ePrivacy Directive and Analytics: EU Cookie Rules That Still Apply
The ePrivacy Directive is the EU law that mandates cookie consent — separate from GDPR. It is the reason you see consent banners on every European website.
The ePrivacy Directive is why cookie banners exist. Cookieless analytics is why they do not have to.
EU cookie rules for analytics: what the law requires and how to comply without losing data.
Jump to section
What Is the ePrivacy Directive?
The ePrivacy Directive (officially Directive 2002/58/EC, amended by 2009/136/EC) is the EU law responsible for the cookie consent banners you see on virtually every European website. It requires informed consent before any non-essential information is stored on or accessed from a user's device.
While GDPR gets more attention, the ePrivacy Directive is actually the older law — and the more specific one when it comes to cookies. GDPR provides the general framework for data protection. The ePrivacy Directive adds specific rules about electronic communications, including cookies, tracking pixels, local storage, and device fingerprinting.
The key provision is Article 5(3): you must obtain consent before storing or accessing information on a user's terminal equipment, unless the storage is strictly necessary for providing the service the user requested.
Two Laws, One Consent Banner
The consent banner exists because of the ePrivacy Directive, not GDPR. GDPR provides the rules for what counts as valid consent. The ePrivacy Directive mandates asking for it before setting cookies.
ePrivacy Directive vs GDPR: Key Differences
Website owners often conflate these two regulations. Understanding the distinction is important for compliance.
| Aspect | ePrivacy Directive | GDPR |
|---|---|---|
| Scope | Device access: cookies, tracking pixels, local storage | Personal data processing: collection, storage, use |
| Cookie consent | Required before any non-essential cookie | Provides rules for valid consent |
| Legal basis options | Consent only (no legitimate interest for cookies) | Consent, legitimate interest, contract, legal obligation, etc. |
| Enforcement | National telecoms regulators | National data protection authorities |
| Year enacted | 2002 (amended 2009) | 2018 |
| Implementation | Each EU country transposes into national law | Directly applicable across all EU states |
| Analytics impact | Consent needed before setting analytics cookies | Consent or legitimate interest for processing analytics data |
Critical Point
Even if you have a valid GDPR legal basis (like legitimate interest) for processing analytics data, you still need ePrivacy consent before setting the cookie that collects it. The two laws stack — you must comply with both.
How the ePrivacy Directive Affects Website Analytics
The ePrivacy Directive has three major impacts on website analytics.
First, any analytics tool that sets cookies requires consent before loading. GA4, Adobe Analytics, Hotjar, and any cookie-based tool must wait for "Accept" before the tracking script fires. Visitors who reject or ignore the banner are invisible.
Second, the consent must be informed, specific, and freely given. Pre-checked boxes, implied consent, and "cookie walls" (blocking content until consent is given) have all been ruled non-compliant by EU courts.
Third, you must provide an easy way for users to withdraw consent at any time. Withdrawing must be as easy as giving consent.
20-40%
Visitors lost to consent rejection
2002
Year ePrivacy Directive enacted
27
EU countries with local implementations
Bring External Site Data Into Copper
Pull roadmaps, blog metadata, and operational signals into one dashboard without asking every team to learn a new workflow.
National Implementations Vary Across the EU
Because the ePrivacy Directive is a directive (not a regulation), each EU member state transposes it into national law differently. This creates a patchwork of cookie rules across Europe.
France's CNIL has been the strictest enforcer, issuing tens of millions in fines to Google, Amazon, and Facebook for cookie violations. Germany, Italy, Spain, the Netherlands, and Belgium have all taken varying enforcement actions.
For website owners operating across the EU, the safest approach is to comply with the strictest interpretation (France/CNIL) or avoid cookies entirely.
Simplest Compliance Strategy
Instead of researching 27 different national cookie implementations, use a cookieless analytics tool. No cookies = no ePrivacy consent required in any EU country.
Frequently Asked Questions
What is the ePrivacy Directive?
EU Directive 2002/58/EC — the law that requires consent before setting cookies or accessing information on a visitor's device. It is the reason cookie consent banners exist on virtually every European website.
Is the ePrivacy Directive the same as GDPR?
No. GDPR governs personal data processing. The ePrivacy Directive governs device access (cookies, tracking pixels, local storage). Both apply simultaneously to websites with EU visitors — you must comply with both.
Do I need consent for Google Analytics under the ePrivacy Directive?
Yes. GA4 sets cookies (_ga, _gid) on visitor devices, which requires informed consent under Article 5(3) before the tracking script loads. You cannot use legitimate interest to bypass this requirement.
What is the ePrivacy Regulation (ePR)?
A proposed replacement for the ePrivacy Directive that would apply directly across all EU states (like GDPR) rather than requiring national transposition. It has been in negotiation since 2017 and remains stalled in EU trilogue as of 2026.
How do I comply with the ePrivacy Directive for analytics?
Two paths: implement a fully compliant consent banner and only load analytics after consent (which loses 20-40% of visitor data), or switch to a cookieless analytics tool like Copper Analytics that does not trigger Article 5(3) at all.
What to Do Next
The right stack depends on how much visibility, workflow control, and reporting depth you need. If you want a simpler way to centralize site reporting and operational data, compare plans on the pricing page and start with a free Copper Analytics account.
You can also keep exploring related guides from the Copper Analytics blog to compare tools, setup patterns, and reporting workflows before making a decision.