Legal Guide 10 min read·

GDPR vs ePrivacy Directive: The Difference Everyone Ignores

Most companies think that 'complying with GDPR' is enough. Wrong: when it comes to cookies and commercial emails, it is the ePrivacy Directive — transposed in France as Article 82 of the LIL — that takes precedence. Understanding both texts means avoiding invisible sanctions.

Two distinct texts, two fields of application

The GDPR (General Data Protection Regulation, EU 2016/679) came into force in May 2018. It is a European regulation directly applicable in all Member States, without national transposition. Its scope: any processing of personal data, whatever its form (customer file, email, analytics, HR...). Its logic: a legal basis for each processing, rights for individuals, obligations for data controllers.

The ePrivacy Directive (2002/58/EC, amended by Directive 2009/136/EC) is older and more specific. It governs electronic communications: email privacy, cookies, tracking on the user's terminal, commercial prospecting by electronic means. Being a directive (not a regulation), it required transposition in each Member State. In France, this transposition appears in Article 82 of the French Data Protection Act (LIL).

Regulation vs Directive: the key difference

A European regulation (like GDPR) applies directly, uniformly in all Member States. A directive sets objectives but allows each State to transpose it into national law — hence variations between countries. This is why the ePrivacy Directive has different names in different countries (PECR in the UK, Article 82 LIL in France, TDDDG in Germany).

Cookies: why ePrivacy, not GDPR?

This is the most widespread confusion. Many companies think their cookie banner is a GDPR obligation. Technically, this is wrong — or at least incomplete.

Article 82 of the LIL (transposing ePrivacy) states that 'any subscriber or user of an electronic communications service must be clearly and completely informed [...] and must have a means of refusal' before any deposit or reading of non-strictly-necessary cookies. This text requires prior consent for analytics, advertising, personalization cookies, etc.

GDPR comes in addition: data collected via these cookies (IP addresses, identifiers, browsing behaviors) constitute personal data, subject to GDPR requirements (legal basis, purpose, retention period, rights of individuals). But prior consent to the deposit falls under ePrivacy/Article 82 LIL.

Article 82 LIL in detail

Article 82 of the French Data Protection Act is the central text for cookie regulation in France. Here is what it concretely provides:

  • Scope Any deposit, reading, or access to information stored on the user's terminal (cookies, trackers, fingerprinting, LocalStorage, etc.).
  • General rule Prior consent mandatory, with exceptions.
  • Exceptions (without consent) Trackers strictly necessary for service provision (shopping cart, authentication, language preferences, load balancing).
  • CNIL sanction Up to €20,000 or 4% of global revenue for violation of Article 82 LIL.

Do your cookies comply with Article 82 LIL?

RGPDScan automatically detects cookie deposits before consent and ePrivacy violations on your site.

Commercial emails: ePrivacy + GDPR in practice

Email prospecting is another area where both texts apply in a complementary manner. The ePrivacy Directive (Article L. 34-5 of the French Postal and Electronic Communications Code) prohibits sending commercial emails to individuals without their prior consent. Exception: if the person is already a customer and the email concerns a product or service similar to what they purchased.

GDPR applies to the data itself: how email addresses were collected (legal basis), how long to retain them, how to manage unsubscribes, how to respond to rights exercise requests. An email may be legally sendable under ePrivacy but violate GDPR if the data was not collected with a valid legal basis or if retention period is not defined.

The ePrivacy Regulation: long-awaited since 2017

In January 2017, the European Commission proposed an ePrivacy Regulation to replace Directive 2002/58/EC. This regulation was supposed to accompany the GDPR at its entry into force in May 2018. Nine years later, it has still not been adopted.

The reasons for the blockage are mainly intense lobbying from digital advertising players (Google, Meta, IAB Europe) and disagreements between Member States on the legal basis applicable to analytics cookies. The EU Council proposed several successive compromise texts, all rejected or abandoned.

The ePrivacy Regulation, if ever adopted, would bring significant changes: direct application in all States (harmonization), new rules on metadata, extension to OTT communications (WhatsApp, Signal), potentially a relaxation on some analytics cookies. In the meantime, Directive 2002/58/EC and its national transpositions remain applicable.

Practical interactions between the two texts

CaseePrivacy (Art. 82 LIL)RGPD
Analytics cookie depositConsent requiredLegal basis (consent or LI)
Shopping cart cookieExempt (necessary)Legitimate interest or contract
B2C prospecting emailConsent requiredConsent required
B2B prospecting emailLegitimate interest possibleLegitimate interest
FingerprintingConsent requiredLegal basis required

What this means for your site

The confusion between GDPR and ePrivacy generates two types of frequent compliance errors. The first: companies that have an impeccable GDPR privacy policy but deposit cookies before the user has clicked 'Accept'. They violate Article 82 LIL even if their GDPR is in order. The second: companies that think refusing analytics cookies is sufficient, without realizing that GDPR also requires a processing register, DPAs with processors, documented retention periods.

The right approach is to treat both texts as complementary layers. ePrivacy governs the moment of deposit (before/after consent, exemptions). GDPR governs the entire life of the collected data (purpose, duration, rights, security). Respecting one without the other always exposes to a sanction.

The 3 rules to remember

  1. ePrivacy applies before any cookie deposit: verify your scripts don't execute before consent.
  2. GDPR applies to all collected data: maintain a processing register, draft your DPAs, document retention periods.
  3. Both texts apply cumulatively: GDPR compliance does not exempt from ePrivacy compliance, and vice versa.

Going further

Frequently asked questions

What is the main difference between GDPR and the ePrivacy Directive?
GDPR is a general regulation on personal data protection: it governs all collection and processing of data. The ePrivacy Directive (transposed in France as Article 82 LIL) is a lex specialis specifically governing electronic communications, cookies, and commercial emails. Both apply simultaneously: a cookie can violate ePrivacy (without prior consent) AND GDPR (if the collected data is poorly managed).
Why are cookies governed by ePrivacy and not by GDPR?
The ePrivacy Directive 2002/58/EC (amended in 2009) preceded the GDPR and specifically addresses privacy in electronic communications. It covers access to the user's terminal (cookie deposits), which GDPR does not directly govern. In France, Article 82 of the LIL transposes this directive: any deposit or reading of information on a terminal requires prior consent, except for strictly necessary cookies.
What is the ePrivacy Regulation planned to replace the Directive?
The European Commission proposed in January 2017 an ePrivacy Regulation to replace Directive 2002/58/EC. Unlike a directive, a regulation would apply directly in all Member States without national transposition. After years of blocking at the EU Council (intense advertising lobby), negotiations are progressing but no adoption date is confirmed in 2026. The current directive therefore remains in force.
Does Article 82 LIL apply to trackers other than cookies?
Yes. Article 82 LIL mentions 'any action tending to access, by electronic transmission, information stored in the user's terminal equipment, or to write information in that equipment.' This covers cookies but also fingerprinting, pixel tracking, localStorage, IndexedDB, etc. Any technique allowing user tracking on their terminal is covered.
Are commercial emails governed by ePrivacy or GDPR?
Both! ePrivacy prohibits email prospecting without prior user consent (except existing customer and similar product). GDPR governs personal data contained in these emails and their processing (legal basis, retention period, rights of persons). In practice: ePrivacy conditions sending, GDPR frames list management.
If I comply with GDPR, am I automatically compliant with ePrivacy?
No, and this is the most frequent mistake. ePrivacy is stricter on cookies: it requires prior consent whereas GDPR admits other legal bases (legitimate interest, contract performance). A site can have a valid GDPR legal basis for its analytical data but still violate ePrivacy by depositing analytics cookies without consent. Both texts apply cumulatively.

Check your ePrivacy compliance in 60 seconds

RGPDScan detects cookies deposited before consent, undeclared trackers and Article 82 LIL violations on your site.