
ePrivacy AI compliance for electronic communications

Last updated: 8 April 2026 · 8 min read · Reviewed by Audact compliance team · Directive 2002/58/EC

The ePrivacy Directive governs the act of sending electronic communications. It applies to every AI-generated outbound message — email, SMS, WhatsApp, or voice call — regardless of whether a human or AI composed it.

What is the ePrivacy Directive?

The ePrivacy Directive (2002/58/EC) is the EU's primary law governing electronic communications privacy. It is lex specialis to the GDPR — where ePrivacy has a specific rule, it takes precedence over GDPR.

Practically: ePrivacy governs sending the communication and accessing the device. GDPR governs the subsequent processing of personal data collected. They require separate compliance — GDPR consent does not automatically satisfy ePrivacy requirements, and vice versa.

ePrivacy Directive vs ePrivacy Regulation: what changes for AI

The 2002 Directive (as amended in 2009) is a legal instrument transposed differently in each Member State, which is why German TDDDG, Dutch Telecommunicatiewet and UK PECR all look superficially similar but diverge in detail. The proposed ePrivacy Regulation would have replaced the patchwork with a single directly applicable text, tightening rules on cookies, machine-to-machine traffic and metadata processing. After eight years of deadlock the Commission formally withdrew the file on 11 February 2025.

For AI deployers the practical consequence is that nothing changes immediately: the Directive remains in force, and the same opt-in-driven regime continues to apply to outbound AI messaging. But the Digital Omnibus Package proposed in November 2025 contains targeted ePrivacy amendments — notably around cookie consent fatigue and legitimate-interest grounds for analytics — that are likely to land in 2027. AI vendors should design their consent capture today so that the legal basis can be re-mapped without re-collecting consent.

Key articles for AI deployers

Article 13 — Unsolicited communications

Requires prior opt-in consent before sending direct marketing via automated calling systems, email, SMS, fax, or any electronic messaging. This is technology-neutral: an AI sending a marketing email is treated identically to a human sending one.

  • AI chatbot initiating a WhatsApp message → consent required
  • AI sending marketing emails → consent required
  • AI-generated SMS campaigns → consent required
  • Outbound AI voice calls → consent required

Article 13(2) — Soft opt-in exception

An exception allowing marketing without fresh consent if: (a) the email address was obtained in the context of a sale or service, (b) marketing is for similar products/services, and (c) an easy opt-out is provided at collection and in every message.

Article 5(3) — Cookies and device access

Requires consent before storing or accessing information on a user's terminal equipment. For AI chatbots, this applies when the chatbot places tracking cookies — not to the conversation itself.

Cookie consent and AI tracking under ePrivacy

Article 5(3) is technology-neutral: it applies to any storage of, or access to, information on a user's terminal equipment. That covers classic HTTP cookies, but also browser local storage, fingerprinting libraries and the SDKs that AI personalisation engines embed in websites and mobile apps. If the data is later fed into a recommendation model or a behavioural-targeting AI, the legal basis for the initial read or write must still be valid GDPR-grade consent — captured before the script fires. CNIL, the Garante and the Dutch AP have all confirmed that "reject all" must be as easy as "accept all".

For AI voice or chat agents the cookie question is usually limited to the surrounding web property — but AI-powered web push, in-app messaging and on-device speech models trigger 5(3) the moment they cache state. Audact treats every consent decision as an auditable event, which lets customers prove cookie validity even when the front-end stack changes.

B2B exemptions under ePrivacy for AI communications

B2B treatment is the most fragmented part of ePrivacy. The Directive permits Member States to allow direct marketing to legal persons on an opt-out basis, but does not require it. The UK's PECR exempts corporate subscribers from the strict opt-in for live calls and faxes (but not for SMS or email to individual employees). France similarly allows opt-out marketing to professional addresses provided the message relates to the recipient's job. Germany takes the opposite stance: §7 UWG requires prior express consent even for B2B email, with very narrow exceptions.

For AI outbound systems the operational rule is simple: a single global "B2B exemption" flag is non-compliant by design. The policy engine must resolve the recipient's country, the channel and the nature of the message before each send, and log that decision for the regulator. Audact ships these per-jurisdiction rules out of the box.

B2B vs B2C

B2C always requires opt-in. B2B treatment varies by Member State: some (e.g., UK, France) allow contacting corporate email addresses on an opt-out basis for business-related products. Others (e.g., Germany) apply stricter rules. Audact's Policy Engine handles these per-country differences automatically.

Enforcement & penalties

Enforced by national authorities (typically Data Protection Authorities). Since ePrivacy is a Directive — not a Regulation — fines vary by Member State:

  • Germany (TDDDG): Up to €300,000
  • UK (PECR): Fines under PECR, with higher penalties possible where breaches overlap with GDPR
  • Netherlands: Dutch DPA warned 50 organisations in April 2025 over cookie violations
  • France (CNIL): Strict enforcement: cookies must be blocked before consent, and dark patterns are prohibited

The EDPB has confirmed that ePrivacy violations can be factored into GDPR fines where the same authority enforces both.

ePrivacy Regulation — what happened?

The standalone ePrivacy Regulation was formally withdrawn by the European Commission on 11 February 2025 after years of failed negotiations. Instead, targeted ePrivacy amendments are now part of the Digital Omnibus Package (proposed November 2025), currently under negotiation with political agreement expected late 2026.

How Audact helps

  • Consent verification: Policy Engine validates opt-in status before any outbound AI communication is sent
  • Per-country rules: Jurisdiction-specific consent and opt-out requirements enforced automatically
  • Evidence logging: Every consent check is logged with cryptographic evidence for regulator audits
  • Soft opt-in validation: Automatic verification that Article 13(2) conditions are met before allowing communications

Frequently asked questions

Does ePrivacy apply to AI-generated messages?

Yes. ePrivacy is technology-neutral — an AI sending a marketing email, SMS, or WhatsApp message is treated identically to a human sending one.

Does GDPR consent satisfy ePrivacy?

No. ePrivacy is lex specialis and requires separate compliance. GDPR consent does not automatically satisfy ePrivacy's prior opt-in requirement.

What about B2B outbound?

B2C always requires opt-in. B2B rules vary by Member State — some allow opt-out for corporate addresses, others (e.g. Germany) apply stricter rules.

Is the ePrivacy Regulation coming?

The standalone Regulation was withdrawn in February 2025. Targeted ePrivacy amendments are now part of the Digital Omnibus Package under negotiation.

Compare EU AI compliance laws

Law | Deadline | Who | Penalty
EU AI Act Art. 50 | 2 Aug 2026 | All AI deployers in EU | €7.5M / 1.5% turnover
NL Telecomwet | 1 Jul 2026 | Outbound marketing to NL consumers | €900k / 10% turnover
GDPR | In force | Any processor of EU personal data | €20M / 4% turnover
DSA | In force (Feb 2024) | Intermediaries & VLOPs | 6% global turnover
ePrivacy | In force | Senders of electronic communications | Varies by Member State


Disclaimer: This page is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific compliance obligations.