CIPP/E Study Guide
Ch 8.3 - ePrivacy

Requirements of the ePrivacy Directive

The ePrivacy Directive (2002/58/EC, as amended) adds information requirements for cookies and similar technologies on websites, apps and connected devices. Under Article 5(3), storing or accessing information on a user's terminal equipment is allowed only if the user has given consent after being given clear and comprehensive information. The WP29 reads this as a duty on whoever places the cookie to obtain prior informed consent: information first, then consent before the cookie is set or read. Full disclosure is required regardless of the consent mechanism; many operators use a stand-alone cookie policy.

  • Scope: cookies and similar technologies on websites, applications and increasingly other connected devices.
  • Rule: under Article 5(3), storing or accessing information on a user's terminal equipment requires consent given after clear and comprehensive information.
  • Order: information about the cookie and its purposes first, then consent before the cookie is placed or read (prior informed consent).
  • Disclosure duty applies irrespective of the consent mechanism chosen; cookie consent is covered in detail in Chapter 17.

Prior informed consent

The WP29 reads Article 5(3) as requiring the entity placing the cookie to obtain prior informed consent: the user must be told about the cookie and its purposes before consenting, and consent must come before the cookie is set or the stored information retrieved.

Key terms - quick answers

What is “ePrivacy Directive”?
Directive 2002/58/EC on privacy in electronic communications; sets cookie/consent rules and is likely to be replaced by a proposed ePrivacy Regulation.

What is “Article 5(3) ePrivacy”?
Permits storing/accessing information on a user's terminal equipment only with the user's consent given after clear and comprehensive information.