Growth Marketing Glossary

ePrivacy Directive

e·Pri·va·cynoun (law)

The law the cookie banner answers to — consent before anything is stored or read, GDPR's older and narrower sibling.

ePrivacy2002/2009the actual 'cookie law'consent BEFORE storage/accessconfidentiality of communicationsGDPR's older, narrower siblingthe directive every cookie banner answers to
Schematic — consent before the cookie
Term
ePrivacy Directive
Is
The EU's e-communications privacy law
Known as
The cookie law (2009 amendment)
Pairs with
GDPR, which defines the consent

Forms & parts of speech

ePrivacy · noun
The cookie-consent law.
"GDPR gets the blame, but the ePrivacy Directive is why the banner must ask before the cookie is set."

Definition in plain terms

The ePrivacy Directive is the EU law governing privacy in electronic communications — confidentiality of communications, unsolicited messages, and, famously, the rule that earned it the nickname 'cookie law': storing information on a user's device, or accessing information already there, requires informed consent unless strictly necessary for a service the user requested. Enacted in 2002 and amended to add the consent rule in 2009, it is why the banner asks BEFORE the cookie is set — a fact popularly misattributed to GDPR.

The mechanics

The division of labor with GDPR confuses everyone and matters operationally: ePrivacy supplies the consent-before-storage rule (and it covers any device storage or access — cookies, localStorage, fingerprinting techniques, SDK identifiers — the technology-neutral phrasing ages well); GDPR defines what valid consent IS (freely given, specific, informed, unambiguous — the standard that killed pre-ticked boxes in the CJEU's Planet49 judgment) and governs the personal-data processing that follows. The 'strictly necessary' exemption draws the practical line: session carts, security, and load balancing need no consent; analytics, advertising, and personalization storage do — which is exactly the architecture every CONSENT-MANAGEMENT-PLATFORM implements and CONSENT-MODE-V2 signals downstream. Enforcement runs through national regulators applying their transpositions (CNIL's nine-figure fines against major platforms were ePrivacy actions), and the long-promised ePrivacy Regulation — drafted to replace the directive and harmonize the patchwork — spent so many years stalled in Brussels that the directive's 2009 text still governs the 2020s web. For marketers the practical summary: the banner's ask-first behavior, the exemption boundaries, and the no-tracking-before-consent rule all live here, with GDPR supplying the consent quality bar and the processing rules afterward.

When it matters

The ePrivacy Directive matters to anyone with EU traffic — it is the legal floor under every cookie banner, tag-firing rule, and consent-gated pixel this glossary's measurement entries assume. It matters analytically at the exemption line (what may run pre-consent) and at audit time, when 'tags firing before consent' is the finding regulators reach for first. The discipline is architectural: nothing non-essential stored or read before consent, the CMP as enforcement rather than decoration, and the directive read alongside GDPR — one law for the asking, one for the answer's quality. (General information, not legal advice.)

Worked example. An EU-market fashion retailer passes a GDPR review - lawful bases mapped, DSARs handled - and still fails its first ePrivacy-grade technical audit: the tag manager fires analytics and ad pixels on page load, before the banner ever renders, because consent had been implemented as a record-keeping exercise rather than a gate. The remediation is architectural: a consent-first tag order (nothing non-essential stores or reads pre-consent), the strictly-necessary exemption documented cookie by cookie, the CMP wired as the enforcement layer feeding Consent Mode signals downstream, and the banner rebuilt to the Planet49 standard - no pre-ticked anything, reject as easy as accept. Measured traffic dips 18% at the flip; modeled conversions recover the reporting; and the next audit reads clean in the place the first one failed - the milliseconds before consent, where the directive actually lives.
Failure modes to watch. Tags firing before the banner answers; consent implemented as records instead of gates; the strictly-necessary exemption stretched over analytics and ads; pre-ticked boxes surviving Planet49 in legacy flows; and ePrivacy compliance assumed because GDPR work was done — sibling laws, different questions.

Synonyms & antonyms

Synonyms

ePrivacy Directivecookie lawDirective 2002/58

Antonyms

GDPR (the consent standard)ePrivacy Regulation (stalled successor)

Origin & history

Directive 2002/58/EC governed electronic-communications privacy from 2002, and its 2009 amendment added the consent-before-storage rule that named it the cookie law; the replacement ePrivacy Regulation has been stalled in EU process since 2017, leaving the directive — and its national transpositions — running the modern web's banners.

Etymology: source.

Usage trends

Search interest for this term over the last five years:

View interest-over-time on Google Trends →

Common questions

What is the ePrivacy Directive?
The EU's electronic-communications privacy law — confidentiality, unsolicited messages, and the consent-before-storage rule (2009 amendment) that made it 'the cookie law.'
How do ePrivacy and GDPR fit together?
ePrivacy requires consent before storing or accessing anything on a device; GDPR defines what valid consent is and governs the processing afterward — the asking and the answer's quality.
What can run before consent?
Only the strictly necessary — session carts, security, load balancing; analytics, advertising, and personalization storage wait for the banner's yes.

Related tools & calculators

Resources & people to follow

Curated, non-competitor resources verified per term.

Related training

Disciplines

Areas of marketing where eprivacy directive is a core concern:

Sources

  1. trendsGoogle Trends — "eprivacy"