How much can my company be fined under ePrivacy?
ePrivacy penalties are set per member state (the GDPR rates of €20M/4% apply where the violation also breaches GDPR). This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.
The ePrivacy Directive governs electronic communications privacy, including cookies and tracking, with penalties reaching €20 million per member state for violations. Enforcement is fragmented across 27 national regulators, but fines are increasingly common.
| Item | Detail |
| --- | --- |
| Directive | Directive 2002/58/EC — ePrivacy Directive |
| Enforcement | In force since 2002; updated 2009 (cookies) |
| Maximum Fine | Up to €20 million per member state (varies) |
| Key Obligation | Obtain explicit consent before placing cookies/tracking on user device |
| Status | ePrivacy Regulation (replacement) pending; Directive remains in force |
Common Questions
- What is the ePrivacy Directive and how does it relate to GDPR?
  - The ePrivacy Directive (2002/58/EC) governs electronic communications privacy, including cookies, email marketing, and confidentiality. GDPR covers personal data processing. They operate together: ePrivacy requires consent for placing cookies (the technical act), and GDPR requires a legal basis for processing the resulting data (the legal act).
- What is a cookie and when does ePrivacy apply?
  - A cookie is any data file stored on a user's device. ePrivacy's consent rule treats categories differently: strictly necessary cookies require no consent; analytics/tracking cookies, advertising cookies, and third-party cookies all require prior explicit consent.
- What cookie consent errors trigger penalties?
  - Enforcement targets: pre-ticked consent boxes, making site use conditional on accepting cookies (except strictly necessary ones), tracking without consent, tracking via fingerprinting, third-party ads without disclosure, dark patterns in consent interfaces, and lack of an easy opt-out.
- How does ePrivacy enforcement work across the EU?
  - Each member state has a national authority (data protection authority, telecommunications regulator, or both) that enforces ePrivacy. This creates 27 different enforcement regimes. Ireland (where many Big Tech companies are based) has been particularly active.
- What notable ePrivacy fines have been issued?
  - Google: €90 million (Ireland) + €10 million (France) for inadequate consent; Meta: €405 million (Ireland) for tracking without consent; Microsoft: €60 million (EDPB recommendation) for tracking. Average fines are €1–50 million.
- Is there a cookie consent replacement coming?
  - Yes. The ePrivacy Regulation (replacing the Directive) is under negotiation and is expected to be finalized 2025–2026. It will modernize cookie rules, broaden the definition of tracking, and create more harmonized enforcement across member states.
Maximum fine
Per member state (GDPR rates of €20M/4% apply where violation also breaches GDPR)
Source: Directive 2002/58/EC
How ePrivacy penalties work
The ePrivacy Directive does not contain its own penalty provisions — enforcement is delegated entirely to Member States. However, where cookie and tracking violations also constitute GDPR violations (as they usually do, given cookies track personal data), DPAs can apply GDPR's Article 83 fines. This effectively means cookie non-compliance can attract the same maximum fines as the worst GDPR violations.
Fine tiers by article
Cookie and tracking violations that also breach GDPR (most common)
Up to €20,000,000 or 4% of global turnover
Applies to:
- Cookie walls that make service access conditional on consent (CNIL decisions)
- Pre-ticked cookie consent boxes (not freely-given consent)
- Analytics cookies loading before consent (e.g. Google Analytics decisions in AT, SE)
- Fingerprinting without consent
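The first three items in that list are configuration defects a site can check for in its own consent layer. The following is an added illustration written for this page (not code from the page's author or any consent-management vendor): a small DOM-free consent gate whose defaults are unticked, which never runs a non-essential tag before an explicit opt-in, plus an audit helper that flags the failure modes listed above in a hypothetical banner configuration object.

```javascript
// Consent gate for non-essential tags. Categories follow this page:
// "necessary" needs no consent; the others need prior, explicit opt-in.
// Pure JavaScript with no DOM so it runs under Node; in a browser the
// loader callbacks would inject the tag scripts.
const CATEGORIES = ['necessary', 'analytics', 'advertising', 'thirdParty'];

function createConsentGate() {
  // Default state: only strictly necessary is allowed. No pre-ticked boxes.
  const granted = { necessary: true, analytics: false, advertising: false, thirdParty: false };
  const pending = []; // tag loaders waiting for consent; never run speculatively
  let decided = false;

  function canLoad(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
    return granted[category];
  }
  // Queue a tag loader; run it now only if its category is already permitted.
  function scheduleTag(category, loader) {
    if (canLoad(category)) { loader(); return true; }
    pending.push({ category, loader });
    return false;
  }
  // Record the user's explicit choice: only categories actively ticked become true.
  function recordChoice(choice) {
    decided = true;
    for (const c of CATEGORIES) if (c !== 'necessary') granted[c] = choice[c] === true;
    const still = pending.filter(t => { if (granted[t.category]) { t.loader(); return false; } return true; });
    pending.length = 0; pending.push(...still);
  }
  // Withdrawal must be as easy as consent: one call resets every non-essential category.
  function withdrawAll() { recordChoice({}); }
  return { canLoad, scheduleTag, recordChoice, withdrawAll,
           pendingCount: () => pending.length, hasDecided: () => decided };
}

// Audit a (hypothetical) banner config against the enforcement targets above.
function auditBannerConfig(cfg) {
  const findings = [];
  for (const [c, v] of Object.entries(cfg.defaults || {}))
    if (c !== 'necessary' && v === true) findings.push(`pre-ticked default for ${c}`);
  if (cfg.rejectButton !== true) findings.push('no reject option as easy as accept');
  if (cfg.blockContentUntilAccept === true) findings.push('cookie wall: access conditional on consent');
  if ((cfg.tagsBeforeConsent || []).some(c => c !== 'necessary')) findings.push('non-essential tags load before consent');
  return findings;
}
```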
Direct marketing, spam, and electronic communications privacy violations
Per member state — typically €50,000–€1,000,000+
Applies to:
- Sending unsolicited commercial emails (spam) without consent
- Cold-calling without prior consent or opt-out mechanism
- Failure to provide an opt-out in marketing emails
Stacked exposure with other EU regulations
ePrivacy violations almost always stack with GDPR, since cookies typically process personal data. DPAs like CNIL and AEPD routinely apply GDPR penalties for cookie consent failures. The highest fines for cookie non-compliance have been in the tens of millions of euros.
Frequently asked questions
What are the penalties for cookie consent violations?
Cookie consent violations are typically enforced under both ePrivacy (national law) and GDPR. Since cookies usually involve personal data, DPAs can apply GDPR Art. 83(5) fines up to €20M or 4% of global annual turnover. France's CNIL fined Google €150M and Meta €60M for cookie consent violations in 2022.
For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.