Directive on Privacy and Electronic Communications (ePrivacy Directive)


    Directive on Privacy and Electronic Communications (ePrivacy Directive)

    Directive 2002/58/EC, amended by Directive 2009/136/EC

    The ePrivacy Directive applies to ‘the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks’ in the EU.

    Last Updated: July 30, 2019

  • General

    The ePrivacy Directive (ePR) concerns the processing of personal data and the protection of privacy in the electronic communications sector.  Each EU Member State was required to transpose the Directive’s requirements into national legislation, which has resulted in variation across the EU.

    The ePrivacy Directive complements the EU General Data Protection Regulation (GDPR), providing for specific requirements around metadata, e-marketing, cookies, and more. It is expected to be replaced by the draft ePrivacy Regulation.

  • Lawfulness, Fairness and Nondiscrimination


    The ePR requires that organisations obtain consent and provide clear and comprehensive notice prior to storing or accessing information (e.g., cookies) on an individual’s device.

    Exceptions to this requirement include where the storage or access is for the “sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.’


    Opt-in consent is required prior to engaging in most forms of direct e-marketing (including email and SMS).

    However, there is an exception that allows organisations to send direct e-marketing about to existing customers on an opt-out basis about where:

    1. the recipient’s contact details were originally collected ‘in the context of the sale of a product or a service;
    2. the marketing is in relation to ‘similar products or services’; and
    3. the data subjects are ‘given the opportunity to object, free of charge and in an easy manner.’

    Location Data

    Under the ePR, location data may be processed only if it is anonymized or if consent of the data subject is obtained.

  • Security and Prevention

    Providers of publicly available electronic communications services must have appropriate technical and organisational measures in place.

  • Data Subject Rights

    Under the ePR, recipients of e-marketing must always be given an opportunity to opt out of future marketing. Additionally, users of publicly available electronic communication services have rights related to itemised billing, caller identification, directories, call forwarding and unsolicited calls.

    Individuals also have a private right of action in cases of unlawful communications.

  • Incident and Breach

    Electronic communications service providers must notify the relevant data protection authority (DPA) and relevant individuals in cases where a breach is likely to ‘adversely affect the personal data or privacy of a subscriber or individual.’

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.