ePrivacy vs GDPR: understanding the cookie law distinction

When people talk about "cookie law," they are usually conflating two separate pieces of legislation: GDPR and the ePrivacy Directive. Both apply to cookies and similar tracking technologies, but they operate differently and create distinct obligations. Understanding the relationship between them is essential for getting your cookie compliance right.

What is the ePrivacy Directive?

The ePrivacy Directive — sometimes called the "Cookie Directive" — is a 2002 EU law that specifically governs electronic communications, including cookies, email marketing, and telephone marketing. In the UK it is implemented as the Privacy and Electronic Communications Regulations 2003 (PECR). It was updated in 2009 to add the current cookie consent requirements.

The core rule from ePrivacy is the one that drives cookie banners: you must obtain prior informed consent before storing or accessing information on a user's device, unless that access is strictly necessary to provide a service the user has explicitly requested. This is where the "consent required for non-essential cookies" obligation comes from — ePrivacy, not GDPR.

The EU has been working on a new ePrivacy Regulation to replace the Directive for several years, but as of 2026, the existing Directive remains in force across member states.

How ePrivacy and GDPR interact

GDPR came into force in 2018, long after ePrivacy. The relationship between the two is sometimes described as "lex specialis": ePrivacy is the specific law for electronic communications, and GDPR is the general data protection framework. Where ePrivacy has a specific rule (cookie consent), ePrivacy applies. Where it is silent, GDPR fills the gaps.

The practical implication is that consent under ePrivacy must meet the GDPR standard for valid consent — freely given, specific, informed, and unambiguous. The ePrivacy rule says you need consent for cookies; GDPR sets the quality standard that consent must meet. Both laws apply simultaneously, and you need to satisfy both.

This is why regulators have been so clear that "continuing to browse this website" is not valid consent. ePrivacy requires prior consent. GDPR requires an unambiguous affirmative action. Neither is satisfied by passive browsing.

What this means in practice for your website

For your day-to-day cookie compliance, the key takeaways are:

  • The obligation to get cookie consent comes from ePrivacy (PECR in the UK), not GDPR — but the consent must meet GDPR's quality standard
  • The obligation to document your cookie practices, describe your lawful bases, and give individuals rights over their data comes from GDPR
  • Both laws apply to you if you serve users in the UK or EU
  • Relying on legitimate interests as a basis for analytics cookies is not permissible — ePrivacy requires consent specifically
  • Any data collected after valid cookie consent was given is then subject to GDPR's full obligations for that data

The practical upshot is that most businesses need two documents: a cookie policy (satisfying ePrivacy's transparency obligations) and a privacy policy (satisfying GDPR). These can be separate pages or a combined document, but the content requirements for each are distinct.