2002: EU ePrivacy Directive: Cookie Consent and Email Marketing
In July 2002, the European Parliament adopted Directive 2002/58/EC — known more commonly as the ePrivacy Directive — and quietly set in motion two of the most visible changes to the modern internet experience. The first was the consent requirement for commercial email, which established the opt-in standard that would define European email marketing for the next two decades. The second was the cookie consent requirement, which spawned the ubiquitous “accept cookies” banners that now greet visitors to virtually every European website.
The ePrivacy Directive wasn’t as famous as GDPR would later become, but it arrived 16 years earlier and established principles that GDPR would build upon.
The Email Provisions
Article 13 of the ePrivacy Directive addressed unsolicited commercial communications — what the rest of the world was simply calling spam. The Directive’s approach was unambiguous: prior consent was required before sending commercial electronic messages (email, SMS, or other electronic messaging) to individuals.
This was the opt-in standard. Unlike the American CAN-SPAM Act (passed the following year), which allowed businesses to send unsolicited commercial email as long as they provided an unsubscribe mechanism, the ePrivacy Directive required the sender to have permission before the first message was sent. No permission, no email.
The Directive included one significant exception: the “soft opt-in.” If a company obtained a customer’s email address in the context of a sale of a product or service, it could use that address to send direct marketing for its own similar products or services — provided it gave the customer a clear opportunity to opt out at the time of collection and in every subsequent message.
This soft opt-in was a practical compromise. It recognized that customers who buy running shoes from an online retailer probably expect (and might welcome) emails about new running shoes, without requiring the retailer to obtain separate explicit consent for each marketing message.
Implementation Across Member States
As a directive (rather than a regulation), the ePrivacy Directive required each EU member state to transpose it into national law. This meant 15 different implementations (later 28 as the EU expanded), each interpreting the Directive’s requirements slightly differently.
The United Kingdom implemented it through the Privacy and Electronic Communications Regulations 2003 (PECR). Germany incorporated the provisions into its Telemedia Act. France implemented them through the Postal and Electronic Communications Code. Each country’s implementation added nuances, creating a patchwork of related but not identical rules.
This fragmentation was a headache for email marketers operating across multiple European countries. A marketing practice that was compliant in one member state might violate the rules in another. The practical response for most marketers was to default to the strictest interpretation — genuine, explicit opt-in consent for all commercial email — to avoid navigating the inconsistencies.
The Cookie Dimension
While email marketers were adjusting to the opt-in requirement, the ePrivacy Directive’s Article 5(3) was quietly laying the groundwork for a change that would affect every website on the internet. The provision made the storage of information on a user’s device, or access to information already stored there (primarily through cookies), subject to the user’s consent.
The original 2002 text was ambiguous enough that most websites initially ignored it. But the 2009 amendment to the ePrivacy Directive strengthened the language, making it clear that consent for non-essential cookies must be informed and freely given. This amendment triggered the wave of cookie consent banners that began appearing on European websites around 2011-2012.
The connection between cookies and email marketing was direct. Email marketers used cookies to track user behavior after clicking through from an email — which product pages they visited, what they added to cart, whether they converted. The ePrivacy Directive’s cookie consent requirement meant that this post-click tracking also required user consent, adding another layer of compliance to email campaign measurement.
The Practical Impact on Email Marketing
For email marketers, the ePrivacy Directive’s most significant practical effect was the death of purchased email lists in Europe. Under the opt-in requirement, sending commercial email to addresses acquired from a third-party list broker was illegal unless the individuals on that list had specifically consented to receive messages from the purchasing company. Since purchased lists rarely came with that level of consent documentation, the practice became untenable.
This was a major shift. In the United States, purchasing email lists and sending cold commercial email remained legal (under CAN-SPAM’s opt-out framework). In Europe, the same practice could result in regulatory action and fines. Companies operating in both markets had to maintain fundamentally different approaches to list building and prospecting.
The result was that European email marketing developed around permission-based list building years before the practice became standard elsewhere. European marketers became skilled at building organic subscriber lists through content marketing, lead magnets, and genuine opt-in processes. When GDPR arrived in 2018 with even stricter consent requirements, European email marketers were better prepared than their American counterparts might have been.
Setting the Stage for GDPR
The ePrivacy Directive was, in many ways, a preview of GDPR. It established the consent-first philosophy that GDPR would expand to all personal data processing. It introduced the concept of purpose limitation (consent given for one type of communication doesn’t cover another). And it demonstrated that the EU was willing to regulate digital practices in ways that prioritized individual privacy over commercial convenience.
When GDPR took effect in May 2018, it didn’t replace the ePrivacy Directive — both coexist and apply simultaneously to email marketing. GDPR governs the processing of personal data (including email addresses), while the ePrivacy Directive governs the act of sending electronic communications. An email marketer in Europe must comply with both: GDPR for collecting and storing the email address, and the ePrivacy Directive for actually sending the message.
The long-promised ePrivacy Regulation — intended to replace the Directive with a directly applicable regulation (like GDPR) — has been in legislative limbo since 2017. Multiple drafts have been proposed, debated, and revised. As of 2026, the original 2002 Directive, amended in 2009, still forms the backbone of EU electronic communications privacy law.
The ePrivacy Directive didn’t generate the headlines that GDPR later would. But it established the legal and philosophical foundation for privacy-respecting email marketing in Europe — a framework that has influenced privacy legislation worldwide and pushed the global email marketing industry toward practices that are both more ethical and, as it turns out, more effective.
Frequently Asked Questions
What is the EU ePrivacy Directive?
The ePrivacy Directive (Directive 2002/58/EC), adopted in July 2002, regulates electronic communications privacy in the European Union. It covers email marketing (requiring opt-in consent for commercial messages), cookies (requiring user consent for non-essential tracking), and confidentiality of electronic communications.
How did the ePrivacy Directive affect email marketing?
The ePrivacy Directive required marketers to obtain prior consent (opt-in) before sending commercial email to individuals in the EU. This was stricter than the US CAN-SPAM Act's opt-out approach and forced email marketers targeting European audiences to build permission-based subscriber lists.
What is the difference between the ePrivacy Directive and GDPR?
The ePrivacy Directive (2002) specifically regulates electronic communications including email and cookies. GDPR (2018) is a broader data protection regulation covering all personal data processing. Both apply to email marketing in the EU, with the ePrivacy Directive handling the specific rules for electronic messaging and GDPR governing the underlying data processing.