Compliance

ePrivacy Directive vs GDPR: Which Law Actually Governs Cookies?

CookieBoss Team · 7 min read

Ask most website owners about cookie compliance and they will mention GDPR. But the law that specifically governs cookies is not GDPR. It is the ePrivacy Directive (ePD), also known as the “Cookie Law,” which has been in effect since 2002 and was amended in 2009 to require opt-in consent.

Understanding how these two regulations interact is essential for building a compliant consent implementation. Getting this wrong is one of the most common sources of enforcement risk.

Two laws, different scopes

The ePrivacy Directive (2002/58/EC)

The ePrivacy Directive specifically regulates electronic communications and the storage of information on a user’s device. Article 5(3) states:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent.

This covers:

  • HTTP cookies
  • localStorage and sessionStorage
  • IndexedDB
  • Device fingerprinting techniques
  • Tracking pixels that store or access device information

The only exception is for cookies that are “strictly necessary” to provide the service the user explicitly requested.

The ePrivacy Directive is a directive, not a regulation. This means each EU member state implements it through national law. The specific rules vary slightly by country, but the core consent requirement is consistent across the EU.

GDPR (Regulation 2016/679)

GDPR regulates the processing of personal data. It defines what constitutes valid consent (Article 7), establishes legal bases for data processing (Article 6), and sets standards for transparency and data subject rights.

GDPR does not specifically mention cookies. However, Recital 30 acknowledges that cookies can constitute personal data:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers.

GDPR is a regulation that applies directly in all EU member states without needing national implementation.

How they interact

The ePrivacy Directive and GDPR work together as complementary rules:

  1. ePrivacy Directive controls access to the device. Before you can set a cookie on a user’s device, you need consent under the ePrivacy Directive (unless the cookie is strictly necessary).

  2. GDPR controls what you do with the data. Once you have the cookie data, any processing of personal data contained in or derived from cookies must comply with GDPR’s rules on lawful processing, transparency, and data subject rights.

  3. ePrivacy is lex specialis. Where the ePrivacy Directive and GDPR overlap, the ePrivacy Directive takes precedence as the more specific law. This is explicitly stated in GDPR Article 95.

Why this distinction matters

Legitimate interest does not work for cookies

Some organizations argue that they can use GDPR’s “legitimate interest” basis (Article 6(1)(f)) for analytics cookies instead of obtaining consent. The reasoning is: “We have a legitimate interest in understanding our website traffic, so we do not need consent for analytics cookies.”

This argument fails because the ePrivacy Directive requires consent for storing information on the device, regardless of the GDPR legal basis for processing the resulting data. The two requirements operate independently and must each be satisfied:

  • ePrivacy: Do you have consent to set the cookie? (Required for all non-essential cookies)
  • GDPR: Do you have a legal basis to process the personal data the cookie contains? (Consent is one option, but legitimate interest could theoretically apply)

Since you need ePrivacy consent to set the cookie in the first place, the GDPR legitimate interest argument is moot. You cannot process cookie data if you were not allowed to set the cookie.

The EDPB has confirmed this interpretation in its guidelines on consent (05/2020), and multiple DPAs have issued enforcement actions against organizations that relied on legitimate interest for analytics cookies.

While the ePrivacy Directive requires consent, it does not define what valid consent looks like. For this, it refers to GDPR’s definition of consent (Article 4(11)):

‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

This means all the GDPR consent requirements apply to ePrivacy cookie consent:

  • Prior (before setting the cookie)
  • Freely given (no cookie walls, no bundled consent)
  • Specific (granular categories, not “all or nothing”)
  • Informed (clear descriptions of what each cookie does)
  • Unambiguous (active opt-in, no pre-ticked boxes)
  • Withdrawable (easy mechanism to change preferences)

For a detailed breakdown of these requirements, see our GDPR cookie consent requirements guide.

The ePrivacy Regulation (pending)

The European Commission proposed replacing the ePrivacy Directive with an ePrivacy Regulation in 2017. As of 2026, this regulation has not been finalized. Until it is adopted, the ePrivacy Directive (as implemented by each member state) remains in effect.

The proposed ePrivacy Regulation would:

  • Apply directly in all EU member states (like GDPR)
  • Maintain the consent requirement for non-essential cookies
  • Potentially standardize enforcement across the EU
  • Introduce cookie “whitelisting” in browser settings

Until the ePrivacy Regulation is adopted, website operators must comply with both the ePrivacy Directive (through their applicable national law) and GDPR.

National implementations vary

Because the ePrivacy Directive is a directive, each EU country has its own implementation. This creates some differences:

France (CNIL): Requires that “Reject All” and “Accept All” buttons are equally prominent. Has actively fined organizations for dark patterns in consent banners. Does not allow analytics cookies under legitimate interest.

Germany (DSK/State DPAs): The Telecommunications and Telemedia Data Protection Act (TDDDG) implements the ePrivacy requirements. German DPAs have been strict on cookie consent enforcement and do not accept the legitimate interest basis for analytics.

Austria (DSB): Issued a landmark decision on Google Analytics (January 2022) finding that the transfer of analytics data to the US violated GDPR. This decision influenced similar findings across Europe.

Netherlands (AP): The Dutch DPA has specifically stated that analytical cookies require consent unless they meet strict conditions (first-party only, aggregated, privacy-friendly configuration).

Spain (AEPD): Has issued numerous guidelines on cookie consent and actively enforces against non-compliant banners.

For websites that serve visitors across multiple EU countries, the safest approach is to follow the strictest interpretation: require opt-in consent for all non-essential cookies, provide equal prominence to accept and reject options, and offer granular category controls.

Practical implications for your website

Given how the ePrivacy Directive and GDPR interact, here is what your cookie consent implementation needs:

  1. Full blocking mode is required. Since the ePrivacy Directive requires consent before setting cookies, your CMP must physically prevent non-essential scripts from executing until the user consents. Signal-only mode (where scripts fire but receive a consent signal) does not satisfy the ePrivacy Directive’s prior consent requirement.

  2. Analytics always needs consent. Do not rely on GDPR legitimate interest for analytics cookies. The ePrivacy Directive independently requires consent for storing any non-essential information on the user’s device.

  3. Consent must meet GDPR standards. Even though the cookie-setting requirement comes from the ePrivacy Directive, the consent itself must meet GDPR’s definition: freely given, specific, informed, unambiguous, and withdrawable.

  4. Apply the strictest national rules. If your site serves visitors from multiple EU countries, implement the strictest requirements (typically France or Germany) to ensure compliance everywhere.

  5. Keep your cookie inventory current. Both regulations require transparency about what cookies you use. Regular cookie audits ensure your consent banner accurately reflects your site’s actual cookies.
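As an added illustration of points 1, 3 and 5 above (example code, not CookieBoss's own implementation), here is a minimal full-blocking consent gate. It assumes non-essential scripts are shipped as inert `<script type="text/plain" data-consent-category="…">` tags that the browser never executes; the category names and the cookie inventory are constructed for the example.

```javascript
// Added example, not CookieBoss code: a minimal full-blocking consent gate.
// Non-essential scripts are shipped inert, e.g.
//   <script type="text/plain" data-consent-category="analytics" data-src="/analytics.js"></script>
// so nothing runs until the user opts in to that category. Category names and
// the cookie inventory below are constructed for illustration.

const CATEGORIES = ['analytics', 'marketing'];   // assumed non-essential categories

// Turn banner choices into a consent record. Anything not explicitly ticked is
// a refusal (no pre-ticked boxes, no inferred consent). The timestamp lets a
// later withdrawal or audit show when consent was given.
function buildConsent(choices, now = Date.now()) {
  const record = { necessary: true, recordedAt: now };
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  return record;
}

// Full blocking: with no consent record at all, only strictly necessary scripts
// may run. This is the ePD Art. 5(3) prior-consent rule expressed in code;
// a signal-only CMP would instead let every script execute and merely pass it a flag.
function scriptsToActivate(blockedScripts, consent) {
  return blockedScripts.filter(s =>
    s.category === 'necessary' || (Boolean(consent) && consent[s.category] === true));
}

// Withdrawal: an already executed script cannot be un-run, so the cookies it set
// must be expired. Returns the inventory entries whose category is no longer consented.
function cookiesToExpire(inventory, consent) {
  return inventory
    .filter(c => c.category !== 'necessary' && !(consent && consent[c.category]))
    .map(c => c.name);
}

// Browser side: clone an inert script into an executable one. Call only for
// scripts returned by scriptsToActivate(); `doc` is the page's document object.
function activateScript(doc, s) {
  const el = doc.createElement('script');
  if (s.src) el.src = s.src; else el.textContent = s.inline || '';
  el.setAttribute('data-consent-category', s.category);
  doc.head.appendChild(el);
  return el;
}

// Constructed cookie inventory (names are placeholders, not a real site's cookies).
const INVENTORY = [
  { name: 'session_id',   category: 'necessary' },
  { name: 'analytics_id', category: 'analytics' },
  { name: 'ad_id',        category: 'marketing' },
];
```

Because the inventory drives both the banner text and the withdrawal cleanup, keeping it current (point 5) is what makes the gate and the stated cookie descriptions agree.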

Getting compliant

CookieBoss supports full blocking mode, granular consent categories, and geo-rules that let you apply different consent behaviors based on the visitor’s location. This means you can satisfy both the ePrivacy Directive’s prior consent requirement and GDPR’s consent standards with a single implementation.

Start a free trial to see how it works on your website, or read our setup guide to understand how CookieBoss integrates with Google Consent Mode V2.