EU ePrivacy Directive

  • Maximum Fine: Varies by state
  • Scope: Regional
  • Regulator: National DPAs
  • Status: Active

Overview

The ePrivacy Directive (2002/58/EC) sets out rules for the protection of privacy in the electronic communications sector, including requirements for cookies, marketing communications, and communications confidentiality.

Key Facts

  • Effective since 2002
  • Enforced by national data protection authorities
  • Complements GDPR for electronic communications

Key Rules

Communications Confidentiality

Protection of privacy in electronic communications services.

Requirements

  • Ensure communications secrecy
  • Implement security measures
  • Control access to data
  • Protect metadata
  • Handle breaches appropriately

Examples

  • Encryption implementation
  • Access control systems
  • Security protocols
  • Breach procedures

Cookie Requirements

Rules for using cookies and similar tracking technologies.

Requirements

  • Obtain informed consent
  • Provide clear information
  • Enable user choice
  • Allow consent withdrawal
  • Document compliance

Examples

  • Cookie consent banners
  • Cookie policies
  • Preference centers
  • Consent records

Marketing Rules

Requirements for electronic marketing communications.

Requirements

  • Obtain prior consent
  • Provide opt-out mechanism
  • Include sender information
  • Honor opt-out requests
  • Maintain records

Examples

  • Consent collection forms
  • Unsubscribe mechanisms
  • Marketing databases
  • Compliance documentation

Compliance Requirements

Communications Privacy

Protection of privacy in electronic communications.

Implementation Steps

  • Implement security measures
  • Ensure confidentiality
  • Control access rights
  • Monitor communications
  • Handle data breaches

Required Documentation

  • Security policies
  • Access control logs
  • Monitoring records
  • Incident reports
  • Training materials

Direct Marketing Rules

Requirements for electronic marketing communications.

Implementation Steps

  • Obtain marketing consent
  • Maintain opt-out system
  • Verify consent status
  • Process opt-outs promptly
  • Keep consent records

Required Documentation

  • Marketing consent forms
  • Opt-out records
  • Consent database
  • Processing procedures
  • Compliance reports

Enforcement & Penalties

National Authority Enforcement

Each EU member state's data protection authority can impose penalties for violations.

Penalty Categories

  • Cookie Violations: Varies by member state (for non-compliance with cookie consent requirements)
  • Marketing Violations: Up to €20M in some states (for unauthorized marketing communications)
  • Communications Privacy: Varies by jurisdiction (for breaches of communications confidentiality)

Example Cases

  • Google France: €100M (2020, cookie consent violations)
  • Vodafone Spain: €50,000 (2021, marketing communications without consent)

Additional Measures

Authorities can impose various corrective measures beyond monetary penalties.

Penalty Categories

  • Processing Bans: Activity Suspension (temporary or permanent ban on specific activities)
  • Corrective Orders: Mandatory Changes (orders to modify practices and procedures)
  • Public Warnings: Reputational Impact (public disclosure of violations)

Example Cases

  • TikTok Netherlands: Processing Ban (2021, ordered to modify cookie practices)
  • Telecom Provider: Corrective Order (2022, required to implement consent mechanism)