Most people think GDPR governs cookies, but it doesn't — not directly. The actual cookie rules come from the ePrivacy Directive (2002/58/EC) and its national implementations, like the UK's PECR. Understanding this distinction is critical for compliance, because ePrivacy rules apply regardless of whether you process personal data.
ePrivacy vs GDPR: Key Differences
| Aspect | ePrivacy / PECR | GDPR |
|---|---|---|
| Scope | Electronic communications (cookies, email, trackers) | All personal data processing |
| Applies to | Any terminal equipment storage/access | Personal data only |
| Consent standard | Prior informed consent for non-essential cookies | Freely given, specific, informed, unambiguous |
| Controller vs user | Whoever sets the cookie | Whoever determines processing purpose |
| Exemptions | Strictly necessary cookies | Multiple legal bases available |
| Enforcement | National authorities (e.g., ICO, CNIL) | National DPAs + EDPB |
What ePrivacy/PECR Actually Requires
Consent Before Setting Cookies
You must obtain consent before setting any cookie or similar technology on a user's device, unless the cookie is strictly necessary for the service the user requested.
Strictly Necessary Exemption
The following cookies do NOT require consent:
- Session cookies for shopping carts
- Authentication cookies (login state)
- Security cookies (CSRF tokens)
- Load balancing cookies
- User interface customization cookies (language preference)
- Cookie consent preference cookies
Cookies That Always Require Consent
- Analytics cookies (Google Analytics, Hotjar, etc.)
- Advertising and retargeting cookies
- Social media tracking pixels
- A/B testing cookies
- Personalization cookies (beyond basic preferences)
- Third-party embedded content cookies
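The three rules above (consent before storage, the strictly-necessary exemption, and the categories that always need consent) are easy to state and easy to get wrong in code, usually because a tag manager fires before the banner has been answered. The following JavaScript is an added example, not code from the original page or from PrivacyChecker: a small consent gate that refuses any non-essential write until a current, affirmative decision exists, lets the exempt categories through, and fails closed on cookies nobody registered. The category names, the cookie registry, the `jar.set` interface and the 180-day re-consent window are assumptions (the window is modelled on the six-month re-ask the page attributes to the Italian guidelines). It runs under Node without a browser.

```javascript
// Added example, not code from the original page. Enforces the ePrivacy rule:
// nothing non-essential is stored on the device before an affirmative consent
// decision. Category names, registry entries and the re-consent window are
// assumptions for illustration.

// Categories the page lists as exempt from consent (strictly necessary).
const STRICTLY_NECESSARY = new Set([
  'session',            // shopping-cart session
  'auth',               // login state
  'security',           // CSRF tokens
  'load-balancing',
  'ui-preference',      // language choice
  'consent-preference', // the banner's own record of the user's choice
]);

// Assumed re-consent window (the page notes Italy requires re-asking every 6 months).
const MAX_CONSENT_AGE_MS = 180 * 24 * 60 * 60 * 1000;

// Constructed registry: every cookie this site may set, mapped to a category.
// Anything not registered is refused (fail closed), which also catches
// third-party scripts that quietly add their own cookies.
const COOKIE_REGISTRY = {
  sid:            { category: 'session' },
  csrftoken:      { category: 'security' },
  lang:           { category: 'ui-preference' },
  cookie_consent: { category: 'consent-preference' },
  _ga:            { category: 'analytics' },
  _fbp:           { category: 'advertising' },
  ab_variant:     { category: 'ab-testing' },
};

// A consent record is { decidedAt: <ms since epoch>, categories: { analytics: true, ... } }
// or null while the user has not answered the banner.
function consentIsCurrent(record, nowMs) {
  if (!record || typeof record.decidedAt !== 'number') return false;
  return nowMs - record.decidedAt <= MAX_CONSENT_AGE_MS;
}

// Decide whether a named cookie may be written, and why.
function mayStoreCookie(name, consentRecord, nowMs = Date.now()) {
  const entry = COOKIE_REGISTRY[name];
  if (!entry) return { allowed: false, reason: 'unregistered cookie' };
  if (STRICTLY_NECESSARY.has(entry.category)) {
    return { allowed: true, reason: 'strictly necessary' };
  }
  if (!consentIsCurrent(consentRecord, nowMs)) {
    return { allowed: false, reason: 'no current consent decision' };
  }
  // Only an explicit true counts; absent or false means refused, so "Reject All"
  // and "no answer yet" behave the same way.
  if (consentRecord.categories[entry.category] === true) {
    return { allowed: true, reason: `consented to ${entry.category}` };
  }
  return { allowed: false, reason: `consent refused for ${entry.category}` };
}

// Wrap a cookie jar so every write passes through the gate. `jar.set(name, value)`
// is the only method assumed; in a browser it would write document.cookie.
function makeGatedJar(jar, getConsent, now = () => Date.now()) {
  return {
    set(name, value) {
      const verdict = mayStoreCookie(name, getConsent(), now());
      if (verdict.allowed) jar.set(name, value);
      return verdict;
    },
  };
}

// Audit helper: given cookie names observed before any consent choice, return
// those that should not have been set. Handy when checking a banner deployment.
function auditPreConsentCookies(observedNames) {
  return observedNames.filter((name) => !mayStoreCookie(name, null).allowed);
}

// Constructed run: banner unanswered, then answered with analytics only.
const writes = [];
const consentState = { record: null };
const gated = makeGatedJar({ set: (n, v) => writes.push(`${n}=${v}`) }, () => consentState.record);
gated.set('csrftoken', 'abc'); // allowed: strictly necessary
gated.set('_ga', 'GA1.1');     // refused: no decision yet
consentState.record = { decidedAt: Date.now(), categories: { analytics: true } };
gated.set('_ga', 'GA1.1');     // allowed now
gated.set('_fbp', 'fb.1');     // refused: advertising not consented
console.log(writes);           // → [ 'csrftoken=abc', '_ga=GA1.1' ]
```

The design choice worth copying is the fail-closed registry: a cookie that nobody classified is treated as non-essential, so a new tracker cannot slip through by being unknown. `auditPreConsentCookies` is the same gate run in reverse, useful for checking a page load with the banner still open.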
National Implementations
| Country | Law | Authority | Notable Requirement |
|---|---|---|---|
| UK | PECR 2003 | ICO | Consent must be "informed" — explain each cookie category |
| France | Loi Informatique | CNIL | "Refuse All" must be as easy as "Accept All" |
| Germany | TDDDG (formerly TTDSG) | BfDI / State DPAs | Applies to all teleservices, not just websites |
| Italy | Cookie Guidelines 2021 | Garante | Must re-ask consent every 6 months even if previously given |
| Spain | LSSI | AEPD | "Cookie wall" approach is prohibited |
| Netherlands | Telecommunicatiewet | AP | Analytics require consent (no legitimate interest exemption) |
The Upcoming ePrivacy Regulation
The EU has been working on an ePrivacy Regulation to replace the 2002 Directive. When adopted, it will become directly applicable without national transposition. Key expected changes:
- Browser-level consent settings may satisfy website consent requirements
- Metadata protection (location data, traffic data)
- Harmonized rules across all EU member states
- Higher fines aligned with GDPR (up to €20M / 4% turnover)
Common Compliance Mistakes
- Relying on "legitimate interest" for analytics cookies: ePrivacy doesn't have a legitimate interest exception — consent is required
- Cookie walls: Blocking content until cookies are accepted is prohibited in most jurisdictions
- Assuming "necessary" broadly: Analytics are not "strictly necessary" for the service the user requested
- Missing "Reject All" button: Dark patterns in consent flows are heavily scrutinized
- Ignoring non-cookie technologies: ePrivacy also covers local storage, fingerprinting, and tracking pixels
Scan your website with PrivacyChecker to identify all cookies and tracking technologies, and verify your consent banner meets ePrivacy requirements in your target markets.