Need to learn more about the ePrivacy Directive, the EU cookie law?

Our free website audit shows you if your website complies with the ePrivacy Directive.

    Trying to understand privacy regulations? Need to balance cookie usage on your website with EU cookie law compliance? We can help.

    Achieve ePrivacy Directive compliance easily

    The ePrivacy Directive provides instructions for how users need to be informed and have consent choices for their electronic data. Cookiebot CMP enables this with three powerful and automatic core functions.

    • Monitoring: stay up to date on the cookies and tracking technologies your website uses, enabling user notification and consent
    • Control: When required, prevent cookies from being used unless user consent has been obtained
    • Consent: Obtain and store informed, granular consent from users to be aligned with the ePrivacy Directive

    ePrivacy Directive compliance FAQ

    Is the ePrivacy Directive different from the GDPR?

    Yes. The ePrivacy Directive (officially Privacy and Electronic Communications Directive 2002/58/EC) was passed earlier, in 2002. The GDPR came into effect in 2018. While the ePrivacy Directive is often called the "cookie law", it is not technically a law. It is a set of instructions to EU member states (and those processing data of EU residents), rather than a binding law. It is intended to direct EU member states in creating their own laws that align with the Directive. The ePrivacy Directive will be replaced by the ePrivacy Regulation, which will be a binding law. This is expected in 2023, with a 24-month transition period.

    The "EU cookie law" or "ePD" as it's often called, regulates the use of cookies on websites, email marketing, data minimization, and other aspects of data privacy. Its focus is the protection of electronic communications content and metadata. These are not categorized the same as "personal data", which the GDPR focuses on protecting, though they can contain personal data. All electronic communications data falls under the scope of the ePrivacy Directive. If electronic communications data that is collected and processed also includes personal data, it falls under the scope of the GDPR as well as the ePD.

    The GDPR is a binding law that covers all EU member states and their residents. In addition to the functions that the ePrivacy Directive covers, the GDPR provides principles to govern data collection and processing and regulates data privacy more broadly; it is not limited to electronic communications or data.

    How do I make my website compliant with the ePrivacy Directive?

    The ePrivacy Directive requires obtaining GDPR-compliant consent for data collection and processing from cookie usage on websites. This can be accomplished with a consent management solution like a cookie banner.

    The exceptions to this requirement are if the cookies are solely used to transmit communications over an electronic communications network, or are strictly necessary to provide an information society service that the subscriber or user has explicitly requested. Some excluded functions requiring cookies could include authentication, shopping carts, security (with duration limits), social media plugins or UI customization.

    To achieve ePrivacy Directive (or GDPR) compliance, companies must:

    • obtain users' valid consent before any cookies, except strictly necessary ones, are used
    • provide specific, accurate information about the cookies used, what data they track, and their purposes, before consent is obtained
    • securely document and store user consent
    • enable users to access your website (or other service) even if they refuse to allow the use of some or all cookies that are not strictly necessary
    • enable users to change or withdraw their consent as easily as they gave it

    Installing a Consent Management Platform (CMP) like Cookiebot CMP is easy and setup is user-friendly. It enables companies to provide data privacy information and obtain and store valid consent from users. The CMP will also scan websites to determine what cookies and tracking technologies are in use, and block their usage until user consent for them is obtained, thus helping with privacy compliance. With Geolocation features, the CMP can customize messaging and functions based on where the user is located, to enable specific compliance with the ePrivacy Directive, for example. Thanks to automated consent management, the CMP will also stay up to date with the legal landscape and technology to help maintain compliance.

    Do you have more questions?

    Learn how easy it is to get your website privacy-compliant

    If you want to get your website compliant with the ePrivacy Directive (and soon ePrivacy Regulation), Cookiebot CMP is easy to set up, user-friendly to customize and uses powerful scanning technology to help you achieve and maintain privacy compliance for cookie use with the cookie law. Best of all, you can get started for free. Here's how.

    Automated cookie scanning and declaration

    1. Scan your website

    Just enter your website address for a free scan that will detect the cookies and other tracking technologies that you are using and let you know if they are being deployed in a compliant way.

    2. Start your free trial

    Sign up for your 14-day free trial. It's fast and easy — only 3 simple steps that don't need IT or Legal resources. Get the peace of mind of state of the art consent management with automated monitoring and blocking of cookies.

    3. Customize your CMP

    Customize the appearance and messaging of the CMP for relevant regulations and your company's branding with user-friendly tools. Provide clear messaging and consent options to build trust and improve consent rates.

    The most used solution for compliant use of cookies and online tracking

    • Used on 2.3 million websites and apps
    • Manages 7 billion monthly user consents
    • Supports 47+ different languages

    Frequently asked questions

    What are consumers' rights under the ePrivacy Directive?

    The ePrivacy Directive focuses on companies' responsibilities in processing electronic communications data, so does not cover consumers' rights specifically. However, this cookie law works in tandem with the GDPR, so the rights of consumers/EU residents as described in that regulation are the important ones.

    Learn more about consumers' rights and the GDPR.

    What are the penalties for not complying with the ePrivacy Directive?

    The ePrivacy Directive is not a law, so authorities cannot levy penalties under it. However, under the draft ePrivacy Regulation that will replace it, the fines are in line with those set for GDPR violations:

    • up to 2% of annual worldwide turnover or up to €10 million, whichever is greater, for less serious violations
    • up to 4% of annual worldwide turnover, or up to €20 million, whichever is greater, for more serious violations

    The country-based Data Protection Authorities (DPAs) in EU member countries will impose these fines. There will also be non-financial penalties possible, which can include actions like limiting or stopping data collection.

    Are the ePrivacy Directive and the ePrivacy Regulation the same?

    Not quite. The ePrivacy Directive was passed in 2002 and amended in 2009. It is a directive, that is, a set of instructions for EU countries and those providing electronic communications to EU residents about protecting electronic communications-related content and metadata. It is not a law under which consumers are legally protected or violators can be penalized.

    The ePrivacy Regulation (ePR) will be a law, expected to come into effect in 2023, which takes all the information and instructions of the ePD and makes them into binding law. Data privacy violations relating to electronic communications will be legally governed by it. The plan is for there to be a 24-month transition period after the ePR comes into effect.

    Both the ePD and ePR are meant to complement the GDPR.

    Is "electronic communications data" the same as "personal data"?

    Not necessarily, but one can include the other. Protection of electronic communications content and metadata (electronic communications data) is the focus of the ePrivacy Directive. There are types of electronic communications data that do not meet the definition of personal data (can identify an individual). However, some electronic communications data can include personal data, i.e. if the data individually or in aggregate can identify a person. This can include obvious information like names, ID numbers, phone numbers or email addresses, but also IP addresses, browser cookie information, or sensitive personal details like gender, religious beliefs, political affiliation or medical information.

    If electronic communications data includes personal data, it also falls under the scope of the GDPR.

    What if I have to comply with other regulations as well?

    For companies doing business in multiple regions or countries, it is entirely possible that you may need to comply with multiple regulations. Companies that are already compliant with the EU's GDPR often need to do only minimal work to comply with the ePrivacy Directive, or some other laws, due to its scope and requirements and the fact that the two are meant to complement each other. However, we cannot provide legal advice and recommend consulting qualified legal counsel regarding your specific business and data processing situation.

    A consent management solution like the Cookiebot CMP can enable you to present different options to users in different countries, using geolocation functions. This can enable you to supply the correct privacy information and obtain consent correctly to comply with different regulations.

    How do I make sure I don't get fined?

    We cannot provide legal advice or guarantee privacy compliance with any regulation, and recommend consulting qualified legal counsel regarding your specific business and data processing situation. However, it is important to know which regulations you need to comply with and what their requirements are regarding consumer rights, notification, consent, and data use. It is also important to know what cookies and other tracking technologies are in use on your website, so that correct consent can be obtained.

    It is important to ensure that consent is obtained correctly and that users are clearly informed about their consent choices. Dark patterns and other elements to nudge or trick users into consenting should not be used.

    Additionally, ensure that only as much data as is necessary is collected and processed only for the purposes communicated. Ensure data is kept accurate and only stored for as long as it is needed to fulfill the processing purpose. Maintain the required standards of security and privacy, and ensure processes are in place to uphold accountability.

    A consent management platform (CMP) can help you not only obtain and store consent correctly, but can also help you ensure that you provide and maintain accurate and up to date information about data processing services in use (e.g. cookies).

    Will I lose a lot of data if I use a CMP?

    That doesn't have to happen, though we cannot make guarantees on the performance of individual CMP implementations. There are many ways to optimize your consent management platform (CMP) to increase consent rates and data flow. Having a great user interface that matches your corporate branding, has clear messaging and user-friendly functionality is important. Making it easy for users to understand your data processing and make consent choices is also very valuable.

    The Cookiebot CMP also has tools like analytics to help you analyze the CMP's performance and optimize it to maximize data capture. It should also be noted that many premium advertisers are increasingly insisting on proof of consent before doing business with companies, so not obtaining correct consent can affect ad revenues.

    What features are not included in the free plan?

    The Free plan does not include the following Premium plan standard features:

    • customize banner
    • customize declaration
    • multiple languages
    • data export
    • geolocation
    • Cross-domain Consent Sharing
    • consent statistics
    • internal domain alias for development, test and staging

    Check out our Plans & Pricing page to get more information or do a full comparison.

    Do I have to sign a contract?

    We don’t have any contracts for Cookiebot CMP and there are no hidden fees or long-term commitments. You can cancel your subscription at any time.

    How much do your plans cost after the free trial?

    It depends on your business needs and the number of domains and subpages you have.

    Check out our Plans & Pricing page to get more information for your company's specific needs.

    Can I cancel my free trial?

    Yes, at any time you can cancel your free trial or your plan if you previously signed up. You can do this via your "My account" page. Downgrade or cancel actions take effect at the end of your current billing period.

    Start your free trial now

    Get started