What is the ePrivacy Directive and who does it apply to?

The ePrivacy Directive (2002/58/EC) establishes specific privacy rules for electronic communications across the EU. It applies to any organisation that operates websites with cookies, sends marketing emails or SMS, or provides communication services in the EU. Key areas include cookie consent requirements, electronic marketing rules, and communication confidentiality obligations.

How does ePrivacy compliance differ from GDPR compliance?

While GDPR sets general personal data protection rules, ePrivacy provides specific requirements for electronic communications. The ePrivacy Directive complements GDPR with detailed rules for cookie consent, electronic marketing (email, SMS), and communication confidentiality. Many consent mechanisms can meet both ePrivacy and GDPR requirements simultaneously, reducing compliance duplication.

What are the three core compliance areas of the ePrivacy Framework?

The three core areas are: 1) Cookie and Tracking Management - requiring valid consent before storing or accessing information on users' devices; 2) Electronic Marketing Rules - covering opt-in consent, identification requirements, and unsubscribe mechanisms for email, SMS, and automated calls; 3) Communication Services Obligations - protecting communication confidentiality and security of traffic data for telecom and messaging providers.

How does the ePrivacy Framework integrate with other compliance frameworks?

The ePrivacy Framework integrates seamlessly with GDPR (consent infrastructure), ISO 27001 (information security for communication confidentiality), NIS2 (security measures for telecom operators), and the AI Act (transparency for automated decision-making). This integration means you can reuse documentation, leverage existing consent mechanisms, and avoid duplicating compliance work across frameworks.

What are the requirements for valid cookie consent under ePrivacy?

Valid cookie consent under ePrivacy requires obtaining user permission before storing or accessing information on their devices. This includes clear information about cookie purposes, granular consent options for different cookie categories, easy withdrawal mechanisms, and proof of consent. Cookie banners must be implemented before any non-essential cookies are set, and users must be able to use the website if they refuse consent.

What are the electronic marketing compliance requirements under ePrivacy?

Electronic marketing under ePrivacy requires opt-in consent before sending promotional emails, SMS, or automated calls. Organisations must clearly identify themselves in communications, provide easy unsubscribe mechanisms, maintain consent records, and honour opt-out requests promptly. Special rules apply to business-to-business (B2B) marketing and the soft opt-in exception for existing customer relationships.

Who needs to comply with communication services obligations under ePrivacy?

Communication services obligations apply to telecom operators, internet service providers, messaging service providers, and any organisation offering electronic communication services. Requirements include protecting communication confidentiality, securing traffic and location data, implementing security measures against unauthorised access, notifying users of security breaches, and maintaining appropriate technical safeguards.

How can .legal's ePrivacy Framework help my organisation achieve compliance?

.legal's ePrivacy Framework maps all directive requirements into clear, action-oriented tasks. The platform helps you manage cookie consent, track electronic marketing permissions, document communication security measures, and integrate ePrivacy compliance with your existing GDPR, ISO 27001, NIS2, and AI Act programmes. You can reuse documentation, avoid duplication, and maintain comprehensive compliance records in one centralised system.

What penalties apply for ePrivacy non-compliance?

ePrivacy violations can result in significant penalties under national laws implementing the directive. Many EU member states impose fines up to €20 million or 4% of global annual turnover (aligning with GDPR penalty levels). Data protection authorities can issue warnings, order corrective actions, impose processing limitations, and require organisations to delete unlawfully processed data. Penalties vary by member state and violation severity.

Will the ePrivacy Directive be replaced by the ePrivacy Regulation?

The EU is developing an ePrivacy Regulation to replace the current directive and align more closely with GDPR. While negotiations continue, the current ePrivacy Directive (2002/58/EC) remains in force. The proposed regulation will introduce stronger enforcement mechanisms, harmonise rules across EU member states, and clarify requirements for new technologies and services. Organisations should monitor developments while maintaining compliance with existing requirements.

FRAMEWORK .legal | ePrivacy Framework

ePrivacy compliance professional managing cookie banners and electronic marketing consent requirements on .legal platform interface

ePrivacy framework dashboard showing cookie consent management, electronic marketing rules, and communication security requirements

ePRIVACY FRAMEWORK Navigate ePrivacy Compliance with Confidence

The ePrivacy Directive (2002/58/EC) establishes specific privacy rules for electronic communications across the EU. Complex requirements for cookie consent, electronic marketing, and communication confidentiality. We've mapped all ePrivacy requirements into clear, action-oriented frameworks for optimal compliance.

Cookie banners, marketing opt-ins, communication security – the ePrivacy Framework covers all requirements and integrates seamlessly with your existing GDPR compliance work. You're covered if you operate websites with cookies, send marketing emails or SMS, or provide communication services in the EU.

Three core compliance areas:

Cookie & Tracking Management Requirements for valid consent before storing or accessing information on users' devices.
Electronic Marketing Rules for opt-in consent, identification requirements, and unsubscribe mechanisms for email, SMS, and automated calls.
Communication Services Obligations to protect communication confidentiality and security of traffic data for telecom and messaging providers.

Integrated ePrivacy compliance framework showing synergies with GDPR, ISO 27001, NIS2, and AI Act requirements

ePRIVACY FRAMEWORK Don't start from scratch

The ePrivacy Framework integrates seamlessly with your existing compliance programmes. Don't repeat work – maximise the value of your current investments:

Framework Synergies:

The same consent mechanisms meet both ePrivacy and GDPR requirements
Documentation and privacy policies can be reused across frameworks
Investing in one area strengthens compliance on multiple fronts
Less duplication of work and resources

Examples of overlapping frameworks:

GDPR Personal data protection and consent management. ePrivacy complements GDPR with specific rules for electronic communications, cookies, and marketing. Your existing GDPR consent infrastructure and privacy notices form the foundation for ePrivacy compliance.
ISO 27001 Information security management and access controls directly support ePrivacy's requirements for protecting communication confidentiality and securing traffic data against unauthorised access.
NIS2 For digital service providers and telecom operators, security measures for protecting network infrastructure overlap with ePrivacy's requirements for communication security and incident handling.
AI Act Transparency requirements for AI systems that process communication data or marketing preferences align with ePrivacy's obligations around user information and consent for automated decision-making.

Our Customers

+400

companies

+10.000

users

+79.000

contracts

+14.000

processing activities

Bech-Bruun

Mikkel Friis Rossa (Partner)

.legal's team has consistently demonstrated a commitment to innovation while being responsive to the needs of our mutual clients. 

Fenerum

Rasmus Boutrup (Financial Controller)

Case Study

With .legal, we've gained a simpler and more manageable solution that better suits our needs

Lægeforeningen

Michael Berner (Lawyer)

.legal has been the right choice for us. .legal are professional and welcoming with skilled employees.

Molecule Consultancy

Nanna Rodian Christensen (HR & Operational Manager)

Case Study

Firstly, it means that not all the work is in one place (me), and secondly, that the understanding of GDPR is implemented throughout the organisation.

Bech-Bruun

Mikkel Friis Rossa (Partner)

.legal's team has consistently demonstrated a commitment to innovation while being responsive to the needs of our mutual clients. 

Fenerum

Rasmus Boutrup (Financial Controller)

Case Study

With .legal, we've gained a simpler and more manageable solution that better suits our needs

Lægeforeningen

Michael Berner (Lawyer)

.legal has been the right choice for us. .legal are professional and welcoming with skilled employees.

Molecule Consultancy

Nanna Rodian Christensen (HR & Operational Manager)

Case Study

Firstly, it means that not all the work is in one place (me), and secondly, that the understanding of GDPR is implemented throughout the organisation.

Novicell

Julie Oxenvad (Legal Consultant)

Case Study

We are satisfied with the switch to .legal – it has strengthened our compliance work, made processes easier to manage and more transparent, and improved cross-team collaboration

Min By Media

Tinna Schultz (HR Manager)

Case Study

It just works! It is so easy and user-friendly, and the overview of processing activities is brilliant.

DMJX

Kaspar Rochholz (GDPR Coordinator)

Case Study

.legal has really understood what it means to create a user-friendly and efficient solution. Privacy is an attractive product compared to price and functionality.

Axel Kaufmann ApS

Julie Lundkvist Andreasen (Lawyer and Head of Costumer Service)

Case Study

.legal continuously update the platform to ensure their customers always remain compliant. In our view, any other choice would be a downgrade.

Novicell

Julie Oxenvad (Legal Consultant)

Case Study

We are satisfied with the switch to .legal – it has strengthened our compliance work, made processes easier to manage and more transparent, and improved cross-team collaboration

Min By Media

Tinna Schultz (HR Manager)

Case Study

It just works! It is so easy and user-friendly, and the overview of processing activities is brilliant.

DMJX

Kaspar Rochholz (GDPR Coordinator)

Case Study

.legal has really understood what it means to create a user-friendly and efficient solution. Privacy is an attractive product compared to price and functionality.

Axel Kaufmann ApS

Julie Lundkvist Andreasen (Lawyer and Head of Costumer Service)

Case Study

.legal continuously update the platform to ensure their customers always remain compliant. In our view, any other choice would be a downgrade.

.legal Compliance Hub

Read all about .legals compliance on our compliance hub.

ISAE 3402

Get a copy of .legal A/S's latest ISAE3402 (type 2) IT security statement

ISAE 3402 statement
ISAE 3000

Get a copy of .legal A/S's latest ISAE3000 (type 2) statement of our GDPR compliance

ISAE 3000 statement
Data Processing Agreement (DPA)

Find .legal A/S's data processing agreement here.

Data processing agreement
IT security

All .legal A/S's implemented and approved IT security measures are described here.

IT Security Measures