ePrivacy and Cookie Compliance

The ePrivacy Directive is a separate EU legal framework from GDPR that regulates electronic communications privacy, including cookies and similar tracking technologies. While GDPR covers general personal data processing, ePrivacy specifically addresses cookies, marketing communications, and metadata in electronic communications. Both apply simultaneously to most tech company websites and apps.

This page covers what ePrivacy requires for cookie compliance, the active enforcement landscape, and the pending ePrivacy Regulation that may replace the directive.

How ePrivacy and GDPR interact

ePrivacy Directive 2002/58/EC (as amended) is implemented through national laws in each EU member state. The directive sets specific requirements for cookies and similar tracking technologies, marketing communications by electronic means, and metadata in electronic communications.

GDPR applies to the personal data processed through cookies and similar technologies. ePrivacy (Article 5(3) of the directive) applies to the act of storing information on, or reading information already stored on, a user's device, whether or not that information is personal data. A cookie containing only a random identifier is therefore still in scope of ePrivacy even where it is arguable that GDPR does not apply.

In practice, both apply to most cookie use. ePrivacy generally governs the consent requirement for placing cookies. GDPR governs the broader processing of personal data collected through cookies.

For website operators, the practical effect is that cookie banners must comply with both frameworks.

Cookie consent requirements

Under ePrivacy, placing or reading cookies on a user's device requires informed consent, except for cookies that are:

  • Strictly necessary for the provision of a service explicitly requested by the user (for example a session cookie for a login or shopping basket, or a cookie that stores the visitor's own consent choice).

  • Used solely for the purpose of transmitting a communication over an electronic communications network.

Cookies that fall outside these exceptions (analytics, advertising, marketing, personalization, social sharing, content delivery network optimization where not strictly necessary) require consent before they are placed. The same rule applies to other technologies that store or read information on the device, such as local storage, tracking pixels and SDK identifiers in apps.

Consent under ePrivacy is measured against the GDPR consent standard: freely given, specific, informed, and unambiguous. This means:

  • Pre-ticked boxes are not valid consent.

  • Continued browsing or implicit consent is not valid consent.

  • Consent must be obtained before non-essential cookies are placed.

  • Withdrawal of consent must be as easy as giving consent.

  • Granular consent is required for distinct purposes (analytics, marketing, advertising should be separable choices).

Common cookie banner failures

CNIL and other supervisory authorities have been actively enforcing cookie compliance. Common failures result in fines:

  • Reject all hidden in a second-layer menu while Accept all is prominent. This pattern has been fined repeatedly: refusing must take no more effort (no more clicks) than accepting.

  • Pre-ticked boxes for non-essential cookies. Defaulting consent to on is not valid.

  • Implied consent through continued browsing. Some banners say "by continuing to use this site you consent to cookies." This is not valid consent.

  • Cookies placed before consent. Some banners load cookies on page load and then display the consent banner. Cookies must not be placed until consent is obtained for non-essential cookies.

  • Asymmetric size or color. Making Accept buttons visually prominent and Reject buttons less prominent creates dark pattern issues.

  • Cookie walls that condition site access on consent. The EDPB's consent guidelines state that consent obtained through a cookie wall is generally not freely given, and several supervisory authorities have taken the same position.

  • Withdrawal harder than granting consent. Many banners make it easy to accept but require navigation to user settings to withdraw. Withdrawal must be equally easy.

  • Granularity inadequacy. Lumping all non-essential cookies into a single accept/reject choice rather than allowing separate choices by purpose.

Recent enforcement

The French CNIL has been particularly active on cookie compliance with multiple high-profile fines. Google, Facebook, Amazon, Microsoft, and TikTok have all been fined for cookie banner failures in France over recent years.

The Italian Garante, German DPAs, and others have followed with their own enforcement actions.

The same patterns recur across these cases: dark patterns in the banner, no reject option equivalent to the accept option, and cookies placed before consent.

Individual French CNIL cookie fines have ranged from 20,000 EUR to 90 million EUR depending on company size and severity.

The pending ePrivacy Regulation

The ePrivacy Regulation was proposed in 2017 as a replacement for the directive. As of 2026 it has not been adopted despite multiple Council drafts, and in February 2025 the European Commission listed the proposal for withdrawal in its work programme, citing no foreseeable agreement between the co-legislators.

If adopted, the ePrivacy Regulation would:

  • Apply directly across EU member states (rather than through national implementations).

  • Update cookie consent rules and may permit alternative mechanisms in some cases, such as consent expressed through browser-level settings.

  • Cover newer technologies including IoT and machine-to-machine communications.

  • Tighten rules on metadata in electronic communications.

The timeline for adoption remains uncertain. Most companies continue to plan compliance based on the existing ePrivacy Directive plus national implementations.

Practical cookie compliance

Conduct a cookie audit. Identify all cookies and tracking technologies on your site, categorize by purpose, and identify whether each is strictly necessary or requires consent.

Implement a compliant Consent Management Platform. Common CMPs include OneTrust, Usercentrics, Cookiebot, Termly, Iubenda, Didomi, Sourcepoint. Many offer free tiers for small sites.

Configure the CMP correctly. Reject all and Accept all should be equally prominent. Cookies should not load until consent is granted. Granular consent by purpose should be available.

Block non-essential scripts until consent. The CMP does this by preventing the scripts that set the cookies (analytics, advertising, social) from executing until consent is granted, for example by keeping them as inert non-executing script tags or by gating tag manager triggers on consent state, rather than by deleting cookies after the fact. Verify the configuration in a clean browser profile: open the site, make no choice, and inspect the browser's storage and network panels; any cookie, local storage entry or request to an analytics or advertising domain at that point is a finding. Scripts added outside the CMP's control (inline tags, plugins, tag manager containers) are the usual cause.

Maintain a consent log. Record for each decision the time, the choices made per purpose, the version of the banner and notice text shown, and a pseudonymous consent identifier so the record can be linked to a later withdrawal. If you also store the IP address or user agent, treat them as personal data in their own right and give them a retention period; a full browser fingerprint is itself a tracking technique and is not required to evidence consent. Retain the log for audit purposes.

Provide easy withdrawal. A persistent cookie preference link should be available for users to update their choices.

Update cookie notice content. Cookie notice should explain each category of cookies, the purposes, third parties, retention, and rights.

Review periodically. Cookies change as you add tools, plugins, and features. Periodic review is required.

US considerations

The CCPA and similar US state laws have related but different cookie requirements:

  • CCPA generally permits cookies but requires disclosure and opt-out for sale or sharing of personal information (which can include cookie-based data).

  • Cookie banners on US-facing sites typically include a "Do Not Sell or Share My Personal Information" link.

  • California regulations require businesses to honor the Global Privacy Control signal as a valid opt-out of sale or sharing; several other state laws (Colorado and Connecticut among them) have similar universal opt-out requirements.

  • Multi-jurisdictional cookie banners typically detect user location and present jurisdiction-appropriate consent flows.
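The following is an added example, not code from this page or from any CMP vendor, that models the gating behaviour the practical cookie compliance steps above describe and the Global Privacy Control handling mentioned under US considerations. The tag inventory, purposes, URLs, BANNER_VERSION and the shape of the consent log record are constructed for illustration; navigatorLike stands in for the browser's navigator object (navigator.globalPrivacyControl), and loadScript stands in for injecting a script element into the page.

```javascript
// Added example, not code from the page or from any CMP vendor: a minimal
// consent-gated tag loader modelling what a correctly configured CMP does.
// Tag ids, purposes, URLs, BANNER_VERSION and the log record shape are constructed.

const BANNER_VERSION = "2026-01-v3"; // hypothetical: which notice text the visitor saw
const PURPOSES = ["analytics", "advertising"]; // non-essential purposes that need consent

// Constructed tag inventory from a cookie audit: one purpose per script.
// "necessary" tags load immediately; every other tag waits for consent.
const TAGS = [
  { id: "session",   purpose: "necessary",   src: "/js/session.js" },
  { id: "analytics", purpose: "analytics",   src: "https://analytics.example/collect.js" },
  { id: "adpixel",   purpose: "advertising", src: "https://ads.example/pixel.js" },
];

function createConsentManager({ loadScript, navigatorLike = {}, now = () => new Date().toISOString() }) {
  // Global Privacy Control: a browser-level opt-out of "sale or sharing".
  const gpc = navigatorLike.globalPrivacyControl === true;
  let choices = null;        // null until the visitor has actually decided
  const loaded = new Set();  // tag ids already injected into the page
  const log = [];            // consent records kept for audit

  // Inject every tag whose purpose is currently permitted, once. A script
  // that has already run cannot be "unloaded": withdrawal only stops
  // future loads, so the CMP must also clear the cookies it set.
  function applyTags() {
    for (const tag of TAGS) {
      const permitted = tag.purpose === "necessary" ||
        (choices !== null && choices[tag.purpose] === true);
      if (permitted && !loaded.has(tag.id)) {
        loaded.add(tag.id);
        loadScript(tag);
      }
    }
  }

  // Record a decision. Only an explicit true counts as granted (nothing
  // defaults to "on"), and a GPC signal overrides advertising even on "accept all".
  function record(action, requested) {
    const granted = {};
    for (const p of PURPOSES) granted[p] = requested[p] === true;
    if (gpc) granted.advertising = false;
    choices = granted;
    log.push({ time: now(), action, granted: { ...granted }, gpc, bannerVersion: BANNER_VERSION });
    applyTags();
    return { ...granted };
  }

  applyTags(); // before any decision only strictly necessary tags load

  return {
    acceptAll: () => record("accept_all", Object.fromEntries(PURPOSES.map((p) => [p, true]))),
    rejectAll: () => record("reject_all", {}),       // one call, same effort as accept
    save: (requested) => record("save", requested),  // granular, per purpose
    withdraw: () => record("withdraw", {}),          // same single call as granting
    hasDecision: () => choices !== null,
    loadedTags: () => [...loaded],
    consentLog: () => log.map((e) => ({ ...e })),
  };
}

// Audit helper: non-essential tags that were loaded while no decision
// existed. Anything returned is a "cookies before consent" finding.
function preConsentViolations(loadedIds, hasDecision) {
  if (hasDecision) return [];
  return loadedIds.filter((id) => TAGS.find((t) => t.id === id).purpose !== "necessary");
}

// Walk through one visit: page load, granular save, accept all, withdrawal.
// Returns the observable facts a reviewer would check.
function demoVisit(navigatorLike = {}) {
  const injected = [];
  const cmp = createConsentManager({
    loadScript: (t) => injected.push(t.src),
    navigatorLike,
    now: () => "2026-01-15T10:00:00Z", // constructed fixed clock
  });
  const beforeDecision = cmp.loadedTags();
  const violations = preConsentViolations(beforeDecision, cmp.hasDecision());
  const afterSave = cmp.save({ analytics: true }); // advertising left unticked
  const afterAccept = cmp.acceptAll();
  cmp.withdraw();
  return { beforeDecision, violations, afterSave, afterAccept, loaded: cmp.loadedTags(), log: cmp.consentLog() };
}
```

In a real page loadScript would create a script element with the tag's src. Note what withdrawal cannot do: a script that has already executed stays executed, and cookies set on a third-party domain cannot be deleted by your page at all, which is why blocking before load matters more than any cleanup afterwards. The audit helper is the same check you should run by hand in a clean browser profile before trusting the CMP configuration.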

How Engage Compliance helps

Cookie compliance is included in our DPO services for any client with EU customer-facing websites or apps. Specific work includes:

  • Cookie audit and categorization.

  • CMP selection and implementation guidance.

  • Cookie banner design review against ePrivacy and GDPR requirements.

  • Multi-jurisdictional banner design (EU plus US).

  • Cookie notice drafting.

  • Periodic cookie compliance review.

  • Response to supervisory authority cookie inquiries.

Get started

If you have cookie compliance questions or need a cookie audit, book a consultation.