EU ePrivacy Directive penalties and fines

Use this page to frame ePrivacy enforcement exposure without inventing an EU-wide fine ceiling: Article 15a leaves penalty rules to Member States, while EU sources define the duties and risk patterns that national authorities enforce.

Built for privacy, legal, web engineering, marketing operations, analytics, consent-platform, and product teams that need defensible evidence for cookies, tracking technologies, direct marketing, and terminal-equipment access.

Author
Sorena AI
Published
May 9, 2026
Updated
May 26, 2026
Sections
5

Primary sources
7

Overview

The ePrivacy Directive does not publish an EU-level administrative fine table comparable to the GDPR's. The EU-level penalty rule is Article 15a: Member States must lay down the penalties that apply to infringements of the national provisions adopted under the Directive, including criminal sanctions where appropriate, those penalties must be effective, proportionate and dissuasive, and competent authorities must be able to order an infringement to stop and obtain the information needed to investigate it. A credible penalties-and-fines assessment therefore starts with the EU duty that was allegedly breached, then moves to the affected Member State's national transposition, identifies the competent national authority or other body named in that law, and checks the current national penalty provision before assigning any amount, limitation period, appeal route, or authority-specific procedure.

Section 1

What can be said at EU level

At EU level, the reliable statement is about the structure of enforcement, not a single maximum fine. Article 15a requires Member States to lay down penalty rules for national ePrivacy infringements and to take measures needed for implementation. It also requires competent national authorities, and where relevant other national bodies, to have powers to order cessation of infringements and obtain information needed to monitor and enforce national provisions.

Do not convert that EU-level rule into a universal fine amount. For a real matter, record the alleged breach, affected Member State or States, national implementing law, competent authority route, available remedies, and any parallel GDPR issue.

  • Use Article 15a as the EU-level anchor for penalties (including criminal sanctions where appropriate), cessation powers, investigative powers, and cross-border cooperation.
  • Treat the national transposition law as mandatory reading before naming a fine amount, criminal sanction, limitation period, appeal route, or competent authority or other body; the national provision, not Article 15a, sets the actual exposure.
  • Separate ePrivacy penalty exposure from GDPR exposure; the same facts can trigger both frameworks, but the legal basis for each enforcement step must be identified.
  • Avoid country tables unless each country entry is supported by a current national source.
Section 2

Penalty triggers to test before assigning risk

The most common ePrivacy penalty assessment starts with Article 5(3): storing information on, or gaining access to information already stored in, a user's terminal equipment. EDPB Guidelines 2/2023 on the technical scope of Article 5(3) confirm that this is not limited to conventional browser cookies. Tracking pixels, tracked URLs, local storage, SDKs, device and advertising identifiers, IoT reporting, and client-side code can all need analysis when they store or access terminal-equipment information.

Direct marketing is a separate trigger. Article 13(1) requires prior consent before automated calling and communication systems without human intervention, fax, or electronic mail are used for direct marketing. Article 13(2) carries a limited exception: a seller that obtained a customer's electronic contact details in the context of a sale may market its own similar products or services, provided the customer was clearly and distinctly given an easy, free opportunity to object at collection and in each subsequent message. For other unsolicited marketing communications, Article 13(3) lets each Member State choose between an opt-in and an opt-out regime, so a cross-border campaign needs a country-level check.

  • Inventory every cookie, pixel, tag, SDK, local-storage item, mobile identifier, and tracked link that stores or accesses terminal-equipment information.
  • Classify each item by purpose, provider, first-party or third-party role, duration, recipient access, and whether it is active before consent.
  • For marketing, separate prospecting, existing-customer soft opt-in, service messages, and suppression-list processing.
  • Escalate any hidden identifier, pre-consent firing, unclear vendor purpose, or marketing list reuse before launch.
Section 3

Evidence that reduces enforcement exposure

Good evidence does not prove there can be no penalty, but it can make the risk analysis reviewable. Keep a point-in-time record showing what technology ran, why it ran, whether consent was required, which exemption was claimed if any, what the user saw, and whether the implementation matched the record.

For consent-required technologies, the strongest evidence is technical and user-facing: no pre-consent firing, an equal and understandable refusal path, no pre-ticked opt-in boxes, accessible withdrawal after consent, clear purpose descriptions, cookie duration, third-party access information, and logs that show the consent state used by each tag or SDK.

  • Save a cookie and tracker inventory with provider, purpose, duration, domain, country scope, and consent category.
  • Keep CMP configuration exports, screenshots of each banner layer, release history, geolocation rules, and automated tag-firing tests.
  • Retain consent logs that can show opt-in, refusal, withdrawal, timestamp, policy version, banner version, and the categories affected.
  • For claimed exemptions, document why the storage or access is strictly necessary for a user-requested service or solely needed for communication transmission.
  • For marketing, keep consent capture, source of contact details, suppression-list logic, opt-out wording, and proof that each message included an easy stop mechanism.
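The gating that the evidence list above asks for (no pre-consent firing, accessible withdrawal, and a log that shows the consent state each tag actually ran under) can be made concrete. The following is an added example, not code from the page, its author, or any CMP product, written as plain JavaScript that runs outside a browser: a hypothetical three-row tracker inventory, the unconditional loader that produces pre-consent firing, and a consent-gated loader that writes one log entry per tag with the consent snapshot, banner version and policy version in force. Tag names, hosts, category names and the `inject` callback are assumptions; in a real page `inject` would append the vendor script or pixel.

```javascript
// Added example (not code from the page, its author, or any CMP vendor).
// Hypothetical tracker inventory: one row per tag, SDK or pixel. `exempt`
// marks storage/access the team has documented as strictly necessary.
const INVENTORY = [
  { id: "session-cookie", category: "strictly_necessary", host: "shop.example",             exempt: true },
  { id: "analytics-js",   category: "analytics",          host: "stats.example-vendor.net", exempt: false },
  { id: "ad-pixel",       category: "advertising",        host: "px.adnetwork.example",     exempt: false },
];

// The pre-consent pattern: every inventoried tag is injected on page load,
// before any banner decision exists. Kept here only as the "before" picture.
function loadAllTagsUnconditionally(inject) {
  return INVENTORY.map((tag) => inject(tag.id));
}

// Consent state as the CMP would expose it. `decidedAt` stays null until the
// user accepts or refuses; a null decision is never treated as consent.
function createConsentState({ bannerVersion, policyVersion }) {
  return {
    bannerVersion,
    policyVersion,
    granted: { strictly_necessary: true, analytics: false, advertising: false },
    decidedAt: null,
  };
}

// Record the user's choice. Categories not explicitly granted are refused.
function recordDecision(state, { analytics = false, advertising = false }, at) {
  state.granted = { strictly_necessary: true, analytics, advertising };
  state.decidedAt = at;
  return state;
}

// Withdrawal of one category. It must change the next dispatch, not just the
// banner, so it updates the same state the loader reads.
function withdraw(state, category, at) {
  state.granted[category] = false;
  state.decidedAt = at;
  return state;
}

// Consent-gated loader. `inject(tagId)` is the side effect (in a browser:
// append the vendor <script> or <img>). Returns one log entry per inventoried
// tag, recording whether it fired and the consent snapshot it ran under.
function dispatchTags(state, inject, now) {
  const log = [];
  for (const tag of INVENTORY) {
    let reason;
    if (tag.exempt) reason = "exempt";
    else if (state.decidedAt === null) reason = "no_decision_yet";
    else if (state.granted[tag.category] === true) reason = "consented";
    else reason = "refused";
    const fired = reason === "exempt" || reason === "consented";
    if (fired) inject(tag.id);
    log.push({
      tagId: tag.id,
      category: tag.category,
      fired,
      reason,
      consentSnapshot: { ...state.granted }, // copy: later withdrawals must not rewrite history
      bannerVersion: state.bannerVersion,
      policyVersion: state.policyVersion,
      decidedAt: state.decidedAt,
      at: now,
    });
  }
  return log;
}

// Walk-through: page load, accept analytics only, then withdraw analytics.
function demo() {
  const fired = [];
  const inject = (id) => fired.push(id);
  const state = createConsentState({ bannerVersion: "banner-v3", policyVersion: "policy-2026-05" });
  const logs = [];
  logs.push(dispatchTags(state, inject, "2026-05-20T10:00:00Z")); // only the exempt cookie fires
  recordDecision(state, { analytics: true }, "2026-05-20T10:00:05Z");
  logs.push(dispatchTags(state, inject, "2026-05-20T10:00:05Z")); // analytics fires, ad pixel refused
  withdraw(state, "analytics", "2026-05-20T10:02:00Z");
  logs.push(dispatchTags(state, inject, "2026-05-20T10:02:00Z")); // analytics no longer fires
  return { fired, logs };
}
```

The design point is the log entry: it copies the consent snapshot at dispatch time rather than referencing the live state, so a later withdrawal cannot make an earlier, lawful fire look unlawful (or the reverse), and it carries the banner and policy versions so the entry can be matched to the screenshots and CMP export kept under the previous bullets.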
Section 4

Where teams overstate or understate fines risk

Teams overstate risk when they quote the GDPR maximum (up to EUR 20 million or 4% of worldwide annual turnover under Article 83(5)) as if it were the ePrivacy Directive's own EU-wide fine ceiling. Teams understate risk when they treat cookies, SDKs, local storage, or tracked URLs as harmless because the data is not obviously personal data. Article 5(3) protects terminal-equipment information and can apply regardless of whether the stored or accessed information is personal data.

The GDPR/ePrivacy boundary is also easy to misread. The EDPB's interplay opinion (Opinion 5/2019) explains that Member States have flexibility over which body enforces national ePrivacy rules, while data protection authorities remain competent for GDPR processing that is not governed by an ePrivacy special rule. The practical result is a two-track analysis: national ePrivacy enforcement for the storage/access or marketing rule, and GDPR analysis for the personal-data processing that happens before or after that special rule applies.

  • Do not state an EU-wide ePrivacy fine maximum unless a cited source in the page supports it.
  • Do not assume legitimate interest can replace Article 5(3) consent for placing or reading consent-required cookies or similar technologies.
  • Do not treat first-party analytics as automatically exempt; document the exact national conditions if relying on an audience-measurement exemption.
  • Do not rely on banner screenshots alone; match the user interface to network tests and consent-state logs.
  • Do not merge ePrivacy and GDPR findings in a way that hides which authority, power, or legal basis is being used.
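The bullet above (match the interface to network tests and consent-state logs) and the Section 3 evidence list describe a reconciliation that can be automated rather than done by eye. The following is an added example, not code from the page, a regulator, or any CMP product: it takes a hypothetical tracker inventory keyed by host, a constructed CMP consent log, and a constructed HAR-like request list captured while the banner was exercised, and reports every request that fired before any decision, after its category was refused, after withdrawal, or to a third-party host that the inventory does not know at all. Field names, hosts and timestamps are assumptions.

```javascript
// Added example (not code from the page, a regulator, or any CMP product).
// Reconciles three artefacts: a hypothetical tracker inventory keyed by host,
// a constructed CMP consent log, and a constructed HAR-like network capture.
const SITE_HOST = "shop.example"; // hypothetical first-party host

const INVENTORY = {
  "shop.example":             { category: "strictly_necessary", exempt: true },
  "stats.example-vendor.net": { category: "analytics",          exempt: false },
  "px.adnetwork.example":     { category: "advertising",        exempt: false },
};

// Constructed consent log, as the CMP recorded it.
const CONSENT_LOG = [
  { at: "2026-05-20T10:00:00.000Z", event: "banner_shown", bannerVersion: "banner-v3" },
  { at: "2026-05-20T10:00:05.000Z", event: "decision",     granted: { analytics: true,  advertising: false } },
  { at: "2026-05-20T10:02:00.000Z", event: "withdrawal",   granted: { analytics: false, advertising: false } },
];

// Constructed capture: request start time and URL, as a HAR entry would give.
const REQUESTS = [
  { at: "2026-05-20T09:59:59.500Z", url: "https://shop.example/app.js" },
  { at: "2026-05-20T10:00:01.000Z", url: "https://px.adnetwork.example/pixel.gif?id=1" },
  { at: "2026-05-20T10:00:06.000Z", url: "https://stats.example-vendor.net/collect" },
  { at: "2026-05-20T10:00:07.000Z", url: "https://px.adnetwork.example/pixel.gif?id=2" },
  { at: "2026-05-20T10:02:01.000Z", url: "https://stats.example-vendor.net/collect" },
  { at: "2026-05-20T10:02:02.000Z", url: "https://cdn.unknown-tracker.example/t.js" },
];

// Consent state in force at epoch-ms time t: the latest decision or withdrawal
// at or before t, or null if the user had not yet decided. A "banner_shown"
// event is deliberately not a decision: showing a banner is not consent.
function consentStateAt(log, t) {
  const ordered = [...log].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  let state = null;
  for (const e of ordered) {
    if (Date.parse(e.at) > t) break;
    if (e.event === "decision" || e.event === "withdrawal") state = { granted: e.granted, via: e.event };
  }
  return state;
}

// One finding per request that the consent log and inventory cannot justify.
function auditCapture(requests, log, inventory, siteHost) {
  const findings = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    const row = inventory[host];
    if (!row) {
      // A third-party host with no inventory row cannot be classified at all.
      if (host !== siteHost) findings.push({ url: r.url, issue: "uninventoried_third_party" });
      continue;
    }
    if (row.exempt) continue; // documented strictly-necessary storage/access
    const state = consentStateAt(log, Date.parse(r.at));
    if (state === null) {
      findings.push({ url: r.url, category: row.category, issue: "pre_consent_firing" });
    } else if (state.granted[row.category] !== true) {
      findings.push({
        url: r.url,
        category: row.category,
        issue: state.via === "withdrawal" ? "fired_after_withdrawal" : "fired_after_refusal",
      });
    }
  }
  return findings;
}

// Run the audit over the constructed inputs above.
function runAudit() {
  return auditCapture(REQUESTS, CONSENT_LOG, INVENTORY, SITE_HOST);
}
```

On the constructed capture this yields four findings: the first ad pixel (no decision yet), the second ad pixel (advertising refused), the analytics request after withdrawal, and the unknown CDN host. A request to the first-party host that is not in the inventory is not flagged, since the inventory owner has to decide whether it stores or accesses anything at all; a third-party host that is not in the inventory always is, because nothing in the evidence pack can explain it.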
Section 5

Penalty assessment checklist

Use this checklist before approving a launch, incident response, customer answer, or regulator response. It keeps the assessment inside what the EU sources support and leaves national penalty amounts to national legal review.

The output should be a short evidence pack, not a country table assembled from memory. If the file cannot identify the national source for a claimed amount or procedure, leave that fact out.

Does the EU ePrivacy Directive set one EU-wide fine amount?

No. The EU-level source requires Member States to set penalties for national ePrivacy infringements, but it does not provide one current EU-wide fine ceiling for this page to quote.

What evidence is most useful before discussing an ePrivacy fine?

Keep the national rule check, tracker inventory, consent-banner design, consent and withdrawal logs, network tests showing when tags fire, exemption rationale, and remediation history.

  • Identify the conduct: terminal-equipment storage or access, unsolicited direct marketing, traffic or location data handling, confidentiality of communications, or another ePrivacy rule.
  • Map the affected Member States and confirm that no penalty amount, competent authority, deadline, appeal route, or criminal exposure is stated without national-source support.
  • Attach the tracker inventory, CMP settings, network test, banner screenshots, consent logs, withdrawal path, and vendor-purpose record.
  • For each exemption, record the user-requested service, strict-necessity rationale, cookie duration, and why no additional non-exempt purpose is bundled.
  • For GDPR overlap, split Article 5(3) storage/access from subsequent personal-data processing, profiling, retention, data-subject rights, and security obligations.
  • Record remediation: disable pre-consent firing, add or equalize refusal controls, remove pre-ticked choices, shorten retention, update notices, stop unsupported marketing, and retest.
Recommended next step

Use this penalties guide to separate EU rules, national enforcement, and GDPR overlap

Sorena can help convert this page into a cited tracker inventory, consent-evidence checklist, national-source request list, and remediation workflow for ePrivacy enforcement risk.

Primary sources

References and citations

eur-lex.europa.eu
Referenced sections
  • Article 15a supports the checklist requirement to separate EU-level penalty structure from national penalty amounts and procedures.
"criminal sanctions where appropriate"
edpb.europa.eu
Referenced sections
  • The taskforce report supports the warning that legitimate interest is not the legal basis for Article 5(3) placement or reading where consent is required.
"cannot be the legitimate interests"
edpb.europa.eu
Referenced sections
  • Consent guidance supports the evidence focus on free choice, clear affirmative action, informed consent, demonstrability, and easy withdrawal.
"clear affirmative action"
edpb.europa.eu
Referenced sections
  • The guidelines support the warning that Article 5(3) can cover information stored or accessed on terminal equipment beyond personal data and beyond cookies.
"both non-personal data and personal data"
digital-strategy.ec.europa.eu
Referenced sections
  • Commission material frames ePrivacy as the EU online-privacy framework being modernised rather than as a source of one current EU-wide fine table.
"major modernisation process"
ec.europa.eu
Referenced sections
  • The opinion supports documenting exact exemption criteria and avoiding broad necessary-cookie claims for analytics, advertising, or multipurpose cookies.
"purpose and the specific implementation"
Related guides

Explore more topics

Are cookie walls allowed under the EU ePrivacy Directive?
FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
Do Analytics Cookies Require Consent under the EU ePrivacy Directive?
FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
ePrivacy cookie consent vs DSA ads obligations: source-limited comparison
Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.
ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence
Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
EU cookie banner requirements under the ePrivacy Directive
EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
EU ePrivacy analytics cookies: consent, exemption, and evidence guide
Source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing
A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
EU ePrivacy Article 5(3) terminal equipment test
A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
EU ePrivacy Confidentiality of Communications: Article 5 controls
Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
EU ePrivacy consent-log evidence workflow for cookies and trackers
Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
EU ePrivacy cookie banner UX test cases
Source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
EU ePrivacy Cookie Scope Classifier Workflow
Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
EU ePrivacy direct-marketing consent checklist
Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
EU ePrivacy Directive compliance calendar for cookies, consent, and marketing
Source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
EU ePrivacy Directive Compliance Checklist
A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications
Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence
Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
EU ePrivacy Directive direct marketing rules for electronic mail
Source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
EU ePrivacy Directive Enforcement and Fines
Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay
Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
EU ePrivacy Directive Member State Cookie Rules
How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
EU ePrivacy Directive Metadata and Location Data Guide
Source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
EU ePrivacy Directive Requirements: cookies, communications and marketing
Source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence
Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison
Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
EU ePrivacy soft opt-in FAQ for email marketing
When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
EU ePrivacy soft opt-in marketing checklist
Source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
EU ePrivacy soft opt-in marketing review workflow
Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
EU ePrivacy Strictly Necessary Cookie Exemptions
Source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
Is a reject-all button required for EU ePrivacy cookie consent?
Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
Strictly Necessary Cookies under the EU ePrivacy Directive
FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
What should CMP consent logs retain under the EU ePrivacy Directive?
FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.