Quick Answer: The ePrivacy Directive and the GDPR are two distinct but overlapping EU laws that jointly govern cookie consent and online privacy. The ePrivacy Directive sets the specific rules for placing cookies on users' devices, while the GDPR defines the standards for valid consent. Most websites operating in the EU must comply with both, and as of 2026, a major legislative overhaul is underway that could consolidate cookie rules directly into the GDPR.
Key Takeaways
- The ePrivacy Directive (2002, updated 2009) is the primary law requiring consent before setting non-essential cookies; the GDPR (2018) defines what "valid consent" actually means.
- Both laws apply simultaneously to most EU-facing websites, one does not replace the other.
- The proposed ePrivacy Regulation was formally withdrawn by the European Commission in February 2025.
- The Digital Omnibus Package, unveiled in November 2025, proposes integrating cookie consent rules into the GDPR via new Articles 88a and 88b.
- Essential (strictly necessary) cookies are exempt from consent requirements under the ePrivacy Directive.
- The ePrivacy Directive has been transposed differently across EU member states, creating compliance variation by country.
- A 2026 study found only 30.66% of websites featured a "reject all" button, indicating widespread non-compliance [7].
- Cookie consent banners can satisfy both laws, but only if they meet the GDPR's conditions for freely given, specific, informed, and unambiguous consent.
- Consent Management Platforms (CMPs) will need to adapt to browser-level consent signals under the proposed GDPR changes [3].

What Is the Difference Between the ePrivacy Directive and GDPR
The ePrivacy Directive and the GDPR serve different but complementary functions. The ePrivacy Directive (Directive 2002/58/EC, amended by 2009/136/EC) is a sector-specific law governing electronic communications privacy, including the use of cookies and similar tracking technologies. The GDPR is a general data protection regulation that sets the legal framework for processing personal data across all sectors, including the definition and requirements for valid consent.
The key distinction:
| Feature | ePrivacy Directive | GDPR |
|---|---|---|
| Legal form | EU Directive (requires national transposition) | EU Regulation (directly applicable) |
| Primary focus | Cookies, tracking, electronic communications | All personal data processing |
| Consent standard | Requires consent for non-essential cookies | Defines what valid consent means |
| Enforcement body | National telecom/DPA regulators | National Data Protection Authorities |
| Status (2026) | Still in force; reform pending | In force; proposed amendments underway |
Because the ePrivacy Directive is a Directive rather than a Regulation, each EU member state has transposed it into national law differently, producing variation in enforcement and specific requirements across countries [6].
Do You Need to Comply With Both the ePrivacy Directive and GDPR, or Just One
Both laws apply simultaneously, and compliance with one does not satisfy the other. The ePrivacy Directive tells you when you need consent (before setting non-essential cookies); the GDPR tells you what that consent must look like (freely given, specific, informed, unambiguous, and withdrawable at any time) [5].
Think of it this way: the ePrivacy Directive is the trigger, and the GDPR is the standard. A cookie banner that technically appears before cookies load but uses pre-ticked boxes would violate the GDPR's consent requirements, even if it nominally complies with the ePrivacy Directive's notification obligation.
Common mistake: Assuming that a cookie notice (informing users cookies exist) is sufficient. Under both frameworks, passive notification is not consent for non-essential cookies.
How Does the ePrivacy Directive Apply to Cookies on Your Website
The ePrivacy Directive requires that website operators obtain prior, informed consent before storing or accessing information on a user's device, this covers cookies, pixels, local storage, and similar technologies [6]. This obligation applies regardless of whether the data collected qualifies as personal data under the GDPR.
Practically, this means:
- No non-essential cookies may fire before a user takes an affirmative action to consent.
- The consent mechanism must be clear and not bundled with terms of service acceptance.
- Users must be able to withdraw consent as easily as they gave it.
The Directive applies to any service targeting EU users, regardless of where the website operator is based.
What Cookies Require Consent Under the ePrivacy Directive vs. GDPR
Under the ePrivacy Directive, consent is required for all cookies except those that are "strictly necessary" for a service explicitly requested by the user. Under the GDPR, any processing of personal data requires a lawful basis, and for tracking cookies, that basis is almost always consent.
Cookie categories and consent requirements:
- Strictly necessary cookies (session management, login state, shopping cart): No consent required under the ePrivacy Directive. The GDPR's legitimate interest or contract performance basis may apply.
- Analytics cookies (e.g., page view tracking that identifies users): Consent required under both frameworks.
- Marketing and advertising cookies (behavioral targeting, retargeting): Consent required under both frameworks, this is the highest-risk category for enforcement.
- Functional cookies (language preferences, UI settings): Debated; if they process personal data, consent is the safest approach.
Is the ePrivacy Directive Being Replaced, and What Is the ePrivacy Regulation
The ePrivacy Directive is not being replaced by the GDPR. However, a proposed ePrivacy Regulation was intended to replace the Directive with a directly applicable EU-wide law. That proposal was formally withdrawn by the European Commission in February 2025, citing a lack of foreseeable agreement among member states and the proposal's outdated character given recent technological changes [2].
The ePrivacy Directive vs. the proposed ePrivacy Regulation: The Regulation would have been directly binding across all member states (eliminating national transposition differences), but it never reached adoption.
In its place, the European Commission introduced the Digital Omnibus Package on November 19, 2025. This package proposes integrating cookie consent rules directly into the GDPR through new Articles 88a and 88b [2][3]. Article 88a would define scenarios where consent is not required (such as for transmission of electronic communications or services explicitly requested by the user). Article 88b would introduce requirements for automated, machine-readable consent mechanisms, including browser-level consent signals [3].
As of July 2026, the Digital Omnibus Package is still undergoing legislative processes, with final text expected by late 2026 or early 2027 [4].
Do Essential Cookies Need Consent Under the ePrivacy Directive
No. Strictly necessary cookies are explicitly exempt from the ePrivacy Directive's consent requirement. These are cookies without which the service the user has actively requested cannot function, for example, session identifiers, authentication tokens, and shopping cart cookies [6].
Edge case: "Necessary" is interpreted narrowly. A cookie that improves performance or enables analytics is not strictly necessary, even if the operator considers it operationally important. When in doubt, err on the side of requiring consent.
How to Get Valid Cookie Consent That Satisfies Both Regulations
Valid consent under the GDPR (and therefore under the ePrivacy Directive, which defers to GDPR consent standards) must be:
- Freely given, No consent walls or forced bundling with terms acceptance.
- Specific, Separate consent for each category of cookies (analytics, marketing, etc.).
- Informed, Users must know what cookies do and who processes the data.
- Unambiguous, An affirmative action is required; pre-ticked boxes are invalid.
- Withdrawable, Revoking consent must be as easy as granting it [5].
A well-configured Consent Management Platform (CMP) handles this workflow. Biscotti CMP is designed to support these requirements, including granular consent categories and consent logging for audit purposes. With the Digital Omnibus Package proposing browser-level consent signals under Article 88b, CMPs will also need to ingest and respect signals from browser settings, a significant operational shift for the industry [3].
Can Cookie Banners Satisfy Both ePrivacy and GDPR Requirements
Yes, but only if the banner is correctly designed. A cookie banner that meets GDPR consent standards will also satisfy the ePrivacy Directive's consent requirement, because the Directive defers to the GDPR's definition of consent for EU member states [5][6].
A compliant banner must:
- Present a clear "Accept" and "Reject" (or equivalent) option with equal visual prominence.
- Not use dark patterns (e.g., making "Reject" harder to find than "Accept").
- Block non-essential cookies until consent is given.
- Record and store consent with a timestamp and version reference.
- Allow users to change their preferences at any time.
A 2026 study found that only 30.66% of websites featured a "reject all" button, which means the majority of surveyed sites likely fall short of compliance expectations [7].
Are There Countries Where the ePrivacy Directive Does Not Apply
The ePrivacy Directive applies across all EU member states. However, because it is a Directive (not a Regulation), each country has transposed it into national law with some variation in scope, enforcement priorities, and penalties [6]. Countries outside the EU, including the UK post-Brexit, have their own equivalent laws (the UK's Privacy and Electronic Communications Regulations, or PECR).
Choose your compliance baseline based on where your users are located, not just where your business is registered. A US-based company with significant EU traffic must comply with both the ePrivacy Directive (as transposed in relevant member states) and the GDPR.
What Happens if You Don't Comply With ePrivacy Directive Rules
Non-compliance with the ePrivacy Directive (as transposed into national law) can result in fines and enforcement action from national regulators. Penalties vary by member state but can be substantial, and GDPR violations triggered by invalid consent (for example, processing personal data via tracking cookies without a valid legal basis) carry fines of up to 4% of global annual turnover or 20 million euros, whichever is higher [5].
National Data Protection Authorities (DPAs) continue to actively investigate and fine organizations for cookie consent failures [1]. Enforcement actions have targeted large platforms and small operators alike.
Common compliance mistakes:
- Firing analytics or advertising cookies on page load before consent is registered.
- Using consent banners that do not block cookies until after interaction.
- Failing to honor consent withdrawal promptly.
- Not updating consent records when cookie policies change.
- Treating cookie notices as equivalent to consent mechanisms.
How Long Can Cookies Be Stored Under ePrivacy Directive Rules
The ePrivacy Directive does not specify a maximum cookie storage duration directly. However, the GDPR's data minimization and storage limitation principles apply where cookies process personal data. Consent should be time-limited, and regulators generally expect organizations to re-request consent periodically, commonly cited guidance suggests 12 months as a reasonable interval, though this is not a hard statutory limit [6].
Practical guidance: Set cookie expiry periods proportionate to their purpose. A session cookie should expire when the browser closes. An analytics cookie does not need a two-year lifespan if six months serves the same purpose.
What Are Common Mistakes Companies Make With ePrivacy Compliance
Beyond the issues noted above, several patterns consistently appear in enforcement cases and audits:
- Implied consent: Assuming that continued browsing constitutes consent. This has been explicitly rejected by EU courts and DPAs.
- Bundled consent: Combining cookie consent with privacy policy acceptance in a single click.
- Inconsistent geo-targeting: Applying stricter consent rules only for users from certain countries while serving tracking cookies to others, a risk given that enforcement can follow the user's location.
- Ignoring national variations: Assuming that a single banner configuration satisfies all EU member states, when in fact some countries have stricter national requirements [6].
- No consent audit trail: Failing to log what users consented to, when, and under which version of the privacy notice [1].
Conclusion
The relationship between The ePrivacy Directive vs. GDPR: Navigating the EU's Cookie Rules is not a matter of choosing one framework over the other, both apply, and both must be satisfied. The ePrivacy Directive defines when consent is needed for cookies; the GDPR defines what valid consent looks like. Together, they form the legal foundation for cookie compliance across the EU.
The regulatory landscape is shifting. The ePrivacy Regulation proposal was withdrawn in early 2025, and the Digital Omnibus Package now proposes folding cookie rules directly into the GDPR through Articles 88a and 88b. Final text is expected by late 2026 or early 2027, but current obligations remain fully in force in the meantime.
Actionable next steps for 2026:
- Audit your website's cookie behavior to confirm no non-essential cookies fire before consent is captured.
- Review your consent banner for dark patterns and ensure "reject" options are as prominent as "accept."
- Implement a CMP such as Biscotti CMP that logs consent records and supports granular category management.
- Monitor the Digital Omnibus Package's progress and assess whether your CMP vendor is preparing for browser-level consent signal support.
- Check the national transposition of the ePrivacy Directive in each EU member state where you have significant user traffic.
FAQ
Q: Does the GDPR replace the ePrivacy Directive for cookies? No. The GDPR and the ePrivacy Directive coexist. The ePrivacy Directive remains the primary law requiring consent for cookies; the GDPR governs what valid consent means and how personal data processed via cookies must be handled.
Q: What is the ePrivacy Regulation, and is it still coming? The ePrivacy Regulation was a proposed EU law intended to replace the ePrivacy Directive with a directly applicable regulation. It was formally withdrawn by the European Commission in February 2025 and will not proceed in its current form.
Q: What is the Digital Omnibus Package? The Digital Omnibus Package, unveiled in November 2025, is an EU legislative proposal that would simplify digital regulation by integrating cookie consent rules into the GDPR via new Articles 88a and 88b. As of July 2026, it is still under legislative review.
Q: Are analytics cookies exempt from consent requirements? No. Analytics cookies that identify individual users or devices are non-essential and require prior consent under the ePrivacy Directive, regardless of whether they are used for commercial purposes.
Q: Can a cookie wall (blocking access unless users accept cookies) constitute valid consent? Generally no. EU regulators and courts have found that consent obtained through cookie walls is not freely given under the GDPR, because users have no genuine choice. Some national DPAs allow cookie walls in limited circumstances if a paid alternative is offered, but this remains contested.
Q: How often must users be asked to re-consent to cookies? There is no fixed statutory period, but regulators generally expect consent to be refreshed when the purposes or cookie list change materially, or after a reasonable period (often cited as 12 months in practice). Consent obtained under a previous version of a privacy notice may not cover new processing activities.
Q: What is a strictly necessary cookie? A strictly necessary cookie is one without which a service explicitly requested by the user cannot function, for example, a login session token or a shopping cart identifier. These are exempt from the ePrivacy Directive's consent requirement.
Q: Does the ePrivacy Directive apply to non-EU businesses? Yes, if those businesses target or serve users located in the EU. The territorial scope follows the user's location, not the operator's registered address.
Q: What should I look for in a Consent Management Platform? A compliant CMP should block non-essential cookies before consent, support granular consent categories, log consent with timestamps, allow easy withdrawal, and be prepared to support browser-level consent signals as required under the proposed GDPR amendments.
Q: Can I use a single cookie banner for the entire EU? A single banner can work as a baseline, but because the ePrivacy Directive has been transposed differently across member states, some countries may have stricter requirements. Legal review against each target market's national law is advisable for high-traffic sites.
References
[1] Gdpr Cookie Consent 2026 - https://www.consenteo.com/knowledge-hub/GDPR/gdpr_cookie_consent_2026?utm_source=openai
[2] Baking A New Batch Digital Omnibus And Cookies - https://www.considerati.com/publications/baking-a-new-batch-digital-omnibus-and-cookies/?utm_source=openai
[3] Eu Digital Omnibus Cookie Consent Gdpr 88a 88b Cmp Browser Signals - https://inimino.org/eu-digital-omnibus-cookie-consent-gdpr-88a-88b-cmp-browser-signals/?utm_source=openai
[4] Eu Digital Omnibus And Gdpr Changes - https://www.ontapgroup.com/blog/eu-digital-omnibus-and-gdpr-changes?utm_source=openai
[5] Gdpr Cookie Consent Requirements Banners And Fines - https://legalclarity.org/gdpr-cookie-consent-requirements-banners-and-fines/?utm_source=openai
[6] Eprivacy Directive Cookie Law Guide - https://cookiebeam.com/guides/eprivacy-directive-cookie-law-guide?utm_source=openai
[7] arxiv - https://arxiv.org/abs/2606.31485?utm_source=openai