ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence

Use this comparison to separate ePrivacy duties for communications, terminal equipment, and unsolicited marketing from GDPR duties for personal-data processing.

Grounded in the ePrivacy Directive, EDPB Opinion 5/2019 on ePrivacy/GDPR interplay, EDPB Article 5(3) technical-scope guidance, EDPB consent guidance, and Commission ePrivacy/GDPR material.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

The ePrivacy Directive and GDPR often apply to the same product journey, but they answer different questions. ePrivacy is the more specific rule for confidentiality of electronic communications, terminal-equipment storage or access, traffic and location data, and unsolicited communications. GDPR continues to govern personal-data processing that is not covered by an ePrivacy special rule, including transparency, rights, accountability, security, and later use of data obtained through cookies or similar technologies.

Side-by-side comparison

ePrivacy Directive vs GDPR: where each rule controls

Use these rows to decide whether the fact pattern is governed by an ePrivacy special rule, GDPR, or both in sequence.

First framework
ePrivacy Directive

Specific rules for electronic communications confidentiality, terminal-equipment storage or access, traffic and location data, and unsolicited communications, implemented through Member State law.

Second framework
GDPR

General EU personal-data framework for controllers and processors, covering lawful basis, transparency, rights, accountability, security, transfers, and enforcement where personal data is processed.

Comparison row 1

Scope boundary

ePrivacy Directive

Protects privacy and confidentiality in the electronic communications sector, including communications, traffic data, location data, terminal-equipment information, directories, and unsolicited communications.

GDPR

Protects natural persons with regard to personal-data processing and free movement of personal data, regardless of the communications technology used.

Operational implication

A cookie, pixel, SDK, email campaign, or messaging service can need an ePrivacy analysis even before the GDPR personal-data analysis is complete.

Comparison row 2

Covered actors

ePrivacy Directive

Where ePrivacy contains a special rule for the operation, that rule takes precedence for the specific storage, access, traffic-data, location-data, or marketing act.

GDPR

GDPR still applies to personal-data processing not specifically governed by ePrivacy, including later profiling, analytics, data-subject rights, notices, security, retention, and transfers.

Operational implication

Do not ask which law wins for the whole product. Ask which operation is covered by a special ePrivacy rule and which related processing remains under GDPR.

Comparison row 3

Trigger

ePrivacy Directive

Article 5(3) controls storing information or gaining access to information already stored in a subscriber's or user's terminal equipment, unless the access is transmission-only or strictly necessary for a service explicitly requested by the user.

GDPR

GDPR controls processing of personal data generated or obtained from that storage or access, such as analytics profiles, advertising segments, account matching, enrichment, sharing, retention, or transfers.

Operational implication

A compliant cookie banner is not the full GDPR answer. Keep a tracker inventory and consent log for ePrivacy, then a lawful-basis and accountability record for downstream personal-data processing.

Comparison row 4

Core obligations

ePrivacy Directive

Requires confidentiality of communications and related traffic data in the electronic communications sector, with specific rules for permitted processing and restrictions.

GDPR

Requires lawful, fair, transparent, secure, and accountable processing when communications content, traffic data, location data, or customer records are personal data.

Operational implication

For messaging, calling, telecom, or communications metadata features, test confidentiality and traffic/location-data rules before relying on a general GDPR processing assessment.

Comparison row 5

Evidence record

ePrivacy Directive

Useful ePrivacy evidence includes tracker and SDK inventories, Article 5(3) classification, exemption analysis, consent screens, CMP settings, consent logs, withdrawal tests, marketing opt-in or soft-opt-in records, and national-rule notes.

GDPR

Useful GDPR evidence includes ROPA entries, lawful-basis records, privacy notices, DPIAs or risk assessments where needed, processor terms, security measures, retention records, DSAR logs, breach records, and transfer files.

Operational implication

Use one linked evidence register if helpful, but tag each artifact by the operation and legal source it proves. Shared evidence should not blur the ePrivacy/GDPR boundary.

Comparison row 6

Timing and deadlines

ePrivacy Directive

Article 13 requires prior consent for automated calling systems, fax, and electronic mail direct marketing, with a customer soft-opt-in for a seller's own similar products or services where free and easy objection is offered at collection and in each message.

GDPR

GDPR still governs personal-data processing behind the campaign, including lawful basis for contact data, transparency, suppression records, segmentation, profiling, processor use, retention, and rights handling.

Operational implication

Keep two records: the ePrivacy marketing-permission or soft-opt-in facts, and the GDPR processing record for the CRM, audience, suppression, and profiling workflow.

Comparison row 7

Enforcement

ePrivacy Directive

ePrivacy duties are enforced through national laws transposing the Directive. The competent authority and penalty route depend on Member State implementation and the specific ePrivacy rule.

GDPR

GDPR is enforced through data-protection supervisory authorities using GDPR powers, cooperation and consistency mechanisms, corrective powers, and administrative fines.

Operational implication

Do not invent EU-wide ePrivacy fines or country rules. Record the national transposition and authority checked whenever a concrete country answer is needed.

Comparison row 8

Overlap and reuse

ePrivacy Directive

When ePrivacy requires consent, the consent must satisfy GDPR consent conditions; a user must receive clear information and have a real, specific, informed, unambiguous choice.

GDPR

GDPR defines consent and adds proof, withdrawal, granularity, transparency, and conditionality constraints; consent is not valid if it is bundled or forced in a way that removes real choice.

Operational implication

For banners and marketing forms, preserve the exact user-facing copy, purposes, buttons, vendor choices, timing, consent state, refusal state, withdrawal path, and version history.

Practical decision rule

How should teams decide which framework controls?

  • Identify the exact operation: communications confidentiality, terminal-equipment storage/access, traffic data, location data, direct marketing, or downstream personal-data processing.
  • Apply the ePrivacy special rule first where one exists, including Article 5(3), Article 6, Article 9, or Article 13 as relevant.
  • Apply GDPR to personal-data processing not specifically covered by that ePrivacy rule, including later analytics, profiling, sharing, retention, rights, security, transfers, and accountability.
  • Keep national ePrivacy implementation caveats visible; do not state country penalties or authority powers unless the national source has been checked.
Section 1

The short rule: start with the operation, not the label

For cookies, pixels, SDKs, device identifiers, local storage, connected-device reporting, email marketing, and communications metadata, first ask whether the operation is specifically regulated by national law transposing the ePrivacy Directive. If yes, that special rule sets the ePrivacy answer for that operation.

Then ask whether the same facts include personal-data processing before, after, or around the ePrivacy step. If they do, GDPR still has to be tested for the parts not specifically governed by ePrivacy.

  • Do not treat GDPR legitimate interests as a substitute for ePrivacy consent where Article 5(3), traffic-data, location-data, or direct-marketing rules require consent.
  • Do not stop at ePrivacy consent if the data is later profiled, enriched, shared, retained, transferred, or used for analytics or advertising; those later processing steps need a GDPR analysis.
  • Keep the evidence split by operation: terminal-equipment access, communications-service activity, direct marketing, and downstream personal-data processing.
Section 2

What ePrivacy adds that GDPR does not supersede

The ePrivacy Directive is not just a cookie annex to GDPR. It protects communications confidentiality and terminal equipment even where the information is not personal data. EDPB Article 5(3) guidance explains that the covered object is information, not only personal data, and that storage and access are separate technical notions.

That matters for engineering review. A tracker, pixel, SDK, connected-car report, local-processing design, or identifier read can be in ePrivacy scope before a team knows whether the resulting data identifies a person under GDPR.

  • Classify the technical act: storing information, gaining access to stored information, transmitting a communication, processing traffic data, processing location data, or sending unsolicited communications.
  • Record the device or endpoint involved, such as browser, app, phone, connected TV, connected car, wearable, or other terminal equipment.
  • Separate the ePrivacy exemption test from the GDPR lawful-basis test; the Article 5(3) exceptions are transmission-only access and access strictly necessary for a service explicitly requested by the user.
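
The decision rule and the classification steps above, as an added sketch that is not part of the original guide or of any Sorena tooling: each operation in an inventory is tested against its ePrivacy special rule first, then against GDPR where personal data is processed, and evidence gaps are reported per framework. The operation labels, evidence tags, the two-item GDPR minimum and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Operations with an ePrivacy special rule per the page (dictionary keys are assumed labels).
EPRIVACY_RULE = {
    "terminal_storage_or_access": "Art. 5(3)",
    "traffic_data": "Art. 6",
    "location_data": "Art. 9",
    "direct_marketing": "Art. 13",
}
# The two Article 5(3) exceptions named on the page.
ART_5_3_EXEMPTIONS = {"transmission_only", "strictly_necessary_requested_service"}
GDPR_REQUIRED = ("lawful_basis_record", "ropa_entry")  # assumed minimum for this sketch

@dataclass
class Operation:
    name: str
    kind: str                          # key of EPRIVACY_RULE or "downstream_processing"
    personal_data: bool = False
    exemption: Optional[str] = None    # claimed Art. 5(3) exemption, if any
    national_rule_checked: bool = False
    evidence: set = field(default_factory=set)  # tags of artifacts held

def review(op: Operation) -> list:
    """Return (framework, gap) findings; ePrivacy is tested first, then GDPR."""
    gaps = []
    rule = EPRIVACY_RULE.get(op.kind)
    if rule:
        if not op.national_rule_checked:
            gaps.append(("ePrivacy", f"{rule}: national transposition not recorded"))
        if op.kind == "terminal_storage_or_access":
            if op.exemption in ART_5_3_EXEMPTIONS:
                if "exemption_analysis" not in op.evidence:
                    gaps.append(("ePrivacy", "Art. 5(3): exemption claimed, no analysis on file"))
            elif "consent_log" not in op.evidence:
                # A GDPR lawful-basis record does not fill this gap.
                gaps.append(("ePrivacy", "Art. 5(3): non-exempt access without consent log"))
        if op.kind == "direct_marketing" and not (
                {"marketing_opt_in", "soft_opt_in_record"} & op.evidence):
            gaps.append(("ePrivacy", "Art. 13: no opt-in or soft-opt-in record"))
    if op.personal_data:
        for tag in GDPR_REQUIRED:
            if tag not in op.evidence:
                gaps.append(("GDPR", f"missing {tag}"))
    return gaps

# Constructed sample inventory (not real trackers or vendors).
INVENTORY = [
    Operation("session_cookie", "terminal_storage_or_access", national_rule_checked=True,
              exemption="strictly_necessary_requested_service",
              evidence={"exemption_analysis"}),
    Operation("ad_pixel", "terminal_storage_or_access", personal_data=True,
              national_rule_checked=True, evidence={"lawful_basis_record", "ropa_entry"}),
    Operation("analytics_profile", "downstream_processing", personal_data=True,
              evidence={"consent_log"}),
    Operation("newsletter", "direct_marketing", personal_data=True,
              evidence={"soft_opt_in_record", "lawful_basis_record", "ropa_entry"}),
]

def review_inventory(inventory):
    return {op.name: review(op) for op in inventory}

if __name__ == "__main__":
    for name, gaps in review_inventory(INVENTORY).items():
        print(name, gaps or "no gaps")
```

The `ad_pixel` and `analytics_profile` entries show the boundary in both directions: GDPR records do not stand in for the Article 5(3) consent log, and a consent log does not stand in for the GDPR records on downstream processing.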
Section 4

Enforcement and evidence depend on national implementation

The ePrivacy Directive is implemented through Member State law. EDPB Opinion 5/2019 states that Member States must appoint one or more authorities to supervise compliance with national ePrivacy rules, and that data-protection authorities can directly enforce ePrivacy only where national law gives them that competence.

Avoid making EU-wide penalty claims on this page. The source-linked comparison is that GDPR has its own supervisory-authority framework, while ePrivacy enforcement and penalties depend on the national transposition and competent authority for the specific rule.

  • For ePrivacy evidence, record the national rule checked, the competent authority assumption, and the operation covered by that rule.
  • For GDPR evidence, record the controller or processor role, GDPR obligation, supervisory-authority route, and any cross-border cooperation relevance.
  • Where the same conduct is investigated under both frameworks, keep a linked timeline so factual findings can be reused without pretending the legal powers are identical.
Primary sources

eur-lex.europa.eu: Primary source for GDPR processing duties after the ePrivacy scoping step.