ePrivacy Directive — Directive 2002/58/EC, amended by 2009/136/EC ("the Cookie Directive"). Pre-dates GDPR but is the legal source of the cookie consent requirement specifically.
Article 5(3) is the cookie article: prior consent is required for storing information on a user's terminal equipment, or accessing information already stored there, except where strictly necessary to provide the service explicitly requested.
In practice:
- Strictly necessary cookies (cart, checkout, language preference, fraud prevention) — no consent needed.
- Everything else (analytics, marketing, personalisation) — opt-in consent before storage.
The directive requires implementation in national law, so wording varies between EU member states. Germany, France, Italy, and Spain have particularly strict implementations.
The long-promised ePrivacy Regulation has been delayed since 2017 and remains in legislative limbo. The current directive remains in force.
In cookie banner enforcement actions, most regulators cite GDPR and ePrivacy together: the consent definition comes from GDPR; the cookie-specific requirement comes from ePrivacy.
See also: GDPR, Strictly necessary cookies.