EU ePrivacy Directive (2002/58/EC)
Directive 2002/58/EC (the ePrivacy Directive) is the EU sectoral lex specialis on privacy in the electronic communications sector, alongside the GDPR (which is the lex generalis for personal data). The 2009/136/EC amendment introduced the prior-consent rule for cookies and similar storage-of-information technologies (Article 5(3)) and the security and personal-data-breach-notification regime (Article 4). The Directive applies to providers of publicly available electronic communications services and to natural and legal persons placing or accessing information stored in subscribers' / users' terminal equipment. The proposed ePrivacy Regulation has been WITHDRAWN by the European Commission (February 2025); the 2002/58/EC Directive remains the in-force instrument until the Commission tables a new proposal. Key operational articles: Article 4 security of services + personal-data-breach notification (60-day model in Article 4(3) feeds the GDPR Art.33-34 baseline); Article 5 confidentiality of the communications + Article 5(3) prior-consent storage-of-information rule (cookies, tracking pixels, fingerprinting); Article 6 traffic data; Article 7 itemised billing; Article 8 calling-line identification; Article 9 location data other than traffic data; Article 13 unsolicited communications (email/SMS/voice marketing).
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (5)
ePrivacy - Implementation, Enforcement and Final (Articles 14-21)
| Code | Title |
|---|---|
| ePD-Art.14 | Technical features and standardisation (Article 14) |
| ePD-Art.14a_15a | Committee procedure and implementation/enforcement (Articles 14a and 15a) |
| ePD-Art.15 | Application of Directive 95/46/EC provisions and Article 15(1) Member-State restrictions (Article 15) |
| ePD-Art.16_17 | Transitional arrangements and transposition (Articles 16-17) |
| ePD-Art.18_19_20_21 | Review, repeal, entry into force and addressees (Articles 18-21) |
| ePD-Status.eRegWithdrawn | Status: proposed ePrivacy Regulation withdrawn (February 2025) |
ePrivacy - Scope and Definitions (Articles 1-3)
| Code | Title |
|---|---|
| ePD-Art.1_2_3 | Scope, definitions and services concerned (Articles 1-3) |
ePrivacy - Security and Confidentiality (Articles 4-5)
| Code | Title |
|---|---|
| ePD-Art.4 | Security of services and personal-data-breach notification (Article 4) |
| ePD-Art.5 | Confidentiality of communications including the Article 5(3) cookie consent rule |
ePrivacy - Traffic, Billing, CLI, Location and Directories (Articles 6-12)
| Code | Title |
|---|---|
| ePD-Art.10_11_12 | Exceptions, automatic call forwarding and directories of subscribers (Articles 10-12) |
| ePD-Art.6 | Traffic data (Article 6) |
| ePD-Art.7 | Itemised billing (Article 7) |
| ePD-Art.8 | Calling-line and connected-line identification (Article 8) |
| ePD-Art.9 | Location data other than traffic data (Article 9) |
ePrivacy - Unsolicited Communications (Article 13)
| Code | Title |
|---|---|
| ePD-Art.13 | Unsolicited communications (Article 13) |
Maps to 2 other frameworks
Frequently Asked Questions
What is EU ePrivacy Directive (2002/58/EC)?
EU ePrivacy Directive (2002/58/EC) is a compliance framework from European Union with 5 domains and 15 controls. Directive 2002/58/EC (the ePrivacy Directive) is the EU sectoral lex specialis on privacy in the electronic communications sector, alongside the GDPR (which is the lex generalis for personal data). The 2009/136/EC amendment introduced the prior-consent rule for cookies and similar storage-of-information technologies (Article 5(3)) and the security and personal-data-breach-notification regime (Article 4). The Directive applies to providers of publicly available electronic communications services and to natural and legal persons placing or accessing information stored in subscribers' / users' terminal equipment. The proposed ePrivacy Regulation has been WITHDRAWN by the European Commission (February 2025); the 2002/58/EC Directive remains the in-force instrument until the Commission tables a new proposal. Key operational articles: Article 4 security of services + personal-data-breach notification (60-day model in Article 4(3) feeds the GDPR Art.33-34 baseline); Article 5 confidentiality of the communications + Article 5(3) prior-consent storage-of-information rule (cookies, tracking pixels, fingerprinting); Article 6 traffic data; Article 7 itemised billing; Article 8 calling-line identification; Article 9 location data other than traffic data; Article 13 unsolicited communications (email/SMS/voice marketing). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does EU ePrivacy Directive (2002/58/EC) have?
EU ePrivacy Directive (2002/58/EC) has 15 controls organised across 5 domains. The largest domains are ePrivacy - Implementation, Enforcement and Final (Articles 14-21) (6 controls), ePrivacy - Traffic, Billing, CLI, Location and Directories (Articles 6-12) (5 controls), ePrivacy - Security and Confidentiality (Articles 4-5) (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does EU ePrivacy Directive (2002/58/EC) map to?
EU ePrivacy Directive (2002/58/EC) maps to 2 other compliance frameworks. The top mapping partners are GDPR (27% coverage), Digital Services Act (DSA) - Regulation (EU) 2022/2065 (7% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with EU ePrivacy Directive (2002/58/EC) compliance?
Start your EU ePrivacy Directive (2002/58/EC) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about EU ePrivacy Directive (2002/58/EC) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 15 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required