The ePrivacy Directive: the other privacy law (cookies, spam, secrecy)

Three things live here, not in the GDPR: cookie consent, the marketing opt-in for email/SMS, and the confidentiality of your communications. The “cookie law” is older than the smartphone — and still undefeated.

The ePrivacy Directive (2002/58) is the GDPR’s older sibling, covering electronic communications specifically — and taking precedence there (lex specialis). Its three pillars: (1) Device access — Art. 5(3): storing or reading anything on your device (cookies, fingerprinting, SDK identifiers) needs consent unless strictly necessary — the entire banner economy hangs on this sentence. (2) Unsolicited marketing — Art. 13: email/SMS marketing needs prior opt-in (narrow existing-customer exception), the backbone of the spam-killing sequence; cold-call rules are set nationally, opt-in in a growing list of countries. (3) Confidentiality of communications — the principle that carriers and states may not listen in without legal gates; the very battlefield of the Chat Control fight, which is legally a fight about derogations from this directive. The zombie reform: a replacement ePrivacy Regulation was proposed in 2017, deadlocked for nearly a decade, and was finally put out of its misery — with cookie-rule modernisation moved into the Digital Omnibus instead (status: What’s changing). Until that lands, this 2002 directive, as amended, still writes the rules your banner obeys. Enforcement is split nationally between DPAs and telecom regulators — for consumers, your DPA is the right first door.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority