ePrivacy (ePrivacy Directive)

In force · Data & Privacy · Directive · Adopted: 12 July 2002 · Applies from: 31 October 2002

AI-assisted content notice: this page includes AI-assisted summaries, FAQs, and glossary entries prepared for navigation purposes. Verify the underlying legal text before relying on this content.

Summary

Directive 2002/58/EC (the ePrivacy Directive) lays down rules on the processing of personal data and the protection of privacy in the electronic communications sector. It safeguards the confidentiality of communications and related traffic/location data, and sets conditions for storing or accessing information on users’ terminal equipment (e.g., cookies). It also includes provisions on unsolicited communications (direct marketing) and caller identification/directories.

Who is affected?

Providers of publicly available electronic communications services and networks, and any organisations that store or access information on end-users’ devices or engage in electronic direct marketing in the EU. It also affects website/app operators, advertisers/adtech actors, and anyone processing communications metadata within its scope.

Scope

Applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the EU, including rules on terminal equipment access (cookies) and unsolicited communications.

Key Points

  • Confidentiality of communications: listening, tapping, storage or other interception/surveillance is prohibited except under limited conditions permitted by law.
  • Traffic and location data must generally be erased or anonymised when no longer needed, with limited exceptions (e.g., billing, value-added services with consent).
  • Storing or accessing information on a user’s terminal equipment (e.g., cookies, device identifiers) requires prior informed consent, subject to narrow exemptions (e.g., strictly necessary for a service explicitly requested by the user).
  • Rules on unsolicited communications (direct marketing), including consent/opt-out requirements depending on channel and national implementation.
  • Provisions on caller identification, call forwarding, and public subscriber directories (e.g., consent for inclusion and control over data).
  • Lex specialis to the GDPR for matters within its scope; enforcement and details are implemented through Member State national laws.

Frequently Asked Questions

Who must comply with the ePrivacy Directive?

Providers of publicly available electronic communications services and networks, website and app operators, advertisers, adtech companies, and any organisations that store or access information on users’ devices or engage in electronic direct marketing within the EU must comply.

What is the main scope of the ePrivacy Directive?

The Directive applies to the processing of personal data in connection with publicly available electronic communications services in public networks, including rules on confidentiality, cookies, and unsolicited communications.

What are the key obligations regarding cookies and similar technologies?

Organisations must obtain prior informed consent from users before storing or accessing information (such as cookies) on their devices, except where the storage or access is strictly necessary for a service explicitly requested by the user.

How does the ePrivacy Directive address unsolicited communications?

The Directive sets rules for direct marketing via electronic means, requiring consent or providing opt-out mechanisms depending on the communication channel and national law implementation.

What are the requirements for processing traffic and location data?

Traffic and location data must generally be erased or anonymised when no longer needed, with limited exceptions such as billing, or value-added services with user consent.

What penalties can be imposed for non-compliance?

Penalties are set by individual EU Member States and can include fines and other enforcement measures, depending on national law and the seriousness of the breach.

How does the ePrivacy Directive interact with the GDPR?

The ePrivacy Directive acts as a 'lex specialis' to the GDPR, meaning its provisions take precedence for matters specifically covered by the Directive, such as confidentiality of communications and cookies.

What practical steps should organisations take to comply?

Organisations should review their use of cookies and tracking technologies, update consent mechanisms, ensure proper handling of traffic/location data, and implement processes for managing direct marketing consents and opt-outs.

Are there exemptions to the consent requirement for cookies?

Yes, consent is not required for cookies that are strictly necessary to provide a service explicitly requested by the user, such as session cookies for shopping carts.

How is the ePrivacy Directive enforced?

Enforcement is carried out by national data protection authorities or other designated bodies in each Member State, based on national implementing laws.

Key Terms

Terminal Equipment
Devices such as computers, smartphones, or tablets used by end-users to access electronic communications services.
Traffic Data
Data processed for the purpose of transmitting, distributing, or exchanging electronic communications, such as time, duration, and routing information.
Location Data
Data indicating the geographic position of a user’s terminal equipment, processed in the context of electronic communications.
Consent
Freely given, specific, informed, and unambiguous indication of a user’s wishes, required before storing or accessing information on their device.
Unsolicited Communications
Direct marketing messages sent to users without their prior consent or without providing an opt-out, including emails, SMS, and automated calls.
Publicly Available Electronic Communications Service
A service provided to the public for the transmission of signals via electronic communications networks.
Value-Added Services
Services that require processing of traffic or location data beyond what is necessary for transmission or billing, often requiring user consent.
Caller Identification
A feature that displays the calling party’s number to the recipient, subject to privacy controls under the Directive.
Public Subscriber Directory
A directory containing personal data of subscribers, such as phone numbers, where inclusion and data use are subject to consent.
Lex Specialis
A legal principle meaning that a more specific law (such as the ePrivacy Directive) overrides a more general one (like the GDPR) for matters within its scope.