
What is the ePrivacy Directive?

The ePrivacy Directive (often called the "Cookie Law") is the EU framework governing confidentiality of electronic communications and the storage of data on user equipment. For scraping pipelines, it dictates how you handle cookies, local storage, and device fingerprinting when interacting with EU-hosted targets. If your scraper drops or reads non-essential cookies without consent, or uses passive fingerprinting to track sessions across domains, you are operating outside the directive's compliance bounds.

Compliance · Cookie Law · EU Regulation · Fingerprinting · Consent
// 02 — definitions

Consent before storage.

The legal boundary separating essential session state from trackable client identity, and why your scraper's cookie jar matters.


TL;DR

The ePrivacy Directive requires explicit user consent before storing or accessing information on a user's device, unless strictly necessary for the service. In scraping, this means dropping analytics cookies, executing third-party tracking scripts, or generating persistent device fingerprints on EU targets without consent creates compliance liability.

01 Definition & scope
The ePrivacy Directive (2002/58/EC, amended 2009/136/EC) is an EU directive that specifically targets the confidentiality of electronic communications. Its most famous provision, Article 5(3), requires prior informed consent before any information is stored on or accessed from a user's terminal equipment. This covers HTTP cookies, HTML5 local storage, IndexedDB, and passive browser fingerprinting.
02 How it impacts scraping
For web scrapers, ePrivacy manifests primarily as cookie consent banners and tracking scripts. When a headless browser visits an EU site, it is immediately served a consent management platform (CMP) overlay. If the scraper blindly accepts all cookies, it ingests tracking payloads that pollute the session and violate the directive's intent. If it ignores the banner, the DOM may remain obscured, breaking extraction selectors.
03 The "Strictly Necessary" exemption
Not all cookies require consent. The directive exempts storage that is "strictly necessary" to provide an information society service explicitly requested by the user. For a scraper, this means you can legally retain load-balancing cookies (like AWS ALB tokens), authentication session IDs, and security cookies (like Cloudflare's __cf_bm) without triggering compliance violations.
04 How DataFlirt handles it
We operate a zero-toxic-state policy. Our network layer intercepts all Set-Cookie headers and drops anything not explicitly whitelisted as strictly necessary. We block third-party tracking domains at the proxy level, ensuring our headless fleets never execute analytics payloads. Consent banners are removed from the DOM via CSS injection or network blocking, allowing clean extraction without legally compromising "Accept All" clicks.
05 ePrivacy vs GDPR
While often conflated, they are distinct. GDPR protects personal data (names, emails, IPs). ePrivacy protects the device and the communication channel. You can violate ePrivacy without ever touching personal data — simply dropping an anonymous analytics cookie on a device without consent is an ePrivacy breach, even if no GDPR-defined personal data is processed.
// 03 — compliance logic

Evaluating cookie necessity.

DataFlirt's network layer evaluates inbound cookies against ePrivacy exemptions before allowing them into the scraper's session state.

Consent Requirement: C = storage_event AND NOT strictly_necessary
If C is true, explicit user consent is required before execution. (Source: ePrivacy Directive Art. 5(3))

Essential Exemption: E = auth_token OR load_balancer_id OR cart_state
Exempt from prior consent. Scrapers can safely retain these. (Source: EDPB Guidelines)

Fingerprint Liability: L = passive_signals × cross_domain_persistence
ePrivacy covers passive fingerprinting just as strictly as active cookies. (Source: EU Legal Precedent)
// 04 — network interception

Filtering trackers at the edge.

A live trace of a DataFlirt worker intercepting a response from an EU e-commerce target, stripping non-essential cookies to maintain ePrivacy compliance.

EU target · cookie stripping · consent bypass
edge.dataflirt.io — live
CAPTURED
// inbound HTTP response
status: 200 OK
set-cookie: session_id=98a7...; HttpOnly; Secure // essential
set-cookie: _ga=GA1.2...; Domain=.target.eu // analytics
set-cookie: fbp=29b...; Domain=.target.eu // tracking

// ePrivacy filter evaluation
eval.session_id: strictly_necessary -> ALLOW
eval._ga: requires_consent -> DROP
eval.fbp: requires_consent -> DROP

// DOM execution
script.block: "https://www.google-analytics.com/analytics.js"
script.block: "https://connect.facebook.net/en_US/fbevents.js"

// consent banner handling
dom.element: div#onetrust-consent-sdk -> REMOVED
pipeline.status: compliant_extraction_ready
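
The default-deny Set-Cookie filter and tracker-host check described above, as an added example (not DataFlirt's code). The allowlist contents, the sample header values and all function names are assumptions made for illustration; only the cookie names and script URLs come from the trace.

```python
from urllib.parse import urlsplit

# Assumed allowlist of strictly necessary cookie names (illustrative policy).
# __cf_bm is named on this page; AWSALB is the AWS ALB stickiness cookie;
# session_id is the session cookie from the trace above.
ESSENTIAL_NAMES = {"session_id", "AWSALB", "__cf_bm"}

# Tracker hosts taken from the two script URLs blocked in the trace above.
TRACKER_HOSTS = {"google-analytics.com", "connect.facebook.net"}

# Constructed sample: cookie names from the trace, values made up.
SAMPLE = [
    "session_id=constructed-1; HttpOnly; Secure",
    "_ga=constructed-2; Domain=.target.eu",
    "fbp=constructed-3; Domain=.target.eu",
    "malformed-no-equals",
]


def cookie_name(set_cookie_value):
    """Return the cookie name from one Set-Cookie value, or None if malformed."""
    pair = set_cookie_value.split(";", 1)[0]
    name, sep, _ = pair.partition("=")
    name = name.strip()
    return name if sep and name else None


def filter_set_cookie(values):
    """Split Set-Cookie values into (allowed, dropped). Default is DROP:
    anything not on the allowlist, including malformed headers, is discarded."""
    allowed, dropped = [], []
    for value in values:
        target = allowed if cookie_name(value) in ESSENTIAL_NAMES else dropped
        target.append(value)
    return allowed, dropped


def is_tracker(url):
    """True if the URL host is a listed tracker host or a subdomain of one.
    Matching on a dot boundary avoids blocking look-alike registrable names."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in TRACKER_HOSTS)


if __name__ == "__main__":
    allowed, dropped = filter_set_cookie(SAMPLE)
    for value in allowed:
        print("ALLOW", cookie_name(value))
    for value in dropped:
        print("DROP ", cookie_name(value))
```

Allowlisting by cookie name is a policy choice: whether a given name is strictly necessary has to be reviewed per target, since the same name can carry different purposes on different sites.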
// 05 — compliance risks

Where scrapers breach ePrivacy.

The most common ways naive scraping pipelines violate the ePrivacy Directive when interacting with EU infrastructure.

PIPELINES AUDITED: 1,200+
JURISDICTION: EU/EEA
UPDATED: 2026-05-19
01 Accepting all cookies blindly
default behavior · Standard HTTP clients store everything

02 Executing third-party trackers
headless risk · Browsers running all page scripts

03 Persistent device fingerprinting
tracking risk · Using canvas/WebGL across sessions

04 Bypassing consent for PII
legal risk · Clicking 'Accept' to reach gated data

05 Storing local storage tokens
storage risk · Retaining non-essential JWTs
// 06 — our architecture

Clean sessions, no toxic state.

DataFlirt enforces ePrivacy compliance at the network layer. Our proxy gateways automatically strip non-essential cookies and block known tracking domains before the response ever reaches the browser context. We don't click 'Accept All' on consent banners — we block the banner from rendering and operate strictly within the essential session state. This keeps your pipeline legally insulated and reduces bandwidth overhead by up to 40%.

Session State Filter

Real-time cookie and script filtering for an EU-targeted extraction job.

target.jurisdiction: EU (Germany)
cookies.received: 14
cookies.dropped: 11 · non-essential
cookies.retained: 3 · session/auth
scripts.blocked: 22 · trackers/ads
consent_banner: removed from DOM
compliance.status: ePrivacy aligned

// 07 — FAQ

Common questions.

Common questions about ePrivacy, cookie banners, fingerprinting, and how DataFlirt navigates EU compliance.

Does ePrivacy apply if I'm just scraping public data?
Yes. ePrivacy regulates the interaction with the user's device (or in this case, your scraper's interaction with the target server's storage mechanisms), regardless of whether the data extracted is public or personal. If you store non-essential cookies, you need consent.
Can my scraper just click 'Accept All' on the cookie banner?
Technically yes, but legally it's risky. By clicking 'Accept', you are consenting to tracking on behalf of an automated agent, which complicates your data processing agreement. It is safer and faster to block the banner and reject non-essential cookies entirely.
How is ePrivacy different from GDPR?
GDPR governs the processing of personal data. The ePrivacy Directive governs the confidentiality of communications and the storage of information on a device (cookies, trackers), even if that information isn't strictly personal data.
Does ePrivacy cover browser fingerprinting?
Yes. The revised interpretations of the directive explicitly state that passive tracking techniques like canvas fingerprinting or WebGL hashing fall under the same consent requirements as cookies.
How does DataFlirt handle consent walls that block content?
If a site uses a hard consent wall where content is inaccessible without accepting cookies, we evaluate the target. Often, the content is available in the initial HTML payload before the JavaScript wall renders. We extract from the raw response, bypassing the need to interact with the consent mechanism.
Do I need to worry about ePrivacy if my company is based in the US?
If you are scraping targets hosted in the EU, or extracting data about EU citizens that involves interacting with EU infrastructure, the directive applies due to its extraterritorial scope.