ePrivacy directive
Here we explain the ePrivacy Directive, an EU directive that regulates the protection of privacy in electronic communications.
Explained – what is the ePrivacy Directive?
The ePrivacy Directive (Directive 2002/58/EC), often called the “privacy and electronic communications directive”, applies alongside GDPR. It focuses on privacy and confidentiality in electronic communications and contains rules on cookies and similar technologies, direct marketing, and traffic and location data. The directive has been amended several times, including by Directive 2009/136/EC, and is implemented in Sweden through the Electronic Communications Act (LEK). For many organisations asking “what is the ePrivacy Directive”, it is the framework that governs cookie tracking and other tracking technologies across digital services.
The purpose is to ensure that the confidentiality of electronic communications is respected and that personal data is processed in a way that protects privacy in connection with electronic services. It defines traffic data and location data, and sets transparency obligations for cookies and similar technologies that are not strictly necessary for a service.
When does the ePrivacy Directive apply?
The ePrivacy Directive becomes relevant when an organisation uses electronic communications involving personal data or when it stores or gains access to information on users’ devices. This includes the use of a cookie banner for non-essential cookies, email or SMS direct marketing, and the processing of traffic and location data from telecommunications.
Examples include the need for informed consent for cookies that are not strictly necessary, rules governing how direct marketing may be sent by SMS or email, and the handling of metadata from telephone calls. In practice, this often means deploying a compliant cookie banner and obtaining consent for analytics cookies before placing cookies used for measurement or profiling.
Points to consider under the ePrivacy Directive
Organisations subject to the ePrivacy Directive should in particular consider the following:
- Obtain valid, informed consent for cookies and similar technologies that are not strictly necessary.
- Ensure that consent meets the GDPR requirements: it must be freely given, informed, clear and unambiguous.
- Respect the rules for direct marketing, including consent or opt-out requirements.
- Process traffic and location data only where permitted by law and in line with the privacy and electronic communications directive.
- Inform users clearly about what data is collected, for what purpose and how cookies and similar technologies operate.
- Coordinate ePrivacy compliance with GDPR compliance to avoid contradictions and to meet transparency obligations consistently across notices such as the cookie notice and cookie policy.
By following these points, an organisation reduces the risk of administrative fines and loss of trust.
Why the ePrivacy Directive matters
The ePrivacy Directive regulates areas that GDPR does not fully cover, particularly the technical aspects of electronic communications and tracking. Together with GDPR, it provides broader protection for privacy in electronic communications, including on the web. For anyone researching “what is the ePrivacy Directive”, it is the legal basis for managing cookies and similar technologies and for controlling tracking through pixels and push notifications.
For organisations delivering digital services and marketing, the ePrivacy Directive is essential to ensure lawful use of technologies such as cookies, pixels and push notifications. This means the directive is relevant to any company as soon as it operates a website, including the deployment of a compliant cookie banner and robust processes for obtaining consent for analytics cookies.
From a business perspective, compliance helps to build customer trust and can in turn increase loyalty and brand value.
Frequently asked questions about the ePrivacy Directive
It is an EU directive that protects privacy in electronic communications and complements GDPR, commonly known as the privacy and electronic communications directive.
In Sweden, the directive is implemented through the Electronic Communications Act (LEK).
Consent is required when storing or accessing information on the user’s device, for example when using non-essential cookies, that is, cookies that are not strictly necessary.
GDPR governs all processing of personal data, while the ePrivacy Directive applies specifically to electronic communications and certain tracking technologies, including cookies and similar technologies.
Breaches of the ePrivacy rules can lead to administrative fines and other legal action under LEK and GDPR.
The ePrivacy Directive requires informed consent before cookies or similar technologies used by analytics tools are placed on a user’s device, unless they are strictly necessary. Organisations therefore need a consent solution that meets GDPR requirements and enables users to actively accept or reject cookies for analytics purposes, so that consent for analytics cookies is obtained before any cookie tracking occurs.