
Regulation Guide

ePrivacy Directive

Directive 2002/58/EC governs privacy in electronic communications across the EU. It complements the GDPR with specific rules on tracking, cookies, and consent — and has direct consequences for how email marketers collect engagement data.

What is the ePrivacy Directive?

Directive 2002/58/EC — commonly known as the ePrivacy Directive or the “cookie law” — is a piece of EU legislation that establishes privacy rules specifically for electronic communications. It was adopted in 2002 and updated by Directive 2009/136/EC (the “Cookie Directive”) to require prior informed consent before storing or accessing information on a user's device.

While it earned the nickname “cookie law” for its impact on website cookies, the scope is far broader. It covers all forms of electronic communications, including email, SMS, and instant messaging — meaning its consent and transparency obligations extend well into your email programme.

Key relationship to GDPR

The ePrivacy Directive operates as lex specialis to the GDPR: where both apply, the ePrivacy rules take precedence. This means a lawful basis under GDPR is a necessary but not sufficient condition — you must also satisfy the ePrivacy consent requirement separately.

Article 5(3) and tracking pixels

Article 5(3) of the Directive is the provision most directly relevant to email tracking. It states that storing information, or gaining access to information already stored, on the terminal equipment of a subscriber or user is only allowed if the user has given prior consent.

A tracking pixel — a 1×1 transparent image embedded in an email — works by triggering an HTTP request to a remote server the moment the email is opened. That request reveals the recipient's IP address, approximate location, device type, email client, and the timestamp of the open. This constitutes “accessing information stored on a user's device” within the meaning of Article 5(3).

What Article 5(3) captures

  • Invisible 1×1 tracking images (web beacons)
  • Externally hosted images that log requests on load
  • Click-tracking redirects that record link interactions
  • Any resource that fingerprints the recipient at open time

The two narrow exceptions — strictly necessary technical storage and communications service provision — do not cover marketing analytics. There is no “legitimate interests” equivalent in Article 5(3): only consent suffices.

How it affects email marketing

Most email marketing platforms embed tracking mechanisms by default. Senders are often unaware that enabling “open tracking” or “click tracking” in their ESP triggers Article 5(3) obligations.

Open tracking

Inserting a hidden pixel to record when the email is opened. Each open event collects device data without the recipient taking any deliberate action.

Click tracking

Rewriting links to pass through a tracking domain (e.g. click.mailchimp.com) before redirecting to the final URL. The intermediary request logs the click, IP, and device.

Web beacons

Functionally equivalent to tracking pixels. Any externally loaded asset that uniquely identifies the recipient at load time falls under the same rules.

The consequence is that a recipient who has consented to receive your newsletter under GDPR has not automatically consented to being tracked within it. These are two separate consent decisions — marketing consent and tracking consent — and both must be obtained before you can lawfully profile engagement.

What MailRadar checks

MailRadar analyses the raw email source for the following ePrivacy-relevant signals:

  • Tracking pixel detection

    Identifies 1×1 images and known beacon patterns from providers such as Mailchimp, SendGrid, HubSpot, Klaviyo, Campaign Monitor, ActiveCampaign, and others.

  • Click redirect detection

    Flags links that pass through known tracking domains before reaching the destination URL, indicating click data collection.

  • Consent mechanism presence

    Checks whether the email includes a visible unsubscribe link or other indication that consent and preference management is in place.

  • Externally loaded assets

    Inspects HTML for off-domain resources that could fingerprint the recipient at open time, even when not from a recognised tracking vendor.
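The four checks above can be approximated over an email's HTML part with the Python standard library. This is an added example, not MailRadar's own code: the domain list, the sender domain `shop.example`, the "unsubscribe in the link URL" heuristic, and the sample body are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative list; track.esp.example is a constructed placeholder.
TRACKING_DOMAINS = {"click.mailchimp.com", "track.esp.example"}

def host_of(url):
    return (urlparse(url).hostname or "").lower()  # cid:/data: URLs give ""

def is_one_px(value):
    return (value or "").strip().lower() in ("1", "1px")

class TrackerAudit(HTMLParser):
    def __init__(self, sender_domain):
        super().__init__()
        self.sender = sender_domain.lower()
        self.findings = []            # (kind, url) in document order
        self.has_unsubscribe = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        host = host_of(url or "")
        if not host:
            return                    # embedded or non-remote: no request at open time
        if tag == "img":
            if is_one_px(a.get("width")) and is_one_px(a.get("height")):
                self.findings.append(("tracking_pixel", url))
            elif not (host == self.sender or host.endswith("." + self.sender)):
                self.findings.append(("external_asset", url))
        else:
            if host in TRACKING_DOMAINS:
                self.findings.append(("click_redirect", url))
            if "unsubscribe" in url.lower():
                self.has_unsubscribe = True

def audit(html, sender_domain):
    parser = TrackerAudit(sender_domain)
    parser.feed(html)
    return {"findings": parser.findings, "has_unsubscribe": parser.has_unsubscribe}

# Constructed sample body (not a real campaign); sender domain is shop.example.
SAMPLE_HTML = """
<img src="https://news.shop.example/logo.png" width="200" height="50">
<img src="https://cdn.thirdparty.example/banner.png" width="600" height="120">
<a href="https://click.mailchimp.com/constructed-path?u=abc">Offer</a>
<a href="https://shop.example/unsubscribe?c=42">Unsubscribe</a>
<img src="https://track.esp.example/open.gif?rid=42" width="1" height="1">
"""
```

Calling `audit(SAMPLE_HTML, "shop.example")` reports the third-party banner, the click redirect and the 1×1 pixel, and leaves the sender's own logo unflagged. A 1×1 image is reported even when self-hosted, since hosting it yourself does not change what it records.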

The upcoming ePrivacy Regulation

The European Commission has been working on an ePrivacy Regulation — a binding EU Regulation that would replace the Directive entirely. Unlike a directive, a regulation applies directly in all member states without requiring national transposition, which would eliminate the current patchwork of national implementations.

Negotiations have been ongoing since 2017. The current draft is expected to be stricter than the Directive: it would extend coverage to over-the-top communication services (WhatsApp, Signal, etc.), tighten consent standards, and introduce penalties aligned with GDPR — up to €20 million or 4% of global annual turnover.

Practical implication

Implementing proper tracking consent now — under the existing Directive — also prepares you for the stricter Regulation. Organisations that already obtain granular consent and offer tracking-free alternatives will face the smallest compliance delta when the Regulation enters into force.

How to comply

Compliance with Article 5(3) in an email context requires action at the point of consent collection, within the email itself, and in how you configure your ESP.

1. Obtain separate consent for tracking

Add a distinct, unticked checkbox to your sign-up flow: "I agree to having my email opens and clicks tracked for analytics purposes." This consent must be freely given, specific, informed, and unambiguous — separate from the consent to receive communications.

2. Offer a tracking-free alternative

Allow subscribers to opt out of tracking while remaining subscribed. Most ESPs support suppressing tracking per contact; honour this preference in your sending configuration.

3. Document and honour consent

Record the timestamp and source of tracking consent alongside marketing consent. Ensure your ESP configuration only enables tracking pixels and click redirects for contacts who have provided it.

4. Review third-party content in emails

Audit any externally hosted images, fonts, or other assets embedded in your templates. If they load from a domain that could log recipient data, either self-host the asset or obtain tracking consent.
