What is the ePrivacy Directive (and how does it relate to GDPR)?

The ePrivacy Directive (Directive 2002/58/EC, revised 2009/136/EC) is an EU directive specifically regulating electronic communications — alongside and on top of GDPR. Dutch implementation: Telecommunications Act (Tw) Art. 11.7 (marketing) + 11.7a (cookies + similar technologies). What does ePrivacy regulate? (1) Cookies and local storage (Tw 11.7a) — consent required for non-functional cookies. Stricter than GDPR because it separately regulates the placement, not just processing. (2) Email and SMS marketing (Tw 11.7) — opt-in mandatory at first contact. Exception: existing customer relationship + similar product + opt-out in every expression. (3) Telephone cold calls (Tw 11.7) — since abolition of Dutch Do-Not-Call register opt-in is the standard. Automatic dialler never without prior consent. (4) Location data from mobile devices — only with consent. (5) Confidentiality of communications — prohibition on intercepting, storing, or analysing content without consent. Relation to GDPR: ePrivacy is lex specialis — it wins over GDPR on specific topics. For other elements GDPR continues to apply. Example: a cookie banner — ePrivacy says "consent for placement", GDPR says "lawful basis for the processing that follows". Businesses must comply with both. Fines: Tw violations can lead to ACM fines (typically up to €900,000/violation) AND AP fine (GDPR tier, up to €20m / 4%) if personal data is also involved. ePrivacy Regulation? Since 2017 the EU has been negotiating a successor (e-Privacy Regulation) — expected 2026-2027 to enter force. Then replaces the current directive with stronger protection.