ePrivacy Directive Compliance: The Cookie Law Guide for European SaaS

Important: This guide covers legal compliance requirements. While we strive for accuracy, this is not legal advice. Consult a qualified EU privacy lawyer for your specific situation.
You've implemented GDPR compliance for your SaaS. But are you compliant with the ePrivacy Directive, often called the "Cookie Law"?
While GDPR governs personal data processing broadly, the ePrivacy Directive (officially Directive 2002/58/EC, updated by 2009/136/EC) specifically regulates:
- Electronic communications privacy
- Use of cookies and similar tracking technologies
- Direct marketing via email and SMS
The key difference: GDPR requires a lawful basis for processing personal data (consent, legitimate interest, contract). The ePrivacy Directive requires prior informed consent for storing or accessing information on a user's device, i.e., cookies, local storage, fingerprinting, device ID access.
Non-compliance risks: fines up to €20M or 1% of global annual turnover (whichever is higher) under the ePrivacy rules, plus potential GDPR penalties if personal data is involved without proper basis.
This guide covers everything European SaaS founders need to know about ePrivacy compliance in 2026, including consent requirements, cookie categorization, CMP selection, and implementation steps.
What Is the ePrivacy Directive? (And Why It Still Matters in 2026)
The ePrivacy Directive is a sector-specific privacy law that predates GDPR. While GDPR applies to all personal data, ePrivacy focuses on electronic communications services and privacy in the digital environment.
Key Principles
- Opt-in consent required for non-essential cookies: users must actively consent before cookies are set (pre-ticked boxes are invalid).
- Clear and comprehensive information: consent requests must explain purposes in plain language.
- Easy withdrawal: users must be able to withdraw consent as easily as they gave it.
- Cookie categorisation: cookies must be grouped by purpose (essential, preferences, analytics, advertising).
ePrivacy vs GDPR: How Do They Overlap?
| Aspect | GDPR | ePrivacy Directive |
|---|---|---|
| Scope | All personal data processing | Electronic communications, cookies, tracking |
| Consent standard | Freely given, specific, informed, unambiguous | Same + prior requirement (before storage/access) |
| Lawful bases | Consent, legitimate interest, contract, legal obligation, vital interests, public task | Consent for non-essential cookies; legitimate interest for some direct marketing |
| Territorial reach | Extra-territorial (targets EU data subjects) | Extra-territorial (applies to services provided to EU users) |
| Enforcement | National Data Protection Authorities (DPAs) | Same DPAs; often coordinated with GDPR enforcement |
Bottom line: If your SaaS website or application uses cookies, local storage, tracking pixels, or device fingerprinting and you have EU users, ePrivacy applies to you, regardless of where your company is incorporated.
Which Cookies Require Prior Consent?
The European Data Protection Board (EDPB) clarifies that the strict prior consent rule only applies to non-essential cookies. The distinction is critical:
1. Strictly Necessary (Essential) Cookies: No Consent Needed
These cookies are required for the service to function:
- Authentication cookies (login sessions)
- Shopping cart cookies (e-commerce)
- Security cookies (fraud prevention, CSRF tokens)
- Load-balancing cookies (server distribution)
- User interface preference cookies (language, font size, if essential for functionality)
2. Non-Essential Cookies: Prior Informed Consent Required
These require opt-in consent before being set:
- Analytics cookies: Google Analytics, Mixpanel, Amplitude, heatmaps
- Advertising cookies: retargeting, conversion tracking (Google Ads, Facebook Pixel, LinkedIn Insight)
- Functional cookies: personalization, live chat, support widgets (Intercom, Drift)
- Social media cookies: sharing buttons, embedded feeds (Twitter, LinkedIn)
3. The "First-Party vs Third-Party" Distinction
Wrong assumption: "First-party cookies are exempt from consent."
The EDPB has clarified that it's about purpose, not provenance. Even first-party analytics or advertising cookies require consent unless they're strictly necessary for the service requested by the user.
Example: A first-party analytics cookie tracking user behavior for marketing purposes is non-essential and requires consent.
ePrivacy Compliance Checklist for SaaS
Use this 10-point checklist to assess and implement compliance:
1. Conduct a Cookie & Tracker Audit
Inventory every piece of tracking technology on your site/app:
- First-party cookies (domain)
- Third-party cookies (set by external services)
- LocalStorage / SessionStorage usage
- Tracking pixels (Facebook, LinkedIn, Twitter)
- Scripts that set device fingerprints
- Embedded content (YouTube, Vimeo) that may set cookies
Tools: Cookiebot, OneTrust, or manual browser DevTools inspection (Application → Storage).
Action: Document each tracker's purpose, provider, data category, retention period, and whether it's strictly necessary.
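The audit step above is easy to do once by hand and hard to keep honest as integrations are added. The following is an added example (not code from this guide or from any CMP vendor) of a small inventory builder: it takes Set-Cookie headers captured from your own site's network log, works out provenance and lifetime, and looks each cookie up in the catalogue you maintain, so anything undocumented surfaces immediately. The host name, the catalogue entries and their categories, and all sample headers are constructed assumptions for the example.

```javascript
// Added example (not from the original guide): cookie inventory builder for step 1.
// Input: { host, header } pairs captured from responses during a page load, where
// `host` is the responding server and `header` is its Set-Cookie value.
const SITE_HOST = "app.example.com"; // assumption: your first-party host

// Assumed catalogue of trackers you have already documented (pattern -> metadata).
// Categories and purposes here are example assumptions, not a vendor's official list.
const KNOWN_COOKIES = [
  { pattern: /^session_id$/, provider: "first-party", category: "essential", purpose: "login session" },
  { pattern: /^csrf_token$/, provider: "first-party", category: "essential", purpose: "CSRF protection" },
  { pattern: /^_ga(_.*)?$/, provider: "Google Analytics", category: "analytics", purpose: "usage statistics" },
  { pattern: /^_fbp$/, provider: "Meta Pixel", category: "advertising", purpose: "conversion tracking" },
  { pattern: /^(YSC|VISITOR_INFO1_LIVE)$/, provider: "YouTube embed", category: "advertising", purpose: "embedded video tracking" },
  { pattern: /^intercom-/, provider: "Intercom", category: "functional", purpose: "live chat" },
];

// Parse one Set-Cookie header into the name and the attributes the audit needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, maxAge: null, expires: null };
  for (const attr of attrs) {
    const [rawKey, rawVal] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    const value = rawVal === undefined ? "" : rawVal.trim();
    if (key === "domain") cookie.domain = value.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = parseInt(value, 10);
    else if (key === "expires") cookie.expires = new Date(value);
  }
  return cookie;
}

// A host-only cookie belongs to the responding host; otherwise the Domain attribute wins.
function effectiveDomain(cookie, responderHost) {
  return cookie.domain || responderHost.toLowerCase();
}

// First-party means the cookie domain is the site host or one of its parent domains.
function isFirstParty(domain, siteHost = SITE_HOST) {
  return siteHost === domain || siteHost.endsWith("." + domain);
}

// Build one inventory row per captured cookie. `now` is fixed so the example is deterministic.
function auditCookies(captures, now = new Date("2026-04-01T00:00:00Z"), siteHost = SITE_HOST) {
  return captures.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const domain = effectiveDomain(c, host);
    const known = KNOWN_COOKIES.find((k) => k.pattern.test(c.name));
    let lifetimeDays = null; // null = session cookie, dropped when the browser closes
    if (c.maxAge !== null) lifetimeDays = Math.round(c.maxAge / 86400);
    else if (c.expires) lifetimeDays = Math.round((c.expires - now) / 86400000);
    return {
      name: c.name,
      domain,
      party: isFirstParty(domain, siteHost) ? "first-party" : "third-party",
      lifetimeDays,
      provider: known ? known.provider : "unknown",
      category: known ? known.category : "UNDOCUMENTED",
      purpose: known ? known.purpose : "",
      // Anything not yet documented is treated as non-essential until someone proves otherwise.
      needsConsent: known ? known.category !== "essential" : true,
    };
  });
}

function undocumentedCookies(inventory) {
  return inventory.filter((r) => r.category === "UNDOCUMENTED").map((r) => r.name);
}

function consentRequired(inventory) {
  return inventory.filter((r) => r.needsConsent).map((r) => r.name);
}

// Constructed sample capture: four responses from the site itself and one from a YouTube embed.
const SAMPLE_CAPTURES = [
  { host: "app.example.com", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "app.example.com", header: "_ga=GA1.1.1234.5678; Domain=.app.example.com; Max-Age=63072000; Path=/" },
  { host: "app.example.com", header: "_fbp=fb.1.1700000000.1; Domain=.app.example.com; Expires=Fri, 01 May 2026 00:00:00 GMT; Path=/" },
  { host: "www.youtube.com", header: "YSC=xyz; Domain=.youtube.com; Path=/; Secure; HttpOnly" },
  { host: "app.example.com", header: "ab_variant=B; Path=/; Max-Age=2592000" },
];

const inventory = auditCookies(SAMPLE_CAPTURES);
console.table(inventory);
console.log("undocumented:", undocumentedCookies(inventory));
```

Note that `_fbp` comes out first-party and still flagged `needsConsent`, which is exactly the point of section 3 above: provenance does not decide the category, purpose does. Feed the real captures from your DevTools network log into `auditCookies` and treat every `UNDOCUMENTED` row as a blocker for release.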
2. Categorise Cookies by Purpose
Group cookies into clear categories:
- Essential (no consent banner needed)
- Preferences (remember settings)
- Analytics (usage statistics, heatmaps)
- Advertising (retargeting, personalization)
- Social Media (sharing buttons, embedded feeds)
Action: Each non-essential category gets its own toggle in the consent banner; users must be able to opt into/out of categories independently.
3. Implement a Compliant Consent Management Platform (CMP)
Do not build your own consent banner unless you have privacy law expertise. A compliant CMP handles:
- Prior blocking of non-essential scripts until consent
- Granular category-level consent toggles
- Clear, jargon-free consent request wording
- Cookie declaration with detailed descriptions
- Consent logging (for audit trails)
- Easy withdrawal mechanism
- Regular updates as new trackers are added
Recommended CMPs for European SaaS:
| Tool | Headquarters | EU Data Hosting | Notable Clients | Pricing |
|---|---|---|---|---|
| Cookiebot | Denmark (EU) | EU (Denmark) | Philips, BMW, Orange | Freemium + paid |
| OneTrust | UK (EU) | EU + global | Many Fortune 500 | Enterprise |
| Axonius | Israel (EU adequacy) | EU | Mid-market | Paid |
| Didomi | France (EU) | EU | Media companies | Freemium + paid |
| Usercentrics | Germany (EU) | EU | Siemens, Bosch | Paid |
For a thorough comparison of consent management platforms, see our guide on best CMPs for GDPR and ePrivacy (coming soon).
4. Design a Clear Consent Banner
Placement: Banner must appear before any non-essential cookies are set. No "implied consent" via "by using this site you accept..."
Required elements:
✅ Clear heading: "We value your privacy" or "Cookie preferences"
✅ Plain-language description: explain what cookies are used for and why
✅ Granular options: separate toggles for each category (Analytics, Advertising, Social)
✅ Reject all / Accept all buttons of equal prominence
✅ Link to detailed cookie policy (not just privacy policy)
✅ "More info" link to specific cookie descriptions (name, provider, purpose, duration)
✅ Preferences button permanently accessible (e.g., footer link "Cookie Settings")
❌ Pre-ticked boxes: illegal under ePrivacy
❌ "By continuing to browse": invalid implied consent
❌ Dark patterns: making rejection harder than acceptance
5. Configure Prior Blocking
Your CMP must block all non-essential scripts until consent is given. This means:
- Google Analytics, Ads, Tag Manager blocked until Analytics consent granted
- Facebook Pixel blocked until Advertising consent granted
- Intercom, Drift live chat blocked until Preferences/Functionality consent granted
- YouTube embeds blocked until appropriate consent
Implementation pattern:
<script type="text/plain" data-category="analytics">
  // Inert until the CMP rewrites type to text/javascript after the user
  // consents to the "analytics" category; the GA loader goes in here.
</script>
<script>
  // Google Consent Mode: declare every storage type denied before any tag fires.
  // The CMP later calls gtag('consent', 'update', {...}) with the user's choice.
  window.dataLayer = window.dataLayer || [];
  function gtag() { dataLayer.push(arguments); }
  gtag('consent', 'default', {
    'analytics_storage': 'denied',
    'ad_storage': 'denied',
    'wait_for_update': 500   // milliseconds tags wait for the CMP's update before proceeding
  });
</script>
Action: Audit every third-party integration on your site. Match each to the correct consent category and ensure it's blocked by default.
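To make the blocking rule concrete, here is an added example (not code from this guide, from Google, or from any CMP) of the gating logic that sits behind the pattern above, written as plain functions so it runs without a browser: scripts declare the category they need, nothing outside "essential" is released until that category is consented, the same state is translated into a Consent Mode update payload, and, per FAQ 7 below, a Do Not Track or Global Privacy Control signal pre-selects "deny all". The category names, script list and state field names are assumptions for the example; the Consent Mode storage types are the real ones.

```javascript
// Added example (not from the original guide or any CMP): prior-blocking consent gate.
const CATEGORIES = ["essential", "preferences", "analytics", "advertising", "social"];

// State before the user has chosen anything: only essential is on. A DNT header
// ("1") or a GPC signal does not change that state, it only records that the
// banner should pre-select "deny all" rather than leave the toggles neutral.
function defaultConsent(signals = {}) {
  return {
    categories: Object.fromEntries(CATEGORIES.map((c) => [c, c === "essential"])),
    presetByBrowserSignal: signals.dnt === "1" || signals.gpc === true,
  };
}

// Constructed list of gated scripts, mirroring <script type="text/plain" data-category="...">.
const GATED_SCRIPTS = [
  { id: "gtag", category: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  { id: "meta-pixel", category: "advertising", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "intercom", category: "preferences", src: "https://widget.intercom.io/widget/APP_ID" },
  { id: "yt-embed", category: "advertising", src: "https://www.youtube.com/embed/VIDEO_ID" },
];

// Which gated scripts may be released (type switched to text/javascript) under this state?
function scriptsToActivate(scripts, state) {
  return scripts.filter((s) => state.categories[s.category] === true).map((s) => s.id);
}

// Map category consent onto the gtag('consent', 'update', ...) payload.
function consentModeUpdate(state) {
  const flag = (c) => (state.categories[c] ? "granted" : "denied");
  return {
    analytics_storage: flag("analytics"),
    ad_storage: flag("advertising"),
    ad_user_data: flag("advertising"),
    ad_personalization: flag("advertising"),
    functionality_storage: flag("preferences"),
    personalization_storage: flag("preferences"),
    security_storage: "granted", // strictly necessary, never gated
  };
}

// Apply a banner choice. Unknown keys are ignored and essential cannot be switched off,
// so a tampered or buggy choice object can never widen consent beyond the known categories.
function applyChoice(state, choice) {
  const categories = { ...state.categories };
  for (const c of CATEGORIES) {
    if (c === "essential") continue;
    if (c in choice) categories[c] = choice[c] === true;
  }
  return { categories, presetByBrowserSignal: false };
}

// "Accept all" / "Reject all" produce the same shape as a granular choice.
function allCategories(value) {
  return Object.fromEntries(CATEGORIES.filter((c) => c !== "essential").map((c) => [c, value]));
}

// Browser wiring (returns 0 under Node): a <script type="text/plain"> tag does not run when
// its type attribute is edited in place, so consented tags are replaced by live copies.
function activateGatedTags(state, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let released = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (state.categories[el.dataset.category] !== true) continue;
    const live = doc.createElement("script");
    for (const { name, value } of el.attributes) if (name !== "type") live.setAttribute(name, value);
    live.type = "text/javascript";
    live.textContent = el.textContent;
    el.replaceWith(live);
    released++;
  }
  return released;
}

// Walk-through: nothing loads by default; analytics consent releases only gtag.
let state = defaultConsent({ gpc: true });
console.log("default:", scriptsToActivate(GATED_SCRIPTS, state), consentModeUpdate(state));
state = applyChoice(state, { analytics: true });
console.log("after analytics opt-in:", scriptsToActivate(GATED_SCRIPTS, state));
```

In a real page `applyChoice` runs when the banner is submitted, followed by `gtag('consent', 'update', consentModeUpdate(state))` and `activateGatedTags(state)`; withdrawing consent later is the same `applyChoice` with the category set to `false`, plus expiring the cookies that category set (step 7).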
6. Document Your Lawful Basis for Each Processing Activity
Even after obtaining cookie consent, you still need a GDPR lawful basis for personal data processing. Most analytics and advertising cookies rely on consent under both GDPR and ePrivacy.
Create a Record of Processing Activities (RoPA) documenting:
- Purpose of each data collection (analytics, advertising, personalization)
- Categories of personal data collected (IP address, browsing behavior, device ID)
- Lawful basis under GDPR (typically consent for analytics/advertising)
- Data retention periods
- Third-party recipients (Google, Facebook, etc.)
- International transfer mechanisms (SCCs, DPF)
Action: Maintain this RoPA and make it available to regulators on request.
7. Enable Easy Withdrawal of Consent
Users must be able to withdraw consent as easily as they gave it. This means:
- A clearly visible "Cookie Settings" or "Privacy Settings" link in your footer
- Clicking it re-opens the consent banner with same granular toggles
- No requirement to delete browser cookies or contact support to withdraw
- Withdrawal takes effect immediately and non-essential cookies/trackers are disabled
Action: Test your withdrawal flow end-to-end: consent → withdraw → verify trackers stop firing.
8. Honor "Do Not Sell" Signals (ePrivacy + GDPR Recital 32)
The ePrivacy Directive's consent standard aligns with the "opt-in" approach. Under the ePrivacy "right to object" to direct marketing, users can opt out of profiling for advertising at any time.
Additionally, if your SaaS targets California users, CCPA/CPRA's "Do Not Sell or Share" signal must be respected. Many CMPs integrate this opt-out mechanism.
Action: If applicable, ensure your privacy policy includes a "Do Not Sell" mechanism and honor Global Privacy Control (GPC) signals.
9. Implement a Transparent Cookie Policy
Your cookie policy must be accessible, specific, and up-to-date. Include:
- Table of all cookies with: name, provider, purpose, category, duration, data transferred
- Lawful basis for each (consent, legitimate interest)
- Third-party links to their own privacy policies
- Contact details for privacy questions
- Last updated date
Action: Keep this policy separate from your general privacy policy; don't bury cookie details in a 50-page privacy policy document.
10. Monitor and Re-consent Regularly
Consent isn't a one-time event. You must:
- Re-obtain consent at reasonable intervals (12 months is a common benchmark)
- Refresh consent when purposes change (e.g., adding a new analytics tool)
- Document consent version (what the user agreed to and when)
- Refresh cookie policy when trackers change
Action: Set a calendar reminder to review tracking technologies quarterly and re-consent annually.
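Steps 7 and 10 both come down to the consent record: withdrawal must be a recorded event that immediately disables what was consented, and re-consent must be triggered by age or by a change in purposes. The following is an added example (not code from this guide or from any CMP) of that record keeping, with the fields FAQ 8 below lists (timestamp, user id if known, consent version, selected categories). The version string, the 12-month limit as the expiry, and the cookie table are assumptions for the example.

```javascript
// Added example (not from the original guide or any CMP): append-only consent log,
// validity check, and withdrawal for steps 7 and 10.
const CONSENT_MAX_AGE_DAYS = 365;             // assumption: the guide's 12-month benchmark
const CURRENT_CONSENT_VERSION = "2026-04-v3"; // assumption: bump whenever purposes or trackers change
const NON_ESSENTIAL = ["preferences", "analytics", "advertising", "social"];

// Constructed cookie table: which cookies each category sets (names assumed for the example).
const COOKIE_TABLE = {
  analytics: [{ name: "_ga", domain: ".app.example.com" }, { name: "_ga_XXXX", domain: ".app.example.com" }],
  advertising: [{ name: "_fbp", domain: ".app.example.com" }],
  preferences: [{ name: "intercom-session", domain: ".app.example.com" }],
};

// Append one record. Earlier records are never modified: the log is the audit trail.
function recordConsent(log, { userId = null, categories, version = CURRENT_CONSENT_VERSION, at }) {
  const record = {
    id: log.length + 1,
    at: at.toISOString(),
    userId,
    version,
    categories: Object.freeze(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, categories[c] === true]))),
  };
  return [...log, Object.freeze(record)];
}

// The most recent record for a user (null userId = anonymous visitor keyed elsewhere).
function latestRecord(log, userId = null) {
  return [...log].reverse().find((r) => r.userId === userId) || null;
}

// Is this record still usable as evidence of consent right now?
function consentStatus(record, now, version = CURRENT_CONSENT_VERSION, maxAgeDays = CONSENT_MAX_AGE_DAYS) {
  if (!record) return "missing";
  if (record.version !== version) return "stale-version"; // purposes changed since consent: re-ask
  const ageDays = (now - new Date(record.at)) / 86400000;
  if (ageDays > maxAgeDays) return "expired";             // older than the re-consent interval
  return "valid";
}

// Withdrawal appends a record with every non-essential category off and returns the
// Set-Cookie headers that expire the trackers the previous record had allowed.
function withdrawConsent(log, { userId = null, at }) {
  const previous = latestRecord(log, userId);
  const next = recordConsent(log, { userId, categories: {}, at });
  const expireHeaders = [];
  if (previous) {
    for (const cat of NON_ESSENTIAL) {
      if (!previous.categories[cat]) continue;
      for (const c of COOKIE_TABLE[cat] || []) {
        expireHeaders.push(`${c.name}=; Domain=${c.domain}; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT`);
      }
    }
  }
  return { log: next, expireHeaders };
}

// Walk-through with constructed dates.
let consentLog = recordConsent([], {
  userId: "user-42",
  categories: { analytics: true, advertising: false },
  at: new Date("2026-04-01T10:00:00Z"),
});
console.log(consentStatus(latestRecord(consentLog, "user-42"), new Date("2026-09-01T00:00:00Z"))); // valid
const withdrawal = withdrawConsent(consentLog, { userId: "user-42", at: new Date("2026-05-01T00:00:00Z") });
console.log(withdrawal.expireHeaders);
```

Persist the log in a store that only allows appends (the in-memory `Object.freeze` here is a stand-in for that), and run `consentStatus` on every page load: "expired" and "stale-version" both mean the banner comes back, which is how the quarterly review and annual re-consent become mechanical rather than a calendar reminder someone has to remember.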
Consent Management Platforms: European Alternatives to OneTrust
For SaaS with EU users, using a European-headquartered CMP simplifies data protection clauses and ensures alignment with evolving EDPB guidance.
European CMP Options
Cookiebot (Denmark)
- EU-hosted: Yes (Denmark)
- Strengths: Simple setup, automatic cookie scanning, Transparent Data Processing Agreement (DPA) with SCCs
- Best for: Small to mid-market SaaS wanting EU data residency
- Pricing: Freemium tier up to 5000 visits/month; paid from ~€10/month
Usercentrics (Germany)
- EU-hosted: Yes (Germany)
- Strengths: Granular consent management, customizable UI, strong German privacy compliance pedigree
- Best for: German-market SaaS and B2B companies needing detailed consent logging
- Pricing: Custom quote (enterprise-focused)
Didomi (France)
- EU-hosted: Yes (France)
- Strengths: Strong UI/UX design, good for consumer-facing apps, centralized preference center
- Best for: Mobile apps and high-volume consumer SaaS
- Pricing: Freemium available; paid tiers scale with traffic
US-Based but EU-Acceptable
Some US CMPs (OneTrust, TrustArc) are widely used in Europe but store consent logs in the US. If you choose a US provider, ensure:
- They offer EU data residency options for consent logs
- They provide GDPR-compliant Data Processing Agreements
- They support SCCs and/or EU-US Data Privacy Framework for transfers
Frequently Asked Questions (FAQ)
1. Do I need consent for Google Analytics?
Yes. Google Analytics sets cookies to collect usage data. Even first-party GA cookies are analytics cookies that require prior informed consent under ePrivacy, unless you can demonstrate a legitimate interest that overrides users' privacy expectations, which is a high bar for marketing/analytics purposes.
Most European DPAs expect consent for analytics. The safest path: block GA until Analytics consent granted.
2. What about "legitimate interest" for analytics?
Legitimate interest can apply to analytics if:
- The processing is strictly necessary for a legitimate interest (e.g., security monitoring, fraud detection)
- The user's interests don't override your legitimate interest (marketing analytics typically fail this test)
- You've conducted a Legitimate Interests Assessment (LIA)
For standard website analytics for business improvement, consent is strongly recommended. The EDPB's "Opinion 6/2014 on legitimate interest" suggests users don't expect websites to analyze their behavior without consent.
3. Does the "cookie wall" (blocking site access without consent) violate ePrivacy?
Yes. Cookie walls (you must accept tracking to access the site) are illegal under ePrivacy and GDPR. The EDPB's "Guidelines 5/2020 on consent" clearly states consent must be "freely given"; blocking access unless consent is given is not freely given.
You may block non-essential features (e.g., video playback without consent for YouTube cookies), but core site content must remain accessible.
4. What about server-side tracking? Does it avoid cookie consent?
No. The ePrivacy Directive covers "access to information stored on terminal equipment" or "storage of information". If server-side tracking accesses device characteristics (IP address, screen size, browser fingerprint) to create a profile, it still constitutes tracking requiring consent.
Server-side Google Analytics doesn't place cookies on the user's browser, but it still collects device IP and behavior data. The ePrivacy rules on "access to information" may still apply depending on the technical implementation. Consult a qualified EU privacy lawyer for your specific setup.
5. Do I need consent for embedded YouTube videos?
Yes. YouTube sets advertising and analytics cookies when embedded. Under ePrivacy, these are non-essential cookies requiring consent.
Implementation options:
- Require consent: block YouTube until "Marketing/Advertising" consent is granted
- Use a privacy-friendly alternative: upload video to a privacy-focused host (Vimeo with privacy mode, PeerTube self-hosted)
- Use a placeholder with clear notice: show the video thumbnail with "click to load" requiring explicit user action; some DPAs accept this as implied consent for that specific action
6. Are IP addresses personal data under GDPR?
Yes. An IP address is personal data if it can identify an individual (which it can, typically via ISP records). Under GDPR, collecting IP addresses (e.g., for analytics, fraud prevention) requires a lawful basis.
For analytics collecting IP, consent is safest. Some analytics tools offer IP anonymization (remove last octet) to reduce identifiability; implement this as an optional supplemental measure.
7. What about browser "Do Not Track" (DNT) signals?
The ePrivacy Directive does not legally require sites to honor DNT headers. However, under GDPR's accountability principle, you should have a clear policy and respect DNT if you rely on legitimate interest for marketing. If relying on consent, DNT doesn't override user choice.
Best practice: Implement a DNT-aware CMP that pre-selects "deny all" for users with DNT enabled.
8. How long must I store consent records?
There's no fixed period, but you must be able to demonstrate valid consent at the time of processing. A minimum of 3 years is a practical standard, aligning with typical audit retention windows and providing a defensible record if challenged.
Store consent logs in an immutable, access-controlled format. Include timestamp, user ID (if logged in), consent version, and selected categories.
9. Do I need consent for email newsletters?
No: ePrivacy's consent requirement is for storing/accessing information on a user's device (cookies). Email marketing falls under different rules:
- GDPR: Require opt-in consent to send marketing emails (soft opt-in may apply for existing customers)
- ePrivacy (Article 13): Requires prior consent for unsolicited direct marketing by email, regardless of cookie consent
So: you need separate email opt-in consent when collecting newsletter signups; this is unrelated to cookie consent but equally important.
10. What about A/B testing tools (Optimizely, VWO)?
A/B testing typically sets cookies to assign users to variants and track behavior. These are analytics/functional cookies requiring consent.
Block A/B testing scripts until the user consents to Analytics or Functionality cookies, depending on your categorization.
Regional Variations Within Europe
While the ePrivacy Directive is EU-wide, national implementations vary:
| Country | Key Specifics |
|---|---|
| Germany | Strictest interpretation; German DPA (BfDI) expects granular consent, rejects "legitimate interest" for most cookies |
| France | CNIL requires "Explain, Choose, Refuse" triad; consent must be as easy to refuse as accept |
| Italy | Garante emphasises cookie banners must not obscure content; 6-month consent validity maximum |
| UK | Post-Brexit PECR mirrors ePrivacy; ICO provides detailed cookie guidance |
| Netherlands | ACM emphasizes clear affirmative action; rejects implied consent |
If you operate across multiple EU countries, implement the strictest standard (typically German/CNIL approach) to cover all bases.
Comparison: Top European Consent Management Platforms
For SaaS targeting EU businesses, selecting a CMP with strong EU data residency and transparent compliance features reduces legal risk.
| | Cookiebot | Usercentrics | Didomi |
|---|---|---|---|
| HQ | Denmark (EU) | Germany (EU) | France (EU) |
| EU Data Hosting | ✅ Yes | ✅ Yes | ✅ Yes |
| Auto-Blocking | ✅ Yes | ✅ Yes | ✅ Yes |
| Granular Categories | ✅ Yes | ✅ Yes | ✅ Yes |
| Consent Logging | ✅ Yes | ✅ Yes | ✅ Yes |
| Mobile App Support | ✅ Yes | ✅ Yes | ✅ Yes |
| Freemium Tier | ✅ Up to 5k visits | ❌ No | ✅ Up to 10k monthly users |
| Best For | Small to mid SaaS, EU-focused | German market, compliance-heavy | Consumer apps, mobile-first |
Our top pick for most European SaaS: Cookiebot, for its straightforward setup, EU hosting, and generous freemium tier. For enterprise-scale operations, Usercentrics provides deeper configurability and logging. For consumer mobile apps, Didomi excels.
Implementation Roadmap: From Zero to ePrivacy Compliant
Week 1: Audit & Planning
- Day 1-2: Complete cookie inventory using a scanner (Cookiebot's free scan or manual DevTools check)
- Day 3: Categorise every tracker by purpose (essential / preferences / analytics / advertising)
- Day 4: Choose and integrate a CMP (Cookiebot recommended for fast setup)
- Day 5: Configure blocking rules and consent categories; draft updated cookie policy
Week 2: Configuration & Testing
- Day 1-2: Implement prior-blocking tags (Google Consent Mode, Meta Conversions API with Limited Data Use)
- Day 3: Build/update cookie policy table with all tracker details (purpose, provider, retention)
- Day 4: Design consent banner UX (test for clarity and ease of refusal)
- Day 5: Test across browsers (Chrome, Safari, Firefox, Brave with default settings) and mobile
Week 3: Documentation & Launch
- Day 1: Configure consent logging storage (prefer EU database if available)
- Day 2: Document RoPA and LIA in your GDPR compliance docs
- Day 3: Deploy to staging; run end-to-end tests (consent → withdrawal → tracker blocking)
- Day 4: Launch on production with monitoring
- Day 5: Set calendar reminders for quarterly review and annual re-consent
Ongoing:
- Monitor CMP dashboard for consent rates and category opt-ins
- When adding new third-party tools (e.g., new analytics or ads), update cookie inventory and CMP configuration immediately
- Re-consent all users every 12 months
What If I Don't Comply?
Enforcement varies by country but penalties are real:
- France (CNIL): Fines up to €20M for cookie consent violations
- Germany (BfDI): Strict enforcement; cookie walls deemed illegal
- Italy (Garante): Frequent audits; imposed fines for improper Google Analytics usage
- Ireland (DPC): Large fines under GDPR for tracking violations when combined with data transfer issues
Recent enforcement examples:
- Google Analytics bans in France/Austria for data transfer issues (separate but related concern)
- Meta behavioral advertising fines for lack of valid legal basis (EDPB coordinated)
- Cookie banner fines in France (Google €50M, partially related to consent practices)
Risk profile: While isolated ePrivacy cookie fines are typically lower than major GDPR fines (< €2M), cumulative violations across member states plus GDPR linkage create substantial exposure.
Looking Beyond ePrivacy: Related EU Compliance Topics
If you found this guide useful, consider these related compliance areas:
- GDPR-compliant analytics: EU-hosted web analytics alternatives to Google Analytics (Matomo, Plausible, Umami)
- Data residency requirements: understanding SCCs, DPF, and Schrems II
- EU AI Act compliance for SaaS: how cookie consent, tracking governance, and model documentation connect when AI features personalize or automate user-facing workflows
- Best European cloud hosting: EU-hosted infrastructure for data residency
- PSD2 compliance for payment SaaS: upcoming guide on payment services regulations (subscribe for updates)
Summary: ePrivacy Compliance Quick Reference
✅ Prior blocking: Block all non-essential cookies until consent
✅ Granular opt-in: Separate toggles for Analytics, Advertising, Functional cookies
✅ Clear language: No legalese; explain purposes plainly
✅ Easy withdrawal: "Cookie Settings" link always available
✅ Consent logging: Store records (who, when, what)
✅ Regular review: Quarterly checks; annual re-consent
✅ Cookie policy: Detailed, specific, and maintainable
❌ No pre-ticked boxes
❌ No cookie walls that block core content
❌ No implied consent ("by browsing")
❌ No bundling (can't force all-or-nothing)
❌ No expired consent without renewal
Need Help with Your SaaS Compliance?
Navigating EU regulations is complex. Start with a Cookiebot scan of your site to see what trackers you have. Then work through the checklist above methodically.
Next steps: If you haven't already, also ensure your broader GDPR program covers:
- Data protection officer (if required)
- Data subject request procedures
- Privacy policy updates
- International data transfer mechanisms (SCCs, DPF)
- Vendor due diligence and DPAs
For other compliance questions, browse our complete guide to European SaaS legal requirements or reach out to a qualified EU privacy lawyer.
This guide was last updated April 2026. Regulations change; confirm with legal counsel.

