---
title: ePrivacy Directive — definition | RGM® Glossary
url: https://realgrowthmatters.com/glossary/eprivacy-directive/
updated: 2026-06-10
source_html: https://realgrowthmatters.com/glossary/eprivacy-directive/
---

# ePrivacy Directive

e·Pri·va·cynoun (law)

The law the cookie banner answers to — consent before anything is stored or read, GDPR's older and narrower sibling.

Term
:   ePrivacy Directive

Is
:   The EU's e-communications privacy law

Known as
:   The cookie law (2009 amendment)

Pairs with
:   GDPR, which defines the consent

## Forms & parts of speech

ePrivacy · noun

The cookie-consent law.

"GDPR gets the blame, but the **ePrivacy Directive** is why the banner must ask before the cookie is set."

## Definition in plain terms

The ePrivacy Directive is the EU law governing privacy in electronic communications — confidentiality of communications, unsolicited messages, and, famously, the rule that earned it the nickname 'cookie law': storing information on a user's device, or accessing information already there, requires informed consent unless strictly necessary for a service the user requested. Enacted in 2002 and amended to add the consent rule in 2009, it is why the banner asks BEFORE the cookie is set — a fact popularly misattributed to GDPR.

## The mechanics

The division of labor with GDPR confuses everyone and matters operationally: ePrivacy supplies the consent-before-storage rule (and it covers any device storage or access — cookies, localStorage, fingerprinting techniques, SDK identifiers — the technology-neutral phrasing ages well); GDPR defines what valid consent IS (freely given, specific, informed, unambiguous — the standard that killed pre-ticked boxes in the CJEU's Planet49 judgment) and governs the personal-data processing that follows. The 'strictly necessary' exemption draws the practical line: session carts, security, and load balancing need no consent; analytics, advertising, and personalization storage do — which is exactly the architecture every CONSENT-MANAGEMENT-PLATFORM implements and CONSENT-MODE-V2 signals downstream. Enforcement runs through national regulators applying their transpositions (CNIL's nine-figure fines against major platforms were ePrivacy actions), and the long-promised ePrivacy Regulation — drafted to replace the directive and harmonize the patchwork — spent so many years stalled in Brussels that the directive's 2009 text still governs the 2020s web. For marketers the practical summary: the banner's ask-first behavior, the exemption boundaries, and the no-tracking-before-consent rule all live here, with GDPR supplying the consent quality bar and the processing rules afterward.

## When it matters

The ePrivacy Directive matters to anyone with EU traffic — it is the legal floor under every cookie banner, tag-firing rule, and consent-gated pixel this glossary's measurement entries assume. It matters analytically at the exemption line (what may run pre-consent) and at audit time, when 'tags firing before consent' is the finding regulators reach for first. The discipline is architectural: nothing non-essential stored or read before consent, the CMP as enforcement rather than decoration, and the directive read alongside GDPR — one law for the asking, one for the answer's quality. (General information, not legal advice.)

**Worked example.** An EU-market fashion retailer passes a GDPR review - lawful bases mapped, DSARs handled - and still fails its first ePrivacy-grade technical audit: the tag manager fires analytics and ad pixels on page load, before the banner ever renders, because consent had been implemented as a record-keeping exercise rather than a gate. The remediation is architectural: a consent-first tag order (nothing non-essential stores or reads pre-consent), the strictly-necessary exemption documented cookie by cookie, the CMP wired as the enforcement layer feeding Consent Mode signals downstream, and the banner rebuilt to the Planet49 standard - no pre-ticked anything, reject as easy as accept. Measured traffic dips 18% at the flip; modeled conversions recover the reporting; and the next audit reads clean in the place the first one failed - the milliseconds before consent, where the directive actually lives.

**Failure modes to watch.** Tags firing before the banner answers; consent implemented as records instead of gates; the strictly-necessary exemption stretched over analytics and ads; pre-ticked boxes surviving Planet49 in legacy flows; and ePrivacy compliance assumed because GDPR work was done — sibling laws, different questions.

## Synonyms & antonyms

### Synonyms

ePrivacy Directivecookie lawDirective 2002/58

### Antonyms

GDPR (the consent standard)ePrivacy Regulation (stalled successor)

## Origin & history

Directive 2002/58/EC governed electronic-communications privacy from 2002, and its 2009 amendment added the consent-before-storage rule that named it the cookie law; the replacement ePrivacy Regulation has been stalled in EU process since 2017, leaving the directive — and its national transpositions — running the modern web's banners.

Etymology: [source](https://en.wikipedia.org/wiki/EPrivacy_Directive).

## Usage trends

Search interest for this term over the last five years:

[View interest-over-time on Google Trends →](https://trends.google.com/trends/explore?q=eprivacy&date=today%205-y)

## Common questions

What is the ePrivacy Directive?
:   The EU's electronic-communications privacy law — confidentiality, unsolicited messages, and the consent-before-storage rule (2009 amendment) that made it 'the cookie law.'

How do ePrivacy and GDPR fit together?
:   ePrivacy requires consent before storing or accessing anything on a device; GDPR defines what valid consent is and governs the processing afterward — the asking and the answer's quality.

What can run before consent?
:   Only the strictly necessary — session carts, security, load balancing; analytics, advertising, and personalization storage wait for the banner's yes.

## Related tools & calculators

- tool[CAC calculator](/tools/cac-calculator/)
- tool[LTV:CAC calculator](/tools/ltv-to-cac-ratio-calculator/)

## Resources & people to follow

- reference[Wikipedia — ePrivacy Directive](https://en.wikipedia.org/wiki/EPrivacy_Directive)
- referenceCJEU Planet49 judgment on consent standards
- referenceRGM analysis — the audit lives in the milliseconds before consent; the CMP is a gate, not a guestbook

Curated, non-competitor resources verified per term.

## Related training

- module[Performance marketing](/training/performance-marketing-foundations/)

## Disciplines

Areas of marketing where eprivacy directive is a core concern:

[Performance marketing](/training/performance-marketing-foundations/)[Growth strategy](/training/growth-marketing-foundations/)

## Read next

## Related terms

[GDPR](/glossary/gdpr/)[Consent management platform](/glossary/consent-management-platform-cmp/)[Consent Mode v2](/glossary/consent-mode-v2/)[Cookie](/glossary/cookie/)[Third-party cookie](/glossary/third-party-cookie/)

## Sources

1. trends[Google Trends — "eprivacy"](https://trends.google.com/trends/explore?q=eprivacy&date=today%205-y)
