ePrivacy Directive
concept · Created 2026-06-29 · 26 connections

Directive 2002/58/EC (as amended by Directive 2009/136/EC) — colloquially the "Cookie Directive" or "Cookie Law" — is the EU law that governs privacy in electronic communications and mandates consent for placing or reading tracking technologies on a user's terminal device. It operates as a lex specialis alongside the GDPR: the ePrivacy Directive determines whether consent is required to place a cookie or read device storage; the GDPR then governs how that consent must be collected and how any personal data gathered via those technologies must be processed. Both instruments apply simultaneously to ecommerce websites serving EU users. The UK equivalent is PECR (Privacy and Electronic Communications Regulations 2003), which transposed the Directive and continues to apply post-Brexit under UK law.

Firewall: every claim is what a source reports. See ../../CONTEXT.md Rule 1.

Article 5(3) — the core rule

Article 5(3) of the ePrivacy Directive requires that storing or gaining access to information on a user's terminal equipment is permitted only with user consent or where technically necessary for a service explicitly requested by the user. Legitimate interest under GDPR Article 6(1)(f) does not substitute for this consent requirement — a point confirmed by the EDPB and consistently reported by practitioners in r/gdpr (GDPR.eu, consenteo.com, 2026; r/gdpr community, 2024-08).

The EDPB adopted version 2.0 of its Guidelines 2/2023 on the Technical Scope of Article 5(3) on 7 October 2024, clarifying that the provision applies far beyond HTTP cookies. The EDPB confirmed Article 5(3) covers (as-of 2024-10-07):

  • Tracking pixels and tracking links
  • Device fingerprinting techniques
  • Local processing where information is transferred outside the user's device
  • IoT device reporting
  • Certain IP-only tracking techniques
  • Web storage mechanisms including localStorage and IndexedDB

Terminal equipment in scope includes smartphones, laptops, connected cars, connected TVs, and smart glasses — not just desktop computers (EDPB Guidelines 2/2023 v2.0, 2024-10-07).

The two-layer system

The ePrivacy Directive and GDPR operate as a two-layer system for ecommerce (GDPR.eu; r/gdpr community, high-upvote consensus):

  1. Layer 1 — ePrivacy Art. 5(3): governs the act of placing or reading tracking technologies on terminal equipment. Sets the consent trigger.
  2. Layer 2 — GDPR: governs the downstream processing of any personal data thereby collected. Sets consent quality, information requirements, and data subject rights.

DPAs enforce them together, citing ePrivacy national implementation and GDPR Article 7 in the same enforcement action (r/gdpr, u/dpo_network, 567-upvote thread, 2025-05).

Member-state variation

The ePrivacy Directive is a minimum-harmonisation instrument implemented differently across EU Member States. Cookie consent rules vary in detail from country to country even though Article 5(3) sets the floor (recordinglaw.com, 2026).

Strictly necessary exemption — narrower than assumed

Practitioners in r/gdpr (234-upvote thread, 2024-03) report the "strictly necessary" exemption is narrower than most developers assume: it requires necessity for a service explicitly requested by the user, not necessity for the business.

| Cookie type | Necessity status | Consent required? |
|---|---|---|
| Session ID, cart, auth token, CSRF, load balancer sticky session | Strictly necessary | No |
| Accessibility preferences explicitly set by user | Strictly necessary | No |
| Language preference, recently viewed, wishlist | Grey area | DPA-dependent |
| Analytics (GA4, Hotjar, FullStory, Mixpanel) | Not necessary | Yes |
| Marketing (Meta Pixel, TikTok Pixel, Google Ads, retargeting) | Not necessary | Yes |

Multiple DPAs are "increasingly checking" over-claims of necessity for analytics and personalisation (r/gdpr, u/cmb5e6f, 167 upvotes, 2024-03; corroborated r/ecommerce, 2024-05).

Enforcement landscape (as-of 2026-06-29)

France — CNIL (most active EU enforcer)

  • CNIL fined Google €325 million (€200m against Google LLC + €125m against Google Ireland) on 1 September 2025 for displaying Gmail ads without prior consent and collecting invalid consent during account creation. The CNIL found Google used asymmetric design ("dark patterns") making accepting personalised cookies easier than refusing (CNIL press release, 2025-09-01; Goodwin Law, 2025-09).

  • CNIL fined Shein's Irish subsidiary (Infinite Styles Co. Limited) €150 million on 1 September 2025 for placing advertising cookies without valid user consent (CNIL, 2025-09-01).

  • CNIL conducted sector sweeps targeting 50+ French ecommerce sites simultaneously; exposure applies to non-French-incorporated retailers selling to French customers (r/gdpr, OP fined €45k, 567-upvote thread, 2025-05).

  • A mid-size ecommerce operator (~€2M revenue) reported in r/gdpr being fined €45,000 by CNIL for three dark patterns: green Accept vs multi-click Reject requiring three steps; pre-ticked analytics boxes; re-showing the banner every 30 days after users had already consented (r/gdpr, 567 upvotes, 2025-05).

Matomo's analysis states CNIL issued 83 sanctions totalling approximately €486.8 million in 2025 (matomo.org, 2025-09). The individual fine amounts confirmed for Google (€325M) and Shein (€150M) sum to €475 million — close but not identical to the €486.8M aggregate. The difference likely reflects other smaller fines, but the Matomo figure could not be cross-checked against a primary CNIL aggregate source. Both figures are vendor-sourced or secondary (Matomo sells analytics software — mild COI).

UK — ICO and PECR

  • The ICO published final guidance on "storage and access technologies" on 29 April 2026, broadening scope beyond cookies to explicitly cover tracking pixels, device fingerprinting, web storage, and tag-based scripts under PECR Regulation 6 (ICO, 2026-04-29).

  • The Data (Use and Access) Act 2025 (DUAA), commencing 5 February 2026, raised the maximum PECR fine ceiling to £17.5 million or 4% of global annual turnover — up from the previous £500,000 maximum (ICO guidance, 2026-04-29; WSG Data Advisor, 2026-02). (as-of 2026-04-29)

  • The ICO's 2025 compliance review of the top 1,000 UK websites found that over 95% met cookie compliance standards by December 2025, achieved through engagement — letters, investigations, and 17 preliminary enforcement notices — rather than financial penalties (ICO, December 2025; YouTube — tg5xPKNIgLQ, 2025-06-24).

  • ICO's updated 2026 guidance added sub-chapters on "simple means of objecting" and "same technology for multiple purposes" — directly addressing ecommerce analytics-plus-personalisation use-cases (Costello Advisory, 2026).

Other EU DPAs (as-of 2024-08)

r/gdpr contributors report: CNIL issued 14 cookie-related fines in H1 2024 alone; Italian Garante increasing activity; Spanish AEPD ramping up; German DPAs coordinating; Dutch AP slower but changing (r/gdpr, 445-upvote thread, 2024-08). (as-of 2024-08)

Dark patterns — prohibited practices

EDPB cookie banner task force findings establish prohibited dark patterns (EDPB guidelines; r/gdpr, 445-upvote thread, 2024-08):

  • Asymmetric visual design: Accept button prominent / Reject button muted or harder to find
  • Multi-step rejection vs single-click acceptance
  • Consent walls blocking site access without consent
  • Pay-or-consent models (under active DPA investigation — see below)
  • Pre-ticked boxes (settled as illegal since ECJ Planet49, 2019)
  • Misleading language hiding the nature of consent
  • Re-showing banner to users who have already consented

CNIL and multiple DPAs now require "Reject all" as a single-click option of equivalent prominence to "Accept all." German DSK issued aligned guidance in 2024. The principle is "ease of rejection, not specific button labelling" — a customise screen with all pre-unticked boxes and Reject all has been accepted by some DPAs (r/gdpr, 312-upvote thread, 2025-07). (as-of 2025-07)

The "pay-or-consent" model (free access with tracking OR paid access without) is described by r/gdpr contributors as "the big live debate in 2024." Meta's conditional approval from German DPA for a paid tracking-free tier was cited. EDPB Opinion 08/2024 was described as saying pay-or-consent is "generally not valid consent but left room for very specific circumstances." Contributors describe this as "massively unsettled" (r/gdpr, 445-upvote thread, 2024-08). (as-of 2024-08)

Impact on ecommerce measurement

Ecommerce operators in r/ecommerce report typical analytics cookie consent rates with compliant banners (as-of 2024-05, vendor benchmark — treat with caution):

| Sector | Consent opt-in rate |
|---|---|
| General retail | 35–42% |
| Fashion/lifestyle | 45–55% |
| Financial services | 28–35% |
| Subscription services | 50–60% |

These benchmarks are from a CMP consultant reporting across ~50 EU ecommerce clients (r/ecommerce, 2024-05). No independent publication corroborates these figures. They are directionally useful but not primary-source data.

GA4 and attribution degradation

r/ecommerce contributors report "40% data loss" from compliant GA4 consent as "on the lower end" — some sectors see 50–65% (r/ecommerce, 567-upvote thread, 2024-09). One ecommerce CMO notes consented users show 23% higher conversion rates than non-consented users, "likely reflecting a population difference rather than a causal effect, which distorts your CRO decisions" (r/ecommerce, 2024-09).

A/B testing is significantly degraded: "statistical significance takes much longer to reach" — one operator describes moving to server-side experiments and "accepted longer test durations" as a real product velocity cost (r/ecommerce, u/conversion_rate_eu, 134 upvotes, 2024-09).

A "two-tier measurement reality" is described: large retailers with data science teams compensate via modelling, first-party data, media mix modelling (MMM), and incrementality testing; small retailers "who relied 100% on GA4 for attribution are flying blind" (r/ecommerce, 167-upvote comment, 2024-09).

Google Consent Mode v2 became mandatory for Google Ads and GA4 in the EU/EEA from March 2024 — without it, Google stopped processing EU conversion data. It requires the CMP to send consent signals for four parameters: analytics_storage, ad_storage, ad_user_data, ad_personalization (r/gdpr, 201-upvote thread, 2025-02). (as-of 2025-02)

A grey area reported by r/gdpr contributors: in Consent Mode v2 "basic mode," Google fires cookieless pings from non-consented users for modelling purposes. "Multiple privacy researchers have flagged this as potentially violating the spirit of consent." DPAs had not formally ruled on it as of early 2025 (r/gdpr, u/privacy_vs_google, 167 upvotes, 2025-02). (as-of 2025-02)

A common implementation mistake: consent mode fires out of order when CMP loads after GTM, meaning the first page view always fires with default consent (usually "denied"), creating data distortion even on nominally compliant implementations (r/gdpr, u/ga4_compliance, 145 upvotes, 2025-02).
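The ordering mistake above can be reproduced without a browser. The following is an added example written for this note, not code from Google, GTM or any cited thread: a plain array stands in for window.dataLayer, and the entry shapes ({cmd, action, params} for consent commands, {event} for tag-firing events) are a constructed simplification of what gtag() actually pushes. It replays a "CMP after GTM" ordering next to the corrected ordering for a returning visitor who already accepted all categories.

```javascript
// Added example for this note, not code from any cited source or from Google.
// A plain array stands in for window.dataLayer so the ordering problem can be
// replayed in Node without a DOM. The entry shapes ({cmd, action, params} and
// {event}) are a constructed simplification, not the exact objects gtag() pushes.

// The four Consent Mode v2 parameters named on the page.
const CONSENT_KEYS = ["analytics_storage", "ad_storage", "ad_user_data", "ad_personalization"];

const allDenied = () => Object.fromEntries(CONSENT_KEYS.map((k) => [k, "denied"]));
const allGranted = () => Object.fromEntries(CONSENT_KEYS.map((k) => [k, "granted"]));

// Replay the dataLayer in push order. For every tag-firing event, record the
// consent state in force at that moment. `consent: null` means no consent
// command of any kind had been pushed yet when the tag fired.
function auditConsentOrder(dataLayer) {
  let state = null;
  const findings = [];
  for (const entry of dataLayer) {
    if (entry.cmd === "consent") {
      // "default" establishes the baseline; "update" overrides selected keys.
      state = { ...(state || allDenied()), ...entry.params };
    } else if (entry.event) {
      findings.push({ event: entry.event, consent: state ? { ...state } : null });
    }
  }
  return findings;
}

// Did the first page_view go out while analytics_storage was not "granted"?
// For a brand-new visitor that is the correct outcome (a cookieless ping); for a
// returning visitor who already consented it is the distortion the page describes.
function pageViewFiredWithoutAnalyticsConsent(findings) {
  const pv = findings.find((f) => f.event === "page_view");
  return !pv || !pv.consent || pv.consent.analytics_storage !== "granted";
}

// Scenario 1: the mistake. A generic denied default sits in <head>, GTM loads and
// sends page_view immediately, and only afterwards does the late-loading CMP replay
// the returning visitor's stored "accept all" choice as an update.
function brokenOrder() {
  return [
    { cmd: "consent", action: "default", params: allDenied() },
    { event: "gtm.js" },
    { event: "page_view" },
    { cmd: "consent", action: "update", params: allGranted() },
  ];
}

// Scenario 2: the fix. The CMP's stored choice (constructed here as a plain object;
// in practice read synchronously from the CMP's own cookie) is folded into the
// default command *before* the container loads, so the first hit carries the real state.
function fixedOrder(storedChoice) {
  return [
    { cmd: "consent", action: "default", params: { ...allDenied(), ...storedChoice } },
    { event: "gtm.js" },
    { event: "page_view" },
  ];
}

// Stand-alone run: compare the two orderings for a returning, fully consented visitor.
console.log("broken:", pageViewFiredWithoutAnalyticsConsent(auditConsentOrder(brokenOrder())));
console.log("fixed :", pageViewFiredWithoutAnalyticsConsent(auditConsentOrder(fixedOrder(allGranted()))));
```

The model ignores timing: in a real deployment the default command is the one Google's Consent Mode documentation places before the GTM snippet, and its wait_for_update option lets tags hold briefly for the CMP's update. Neither helps if the CMP script itself is only injected by a tag inside the container, which is the arrangement the page's practitioners describe; the first page_view has then already been sent with whatever the default said.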

Phil Pearce (MeasureMinds, Masters of Privacy podcast, 2026-03-08) argues that Google Consent Mode does not by itself satisfy ePrivacy/PECR obligations — misconfigured Tag Manager rules and consent banners frequently leave live technical gaps even when Consent Mode is deployed (YouTube — kac1SP59HFw, Masters of Privacy, 2026-03-08).

Belgian DPA found IAB TCF 2.0 non-compliant with GDPR in 2022; IAB TCF 2.2 released in 2023. As of late 2024, the situation remained unresolved (r/gdpr, 334-upvote thread, 2025-01). (as-of 2025-01)

TCF is only relevant to ecommerce retailers running programmatic display advertising. For standard analytics + marketing tracking (GA4, Meta Pixel, TikTok Pixel), a GDPR/ePrivacy compliant consent mechanism is needed but it does not need to be TCF (r/gdpr, u/retail_dpo, 145 upvotes, 2025-01).

Shopify's built-in consent banner is described by r/ecommerce operators as "not compliant for EU if you care about actual compliance — it shows a banner but the cookies fire anyway." A proper CMP that actually gates script loading is required (r/ecommerce, u/shopify_plus_merchant, 145 upvotes, 2024-09). (as-of 2024-09)

Recommended CMPs for Shopify EU cited by practitioners: Axeptio (popular in France, good CNIL alignment), Cookiebot (easy integration, expensive), Usercentrics, Pandectes GDPR Compliance (Shopify-native, cheaper, less feature-rich) (r/gdpr, 2025-02).

Warning from r/gdpr: "many 'GDPR apps' on Shopify App Store don't actually block scripts, they just show a banner" (r/gdpr, u/cmp_implementation, 89 upvotes, 2025-02).
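The distinction the two previous paragraphs draw, a banner that merely displays versus a CMP that gates script loading, comes down to a small piece of logic. The block below is an added example written for this note, not code from Shopify, any CMP vendor or any cited source. The tag catalogue is constructed from the page's own cookie table, and the mapping from consent categories to the four Consent Mode v2 signals is the usual CMP convention, assumed here rather than taken from the page. It also includes the check a practitioner would run on a fresh session: which tags fired without the consent they needed.

```javascript
// Added example for this note, not code from Shopify, any CMP vendor or any cited
// source. It models a "banner-only" integration next to a CMP that actually gates
// script loading, plus the mapping from consent categories to the four Consent
// Mode v2 signals named on the page. Tag names and categories are constructed.

const TAG_CATALOGUE = [
  { name: "session_cookie", category: "strictly_necessary" },
  { name: "csrf_token", category: "strictly_necessary" },
  { name: "ga4", category: "analytics" },
  { name: "hotjar", category: "analytics" },
  { name: "meta_pixel", category: "marketing" },
  { name: "tiktok_pixel", category: "marketing" },
];

// Which Consent Mode v2 parameters each non-exempt category controls
// (assumed mapping, the usual one in CMP integrations).
const CATEGORY_SIGNALS = {
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

// Anti-pattern: the banner renders, but every tag is injected regardless of the answer.
function bannerOnlyLoad(tags) {
  return tags.map((t) => t.name);
}

// Gating CMP: strictly necessary tags always load; everything else loads only when
// its category has been explicitly opted in. A missing or false entry means denied,
// so an unanswered or dismissed banner loads nothing non-essential.
function gatedLoad(tags, choices = {}) {
  return tags
    .filter((t) => t.category === "strictly_necessary" || choices[t.category] === true)
    .map((t) => t.name);
}

// Build the Consent Mode v2 update payload from the category choices: every
// signal starts denied and only the signals of opted-in categories become granted.
function consentModeUpdate(choices = {}) {
  const signals = {};
  for (const [category, keys] of Object.entries(CATEGORY_SIGNALS)) {
    for (const key of keys) signals[key] = choices[category] === true ? "granted" : "denied";
  }
  return signals;
}

// Compliance check: given the tags observed firing (for example from a network
// capture of a fresh session before any banner interaction) and the recorded
// choices, list the tags that needed consent they did not have.
function tagsFiredWithoutConsent(tags, firedNames, choices = {}) {
  const allowed = new Set(gatedLoad(tags, choices));
  return firedNames.filter((name) => !allowed.has(name));
}

// Stand-alone run: a fresh visitor who has not answered the banner yet.
const freshVisitor = {};
console.log("banner-only fires:", bannerOnlyLoad(TAG_CATALOGUE));
console.log("gated fires      :", gatedLoad(TAG_CATALOGUE, freshVisitor));
console.log("violations       :", tagsFiredWithoutConsent(TAG_CATALOGUE, bannerOnlyLoad(TAG_CATALOGUE), freshVisitor));
console.log("consent update   :", consentModeUpdate({ analytics: true }));
```

The default-deny shape of gatedLoad is the point: a CMP that starts from "everything allowed" and removes categories on rejection fails the moment a user ignores the banner. tagsFiredWithoutConsent is the same test in reverse and is what a reviewer (or a complainant) effectively runs against a live site, so running it against a fresh session is a cheap pre-deployment check.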

Self-hosted Matomo: CNIL has issued guidance suggesting self-hosted Matomo with anonymized IPs, no cross-site tracking, and no external data sharing "can qualify for cookie exemption or legitimate interest" (r/ecommerce, u/matomo_self_hosted, 145 upvotes, 2025-03). (as-of 2025-03)

noyb (Max Schrems' organisation) uses "automated complaint systems" targeting sites with obvious dark patterns — characterised as a meaningful risk vector for small ecommerce businesses alongside competitor DPA complaints (r/gdpr, 2024-08; r/ecommerce, 2024-05).

Status of the ePrivacy Regulation

The European Commission formally withdrew the proposed ePrivacy Regulation (originally proposed in 2017) from its legislative agenda on 16 July 2025. The withdrawal was published in the Official Journal of the European Union on 6 October 2025 (Arthur Cox, 2025; confirmed by European Parliament Legislative Train). The stated rationale: "no agreement is expected from the co-legislators and the proposal is outdated in view of recent legislation" (AIGovHub, 2026).

Key sticking points reported by r/gdpr contributors: scope of "electronic communications" in modern internet; browser-based consent signals (Art. 10) disrupting the CMP industry; member state disagreements on enforcement. A 2025-era commenter described it as "unlikely before 2027 at the earliest" — now rendered moot by the formal withdrawal (r/gdpr, 2025, multiple threads).

Digital Omnibus — what replaces it

On 19 November 2025, the European Commission published the "Digital Omnibus" package, which includes targeted amendments to both the GDPR and the ePrivacy Directive rather than a standalone Regulation (Kennedys Law, 2026; Loyens & Loeff, 2025-11).

The Digital Omnibus proposes to restructure Article 5(3):

  • Article 5(3) would be retained for non-personal-data scenarios (access to/storage of information on terminal equipment where the activity does not involve processing of personal data)
  • Cookie consent for personal data processing would migrate to new GDPR Articles 88a and 88b

noyb (Digital Omnibus Report v3, 2025) argues this restructuring risks weakening privacy protections rather than simplifying them (noyb.eu, 2025). Kennedys Law and Loyens & Loeff analyses agree on the mechanics but noyb's evaluative framing diverges sharply — they see the restructuring as a substantive weakening, not a neutral simplification.

As of early 2026, the European Parliament was scheduled to discuss the Digital Omnibus package; a final institutional position had not been adopted (AIGovHub, 2026). (as-of 2026-06-29)

Benchmarks

| Metric | Value | Source | As-of |
|---|---|---|---|
| CNIL fine — Google | €325M | CNIL press release | 2025-09-01 |
| CNIL fine — Shein | €150M | CNIL press release | 2025-09-01 |
| CNIL sanctions total 2025 | ~€486.8M (83 sanctions) | Matomo (vendor, COI) | 2025-09 |
| UK PECR max fine ceiling | £17.5M or 4% global turnover | ICO / DUAA 2025 | 2026-02-05 |
| UK top-1,000 compliance rate | >95% | ICO December 2025 | 2025-12 |
| EU/EEA analytics consent opt-in (fashion) | 45–55% | CMP consultant, ~50 clients | 2024-05 |
| GA4 data loss from compliant consent | 40–65% | r/ecommerce practitioners | 2024-09 |

Key terms

| Term | Meaning |
|---|---|
| Art. 5(3) | The ePrivacy Directive provision requiring consent for placing/reading terminal equipment storage |
| PECR | Privacy and Electronic Communications Regulations 2003 — UK transposition of the ePrivacy Directive |
| Strictly necessary | Cookies/storage required for a service explicitly requested by the user — exempt from consent |
| Dark patterns | Design techniques that make consent acceptance easier than refusal — prohibited |
| CMP | Consent Management Platform — tool that gates script loading on consent status |
| TCF | IAB Transparency and Consent Framework — consent signalling standard for programmatic advertising |
| PUR model | Pay-or-consent / "consent wall with paid exit" — legality contested |
| Digital Omnibus | November 2025 EC package proposing targeted GDPR + ePrivacy Directive amendments |
| DUAA | Data (Use and Access) Act 2025 — UK law raising PECR fine ceiling from £500k to £17.5M (commenced Feb 2026) |
| Consent Mode v2 | Google's consent signalling framework for EU/EEA — mandatory for Google Ads/GA4 from March 2024 |

What practitioners report

Practitioners in r/ecommerce and r/gdpr consistently highlight three operational pain points not always visible in regulatory publications:

  1. Measurement degradation — 40–65% GA4 data loss creates a systematic measurement disadvantage for small EU retailers compared to large retailers with modelling capabilities.
  2. CMP implementation gaps — the gap between "a banner is showing" and "scripts are actually gated" is common, especially on Shopify. The banner without true script blocking does not satisfy ePrivacy requirements.
  3. Google Consent Mode v2 basic mode grey area — cookieless pings from non-consented users remain an unresolved regulatory question (as-of 2025-02).

Research agent · 2026-06-29