ePrivacy Directive

ePrivacy Directive

The ePrivacy Directive (ePD), also known as the "Cookie Law," is an EU directive designed to protect people's privacy when they go online. If you're a business operating within the EU or serving customers in this region, then you must understand how the so-called "Cookie Law" affects your operations.

Here is a breakdown of everything you should know about the ePD, including who must comply with its provisions and what steps you can take to ensure compliance.

Get compliant today with PrivacyPolicies.com

Select one of our generators to create the required legal agreements for your business:

Integrate a free Cookies Notice and Cookie Consent banner to comply with the EU ePrivacy Directive and the new GDPR law regarding cookies.

What is the ePrivacy Directive?

The ePrivacy Directive is a legal instrument which addresses key privacy concerns including data protection and data security. It came into force back in 2002 and was updated in 2009 to reflect a changing online environment.

Before we move on, let's be clear about one point: An EU Directive is not the same as an EU Regulation.

  • EU Directive: A directive is a set of legal guidelines. It sets out clear goals and objectives for EU Member States to meet, and each country introduces its own laws to meet these goals. So, the laws might look a little different across Member States even if the overarching principle is the same.
  • EU Regulation: A regulation is a legally binding instrument. It's enforceable in its entirety across all Member States, and it overrides any national laws which are incompatible. An example is the GDPR.

The Aims of the ePrivacy Directive

The ePD's aims are simple. The goal is to ensure that Member States:

  • Respect the rights of individuals to keep their private life confidential, and
  • Take reasonable steps to protect personal data processed within its borders

In other words, the ePD aims to uphold Articles 7 and 8 of the Charter on Fundamental Rights:

EUR-Lex Charter on Fundamental Rights Articles 7 and 8

So, the ePrivacy Directive strikes a balance between free movement of data, and personal privacy.

Why is the ePrivacy Directive Also Called the Cookie Law?

The ePrivacy Directive got this nickname as it contains a specific clause concerning cookies and similar web tracking technologies.

A cookie is simply a piece of data. It's downloaded onto a user's device when they perform certain actions like:

  • Adding items to a shopping cart
  • Logging in to their account
  • Clicking on advertisements

Some cookies are essential. Without them, your website won't work properly. These are called essential or strictly necessary cookies.

Other cookies are non-essential because your website works without them, such as analytics or marketing cookies.

If you plan on using non-essential cookies, then you must ensure you do so in compliance with the ePrivacy Directive. We will cover what the clause says and how to comply below, but for now, just remember there's a difference between essential and non-essential cookies.

Is the ePrivacy Directive the Same as the GDPR?

No, they're different laws.

The GDPR is a regulation, for one thing, so it applies in its entirety across the EU. On the other hand, the ePrivacy Directive is a directive which is adopted into EU law.

Although both the ePD and the GDPR apply to data processing, the ePrivacy Directive also applies specifically to non-personal data processing and cookies, as we noted above.

So, the laws are not the same, although they have similar goals.

Who Must Comply With the ePrivacy Directive?

Your business should comply with the ePD if your business:

  • Processes or sells data belonging to EU citizens; or
  • Uses cookies or similar tracking tools for any purpose, and you sell goods or services to EU citizens

Meaning, if you market your products to anyone based in the EU, you should comply with the ePrivacy Directive. So, if you're bound by the GDPR, then the ePrivacy Directive also applies.

Will the ePrivacy Regulation Replace the ePrivacy Directive?

Will the ePrivacy Regulation Replace the ePrivacy Directive?

The ePrivacy Regulation is a comprehensive piece of legislation. It will replace the ePD once it's in force.

Remember, under the EU rules, a "Regulation" has direct effect across Member States. A "Directive," on the other hand, is a set of guidelines which can be introduced in different ways across Member States.

In effect then, the ePrivacy Regulation will "harmonize" existing ePrivacy laws which exist across the Member States and bring them into line with each other. Once the ePR comes into force, it will override and replace any domestic legislation which Member States introduced to implement the ePD.

It is not yet clear on what date the ePR will replace the ePD, though, so in the meantime, you should continue to follow the ePD rules.

That said, there's one exception to this, and it's the UK. Here's why.

Will the ePrivacy Regulation or ePrivacy Directive Apply in the UK?

While it hasn't been confirmed, the ePR probably won't automatically apply.

As the UK is no longer a part of the EU, there are some key differences as to which laws will have an effect in Britain compared to the European Union:

  • The GDPR will continue to be in force across the UK
  • As the UK is no longer a Member State, new Regulations are not necessarily adopted the way they are in Member States
  • The ePrivacy Regulation may not, then, automatically apply in the UK.

It's unclear whether the UK will adopt its own legislation which is similar to the ePrivacy Regulation.

How to Comply With the ePrivacy Directive

How to Comply With the ePrivacy Directive

Complying with the ePrivacy Directive means you must do four main things:

  • Review what cookies you use, and why you use them
  • Have a Privacy Policy which explains whether you use cookies, and which types of cookies you use
  • Get express consent to non-essential cookies before you place them on a person's device
  • Give people the option to reject non-essential cookies

Let's break down how to comply with each of these steps.

Review Website Cookies

First, make sure you know what cookies your website uses.

  • If you use any cookies to monitor user behavior, collect personal data, or track metrics, then you'll need to inform people that you use them. That's because these are non-essential cookies which can process personal data, and so the Cookie Law states you must get express consent before using these.
  • If your website doesn't collect any personal data through cookies or other tracking technologies, then you won't need to worry about getting consent to website cookies. You should, however, still tell people you use essential cookies. (More on that below.)

Chances are your website does use some cookies which are capable of processing personal data. So, you'll probably need to comply with all of the following steps.

Update Your Privacy Policy

A Privacy Policy sets out your policies regarding how you process personal data. In terms of cookies, your Privacy Policy should cover:

  • What cookies are
  • If you use cookies
  • What cookies you use
  • Why you use cookies
  • How users can opt out

Don't worry, you can cover all this information in just a clause or two. You don't need to provide huge amounts of detail, but rather just enough to ensure people understand what cookies are and what they are consenting to.

Here are some examples.

Clause seven of Starbucks' Privacy Policy sets out what cookies are, why the company uses them, and how users can opt out, in two fairly short paragraphs:

Starbucks Privacy Policy: Cookies, Web Beacons and Similar Technologies clause - Cookies excerpt

Nike has a clause on "COOKIES and Pixel Tags" which helpfully breaks down the categories of cookies it uses, and how someone might manage or turn off cookies they don't want:

Nike Privacy Policy: Cookies and Pixel Tags clause with manage and turn off cookies section highlighted

You can also have a separate Cookies Policy, which allows you to summarize your cookie rules in a short, user-friendly document. However, a Cookies Policy isn't always necessary, and even if you do have one, you still need to cover cookies in your Privacy Policy.

You should include a link to your Privacy Policy in obvious places around your website, such as:

  • Header or footer
  • Sidebar
  • Checkout screen

Also include a link within your Cookie Banner, which we'll cover next.

This point can't be overstated: To comply with the Cookie Law and the GDPR, you can't use non-essential cookies without getting someone's express, informed consent.

You can obtain this consent by using a pop-up banner which sets out your cookie policies.

Here's an example from Clintons as to what a cookie banner might look like:

Clintons Cookie Consent banner

Consider making your banner "obtrusive." Meaning, visitors can't use your webpage until they interact with the notice. That way, you'll know users have seen the banner and consented to your terms.

Make sure your notice contains a sentence or two about what cookies are and why you use them. The screenshot above is a good example of this.

Next, ensure that all non-essential cookies are turned "off" by default. If someone wishes to accept non-essential cookies, they can turn them on. Otherwise, there's a chance that people will accidentally accept cookies they didn't want to receive, which is contrary to the ePrivacy Directive.

Use clickable buttons or checkboxes to get consent to non-essential cookies. Here's an example from Starbucks:

Starbucks Cookie Consent banner Settings options section

Here's another example from Harvey Nichols:

Harvey  Nichols Cookie Consent banner - Manage Preferences screen

Stay on the right side of the law by always keep non-essential cookies turned off unless a visitor turns them on. Include a brief description of your non-essential cookies so people know exactly what they're consenting to.

Include a "Reject" or "Opt Out" Button

Since implied consent isn't sufficient under the EU privacy laws, you must make it easy for people to reject non-essential cookies. So, your cookie banner should include a clear "reject" or "opt out" option such as a clickable button or slider.

For example, when a UK user loads the BBC website, the cookie banner gives a clear option to accept or reject the default cookies:

BBC Cookie Consent banner with yes and no options highlighted

That said, the button doesn't need to say "Reject" or "Opt Out" or a variation of this. It simply should be obvious that someone can reject cookies.

For example, when you visit the Harvey Nichols website, the cookie banner includes the option to either "Accept" the default cookies or "Manage" the cookies used:

Harvey Nichols Cookie Consent banner with Manage and Accept buttons highlighted

Make sure it's obvious from the cookie pop-up or banner that users can reject or opt-out of non-essential cookies they don't wish to accept.

How is the ePrivacy Directive Enforced?

How is the ePrivacy Directive Enforced?

Depending on the violation, companies can be fined under either the GDPR or the ePrivacy Directive. As the ePD will eventually be replaced by the ePR, though, we'll consider how the ePD is enforced in the UK.

In the UK, the Information Commissioner's Office (ICO) can enforce the rules. Typically, punishments can include:

  • Business audits
  • Non-criminal procedures for enforcement
  • Financial penalties up to £500,000

Criminal sanctions may also be applied, depending on the severity of the breach.

A company can be found guilty of breaking both the GDPR and the ePD. In these circumstances, national organizations are encouraged to work together to find a fair remedy, to avoid a situation where companies may be fined twice.

It's likely that the ePrivacy Regulation will have its own specific enforcement provisions, which you should take the time to understand before the ePR comes into force.


The ePrivacy Directive, or "Cookie Law," is designed to protect peoples' privacy rights across EU Member States. Although the ePrivacy Regulation will eventually replace the ePD, it will still apply in the UK, so you must understand its terms and how you can comply with them.

To comply with the ePrivacy Directive, you should:

  • Review what cookies you use
  • Make sure there's a valid purpose for every cookie you use
  • Ensure your Privacy Policy contains explains what cookies you use, why you use them, and how people can reject cookies
  • Include a cookie pop-up banner on your website which gives people the option to opt-out of cookies
  • Get express, informed consent to non-essential cookies before installing them (You don't need consent for essential cookies)

You should also ensure your cookie banner contains a link to your Privacy Policy. This makes it easy for people to make an informed decision before accepting or rejecting cookies.

Your company may face penalties if you fail to comply.