ePrivacy Directive and Cookie Consent Requirements
The EU's Directive 2002/58/EC, amended by Directive 2009/136/EC, governing electronic communications privacy including cookie consent, spam, and confidentiality of communications.
Directive 2002/58/EC ("Directive on Privacy and Electronic Communications"), as amended by Directive 2009/136/EC (the "Cookie Directive"), is the EU's sector-specific privacy law for electronic communications. Article 5(3) of the amended Directive requires prior informed consent before storing or accessing information on a user's terminal equipment (cookies, pixels, fingerprinting, local storage, IndexedDB) — unless strictly necessary for a service explicitly requested by the user. This "strictly necessary" exemption is narrow: it covers only technical session cookies required for login state and shopping cart functionality, not analytics, advertising, A/B testing, performance monitoring, or social media embedding. The ePrivacy Directive operates alongside the GDPR: consent under Article 5(3) must satisfy GDPR Article 7 consent standards — freely given, specific, informed, and unambiguous affirmative action.
Engineering implementation of ePrivacy compliance requires a Consent Management Platform (CMP) that: blocks all non-essential JavaScript, pixels, and tracking technologies from executing before consent is obtained; captures granular consent signals by purpose category (analytics, marketing, personalization, social media); persists consent records with timestamps and consent string versions for auditability; transmits consent signals downstream to third-party vendors using IAB TCF v2.2 (Transparency and Consent Framework) signals or equivalent; and provides a mechanism for users to withdraw consent with equal ease to granting it (GDPR Article 7(3)). The CMP must intercept all network requests to tracking domains at the browser level using Content Security Policy or JavaScript interception — not merely hide UI elements. Deploying analytics (Google Analytics 4, Mixpanel, Amplitude) without consent gating constitutes a violation regardless of contractual representations by the vendor.
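As an added example (not code from the page's authors or any CMP vendor), the following sketches the three mechanics described above: a default-deny gate in which only strictly necessary storage runs before a decision, a per-category consent record that logs every grant and withdrawal with a timestamp and consent version, and withdrawal in a single call. The category names, `CONSENT_VERSION`, and the `{ src, category }` script-descriptor shape are assumptions; a production CMP would additionally encode the decision as a TCF string for downstream vendors.

```javascript
// Added example: default-deny consent state, append-only consent log, and a script gate.
// CONSENT_VERSION and CATEGORIES are constructed placeholders, not values from any real CMP.
const CONSENT_VERSION = "policy-v3"; // placeholder for the consent string / policy version
const CATEGORIES = ["analytics", "marketing", "personalization", "social"];

function createConsentStore(now = () => new Date().toISOString()) {
  const log = [];      // every grant/withdrawal with timestamp + version (GDPR Art. 7(1) proof)
  let current = null;  // null = no decision yet: only strictly necessary storage may run

  function write(action, choices) {
    const entry = { action, choices: { ...choices }, version: CONSENT_VERSION, at: now() };
    log.push(entry);
    current = entry.choices;
    return entry;
  }

  return {
    // choices: { analytics: true, marketing: false, ... }; omitted categories default to false
    grant(choices) {
      const normalized = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
      return write("grant", normalized);
    },
    // Withdrawal must be as easy as granting (Art. 7(3)): one call clears every category.
    withdrawAll() {
      return write("withdraw", Object.fromEntries(CATEGORIES.map((c) => [c, false])));
    },
    // Default deny: anything not strictly necessary stays blocked until a decision is recorded.
    isAllowed(category) {
      if (category === "necessary") return true;
      return current !== null && current[category] === true;
    },
    history() { return log.map((e) => ({ ...e, choices: { ...e.choices } })); },
  };
}

// Script gate: given tags described as { src, category }, return only those permitted to run.
function gateScripts(store, scripts) {
  return scripts.filter((s) => store.isAllowed(s.category));
}

// Browser hook (no-op under Node): tags shipped as <script type="text/plain"
// data-consent-category="..."> never execute; after consent, permitted ones are re-created live.
function activateBlockedScripts(store, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!store.isAllowed(el.dataset.consentCategory)) continue;
    const live = doc.createElement("script");
    for (const { name, value } of el.attributes) if (name !== "type") live.setAttribute(name, value);
    live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Note that hiding the banner or deleting the tag from the DOM is not enough: the tag must never be parsed as JavaScript before `isAllowed` returns true, which is why the blocked form uses a non-executable `type`.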
Enforcement of ePrivacy requirements has accelerated dramatically since 2021. The French CNIL issued €150 million in cookie fines against Google and Facebook in January 2022 for making the cookie rejection mechanism harder to use than the acceptance mechanism. The Irish DPC, Spanish AEPD, and Italian Garante have all issued significant fines and orders for cookie walls (requiring cookie consent as a condition of service access). The noyb "cookie banner" complaint campaign filed 226 complaints in 2021 across EU member states targeting cookie banners that used dark patterns to nudge consent. The proposed ePrivacy Regulation (replacing the Directive) has been under negotiation since 2017 and would apply directly as a Regulation across all EU member states, but as of 2024 remains in trilogue — leaving the amended Directive as the operative law.
We design and implement ePrivacy-compliant consent architectures that block all non-essential tracking at the network request level before consent, integrate IAB TCF v2.2 signals into analytics and advertising platforms, and build consent audit logging systems that satisfy the GDPR Article 7(1) burden-of-proof requirement. We audit existing CMP implementations against current DPA guidance on dark patterns and consent withdrawal mechanisms.