EU ePrivacy Directive vs GDPR

Which law applies, when, and how to document the split.

Use the two-layer model: placement/reading and communications confidentiality (ePrivacy), subsequent processing (GDPR).

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026

Overview

Teams get stuck because cookies, ads, and analytics happen in one user journey but sit in a multi-layer legal model. The practical approach endorsed in EDPB guidance: ePrivacy national law governs the placement/reading of information on the device (Article 5(3)) and communications confidentiality; GDPR governs subsequent processing of personal data derived from that access. This page turns that principle into scenarios and concrete documentation patterns.

Section 1

The two-layer model (the easiest way to stay consistent)

Layer A (ePrivacy): placement/reading and communications confidentiality. This is where cookie banner UX and consent/exemption decisions live.

Layer B (GDPR): what you do with data after placement/reading, such as profiling, measurement, ad selection, sharing, retention, rights, and transfers.

  • If a tracker is set/read: assess ePrivacy first (consent vs exemption).
  • If the tracker produces or enables personal data processing: assess GDPR lawful basis and transparency for that subsequent processing.
  • Keep choices aligned: a user who "rejects" trackers should not still be profiled downstream because of engineering gaps.
Section 2

Common scenarios: which rules bite where?

Use this as a mental model for product, legal, and engineering reviews. The scenarios are phrased like real backlog tickets.

  • Analytics cookie: ePrivacy decides if consent is needed to place/read; GDPR decides lawful basis and transparency for analytics processing.
  • Advertising pixel: ePrivacy governs placement/reading; GDPR governs profiling/targeting and sharing.
  • Device fingerprinting technique: ePrivacy-style device access logic applies; GDPR applies to resulting personal data processing.
  • Email marketing: ePrivacy Article 13 governs consent/soft opt-in and opt-out requirements; GDPR governs personal data processing aspects and records.
  • Communications metadata: ePrivacy confidentiality constraints apply; GDPR applies to subsequent processing and retention justification.
Section 3

The three mistakes that create enforcement risk

Most "ePrivacy vs GDPR" failures are not legal nuance; they are mismatches between UI, system behavior, and documentation.

  • Using legitimate interests for placement/reading under Article 5(3): EDPB positions indicate this is not the basis for placement/reading.
  • Banner says "manage choices" but does not offer a real reject option (or hides it): a majority view treated this as invalid consent.
  • Engineering mismatch: tags/SDKs still fire before consent due to tag manager misconfiguration or asynchronous loads.
Section 4

Documentation that survives audits (what to write down, and where)

Make the split explicit in your internal documentation and your external notices. Don't force one policy to do two different jobs.

A good evidence set demonstrates consistent user choice handling across both layers.

  • Tracker decision table (ePrivacy): consent vs exemption per tracker, per market, with rationale and approvals.
  • Processing register (GDPR): purposes, lawful basis, recipients, retention, transfers, DPIA/LIAs where relevant.
  • CMP and tag manager mapping: choices -> runtime behavior -> downstream systems (analytics, ads, CDP).
  • Consent logs + withdrawal logs: link the banner version to the processing purposes in effect at the time.
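The "tags fire before consent" mismatch from Section 3 and the choices -> runtime behavior -> downstream systems mapping above can be checked mechanically against a captured event timeline. The following is an added example, not code from this guide or from Sorena; the decision table, system names, event format, and banner version are all constructed for illustration.

```python
# Constructed tracker decision table: system -> Article 5(3) decision and purpose.
DECISION_TABLE = {
    "session_cookie": {"basis": "exempt", "purpose": "strictly_necessary"},
    "analytics_tag": {"basis": "consent", "purpose": "analytics"},
    "ads_pixel": {"basis": "consent", "purpose": "advertising"},
    "cdp_sync": {"basis": "consent", "purpose": "advertising"},  # downstream system
}

# Constructed runtime timeline for one visitor (t = milliseconds since page load).
EVENTS = [
    {"t": 0, "type": "fire", "system": "session_cookie"},
    {"t": 120, "type": "fire", "system": "analytics_tag"},  # async load beats the banner
    {"t": 900, "type": "choice", "banner_version": "v7",
     "granted": {"analytics": True, "advertising": False}},
    {"t": 950, "type": "fire", "system": "analytics_tag"},
    {"t": 1400, "type": "fire", "system": "cdp_sync"},  # purpose was rejected
    {"t": 2000, "type": "fire", "system": "heatmap_sdk"},  # missing from inventory
    {"t": 5000, "type": "choice", "banner_version": "v7",
     "granted": {"analytics": False, "advertising": False}},  # withdrawal
    {"t": 5100, "type": "fire", "system": "analytics_tag"},
]

def audit(events, table):
    """Return (t, system, reason, banner_version) for each fire that contradicts the user's choice."""
    findings = []
    granted = None  # None means no choice has been recorded yet
    banner = None   # banner version in effect when the finding occurred
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "choice":
            granted, banner = ev["granted"], ev["banner_version"]
            continue
        entry = table.get(ev["system"])
        if entry is None:
            reason = "not in decision table"
        elif entry["basis"] == "exempt":
            continue
        elif granted is None:
            reason = "fired before any choice"
        elif not granted.get(entry["purpose"], False):
            reason = "fired without consent for " + entry["purpose"]
        else:
            continue
        findings.append((ev["t"], ev["system"], reason, banner))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, DECISION_TABLE):
        print(finding)
```

Each finding carries the banner version in effect, which is the link between consent logs and runtime behavior that the evidence set needs.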