---
url: https://eurocomply.app/regulations/eprivacy
canonical: https://eurocomply.app/regulations/eprivacy
title: Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directive 2009/136/EC) — EuroComply
shortName: ePrivacy Directive
alternateNames: [Cookie Law, Directive on privacy and electronic communications]
regulationNumber: 2002/58/EC
celex: 32002L0058
instrumentType: directive
status: in-force
inForceDate: 2002-07-31
applicationDate: 2003-10-31
transpositionDeadline: 2003-10-31
extraterritorialReach: false
sourceUrl: https://eur-lex.europa.eu/eli/dir/2002/58/oj
officialJournalRef: OJ L 201, 31.7.2002, p. 37–47
lastReviewed: 2026-05-12
author: EuroComply Team
license: CC-BY-4.0
---

# Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended by Directive 2009/136/EC)

The EU's directive on privacy in electronic communications. Sets rules on confidentiality of communications, cookies and similar tracking technologies (Article 5(3)), unsolicited marketing communications, and traffic/location data. The intended replacement ePrivacy Regulation has been in EU legislative negotiation since 2017 and has not been adopted; the current Directive remains in force.

## Who does the ePrivacy Directive apply to?

Applies to processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the EU.

**Applies to:**

- providers of publicly available electronic communications services
- operators of cookies / similar tracking technologies on user devices

## What are the penalties for ePrivacy Directive non-compliance?

**Maximum fine:** Penalties set by national law. Cookie/consent violations may also trigger GDPR Article 83 penalties via the personal-data overlap.

**Tier detail:**

- Member-state penalties for ePrivacy violations: set by national law — Article 15a
- GDPR overlap for personal-data consent breaches: up to €20M or 4% of global turnover (maximum, via GDPR Article 83(5)) — GDPR Article 83

## When does the ePrivacy Directive apply?

**Key dates:**

- 2002-07-31 — Entry into force (Article 21)
- 2003-10-31 — Transposition deadline (Article 17)
- 2009-11-19 — Amendments by Directive 2009/136/EC (cookies, breach notification) (Article 5(3) amended)

## Supervising authorities

- National DPAs (in most member states) *(member-state)*
- National communications regulators (in some member states) *(member-state)*

## Sector applicability

- telecoms, ISPs, OTT communications, any website using cookies or similar tracking

## Primary articles

- **confidentialityOfCommunications:** Article 5
- **cookiesAndTracking:** Article 5(3)
- **trafficData:** Article 6
- **locationData:** Article 9
- **unsolicitedCommunications:** Article 13
- **penalties:** Article 15a

## Source

Authoritative text: [2002/58/EC — EUR-Lex](https://eur-lex.europa.eu/eli/dir/2002/58/oj) (OJ L 201, 31.7.2002, p. 37–47).

---

Informational only. Not legal advice — consult qualified legal counsel for your specific situation.

Last reviewed: 2026-05-12 by the EuroComply Team. License: CC-BY-4.0.
