
Article at a glance: The ePrivacy Directive is the European legislation governing privacy and electronic communications. Adopted on July 12, 2002, and amended in 2009, it regulates cookies, commercial marketing via email and SMS, and the confidentiality of communications. In France, it is implemented by Article 82 of the Data Protection Act and Article L.34-5 of the CPCE. It complements the GDPR and remains fully applicable through 2026, as the proposed ePrivacy Regulation has been abandoned. Dipeeo supports ePrivacy and GDPR compliance through a dedicated legal expert and an intuitive, AI-powered platform.


Introduction – The ePrivacy Directive: The Other Pillar of Data Protection

When we talk about data protection, we immediately think of GDPR. However, alongside it is another piece of legislation that is just as essential for European organizations: the ePrivacy Directive. Adopted on July 12, 2002, it entered into force on July 31, 2002; it was to be implemented in Member States by October 31, 2003, at the latest. It was subsequently amended by [Directive 2009/136/EC](https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32009L0136), which entered into force on December 19, 2009.

Its rationale: to supplement the GDPR by regulating a very specific area, that of electronic communications. While the GDPR sets general principles for data protection and the use of personal information, the ePrivacy Directive sets out specific rules for cookies, email prospecting, and the confidentiality of communications. Both texts apply cumulatively.


1. ePrivacy Directive: Definition, Origin, and Objectives

1.1 Why was the ePrivacy Directive adopted?

In the early 2000s, the rapid growth of digital technologies (the internet, mobile phones, email) gave rise to new privacy risks that existing laws did not adequately address. Directive 95/46/EC on data protection did not address the specific characteristics of electronic communications in detail.

The ePrivacy Directive, officially Directive 2002/58/EC on “Privacy and Electronic Communications,” was therefore adopted to fill this gap. It is part of the European “Telecom Package” and repeals the former Directive 97/66/EC. This new directive marks a turning point in European digital regulation.

1.2 Why people often (incorrectly) refer to the “Cookie Directive”

The ePrivacy Directive is often referred to as the “Cookie Directive” in everyday language. This is an oversimplification: while it does indeed regulate cookies and other trackers (Article 5(3)), its scope is much broader. It also covers:

  • the confidentiality of communications;
  • traffic and location data;
  • direct marketing via email, text message, or fax;
  • subscriber directories.

The term “Cookie Directive” has become widely recognized among the general public because the requirement to consent to cookies is the most visible provision encountered on a daily basis online.

1.3 The specific role of the ePrivacy Directive in the European ecosystem

Within the European data ecosystem, the ePrivacy Directive serves as lex specialis: for all matters relating to electronic communications, its rules take precedence, as confirmed by the CJEU in its Inteligo Media ruling of November 13, 2025.


2. Who is subject to the "Privacy and Electronic Communications" Directive?

2.1 Which companies are subject to European requirements?

The scope of the ePrivacy Directive is very broad. It covers:

  • website and blog publishers (whether they run a showcase website or an e-commerce site);
  • mobile apps;
  • online platforms (e-commerce, marketplaces, SaaS);
  • communication service providers (messaging, email);
  • advertisers and advertising agencies that place trackers;
  • any company engaged in electronic marketing, whether B2C or B2B.

2.2 Which services and channels are covered?

The ePrivacy Directive applies to a wide range of channels:

  • websites and their tracking technologies (cookies, pixels, fingerprinting);
  • mobile apps (SDKs, advertising identifiers);
  • marketing emails and newsletters;
  • marketing SMS and MMS;
  • automated calling systems and fax machines;
  • the Internet of Things (smartwatches, home automation devices).

2.3 Geographic Scope: European Union and non-EU entities targeting European users

The text of the ePrivacy Directive does not contain an extraterritoriality mechanism as explicit as that set forth in Article 3 of the GDPR. However, in practice, the CNIL (National Commission for Information Technology and Civil Liberties) has on several occasions sanctioned foreign entities (such as Google or Shein) under Article 82 of the Data Protection Act, provided that their website targeted users located in France, regardless of the region where the company is based.


3. What data and uses are covered by the ePrivacy Directive?

3.1 Electronic communications data

The ePrivacy Directive protects the confidentiality of communications: it prohibits the monitoring, interception, or storage of communications without the user’s consent, except in cases provided for by law. This includes the content of messages, as well as traffic data (who communicates with whom, when, and for how long) and location data, the retention of which is strictly regulated.

3.2 Access to the user terminal

This is one of the cornerstones of the directive. Article 5(3) requires users’ consent before any information is read from or written to their device (computer, smartphone, tablet, or connected device). This rule applies regardless of the type of network used, including in intranet or offline environments.

3.3 Cookies, trackers, and types of cookies involved

Article 82 of the French Data Protection Act (French transposition) covers the various types of cookies and trackers that may be placed on a website:

  • traditional HTTP cookies;
  • third-party cookies (advertising, analytics, social media);
  • tracking pixels;
  • device fingerprinting;
  • technical identifiers (serial numbers, MAC addresses, IDFV, etc.).

3.4 Relevant marketing, analytical, and technical uses

Not all uses require consent. According to the **recommendation** of the CNIL regarding cookies and trackers, the following are exempt under strict conditions:

  • cookies that are strictly necessary for the service to function (shopping cart, authentication);
  • audience measurement cookies strictly limited to anonymous statistics;
  • language preferences.

Conversely, all advertising cookies require prior consent: targeted advertising, retargeting, social media buttons, data sharing with partners, and content personalization for commercial purposes. Data subjects must be able to give informed consent before any cookies are placed.


4. What are the risks of non-compliance with the ePrivacy Directive?

4.1 Penalties

In France, penalties are imposed by the CNIL under national implementing legislation. Fines can be very heavy: according to CNIL case law, they can reach several hundred million euros for serious violations, reflecting the fact that the legislation is now fully operational.

4.2 Examples of sanctions imposed

In recent years, there has been a surge in "ePrivacy" penalties:

  • Shein: €150 million (CNIL) for non-compliance with applicable cookie regulations;
  • Google: €325 million (CNIL) for displaying ads in Gmail without consent and placing trackers without valid consent;
  • Vanity Fair: €750,000 (CNIL, November 20, 2025) because the “Reject All” button did not actually block cookies;
  • Brico Privé: €500,000 fine for unsolicited marketing;
  • Nestor: €20,000 for B2B prospecting unrelated to the recipient's business.

4.3 Reputational Risks

Beyond the financial penalty, these sanctions are systematically published and widely reported. For a company, the impact on its reputation and customer trust can be significant, particularly among clients concerned about data security and privacy.

4.4 Business Impacts

Non-compliance can also block bids (particularly in the public and regulated sectors), delay fundraising efforts (due to investor concerns about compliance), or jeopardize partnerships. Conversely, compliance becomes a powerful business asset.


5. The ePrivacy Directive and GDPR: How Do They Differ and Complement Each Other?

5.1 Comparison Table

| Criterion | ePrivacy Directive | GDPR |
| --- | --- | --- |
| Type of text | Directive (2002/58/EC) | Regulation (EU) 2016/679 |
| Year of adoption | 2002 (amended in 2009) | 2016 (effective since 2018) |
| Scope | Electronic communications (cookies, marketing, privacy) | All personal data |
| Application | Through national laws (Article 82 of the LIL, Article L.34-5 of the CPCE in France) | Directly applicable in all Member States |
| Primary legal basis | Prior consent (with some exceptions) | Six legal bases (consent, contract, legitimate interest, etc.) |
| Individual rights | Privacy, opt-out from marketing | Access ([**Article 15**](https://gdpr-info.eu/art-15-gdpr/)), correction, erasure, portability… |
| Control authority | CNIL | CNIL (and the EDPS at the European level) |
| Sanctions | Up to several hundred million euros through the CNIL | Up to €20 million or 4% of global revenue |

5.2 Why the ePrivacy Directive Isn't Being Phased Out Along with the GDPR

Many companies mistakenly believe that the GDPR replaced the ePrivacy Directive. This is not true. According to several specialized sources, the draft ePrivacy Regulation, launched in 2017 following a European public consultation, was dropped from the European Commission’s 2025 work program.

Directive 2002/58/EC therefore remains fully applicable. It supplements the GDPR: for the matters it specifically covers (cookies, electronic marketing), its rules take precedence over those of the GDPR, as confirmed by the CJEU in the Inteligo Media judgment of November 13, 2025.


6. ePrivacy Compliance: The 4 Key Steps for Businesses

Step 1 – Identify the affected uses

Identify all the areas where your business is likely to fall under the scope of the ePrivacy Directive. This includes your website, mobile apps, email campaigns, SMS marketing, registration forms, and third-party integrations (CRM, marketing automation, analytics, advertising), among others. All of these areas must be identified in order to prepare for the implementation of a compliant system.

Step 2 – Audit cookies and trackers

Conduct a comprehensive technical audit of your website and applications:

  • a complete list of the trackers in use;
  • the purpose of each tracker;
  • identification of trackers requiring consent and those that are exempt;
  • verification of the cookie banner (presence of a "Reject All" button on the same level as "Accept All");
  • verification that your website actually respects the user’s choice (the Vanity Fair case serves as a reminder that the “Reject All” button must actually block cookies).

The goal is to implement a consent management platform (CMP) that complies with the requirements of the CNIL (National Commission for Information Technology and Civil Liberties).
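One way to automate the last two checks of this audit, as an added example that is not part of the original article or any Dipeeo tooling: it compares the `Set-Cookie` headers captured after clicking "Reject All" against the tracker inventory and reports consent-requiring cookies that were still placed, plus cookies missing from the inventory. The cookie names, hosts, and inventory entries are constructed for illustration.

```python
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed tracker inventory from the audit: name pattern -> (purpose, needs consent)
INVENTORY = {
    "session_id": ("authentication", False),
    "cart": ("shopping cart", False),
    "lang": ("language preference", False),
    "_adsync_*": ("targeted advertising", True),
    "_social_btn": ("social media button", True),
}

# Constructed capture: (request URL, Set-Cookie value) seen AFTER clicking "Reject All"
CAPTURE_AFTER_REJECT = [
    ("https://shop.example/", "session_id=ab12; Path=/; Secure; HttpOnly"),
    ("https://shop.example/", "lang=fr; Path=/; Max-Age=31536000"),
    ("https://shop.example/", "_social_btn=; Path=/; Max-Age=0"),
    ("https://ads.example.net/px.gif", "_adsync_uid=9f3c; Domain=.example.net; Max-Age=33696000"),
    ("https://shop.example/home", "_ab_bucket=B; Path=/"),
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def is_deletion(attrs):
    """Max-Age <= 0 removes a cookie; that is the site honouring the refusal."""
    try:
        return int(attrs.get("max-age", "1")) <= 0
    except ValueError:
        return False

def audit_after_reject(capture, site_host, inventory=INVENTORY):
    """Return (name, finding, setting host, third_party) for each problem cookie."""
    findings = []
    for url, header in capture:
        name, attrs = parse_set_cookie(header)
        if is_deletion(attrs):
            continue
        host = urlparse(url).hostname
        third_party = not (host == site_host or host.endswith("." + site_host))
        match = next((v for p, v in inventory.items() if fnmatch(name, p)), None)
        if match is None:
            findings.append((name, "UNLISTED", host, third_party))  # inventory incomplete
        elif match[1]:
            findings.append((name, "SET_AFTER_REJECT", host, third_party))
    return findings

if __name__ == "__main__":
    for finding in audit_after_reject(CAPTURE_AFTER_REJECT, "shop.example"):
        print(finding)
```

Trackers that do not use `Set-Cookie` (script-written cookies, local storage, fingerprinting) need a browser-level capture and are outside what this check sees.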

Step 3 – Overseeing digital prospecting

For your email marketing campaigns:

  • In B2C, obtain clear and specific prior consent (a checkbox that is not pre-checked);
  • In B2B contexts, ensure that the subject line of the message is relevant to the recipient's professional activities;
  • provide the option to unsubscribe via a simple, free link in every message;
  • clearly state the sender's identity;
  • keep a record of the consent.

Step 4 – Document and demonstrate compliance

Compliance cannot be assumed; it must be demonstrated. It is essential to:

  • document your compliance efforts in the record of processing activities;
  • retain evidence of consent (timestamped logs, screenshots of forms);
  • update the privacy policy;
  • train the marketing and IT teams in the day-to-day management of cookies and lead generation.

7. How Dipeeo helps companies ensure ePrivacy compliance

7.1 Legal expertise tailored to your ePrivacy needs

The ePrivacy Directive is not a static document: its interpretation is constantly evolving, shaped by decisions from the CNIL (National Commission for Information Technology and Civil Liberties), rulings from the CJEU, and new European guidelines. However, this is first and foremost a matter of law—a dynamic and complex field that only specialized legal professionals or former attorneys are capable of interpreting rigorously and then translating into concrete obligations for your business.

This is precisely what Dipeeo promises: a dedicated, specialised legal expert who manages all aspects of your GDPR, ePrivacy, and AI Act compliance on a daily basis. As your external DPO registered with the CNIL, we handle your compliance from start to finish and fully assume this accountability for you, covering all applicable laws.

7.2 Our Support: An All-in-One Solution for Full Compliance

It all starts with an analysis of your practices: cookies and trackers used on your website, marketing and analytics tools, lead generation campaigns, use of collected data, processors, forms, CRM systems, and more—all through a quick and intuitive questionnaire. This helps you identify the connections between your various data processing activities and the resulting obligations.

Following this initial audit, Dipeeo handles your compliance from start to finish:

  • A dedicated legal expert will provide unlimited answers to all your questions regarding ePrivacy and GDPR;
  • Your legal documents are custom-drafted: cookie policies, legal notices, sales prospecting guidelines, data processing records, internal procedures, and more;
  • A SaaS platform centralizes all your compliance efforts and makes it easier for your teams to track progress;
  • A public trust center makes it easy for you to demonstrate your compliance to prospects, clients, and partners.

This gives you access to centralized legal, technical, and operational resources all in one place.

7.3 What Dipeeo Actually Does to Ensure Your ePrivacy Compliance

✔️ Audit of your cookies, trackers, analytics tools, and marketing practices

✔️ A prioritized action plan to reduce your risk of non-compliance

✔️ Drafting all of your ePrivacy and GDPR documents

✔️ Review of your consent mechanisms and the display of your cookie banners

✔️ Support for your marketing, CRM, email marketing, and advertising processors

✔️ Support in the event of an inspection by the CNIL, a complaint, or an incident related to marketing or cookies

Our belief: Compliance isn’t a burden—it’s your best business ally.


FAQ – Everything You Need to Know About the ePrivacy Directive

What is the ePrivacy Directive?

The ePrivacy Directive, officially Directive 2002/58/EC on “privacy and electronic communications,” is a piece of European legislation adopted on July 12, 2002. It establishes a framework for privacy protection in the electronic communications sector, covering cookies and trackers, commercial marketing via email or SMS, the confidentiality of communications, and traffic and location data. Amended in 2009 by Directive 2009/136/EC, it remains fully in force through 2026.

What does the ePrivacy Directive regulate in the EU?

The ePrivacy Directive primarily regulates cookies and trackers, electronic marketing (email, SMS, automated calls), the confidentiality of communications, and the use of traffic and location data. It applies to websites, mobile apps, online platforms, and electronic communication services.

When did the ePrivacy Directive take effect?

Directive 2002/58/EC entered into force on July 31, 2002, and was to be transposed by Member States by October 31, 2003. In France, it was transposed by Law No. 2004-575 of June 21, 2004 (LCEN), Law No. 2004-669 of July 9, 2004, and Law No. 2004-801 of August 6, 2004. It was amended by Directive 2009/136/EC.

Does the ePrivacy Directive apply to B2B companies?

Yes, but the rules differ. In B2B, prior consent is not required for marketing communications if the message is related to the recipient's professional activities. However, the requirements regarding cookies apply equally in both B2B and B2C contexts whenever a device is involved.

What are the penalties?

In the event of non-compliance with the rules, the CNIL may impose administrative penalties of up to 10 million euros or 2% of global annual revenue. For the most serious violations, this cap rises to 20 million euros or 4% of global revenue, whichever is higher.


Conclusion: Why the ePrivacy Directive Is a Long-Term Strategic Issue

The ePrivacy Directive is not a thing of the past. More than 23 years after its adoption, it remains fully applicable and serves as the legal basis for some of the CNIL's high-profile penalties. In 2025–2026, fines imposed solely on the basis of Article 82 of the LIL exceeded a cumulative total of half a billion euros.

With the ePrivacy Regulation having been scrapped, the 2002 Directive remains the guiding principle for businesses regarding cookies, user browsing, and marketing campaigns. Far from being a minor technical issue, compliance with it is now a strategic priority: it protects your business from penalties, safeguards your client relationships, and enhances your commercial appeal.

Would you like to assess your compliance with the ePrivacy Directive? Talk to a Dipeeo expert and get a free initial assessment.

Anaïs Guilloton

Marketing Manager - GDPR Expert