EU Cookie Law (ePrivacy Directive) Explained (2026)

Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, amended by 2009/136/EC) requires websites to obtain prior informed consent before placing any non-essential cookie on a visitor's device. Strictly necessary cookies are exempt. The Directive operates alongside the GDPR as lex specialis for electronic communications and terminal equipment.
The ePrivacy Directive is the EU law that specifically governs how websites use cookies and similar tracking technologies. While the GDPR commands most of the attention in privacy discussions, the ePrivacy Directive is the instrument that directly requires cookie consent banners on virtually every website accessible from Europe.
Formally known as Directive 2002/58/EC on Privacy and Electronic Communications, the law was adopted in 2002 and significantly amended in 2009 by Directive 2009/136/EC. That 2009 amendment introduced the opt-in consent requirement that transformed the online experience for hundreds of millions of users.
The landscape has shifted significantly since 2024. The long-stalled replacement Regulation was formally withdrawn in February 2025, and a new Commission proposal would embed cookie rules directly in the GDPR instead. This guide covers the Directive's legal text, consent requirements, how it interacts with the GDPR, country implementations, the withdrawn Regulation, the November 2025 Digital Omnibus proposals, enforcement, and what organizations need to do.
Quick Answer
The ePrivacy Directive requires websites to obtain user consent before placing non-essential cookies (analytics, advertising, preference cookies) on a visitor's device. Strictly necessary cookies are exempt. The GDPR sets the consent standard: it must be freely given, specific, informed, and based on a clear affirmative action. Pre-ticked boxes and "continue browsing" do not count. The law is a Directive, transposed differently by each EU member state, so penalty structures vary. A proposed Regulation to replace the Directive was formally withdrawn in February 2025. A November 2025 Digital Omnibus proposal now seeks to fold cookie rules into the GDPR through new Articles 88a and 88b, but it remains a draft pending legislative approval.
What Is the ePrivacy Directive?
The ePrivacy Directive (Directive 2002/58/EC) is an EU legislative instrument that regulates the processing of personal data and the protection of privacy in the electronic communications sector. It covers cookies and tracking, unsolicited marketing, traffic data, location data, and confidentiality of communications.
The Directive entered into force on July 31, 2002. It operated alongside the original Data Protection Directive (95/46/EC), which was replaced by the GDPR in May 2018. While the GDPR replaced the general data protection framework, the ePrivacy Directive was retained as the sector-specific rule for electronic communications.
The 2009 Amendment: Birth of Cookie Consent
The original 2002 Directive allowed cookies with a simple opt-out mechanism. Browser settings were considered sufficient protection.
Directive 2009/136/EC changed the standard from opt-out to opt-in. Article 5(3) of the amended Directive states that storing information or accessing information already stored in a user's terminal equipment is allowed only "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."
This single change triggered the wave of cookie consent banners that now appear on websites worldwide.
Article 5(3): The Core Cookie Provision
Article 5(3) of the amended Directive states:
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the data protection framework], inter alia, about the purposes of the processing."
The provision then carves out a narrow exception: "This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
Because the ePrivacy Directive is a Directive rather than a Regulation, each EU member state transposed Article 5(3) into its own national law. The substance is consistent, but the penalty structures, enforcement priorities, and some procedural details vary country by country.

How the ePrivacy Directive and GDPR Interact
The ePrivacy Directive and the GDPR are separate instruments that work together but cover different ground. Confusion between the two leads to compliance mistakes.
Scope and the Lex Specialis Relationship
The GDPR is the general data protection regulation that applies to all processing of personal data. The ePrivacy Directive is a lex specialis (specific law) that applies to electronic communications and terminal equipment. Article 95 of the GDPR provides that the GDPR imposes no additional obligations on matters already subject to specific obligations with the same objective under the ePrivacy Directive, so where the Directive has a specific rule (such as Article 5(3) on storage and access on a device), that rule governs rather than the GDPR's general provisions.
In practical terms: the ePrivacy Directive governs the act of placing a cookie on a device. The GDPR governs what happens with any personal data collected through that cookie afterward.
Key Differences at a Glance
| Aspect | ePrivacy Directive | GDPR |
|---|---|---|
| Legal instrument | Directive (national transposition required) | Regulation (directly applicable) |
| Scope | Electronic communications and terminal equipment | All personal data processing |
| Cookie consent | Required for all non-essential cookies | Consent is one of six legal bases |
| Applies to | Any data stored on or accessed from a device | Only personal data |
| Enforcement | National regulators, national penalty frameworks | Supervisory authorities, harmonized GDPR fines |
Why Legitimate Interest Cannot Justify Advertising Cookies
A critical consequence of this relationship: organizations cannot rely on the GDPR's "legitimate interest" basis to set analytics or advertising cookies. Under the ePrivacy framework, consent is the only available legal basis for non-essential cookies. The ePrivacy Directive also applies to cookies that do not involve personal data at all, which the GDPR would not cover. For detailed guidance on what constitutes valid GDPR consent, see our GDPR consent requirements guide.
Cookie Categories Under the Directive
The ePrivacy Directive does not itself define cookie categories. The widely used framework comes from guidance issued by the Article 29 Working Party (now the European Data Protection Board) and national data protection authorities.
Strictly Necessary Cookies
These are exempt from the consent requirement under Article 5(3). They enable core functionality that the user explicitly requested. Examples include:
- Session cookies that maintain a logged-in state
- Shopping cart cookies that remember items during a purchase
- Security cookies that detect authentication abuse or fraud
- Load-balancing cookies that distribute traffic across servers
- Accessibility setting cookies requested by the user
The exemption is narrow. A cookie is strictly necessary only if the service would genuinely fail without it and the user specifically requested that service. A cookie that improves performance or adds convenience but is not essential does not qualify.
Functional Cookies
Functional cookies remember user choices beyond what is strictly necessary. Language preferences (when the site could function in a default language), video player settings, and font-size choices fall here. These require consent.
Analytics Cookies
Analytics cookies track user behavior for statistical purposes. Tools like Google Analytics and Adobe Analytics rely on them. They require consent. Some national regulators have created narrow exemptions for privacy-preserving, first-party analytics, but third-party analytics tools that transfer data externally consistently require consent across all EU jurisdictions.
Advertising and Tracking Cookies
These cookies build user profiles for targeted advertising, retargeting, and cross-site tracking. They include third-party cookies placed by advertising networks, social media pixels, and fingerprinting scripts. They always require prior consent and attract the most regulatory enforcement attention. See our cookie consent laws by country guide for jurisdiction-by-jurisdiction details.

Consent Requirements
The 2009 amendment aligned cookie consent with the broader EU consent standard. The GDPR reinforced that standard through its definition of consent under Article 4(11) and conditions under Article 7. For a full breakdown, see our GDPR consent requirements article.
What Valid Consent Requires
Valid cookie consent must be:
- Freely given. Users cannot be forced to accept cookies as a condition of accessing the site.
- Specific. Consent must be obtainable per purpose. A single checkbox that bundles every purpose together does not qualify; an "Accept all" button is acceptable only alongside granular per-category choices.
- Informed. Users must receive clear information about what cookies are used, what data they collect, who receives the data, and how long the cookies persist.
- Unambiguous. Consent requires a clear affirmative action. Scrolling, continuing to browse, or pre-ticked checkboxes do not constitute valid consent.
- Withdrawable. Users must be able to withdraw consent as easily as they gave it.
The Planet49 Ruling
The Court of Justice of the EU (CJEU) clarified the consent standard in Case C-673/17 (Planet49), decided on October 1, 2019. The court ruled:
- Pre-ticked checkboxes do not constitute valid consent for cookies.
- Consent must be active and specific, not passive.
- Users must be informed of the duration of cookie operation and whether third parties have access to the cookies.
- The requirement applies whether or not the cookie data constitutes personal data.
This ruling eliminated remaining ambiguity about the opt-in standard.
Reject Must Be as Easy as Accept
Following the EDPB's Cookie Banner Taskforce report (published January 2023), multiple national data protection authorities now require that refusing cookies be no more difficult than accepting them. A single-click "Accept all" button on the first layer of a banner must be paired with an equally prominent "Reject all" button. Hiding the reject option behind a "manage preferences" link on a second layer is, in most member states, non-compliant.
"Consent or Pay" Cookie Walls
A cookie wall blocks website access unless the user consents to all cookies. A variant, "consent or pay," allows users to avoid tracking by subscribing to a paid service instead. Both remain contested under EU law.
The EDPB's April 2024 Opinion on "Consent or Pay"
In Opinion 08/2024 issued on April 17, 2024, the EDPB found that "in most cases" large online platforms offering only a "pay or consent to behavioral advertising" model do not produce freely given consent. The opinion states that users should be offered an equivalent alternative that does not require payment of a fee and does not involve behavioral advertising.
The European Commission followed this in April 2025 with a formal decision finding Meta in non-compliance with the Digital Markets Act on the same facts, holding that Meta's paid subscription offered no genuine equivalent alternative free service and that fees were set high enough to leave users no meaningful choice.
Smaller Sites and Publishers
The EDPB opinion targets "large online platforms." National authorities have reached different conclusions about whether smaller news sites and publishers can operate consent-or-pay models. The Dutch Autoriteit Persoonsgegevens permits cookie walls in some circumstances when equivalent content is accessible elsewhere. France's CNIL requires that rejecting consent be as easy as accepting it but has not categorically banned all paywall-based consent models for publishers. This question remains unresolved at the EU-wide level.
EDPB Cookie Banner Taskforce
The EDPB established a cookie banner taskforce in September 2021 in response to a wave of complaints from the non-governmental organization noyb (None of Your Business) targeting 422 websites for unlawful consent banners. The taskforce comprised 21 EU and EEA supervisory authorities.
Its January 2023 report established several common positions across participating authorities:
- The absence of a "reject all" option at the same level as "accept all" is a breach of EU law.
- Deceptive design (dark patterns) that visually steers users toward consent is non-compliant.
- Consent must be withdrawable at any time, as easily as it was given.
- Information about cookies must be provided on the first layer of the banner, not only in a policy accessible through a link.
Following the report, national DPAs conducted enforcement sweeps and imposed fines on organizations whose banners failed these standards.
Country-by-Country Implementation
Because the ePrivacy Directive is a Directive, each member state transposed it into national law. Key variations:
France
France implements the Directive through Article 82 of the Loi Informatique et Libertes. The CNIL is among the most active cookie enforcement authorities in Europe. In December 2021 the CNIL fined Google €150 million and Facebook €60 million for making cookie rejection harder than acceptance. In September 2025 the CNIL fined Google €325 million for advertising cookie violations involving invalid consent mechanisms. The CNIL requires a reject button that is as prominent as the accept button and allows a limited exemption for first-party, aggregated audience measurement cookies under strict conditions.
Germany
Germany implemented cookie consent rules through the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG). The BfDI and state-level data protection authorities enforce them. The Bundesgerichtshof (Federal Court of Justice) adopted the CJEU's Planet49 standard in its May 2020 decision (Cookie-Einwilligung II). Maximum penalty under the TDDDG is €300,000, though GDPR fines apply when personal data is involved.
Ireland
Ireland implemented the Directive through S.I. No. 336 of 2011. The Data Protection Commission (DPC) enforces these rules. Because major technology companies headquartered in Ireland are subject to DPC oversight, Irish enforcement decisions carry outsized influence across the EU.
Italy
Italy's Garante per la protezione dei dati personali issued updated cookie guidelines in June 2021 requiring a visible reject button on the first banner layer. Italy also requires a cookie policy separate from the general privacy policy.
Spain
Spain transposed the Directive through Ley 34/2002 (LSSI). The AEPD has imposed fines on Vueling Airlines and Vodafone Spain for cookie violations, and clarified maximum retention periods for analytics cookies.
Netherlands
The Netherlands implemented the Directive through the Telecommunicatiewet. In April 2025 the Autoriteit Persoonsgegevens issued compliance warnings to 50 organizations for misleading cookie banners or unlawful tracking. The Dutch authority's position on cookie walls (permitting them in some circumstances where equivalent content is available elsewhere) diverges from the stricter EDPB interpretation.
Belgium
Belgium's data protection authority (APD) issued a landmark decision in February 2022 finding that the IAB Europe Transparency and Consent Framework (TCF) violated the GDPR. The CJEU upheld the core finding in March 2024 (Case C-604/22), disrupting the programmatic advertising industry's most widely used consent mechanism.

The Withdrawn ePrivacy Regulation
The European Commission proposed an ePrivacy Regulation in January 2017 to replace the aging Directive with a directly applicable, uniform EU-wide rule. Unlike a directive, a regulation would have eliminated the implementation patchwork entirely.
Why a Regulation Was Proposed
The Commission identified several problems with the Directive:
- Fragmented national implementations creating compliance complexity
- Outdated technology references (the 2002 text predates smartphones and modern tracking)
- Inconsistent enforcement across member states
- The need to align with GDPR's updated data protection framework
- "Cookie consent fatigue" caused by poorly designed consent mechanisms
What the Draft Would Have Changed
The proposed ePrivacy Regulation would have applied directly in all member states, extended scope to over-the-top communications (WhatsApp, Signal, Messenger), introduced browser-based consent as a valid mechanism, aligned penalties with the GDPR framework (up to 4% of global turnover), and regulated metadata more comprehensively.
Formal Withdrawal: February 2025
After eight years of stalled negotiations, the European Commission formally withdrew the proposed ePrivacy Regulation in its 2025 Work Programme, published on February 11, 2025. The Commission stated that "no agreement is expected from the co-legislators" and that "the proposal is outdated in view of some recent legislation in both the technological and the legislative landscape."
The existing ePrivacy Directive and its national transpositions remain fully in force. The withdrawal means no new ePrivacy Regulation is coming through the 2017 proposal. However, rather than simply abandoning modernization of cookie rules, the Commission pursued a different legislative path through the Digital Omnibus.
The November 2025 Digital Omnibus: Cookie Rules Enter the GDPR
On November 19, 2025, the European Commission adopted a package of proposed amendments to the EU's digital rulebook, published as the Digital Omnibus. The package would amend the GDPR, the ePrivacy Directive, the Data Act, and several other instruments simultaneously.
The Core Proposal: Articles 88a and 88b
The Digital Omnibus proposes two new articles in the GDPR that would absorb the cookie consent function currently performed by Article 5(3) of the ePrivacy Directive.
Article 88a would govern cookie and tracking consent within the GDPR framework. Key elements:
- Cookie consent must remain granular, specific, and obtained before cookies are set.
- A data subject must be able to refuse consent "in an easy and intelligible manner with a single-click button or equivalent means."
- Where a user has refused consent, the controller may not request consent again for the same purpose for at least six months.
- The ePrivacy Directive's strictly necessary exemption is preserved.
Article 88b would regulate how consent, refusal, and objection signals are technically expressed. It would require:
- Online interfaces to accept and respect automated, machine-readable consent signals from browsers and operating systems.
- Browser providers (other than SMEs) to enable the technical infrastructure for such signals.
- A 24-month implementation timeline for browser-signal compliance, longer than the six-month timeline proposed for Article 88a.
What This Means in Practice
If adopted, the Digital Omnibus changes would mean that a user could configure their browser once to reject tracking across all websites, and websites would be legally required to honor that signal. Cookie banners would not disappear entirely under the proposal but would become less necessary as machine-readable signals take effect.
The EDPB and the European Data Protection Supervisor (EDPS) published a joint statement in 2026 broadly supporting the simplification goals while raising concerns about some provisions and the speed of the legislative timeline.
Current Status
The Digital Omnibus is a Commission proposal, not law. It entered the ordinary legislative procedure on November 19, 2025, and must be reviewed and approved by both the European Parliament and the Council of the EU. Analysts expect negotiations to run through mid-to-late 2026 at the earliest, and the proposal may change substantially during that process. The existing ePrivacy Directive and GDPR remain the operative law until any replacement enters into force.
Enforcement and Penalties
Because the ePrivacy Directive is transposed through national laws, maximum penalties vary. In practice, most regulators use GDPR fine structures (up to €20 million or 4% of global annual turnover) when cookies involve personal data processing.
Major Enforcement Actions (2021 to 2026)
| Year | Regulator | Target | Amount / Outcome | Issue |
|---|---|---|---|---|
| 2021 | CNIL (France) | Google | €150M | Cookie rejection harder than acceptance |
| 2021 | CNIL (France) | Facebook | €60M | Cookie rejection harder than acceptance |
| 2022 | APD (Belgium) | IAB Europe | Finding of GDPR violation | TCF consent framework invalid |
| 2024 | CJEU | IAB Europe TCF | Core APD finding upheld (Case C-604/22) | TCF consent framework invalid |
| 2025 | AP (Netherlands) | 50 organizations | Compliance warnings | Misleading banners, tracking without consent |
| 2025 | CNIL (France) | Google | €325M | Advertising cookie consent violations |
| 2025 | CNIL (France) | Shein | €150M | Cookie violations |
Enforcement Trends
Enforcement has intensified across Europe since 2021. Several patterns stand out:
- Design parity is required. The reject option must be as prominent and accessible as the accept option. Asymmetric button designs, smaller fonts, and gray-out effects on the reject button are treated as dark patterns.
- First-layer reject button. France, Italy, Belgium, and several other jurisdictions now explicitly require a "Reject all" option on the initial banner, not only behind a settings link.
- Coordinated sweeps. Through its Coordinated Enforcement Framework (CEF), the EDPB runs actions in which multiple national DPAs simultaneously audit the same sector.
- Advertising cookies drive fines. The largest monetary penalties have consistently involved third-party advertising and tracking cookies placed without valid consent.
Practical Compliance Steps
Organizations with websites accessible from the EU should take the following steps.
Audit First
Run a cookie scan on your website, including all third-party scripts. Document every cookie's name, purpose, retention period, and data recipient. Classify each as strictly necessary, functional, analytics, or advertising.
Build a Compliant Banner
Display a consent banner before any non-essential cookies are set. The banner must:
- Block non-essential cookies until the user makes a choice (prior consent, not post-hoc notice)
- Offer granular category options
- Present accept and reject buttons with equal visual prominence on the first layer
- Avoid pre-ticked checkboxes for any category
- Provide clear, plain-language explanations of each cookie category
Maintain Ongoing Records
Store consent records (what the user chose, when, and which version of the banner was shown). Provide an accessible mechanism to withdraw consent at any time. Re-audit cookies regularly, as third-party scripts often add new cookies without notice.
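The three steps above (block until a choice is made, keep choices granular, record what was chosen and under which banner version) plus the browser-level refusal signal the Digital Omnibus section describes are straightforward to express in code. The following consent manager is an added example written for this page; it is not code from the page, from any consent-management vendor, or from the proposed Articles 88a/88b. All names, the banner version string, the tag registry and its URLs are this example's own, and the assumption that a browser refusal signal would be read from navigator.globalPrivacyControl is just that, an assumption. It runs in Node with an in-memory stand-in for localStorage; in a browser you would pass window.localStorage and a loadScript that appends a script element.

```javascript
// Added example, not code from the page: a small consent manager that gates
// third-party tags by category, keeps a versioned consent record, and treats a
// browser-level refusal signal as "reject all". All names and URLs are this
// example's own; the tag endpoints are placeholders, not real vendor scripts.

const BANNER_VERSION = "2026-01-v3"; // bump whenever categories or purposes change
const CATEGORIES = ["functional", "analytics", "advertising"]; // non-essential only

// Each third-party tag declares the single category it needs (constructed registry).
const TAGS = [
  { id: "analytics-main", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "advertising", src: "https://ads.example/pixel.js" },
  { id: "video-prefs", category: "functional", src: "https://video.example/prefs.js" },
];

// In-memory stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
}

// storage: localStorage-like object; loadScript(tag): injects the tag (in a browser,
// append a <script src=tag.src>); browserRefusal: a machine-readable refusal from the
// browser (assumed here to be wired to navigator.globalPrivacyControl).
function createConsentManager({ storage, loadScript, now = () => Date.now(), browserRefusal = false }) {
  const KEY = "cookie_consent";
  const loaded = new Set();

  // Only known categories count; anything missing or non-boolean is a refusal.
  const normalize = (choices) =>
    Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));

  function read() {
    const raw = storage.getItem(KEY);
    if (raw === null) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    // A record from an older banner is stale: purposes may have changed, so ask again.
    return rec && rec.version === BANNER_VERSION ? rec : null;
  }

  function save(choices) {
    const record = { version: BANNER_VERSION, timestamp: now(), choices: normalize(choices) };
    storage.setItem(KEY, JSON.stringify(record));
    return record;
  }

  // Fire only the tags whose category was accepted, each at most once per page.
  function applyTags(choices) {
    for (const tag of TAGS) {
      if (choices[tag.category] === true && !loaded.has(tag.id)) {
        loadScript(tag);
        loaded.add(tag.id);
      }
    }
  }

  return {
    // Page load: nothing non-essential runs unless a current, affirmative record exists.
    init() {
      if (browserRefusal) return { needsBanner: false, record: save({}) };
      const rec = read();
      if (rec === null) return { needsBanner: true, record: null };
      applyTags(rec.choices);
      return { needsBanner: false, record: rec };
    },
    acceptAll() {
      const rec = save(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
      applyTags(rec.choices);
      return rec;
    },
    rejectAll() { return save({}); },         // one call, same cost as acceptAll
    saveChoices(choices) {                     // granular per-category choice
      const rec = save(choices);
      applyTags(rec.choices);
      return rec;
    },
    // Withdrawal is one call, as easy as giving consent. Tags already injected cannot
    // be unloaded from a running page, so the caller should also clear their cookies
    // and reload.
    withdraw() { return save({}); },
    loadedTags() { return [...loaded]; },
    currentRecord: read,
  };
}

// Walks through the lifecycle on a constructed storage and returns what happened.
function demo() {
  const storage = memoryStorage();
  const injected = [];
  const cm = createConsentManager({ storage, loadScript: (t) => injected.push(t.id), now: () => 1700000000000 });
  const first = cm.init();                                   // no record: banner needed, nothing loaded
  const granular = cm.saveChoices({ analytics: true, advertising: "yes" }); // non-boolean counts as refused
  const afterAccept = cm.acceptAll();
  const afterWithdraw = cm.withdraw();
  // Simulate a record written under an older banner version: it must not be honoured.
  storage.setItem("cookie_consent", JSON.stringify({ version: "2025-09-v2", timestamp: 0, choices: { analytics: true } }));
  const stale = createConsentManager({ storage, loadScript: () => {} }).init();
  const refused = createConsentManager({ storage: memoryStorage(), loadScript: () => {}, browserRefusal: true }).init();
  return { first, granular, afterAccept, afterWithdraw, injected, stale, refused };
}
```

Two design points matter for an audit. The version check makes a record from a previous banner invalid, which is how "re-request consent whenever you add new cookie categories or change processing purposes" is enforced mechanically rather than by memory. And normalize() treats anything that is not literally true as a refusal, so a malformed or partially written record can never widen consent.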
This is general legal information, not legal advice. Compliance requirements depend on the specific jurisdictions your website serves, the types of cookies used, and the nature of the data collected. Consult a data protection attorney for advice specific to your situation.
Frequently Asked Questions
What is the ePrivacy Directive and how does it relate to GDPR?
The ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) is the EU law that governs cookies, tracking technologies, and electronic communications. It operates as a lex specialis alongside the GDPR: the Directive controls the act of placing cookies on a device, while the GDPR governs how the personal data collected through those cookies is processed. Where both laws apply, the ePrivacy Directive's specific rules take precedence. The GDPR sets the consent standard that the ePrivacy Directive's cookie consent requirement must meet.
Was the ePrivacy Regulation withdrawn?
Yes. The European Commission formally withdrew the proposed ePrivacy Regulation in its 2025 Work Programme, published on February 11, 2025. The Commission stated that no agreement was expected from the co-legislators and that the proposal was outdated given recent digital legislation. The existing ePrivacy Directive remains fully in force. A new approach to updating cookie rules was introduced through the November 2025 Digital Omnibus, which proposes folding cookie consent rules into the GDPR rather than replacing the Directive with a separate regulation.
What does the November 2025 Digital Omnibus propose for cookies?
The Digital Omnibus, published November 19, 2025, proposes two new GDPR articles. Article 88a would require single-click reject options equal in prominence to accept, prohibit repeat consent requests for six months after a refusal, and preserve the strictly necessary exemption. Article 88b would require websites to honor machine-readable browser-level consent signals, allowing users to set privacy preferences once in their browser rather than clicking through individual cookie banners. The proposal is still subject to European Parliament and Council approval and is not yet law.
Which cookies are exempt from the consent requirement?
Only two categories are exempt under Article 5(3). First, cookies used solely for transmitting a communication over a network (technical routing). Second, cookies strictly necessary for providing a service the user explicitly requested, such as authentication cookies, shopping cart cookies, and security cookies. Analytics, advertising, and most functional cookies all require consent. Some national regulators, notably France's CNIL, allow a narrow exemption for privacy-preserving, first-party-only audience measurement tools under strict conditions.
Are pre-ticked cookie consent checkboxes legal in the EU?
No. The CJEU ruled in Case C-673/17 (Planet49) in October 2019 that pre-ticked checkboxes do not constitute valid consent for cookies. Consent must involve a clear affirmative action. Scrolling or continuing to browse the site also does not count as valid consent. This applies regardless of whether the cookie data constitutes personal data.
Are 'consent or pay' cookie walls legal?
It depends on the context. The EDPB issued Opinion 08/2024 in April 2024 finding that 'in most cases' large online platforms cannot use a consent-or-pay model because users lack a genuine free choice. The European Commission reached the same conclusion regarding Meta in April 2025. However, the opinion primarily targets large platforms, and national authorities have not uniformly prohibited all consent-or-pay models for smaller publishers. The Dutch DPA permits some cookie walls when equivalent content is accessible elsewhere. The question remains unsettled at the EU-wide level.
What penalties can a website face for cookie law violations?
Penalties vary by country. France has imposed fines of €325 million (Google, 2025) and €150 million (Google, 2021) under Article 82 of the Loi Informatique et Libertes, whose penalty scale mirrors the GDPR's. Spain's LSSI provides fines of up to €150,000 for serious infringements, with GDPR fines available when personal data is involved. Germany's TDDDG maximum is €300,000, with GDPR fines available for personal-data violations. In practice, most regulators use the GDPR framework of up to €20 million or 4% of global annual turnover when cookies involve personal data processing.
Do analytics cookies like Google Analytics require consent?
Under the ePrivacy Directive, analytics cookies generally require consent. However, some national regulators have softened this for first-party analytics. France's CNIL allows an exemption for first-party audience measurement cookies under strict conditions: the data must be aggregated, not shared with third parties, and limited in retention. Third-party tools like Google Analytics that transfer data externally consistently require consent across all EU jurisdictions.
How often must websites re-request cookie consent?
The ePrivacy Directive does not specify a re-consent interval. National guidance varies. The CNIL recommends re-requesting consent every six months. Other authorities suggest 12-month intervals. The Digital Omnibus proposal, if adopted, would prohibit re-requesting consent for a purpose the user already refused for at least six months. Organizations should also re-request consent whenever they add new cookie categories or change processing purposes.
Sources and References
- Directive 2002/58/EC on Privacy and Electronic Communications (ePrivacy Directive) (eur-lex.europa.eu)
- Directive 2009/136/EC Amending the ePrivacy Directive (Cookie Amendment) (eur-lex.europa.eu)
- CJEU Case C-673/17 (Planet49), Cookie Consent Standard (curia.europa.eu)
- Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemptions (ec.europa.eu)
- EDPB Guidelines 05/2020 on Consent under the GDPR (edpb.europa.eu)
- Regulation (EU) 2016/679, General Data Protection Regulation (GDPR) (eur-lex.europa.eu)
- European Commission Work Programme 2025, ePrivacy Regulation Withdrawal (commission.europa.eu)
- EU Digital Package, European Commission (Digital Omnibus) (digital-strategy.ec.europa.eu)
- EDPB Report of the Cookie Banner Taskforce (January 2023) (edpb.europa.eu)
- EDPB and EDPS Statement on the Digital Omnibus (2026) (edpb.europa.eu)
- CNIL, Cookies and Other Tracking Devices Guidelines (cnil.fr)
- Italy Garante Cookie Guidelines (2021) (garanteprivacy.it)
- Spain LSSI (Ley 34/2002), Law on Information Society Services (boe.es)
- Germany BfDI, Federal Commissioner for Data Protection (bfdi.bund.de)
- Ireland S.I. No. 336/2011, Electronic Communications Regulations (irishstatutebook.ie)
- Netherlands Telecommunicatiewet (wetten.overheid.nl)
- France Loi Informatique et Libertes, Article 82 (legifrance.gouv.fr)