Study Guide: Certified Information Privacy Professional (CIPP): EU - ePrivacy Directive, Cookie Consent, Direct Marketing, Confidentiality
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-eprivacy-directive-cookie-consent-direct-marketing-confidentiality

Certified Information Privacy Professional (CIPP): EU - ePrivacy Directive, Cookie Consent, Direct Marketing, Confidentiality

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The ePrivacy Directive (officially Directive 2002/58/EC, as amended in 2009) governs privacy in electronic communications across the EU. It sets the rules for cookie consent, direct marketing, and the confidentiality of communications and traffic data. For a website that serves EU visitors, failing to obtain proper cookie consent can trigger fines of €20 million or 4% of global turnover under the GDPR-aligned draft ePrivacy Regulation. Think of a multinational retailer’s EU-focused e-commerce site that drops tracking cookies on every page load – without a clear opt-in banner, the site is already in breach of the ePrivacy Directive.


Key Terms & Provisions

  • Cookie Consent (ePrivacy Directive, Art. 5(3)): Users must give prior, informed, and explicit consent before any non-essential cookies are stored or read. Example: A news portal must show a banner asking “Do you accept analytics cookies?” before the analytics script runs.
  • Strictly Necessary Cookies: Cookies that are essential for the service requested (e.g., a shopping-cart session ID). No consent is required, but a clear explanation is still mandatory.
  • Direct Marketing (ePrivacy Directive, Art. 13): Any unsolicited electronic communication (email, SMS, push notification) that promotes goods or services. Requires opt-in consent unless the soft-opt-in exception applies (existing customer relationship, clear opt-out option).
  • Confidentiality of Communications (Art. 5(1) & Art. 6): The content of electronic communications must be protected from interception or disclosure without user consent. Example: An ISP cannot read the body of a user’s email without a lawful basis.
  • Traffic Data (Art. 5(1)): Metadata such as source/destination IP, timestamps, and volume. Must be purged or anonymised after the transmission is complete unless retained for billing or fraud prevention with a legitimate purpose.
  • Location Data (Art. 5(3) & GDPR Recital 157): Any data that reveals the physical location of a device or person. Requires explicit consent before collection or processing.
  • Joint Controllers (GDPR Art. 26, applied via ePrivacy): When two or more entities jointly determine the purposes and means of processing (e.g., a website and a third-party ad network), they must clearly allocate responsibilities in a transparent agreement.
  • Data Retention Limits (ePrivacy Art. 5(1) & GDPR Art. 5(1)(e)): Personal data may be kept no longer than necessary for the purpose for which it was collected. Example: Analytics cookies should be set to expire after 13 months at most.
  • Consent Management Platform (CMP): A technical solution that records, stores, and proves user consent choices, and allows users to withdraw consent as easily as it was given.
  • Soft-Opt-In Exception (ePrivacy Art. 13(2)(c)): Allows direct marketing to existing customers without prior consent if the message contains a clear and free opt-out mechanism and the marketing is about similar products or services.

Step-by-Step Process Flow (Applying ePrivacy to a Web Site)

  1. Map All Electronic Tracking – Inventory every cookie, pixel, and local-storage item; classify each as strictly necessary or non-essential.
  2. Select a Consent Mechanism – Deploy a CMP that blocks non-essential cookies until the user clicks “Accept”; ensure the banner includes a link to a detailed cookie policy.
  3. Draft a Transparent Cookie Policy – List each cookie’s name, purpose, provider, data type collected, and retention period; publish it in plain language.
  4. Implement Direct-Marketing Controls – For email newsletters, add a double-opt-in sign-up form; for any promotional push notifications, embed an easy “unsubscribe” link.
  5. Document Compliance – Keep records of consent logs (date, time, IP, consent version) for at least the retention period required by GDPR (normally 2 years).
  6. Review & Refresh – Conduct a quarterly audit; update the CMP and policy whenever a new cookie or marketing channel is added.
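The consent gate that steps 1, 2, 5 and 6 describe, written out as an added example (this is not code from the Fatskills guide or from any CMP vendor). The cookie inventory, the policy version string, the sample IP and the 395-day reading of the 13-month guideline are all constructed assumptions.

```javascript
// Added example, not from the Fatskills guide: a minimal consent gate that follows the
// process flow above. Inventory, IP and policy version are constructed sample values.
const POLICY_VERSION = "cookie-policy-v3";  // assumption: bumped whenever the cookie policy changes
const MAX_LIFESPAN_DAYS = 395;              // assumption: the 13-month guideline expressed in days

// Step 1: every cookie is inventoried and classified (constructed sample inventory).
const COOKIE_INVENTORY = [
  { name: "cart_session", category: "strictly_necessary", provider: "first-party",      retentionDays: 1 },
  { name: "_ga",          category: "analytics",          provider: "analytics vendor", retentionDays: 730 },
  { name: "ad_id",        category: "advertising",        provider: "ad network",       retentionDays: 90 },
];

// Step 5: a consent record carries date/time, IP and the policy version it was given against.
function recordConsent(acceptedCategories, ip, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    ip,
    policyVersion: POLICY_VERSION,
    categories: Object.fromEntries(acceptedCategories.map((c) => [c, true])),
    withdrawn: false,
  };
}

// Withdrawal must be as easy as giving consent: one call, and the record keeps its history.
function withdrawConsent(record, now = new Date()) {
  return { ...record, withdrawn: true, withdrawnAt: now.toISOString() };
}

// Step 2: decide which cookies may be set. Strictly necessary cookies never need consent;
// every other cookie needs an unwithdrawn record for its category that was given against
// the current policy version (a record for an older policy version does not carry over).
function allowedCookies(inventory, record) {
  return inventory
    .filter((c) => {
      if (c.category === "strictly_necessary") return true;
      if (!record || record.withdrawn) return false;
      if (record.policyVersion !== POLICY_VERSION) return false;
      return record.categories[c.category] === true;
    })
    .map((c) => c.name);
}

// Step 6 audit helper: flag cookies whose lifetime exceeds the 13-month guideline.
function overlongCookies(inventory, maxDays = MAX_LIFESPAN_DAYS) {
  return inventory.filter((c) => c.retentionDays > maxDays).map((c) => c.name);
}
```

Run `allowedCookies(COOKIE_INVENTORY, null)` before any banner interaction and only the session cookie is returned; after `recordConsent(["analytics"], ip)` the analytics cookie joins it, and a withdrawn or out-of-date record drops it again.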

Common Mistakes

  • Mistake: Assuming “click-through” on a privacy notice equals valid consent.
    Correction: Consent must be affirmative, specific, and freely given; a passive scroll or pre-ticked box does not satisfy Art. 5(3).

  • Mistake: Treating “soft opt-in” as a blanket exemption for all existing customers.
    Correction: The exception only applies when the marketing is about similar products or services and an easy opt-out is provided; otherwise, explicit opt-in is required.

  • Mistake: Forgetting to purge traffic data after the transmission is complete.
    Correction: Retain metadata only for the period needed for billing, fraud detection, or legal obligations; automatically delete or anonymise it thereafter.

  • Mistake: Using a single CMP for both GDPR and ePrivacy without distinguishing the consent scopes.
    Correction: Keep separate consent records for purpose-based GDPR consent and cookie-based ePrivacy consent; each must be stored and retrievable independently.

  • Mistake: Assuming the ePrivacy Directive no longer applies because the EU is drafting the ePrivacy Regulation.
    Correction: Until the Regulation is in force, the Directive (and its national implementations) remains the applicable law; exam questions still reference the Directive.


CIPP Exam Insights

  1. Opt-In vs. Opt-Out – The exam loves to test the distinction: ePrivacy requires opt-in for cookies and direct marketing (except the soft-opt-in carve-out); CCPA/CPRA uses opt-out for the sale of personal information.
  2. Scope of “Electronic Communications” – Remember that the Directive covers both content and metadata; a common trap is thinking only email content is protected.
  3. Joint Controller Obligations – Expect a question on how responsibilities (e.g., providing the cookie policy) are allocated between a website operator and a third-party ad network.
  4. National Implementations – Some EU states (Germany, Italy) have stricter rules on cookie consent (e.g., requiring a two-click approach). The exam may ask which country imposes the higher standard.

Quick Check Questions

  1. Scenario: A French e-commerce site wants to place a Facebook “Like” button on product pages.
    Answer: The site must obtain prior explicit consent before the button loads because the social plug-in sets third-party cookies that are not strictly necessary.

  2. Scenario: An Italian telecom operator wants to use call-detail records for targeted advertising.
    Answer: It must first get opt-in consent from each subscriber; using traffic data for marketing without consent breaches Art. 5(1) confidentiality.

  3. Scenario: A UK-based newsletter provider sends promotional emails to EU customers who previously bought a product. The emails contain an “unsubscribe” link.
    Answer: Because the emails are direct marketing to existing customers and include a clear opt-out, the soft-opt-in exception applies; no prior consent is needed.


Last-Minute Cram Sheet (10 One-Liners)

  1. ePrivacy Directive Art. 5(3) – Prior, informed, explicit consent required for any non-essential cookie.
  2. Strictly necessary cookies – No consent needed, but must be clearly described in the cookie policy.
  3. Soft-opt-in exception (Art. 13(2)(c)) – Applies only to existing customers, similar products, and a free opt-out.
  4. Traffic data – Must be deleted or anonymised after transmission unless retained for billing/fraud purposes.
  5. Location data – Treated as a special category under GDPR; needs explicit consent under ePrivacy.
  6. Joint controllers – Must publish a transparent allocation of responsibilities (GDPR Art. 26).
  7. Maximum cookie lifespan – Generally 13 months (industry-wide best practice; not a legal limit but widely enforced by supervisory authorities).
  8. Fine ceiling – ePrivacy breaches can be penalised up to €20 million or 4% of global turnover under the GDPR’s “cross-border” penalty regime.
  9. Consent Management Platform (CMP) – Must record date, time, IP, and version of consent; logs kept for at least 2 years.
  10. Territorial scope – The Directive applies to all providers of electronic communications services and any website that targets EU users, regardless of where the server is located.

Use these nuggets to lock in the core of the ePrivacy Directive before the exam – they’re the “must-know” facts that separate a pass from a high score. Good luck!