Overview
The EU Cookie Law, formally known as the ePrivacy Directive (Directive 2002/58/EC as amended by Directive 2009/136/EC), regulates the use of cookies and similar tracking technologies across the European Union. While GDPR governs the processing of personal data in general, the ePrivacy Directive specifically addresses electronic communications and, in Article 5(3), the storing of information on a user's device and access to information already stored there. That provision applies whether or not the stored information is personal data, so a cookie that holds no personal data still needs consent unless it falls under an exemption.
The directive requires that website operators obtain informed consent from users before placing non-essential cookies on their devices. The rule is technology-neutral: it covers cookies, local storage, fingerprinting scripts, tracking pixels, and any other means of storing or reading information on the device.
Who Does It Apply To?
The ePrivacy Directive applies to any organization that:
- Operates a website or application accessible to users in the European Union
- Uses cookies or similar tracking technologies to store or access information on a user's device
- Provides electronic communication services within the EU
- Processes traffic or location data through electronic communication networks
Because each EU member state implements the directive through national legislation, specific requirements can vary by country. However, the core consent requirement is consistent across all member states.
Key Requirements
Prior Informed Consent
Before placing any non-essential cookie on a user's device, you must obtain the user's freely given, specific, informed, and unambiguous consent (the GDPR definition, on which the directive now relies). This means:
- Displaying a clear cookie banner or consent mechanism before any non-essential cookie is set or read
- Explaining what each category of cookie does in plain language
- Allowing users to accept or reject cookies before any tracking begins, with rejecting as easy as accepting (an "accept all" button paired with a reject option buried in a settings page does not qualify)
- Not using pre-ticked checkboxes, and not treating continued browsing or scrolling as consent
Exempt Cookies
Certain cookies are exempt from the consent requirement: those used for the sole purpose of carrying out the transmission of a communication, and those strictly necessary to provide a service the user has explicitly requested. Typical examples:
- Session cookies that maintain a shopping cart
- Authentication cookies for logged-in users
- Security cookies such as fraud prevention or CSRF-protection mechanisms
- Load-balancing cookies required for service delivery
- User preference cookies, such as a language the user has explicitly selected
"Strictly necessary" is judged against the service the user asked for, not the operator's convenience: an analytics or advertising cookie is not exempt because the site's business model depends on it.
Transparency
You must provide a clear and accessible cookie policy that explains:
- What cookies you use and their purpose
- How long each cookie persists
- Whether any third parties have access to cookie data
- How users can manage or withdraw their consent
Individual Rights
Under the ePrivacy Directive, individuals have the right to:
- Refuse cookies: Users must be able to decline non-essential cookies without losing access to the core functionality of the website
- Withdraw consent: Users must be able to change their cookie preferences at any time, and the process should be as simple as giving consent
- Be informed: Users must receive clear information about what data is being collected and why before any tracking occurs
- Access their data: In conjunction with GDPR, users can request access to any personal data collected through cookies
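The consent and withdrawal requirements above (no non-essential cookie before consent, rejection as easy as acceptance, withdrawal at any time) come down to one control on the client: nothing in a non-essential category may execute until a valid consent record exists, and withdrawal must expire whatever those tags set. The JavaScript below is an added example of such a gate; it is not code from the original page or from Apidly. The cookie name, the category names, the six-month retention, and the loader callbacks are assumptions, and `MemoryJar` is a constructed stand-in for `document.cookie` so the example runs outside a browser.

```javascript
// Consent gate: non-essential tags run only once a valid consent record
// exists, and withdrawal expires the cookies they set. Added example, not
// code from the page or from Apidly; names and policy values are assumed.

const CONSENT_COOKIE = "cookie_consent";            // assumed cookie name
const CONSENT_MAX_AGE = 180 * 24 * 3600;            // assumed: re-ask after 6 months
const NON_ESSENTIAL = ["analytics", "marketing"];   // assumed category names

function noConsent() {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
}

// Decode a stored record such as "v1.analytics=1.marketing=0".
// A missing, malformed or differently versioned record decodes to
// "nothing granted": an absent record is never implied consent.
function parseConsent(raw) {
  const granted = noConsent();
  if (typeof raw !== "string" || !raw.startsWith("v1.")) {
    return { valid: false, granted };
  }
  for (const part of raw.slice(3).split(".")) {
    const [cat, flag] = part.split("=");
    if (!NON_ESSENTIAL.includes(cat) || (flag !== "0" && flag !== "1")) {
      return { valid: false, granted: noConsent() };
    }
    granted[cat] = flag === "1";
  }
  return { valid: true, granted };
}

function encodeConsent(granted) {
  return "v1." + NON_ESSENTIAL.map((c) => `${c}=${granted[c] ? 1 : 0}`).join(".");
}

// Constructed stand-in for document.cookie so the example runs in Node.
// A browser build would write the same name/value/attributes to document.cookie.
class MemoryJar {
  constructor() { this.cookies = new Map(); }
  get(name) { return this.cookies.has(name) ? this.cookies.get(name).value : undefined; }
  has(name) { return this.cookies.has(name); }
  set(name, value, attrs) {
    if (attrs.maxAge <= 0) this.cookies.delete(name);   // Max-Age=0 expires it
    else this.cookies.set(name, { value, attrs });
  }
}

class ConsentGate {
  constructor(jar) {
    this.jar = jar;
    this.tags = new Map(NON_ESSENTIAL.map((c) => [c, []]));         // registered loaders
    this.owned = new Map(NON_ESSENTIAL.map((c) => [c, new Set()])); // cookies each category set
    this.state = parseConsent(jar.get(CONSENT_COOKIE));
  }

  // Show the banner whenever no valid record exists; nothing non-essential
  // runs until the user has answered it.
  needsBanner() { return !this.state.valid; }

  // Register a tag under a category. `loader(jar)` runs only once consent
  // for that category is on record and returns the cookie names it set,
  // so they can be expired on withdrawal.
  register(category, loader) {
    if (!this.tags.has(category)) throw new Error(`unknown category ${category}`);
    this.tags.get(category).push({ loader, ran: false });
    this.run(category);
  }

  run(category) {
    if (!this.state.valid || !this.state.granted[category]) return;
    for (const tag of this.tags.get(category)) {
      if (tag.ran) continue;
      tag.ran = true;
      for (const name of tag.loader(this.jar) || []) this.owned.get(category).add(name);
    }
  }

  // Record an explicit choice. Categories not mentioned are refused, never
  // assumed. The record itself is strictly necessary and needs no consent,
  // but it still gets Secure and SameSite so it cannot be planted over
  // plain HTTP or by a cross-site request.
  update(choice) {
    const previous = this.state.granted;
    const granted = noConsent();
    for (const c of NON_ESSENTIAL) granted[c] = choice[c] === true;
    this.state = { valid: true, granted };
    this.jar.set(CONSENT_COOKIE, encodeConsent(granted),
      { maxAge: CONSENT_MAX_AGE, secure: true, sameSite: "Lax", path: "/" });
    for (const c of NON_ESSENTIAL) {
      if (granted[c]) this.run(c);
      else if (previous[c]) this.revoke(c);
    }
  }

  // Withdrawal is a single call, no harder than accepting was.
  withdrawAll() { this.update({}); }

  // Expire every cookie the category's tags reported, and let the tags run
  // again only after a fresh grant.
  revoke(category) {
    for (const name of this.owned.get(category)) {
      this.jar.set(name, "", { maxAge: 0, path: "/" });
    }
    this.owned.get(category).clear();
    for (const tag of this.tags.get(category)) tag.ran = false;
  }
}
```

Registering a tag through `gate.register("analytics", loader)` instead of loading its script directly is what keeps it inert until consent; in HTML the same pattern is usually applied by shipping the tag as `type="text/plain"` and having the loader switch it to a real script type. Two limits a practitioner should know: the gate can only expire first-party cookies that JavaScript can reach, so cookies a vendor sets on its own domain, or any cookie flagged HttpOnly, must be handled server-side or through the vendor's own opt-out; and a script that has already executed keeps running until the next page load, so withdrawal should be followed by a reload or by the vendor's opt-out call.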
Enforcement and Penalties
Enforcement of the ePrivacy Directive falls to whichever authority each member state has designated, usually its data protection authority. Penalties vary by country but can be significant:
- France (CNIL): Fines up to 2% of annual worldwide turnover. Notable cases include a 150 million euro fine against Google and a 60 million euro fine against Facebook in January 2022, both for making it harder for users to refuse cookies than to accept them.
- Italy (Garante): Fines up to 120,000 euros per violation under the national implementation.
- Spain (AEPD): Fines up to 20 million euros under the national implementation, tied to GDPR enforcement.
- Germany: Article 5(3) is implemented in Section 25 of the TTDSG (renamed TDDDG in 2024) and enforced by the state-level data protection authorities, with fines varying by federal state.
In practice, regulators have increasingly targeted cookie consent violations, including banner designs that nudge users toward acceptance, making this an active area of enforcement across the EU.
How Apidly Helps
Apidly provides tools to simplify ePrivacy Directive compliance for your websites and applications:
- Cookie scanning and classification automatically detects all cookies on your site and categorizes them by purpose, making it straightforward to build accurate consent mechanisms
- Consent management integration connects with your cookie banner to ensure non-essential cookies are blocked until valid consent is obtained
- Compliance monitoring continuously checks your site for new cookies or tracking technologies that may have been added without proper consent flows
- Multi-jurisdiction support accounts for differences in national implementations across EU member states, so your consent mechanism meets local requirements
- Audit-ready reporting generates documentation of consent records and cookie inventories for regulatory inquiries