EU ePrivacy Directive
Maximum Fine
Varies by state
Scope
Regional
Regulator
National DPAs
Status
Active
Overview
The ePrivacy Directive (2002/58/EC) sets out rules for the protection of privacy in the electronic communications sector, including requirements for cookies, marketing communications, and communications confidentiality.
Key Facts
- Effective since 2002
- Enforced by national data protection authorities
- Complements GDPR for electronic communications
Key Rules
Communications Confidentiality
Protection of privacy in electronic communications services.
Requirements
- Ensure communications secrecy
- Implement security measures
- Control access to data
- Protect metadata
- Handle breaches appropriately
Examples
- Encryption implementation
- Access control systems
- Security protocols
- Breach procedures
Marketing Rules
Requirements for electronic marketing communications.
Requirements
- Obtain prior consent
- Provide opt-out mechanism
- Include sender information
- Honor opt-out requests
- Maintain records
Examples
- Consent collection forms
- Unsubscribe mechanisms
- Marketing databases
- Compliance documentation
Compliance Requirements
Communications Privacy
Protection of privacy in electronic communications.
Implementation Steps
- Implement security measures
- Ensure confidentiality
- Control access rights
- Monitor communications
- Handle data breaches
Required Documentation
- Security policies
- Access control logs
- Monitoring records
- Incident reports
- Training materials
Direct Marketing Rules
Requirements for electronic marketing communications.
Implementation Steps
- Obtain marketing consent
- Maintain opt-out system
- Verify consent status
- Process opt-outs promptly
- Keep consent records
Required Documentation
- Marketing consent forms
- Opt-out records
- Consent database
- Processing procedures
- Compliance reports
Enforcement & Penalties
National Authority Enforcement
Each EU member state's data protection authority can impose penalties for violations.
Penalty Categories
Cookie Violations
Varies by member state
For non-compliance with cookie consent requirements
Marketing Violations
Up to €20M in some states
For unauthorized marketing communications
Communications Privacy
Varies by jurisdiction
For breaches of communications confidentiality
Example Cases
Google France
€100M
2020 - Cookie consent violations
Vodafone Spain
€50,000
2021 - Marketing communications without consent
Additional Measures
Authorities can impose various corrective measures beyond monetary penalties.
Penalty Categories
Processing Bans
Activity Suspension
Temporary or permanent ban on specific activities
Corrective Orders
Mandatory Changes
Orders to modify practices and procedures
Public Warnings
Reputational Impact
Public disclosure of violations
Example Cases
TikTok Netherlands
Processing Ban
2021 - Ordered to modify cookie practices
Telecom Provider
Corrective Order
2022 - Required to implement consent mechanism