather than rushed edits.

If the allegation is about cookie banners, validate production behavior with real network traces and device tests (not only CMP screenshots).

- Freeze the deployed config (export CMP + tag manager settings and store them with a timestamp).
- Reproduce key flows with fresh devices/browsers and capture trace evidence (what fired pre-consent vs post-consent).
- Document root cause and remediate with a measured release (include regression tests).
- Update your decision table and evidence index; communicate changes internally and to vendors.
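
As an added illustration (not part of the original guide and not Sorena tooling), the pre-consent vs post-consent comparison above can be run over an exported HAR trace and the Article 5(3) decision table. The hosts, cookie names, and timestamps below are constructed sample values, and `audit_trace` is a hypothetical helper name.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed decision table: host -> Article 5(3) basis from the tracker inventory
DECISION_TABLE = {
    "shop.example": "exempt",        # first-party, strictly necessary
    "cmp.example": "exempt",         # the consent banner itself
    "analytics.example": "consent",
    "ads.example": "consent",
}

def _entry(ts, url, cookies=()):
    """Build one HAR 1.2 style entry (constructed sample data)."""
    return {"startedDateTime": ts, "request": {"url": url},
            "response": {"cookies": [{"name": c} for c in cookies]}}

# Constructed trace: a fresh browser session, consent click logged at 10:00:03Z
SAMPLE_HAR = {"log": {"entries": [
    _entry("2026-02-21T10:00:00.100Z", "https://shop.example/", ["session"]),
    _entry("2026-02-21T10:00:00.350Z", "https://analytics.example/collect", ["_aid"]),
    _entry("2026-02-21T10:00:00.400Z", "https://cmp.example/banner.js"),
    _entry("2026-02-21T10:00:04.000Z", "https://ads.example/pixel", ["_adid"]),
    _entry("2026-02-21T10:00:04.200Z", "https://cdn.unknown.example/t.js"),
]}}

def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_trace(har, table, consent_at=None):
    """Return findings for requests that fired without a valid basis.

    consent_at is the consent-log timestamp of the accept action; None models
    a "reject all" flow, where nothing consent-based may fire at any time.
    Hosts missing from the decision table are always reported as inventory gaps.
    """
    cutoff = parse_ts(consent_at) if consent_at else None
    findings = []
    for e in har["log"]["entries"]:
        host = urlsplit(e["request"]["url"]).hostname
        basis = table.get(host, "unclassified")
        if basis == "exempt":
            continue
        fired_at = parse_ts(e["startedDateTime"])
        if basis == "consent" and cutoff is not None and fired_at >= cutoff:
            continue  # fired only after consent was recorded
        findings.append({"host": host, "basis": basis,
                         "time": e["startedDateTime"],
                         "cookies_set": [c["name"] for c in e["response"].get("cookies", [])]})
    return findings
```

Storing the returned findings next to the frozen CMP export and the HAR file gives one timestamped record per reproduced flow.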

## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive) - consolidated text (EUR-Lex)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219&ref=sorena.io) - National implementation and enforcement framework (including Article 15a).
- [EDPB Report - Cookie Banner Taskforce (Jan 2023)](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Common denominator enforcement positions used when handling cookie-banner complaints.
- [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Competence and enforcement where GDPR and national ePrivacy law intersect.
- [EDPB Guidelines 05/2020 on consent under GDPR](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent validity conditions used when assessing ePrivacy consent references.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption (WP194)](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Practical test for Article 5(3) exemptions (transmission / strictly necessary).



