GDPR vs ePrivacy Directive: The Difference Everyone Ignores
Most companies think that 'complying with GDPR' is enough. Wrong: when it comes to cookies and commercial emails, it is the ePrivacy Directive — transposed in France as Article 82 of the LIL — that takes precedence. Understanding both texts means avoiding invisible sanctions.
Two distinct texts, two fields of application
The GDPR (General Data Protection Regulation, EU 2016/679) came into force in May 2018. It is a European regulation directly applicable in all Member States, without national transposition. Its scope: any processing of personal data, whatever its form (customer file, email, analytics, HR...). Its logic: a legal basis for each processing, rights for individuals, obligations for data controllers.
The ePrivacy Directive (2002/58/EC, amended by Directive 2009/136/EC) is older and more specific. It governs electronic communications: email privacy, cookies, tracking on the user's terminal, commercial prospecting by electronic means. Being a directive (not a regulation), it required transposition in each Member State. In France, this transposition appears in Article 82 of the French Data Protection Act (LIL).
Regulation vs Directive: the key difference
A European regulation (like GDPR) applies directly, uniformly in all Member States. A directive sets objectives but allows each State to transpose it into national law — hence variations between countries. This is why the ePrivacy Directive has different names in different countries (PECR in the UK, Article 82 LIL in France, TDDDG in Germany).
Cookies: why ePrivacy, not GDPR?
This is the most widespread confusion. Many companies think their cookie banner is a GDPR obligation. Technically, this is wrong — or at least incomplete.
Article 82 of the LIL (transposing ePrivacy) states that 'any subscriber or user of an electronic communications service must be clearly and completely informed [...] and must have a means of refusal' before any deposit or reading of non-strictly-necessary cookies. This text requires prior consent for analytics, advertising, personalization cookies, etc.
GDPR comes in addition: data collected via these cookies (IP addresses, identifiers, browsing behaviors) constitute personal data, subject to GDPR requirements (legal basis, purpose, retention period, rights of individuals). But prior consent to the deposit falls under ePrivacy/Article 82 LIL.
Article 82 LIL in detail
Article 82 of the French Data Protection Act is the central text for cookie regulation in France. Here is what it concretely provides:
- Scope — Any deposit, reading, or access to information stored on the user's terminal (cookies, trackers, fingerprinting, LocalStorage, etc.).
- General rule — Prior consent mandatory, with exceptions.
- Exceptions (without consent) — Trackers strictly necessary for service provision (shopping cart, authentication, language preferences, load balancing).
- CNIL sanction — Up to €20,000 or 4% of global revenue for violation of Article 82 LIL.
Do your cookies comply with Article 82 LIL?
RGPDScan automatically detects cookie deposits before consent and ePrivacy violations on your site.
Commercial emails: ePrivacy + GDPR in practice
Email prospecting is another area where both texts apply in a complementary manner. The ePrivacy Directive (Article L. 34-5 of the French Postal and Electronic Communications Code) prohibits sending commercial emails to individuals without their prior consent. Exception: if the person is already a customer and the email concerns a product or service similar to what they purchased.
GDPR applies to the data itself: how email addresses were collected (legal basis), how long to retain them, how to manage unsubscribes, how to respond to rights exercise requests. An email may be legally sendable under ePrivacy but violate GDPR if the data was not collected with a valid legal basis or if retention period is not defined.
The ePrivacy Regulation: long-awaited since 2017
In January 2017, the European Commission proposed an ePrivacy Regulation to replace Directive 2002/58/EC. This regulation was supposed to accompany the GDPR at its entry into force in May 2018. Nine years later, it has still not been adopted.
The reasons for the blockage are mainly intense lobbying from digital advertising players (Google, Meta, IAB Europe) and disagreements between Member States on the legal basis applicable to analytics cookies. The EU Council proposed several successive compromise texts, all rejected or abandoned.
The ePrivacy Regulation, if ever adopted, would bring significant changes: direct application in all States (harmonization), new rules on metadata, extension to OTT communications (WhatsApp, Signal), potentially a relaxation on some analytics cookies. In the meantime, Directive 2002/58/EC and its national transpositions remain applicable.
Practical interactions between the two texts
| Case | ePrivacy (Art. 82 LIL) | RGPD |
|---|---|---|
| Analytics cookie deposit | Consent required | Legal basis (consent or LI) |
| Shopping cart cookie | Exempt (necessary) | Legitimate interest or contract |
| B2C prospecting email | Consent required | Consent required |
| B2B prospecting email | Legitimate interest possible | Legitimate interest |
| Fingerprinting | Consent required | Legal basis required |
What this means for your site
The confusion between GDPR and ePrivacy generates two types of frequent compliance errors. The first: companies that have an impeccable GDPR privacy policy but deposit cookies before the user has clicked 'Accept'. They violate Article 82 LIL even if their GDPR is in order. The second: companies that think refusing analytics cookies is sufficient, without realizing that GDPR also requires a processing register, DPAs with processors, documented retention periods.
The right approach is to treat both texts as complementary layers. ePrivacy governs the moment of deposit (before/after consent, exemptions). GDPR governs the entire life of the collected data (purpose, duration, rights, security). Respecting one without the other always exposes to a sanction.
The 3 rules to remember
- ePrivacy applies before any cookie deposit: verify your scripts don't execute before consent.
- GDPR applies to all collected data: maintain a processing register, draft your DPAs, document retention periods.
- Both texts apply cumulatively: GDPR compliance does not exempt from ePrivacy compliance, and vice versa.
Going further
- The 7 fatal errors on your cookie banner
- GDPR compliance checklist 2026
- CNIL Fines 2026: what exposes your site
- Cookie consent management tools (CMP)
- GDPR for e-commerce: complete obligations