On 13 November 2025, the Court of Justice of the European Union (hereinafter: the Court) delivered its judgment in the case of Inteligo Media/ANSPDCP. The Court ruled that the GDPR may not impose additional obligations where processing already falls within the scope of the ePrivacy Directive. My colleague previously addressed in this blog three difficulties in email marketing.[1]In this blog, I focus on the final difficulty: the interplay between the GDPR and the ePrivacy Directive. This is particularly relevant for direct marketing to existing customers: provided you comply with the ePrivacy Directive, the same processing need not also be assessed against Article 6 of the GDPR. Whilst this sounds like a simplification, it also raises new questions regarding, for example, cookies and other similar technologies. Below, we analyse the Court's reasoning and the potential implications for practice.
General 'Exception' of the GDPR to the ePrivacy Directive
The relationship between the GDPR and the ePrivacy Directive is governed by Article 95 GDPR. The ePrivacy Directive concerns the processing of personal data and the protection of privacy within the electronic communications sector.[2].In this context, the ePrivacy Directive acts as lex specialis in relation to the GDPR, which functions as the general framework, or lex generalis. This means that the rules of the ePrivacy Directive take precedence where they apply, unless the GDPR expressly provides otherwise.
In the Inteligo Media judgment, the Court demonstrates how this system operates. The essence: where the ePrivacy Directive already imposes specific obligations, the GDPR may not impose additional requirements on processing within publicly available electronic communications networks.[3]
No GDPR Legal Basis Required for Direct Marketing to Existing Customers
The Court makes clear that Article 13(2) of the ePrivacy Directive[4] exhaustively governs the conditions under which personal data may be processed in the context of electronic direct marketing. That provision already contains the relevant conditions and purposes of the processing and thereby imposes specific obligations on the controller within the meaning of Article 95 GDPR. This means that processing falling within the scope of Article 13(2) need not be separately assessed against Article 6(1) GDPR.[5].
The practical significance of this is considerable. The Court appears to confirm that the soft opt-in under Article 13(2) of the ePrivacy Directive can independently provide a legal basis for direct marketing. For sending such communications, a separate reliance on the legitimate interest under Article 6 GDPR is therefore no longer required, nor is a separate legitimate interests’ assessment. Given that the lex specialis already exhaustively governs the conditions for processing personal data in this context, no further GDPR legal basis is needed.
What About Cookies and Other Technologies?
Whether the reasoning in Inteligo Media also applies to cookies and similar technologies[6] cannot yet be stated with certainty. Nevertheless, it is relevant to examine whether the same systematic approach may apply here, particularly for functional cookies.
Article 5(3) of the ePrivacy Directive provides that the storing of, or gaining access to, information on users' terminal equipment is only permitted with prior consent in accordance with the GDPR. However, an exception to this general rule applies: consent is not required where the storage or access is solely for the purpose of carrying out the transmission of a communication over an electronic communications network or is strictly necessary to provide an information society service explicitly requested by the user.
If the Court's line of reasoning were to be extended, the question arises whether this exception also qualifies as a specific obligation within the meaning of Article 95 GDPR. In that case, the ePrivacy Directive would exhaustively govern the conditions for necessary cookies, and a separate legal basis under Article 6 GDPR would no longer be required.
However, there appears to be a distinction from Article 13(2) of the ePrivacy Directive. That provision itself governs the conditions under which direct marketing is permitted. The exception in Article 5(3) seems more limited in nature: it merely determines when the consent requirement does not apply, without independently formulating the conditions for lawful processing. It could therefore also be argued that even for functional cookies, an independent assessment against the GDPR remains required, although such assessment is likely to favour the controller in practice.
The precise application furthermore depends on the national implementation of the directive.
The Dutch Telecommunications Act
In the Netherlands, the ePrivacy Directive has been transposed into the Telecommunications Act (hereinafter: Tw). The structure of Article 11.7a Tw follows the same systematic approach as the directive: paragraph 1 requires consent "without prejudice to the GDPR", whilst paragraph 3 provides that this does not apply to, amongst other things, functional cookies and privacy-friendly analytical cookies. Here too, the question therefore arises whether the inapplicability of paragraph 1 also means that the supplementary effect of the GDPR falls away.
The uncertainty at directive level thus continues into national law. Additionally, the exception for privacy-friendly analytical cookies is a Dutch addition. Whether Inteligo Media also extends to such national expansions will need to become apparent from further case law and supervisory practice.
Conclusion
The Inteligo Media/ANSPDCP judgment primarily demonstrates that the interplay between the GDPR and the ePrivacy Directive must be read systematically. The broader lesson from the judgment is therefore that the GDPR and the ePrivacy Directive should not be viewed as a double hurdle alongside one another, but rather as a general and a specific regime that complement each other. It is precisely in this where the benefit of Inteligo Media lies: less duplication of work and a legally sounder interplay between general and sector-specific rules. At the same time, this approach raises new questions, for example in the case of cookies, meaning that the precise scope of this line of reasoning will need to be further clarified.
Interested in further blogs on data and privacy? You can find them here.
[1] (1) When something constitutes 'direct marketing', (2) when there is a sale of a product or service, and (3) how the relationship between the GDPR and the ePrivacy Directive operates.
[2] A. Engelfriet, C. van Ekeren en P. Kager, ‘Artikel 95. Verhouding tot Richtlijn 2002/58/EG’, in: De Algemene Verordening Gegevensbescherming en Uitvoeringswet AVG Artikelsgewijs commentaar, Amsterdam: Ius Mentis 2023/2024, p. 328-329.
[3] CJEU 13 November 2025, C‑654/23, ECLI:EU:C:2025:871 (Inteligo Media/ANSPDCP), paras 66 and 67.
[4] In the Netherlands transposed into Article 11.7(4) of the Telecommunications Act.
[5] Inteligo Media/ANSPDCP, para 68.
[6] E.g. URL- en pixeltracking.
