The reason European websites ask about cookies at all traces back to a telecoms law. The ePrivacy Directive was written for the electronic communications sector, and its cookie rule (Article 5(3)) sits alongside rules on traffic data (Article 6) and location data (Article 9) that were aimed squarely at phone and internet providers. So a telecom operator or ISP carries a double burden that a normal e-commerce site doesn't. You need consent for the cookies on your website, and you need a lawful basis for the traffic and location data your network generates about the same customers.
This guide is about the website side, where the two obligations meet: consent management on a telco or ISP property that also happens to hold some of the most sensitive communications metadata there is.
The cookie rule and the network rules are the same law
Article 5(3) of the ePrivacy Directive says that storing information on, or reading information from, a user's device is only allowed with consent or where it's strictly necessary for a service the user asked for. That's the cookie rule every EU site follows. For a telecom, two neighboring articles matter just as much:
- Article 6 (traffic data). Traffic data must be erased or anonymized once it's no longer needed for the communication or billing, and processing it for marketing a communications service or a value-added service requires prior informed consent.
- Article 9 (location data). Location data beyond what's needed to carry the call can only be processed if anonymized or with consent, and users must be able to withdraw that consent easily.
The website is where consent for the marketing and value-added uses is often captured, which is why the consent layer on a telco site does more work than a banner elsewhere. It can be the record that a customer agreed to location-based offers or to marketing built on their usage data.
EDPB guidance widened what counts as tracking
The scope of the cookie rule is broader than cookies. In its guidelines on the technical scope of Article 5(3) (updated in 2024), the EDPB confirmed the rule catches tracking pixels, URL and link decoration, local storage, IP-based techniques, and device fingerprinting, well beyond classic cookies. For an operator with rich first-party identifiers (a logged-in account, a device, a line), that matters. Techniques you might treat as "just analytics" can fall inside Article 5(3) and need consent.
The takeaway for a telco or ISP site: audit for the full range of tracking, not a cookie list. Fingerprinting on a device-management portal, pixels on a plan-comparison page, and local-storage identifiers on a self-service app all count. A cookie scan that also captures scripts and outbound connections gives you the real picture. Our guide on cookie categories covers how to classify what you find.
OTT services, bundled apps, and the EECC
The European Electronic Communications Code (EECC) expanded the definition of electronic communications services to include number-independent interpersonal communications, meaning messaging and calling features delivered over the top, beyond the traditional network. Operators that bundle their own messaging app, TV app, or web-based calling now find those services pulled into the communications-confidentiality regime, and the consent and confidentiality expectations follow. IAPP's analysis of the EECC and OTT services lays out how the ePrivacy Directive reaches these apps.
Practically, if your web property is the front door to an OTT communications service (sign-up, account management, web client), treat the confidentiality of those communications and the consent for any tracking around them with the same seriousness as the core network. Marketing analytics on a web-messaging login page is a consent decision, not a default.
US operators: CPNI and state privacy law
US telecoms don't sit under the ePrivacy Directive, but they have their own regime. Customer Proprietary Network Information (CPNI), the data about what services a customer buys and how they use them, is protected under FCC rules, and carriers need customer approval to use or share it for many marketing purposes. On top of that, US state privacy laws apply to the carrier's website like any other business, with opt-out of sale/sharing, Global Privacy Control honoring, and sensitive-data rules (precise geolocation is sensitive).
So a US operator's website has to run an opt-out consent model with a working Do Not Sell or Share path, honor GPC, and keep marketing uses of CPNI behind the approvals the FCC requires. Our GPC guide covers the browser-signal side.
One brand, many jurisdictions
Large operators run properties across countries, each with its own transposition of the ePrivacy rules and its own supervisory authority. National implementations differ on details like analytics exemptions and consent lifetimes, so a single global banner will be wrong somewhere. Geo-targeted consent matches each visitor to the right national framework: strict prior opt-in in the EU and UK, opt-out with a Do Not Sell or Share path in US states. Our regional consent guide shows how one configuration handles both, and our ePrivacy changes guide tracks where the EU framework is heading.
How CookieBeam fits a telecom stack
CookieBeam manages the website consent layer. It doesn't govern your network-side traffic and location data processing, which lives in your OSS/BSS and network systems, but it's built for the range of tracking a telco site runs.
- Detection beyond cookies. The scanner captures scripts, pixels, and outbound network connections, beyond cookies alone, which matches the broader Article 5(3) scope the EDPB confirmed.
- Category-based blocking. Marketing and analytics tracking stays blocked until consent, while session, authentication, and fraud cookies that keep self-service portals working are never blocked.
- Geo-targeted rules. One configuration serves EU/UK opt-in and US opt-out, with each national framework matched to the visitor's location.
- Durable consent records. Timestamped logs of what each customer agreed to, which supports both a supervisory-authority inquiry and an internal audit. See our consent logging guide.
Checklist for telecom and ISP websites
- Treat the cookie rule and the network rules as one framework. Article 5(3) for the site, Articles 6 and 9 for traffic and location data.
- Audit the full range of tracking. Pixels, local storage, IP techniques, and fingerprinting count, not cookies alone.
- Bring OTT and bundled apps inside the confidentiality regime. The EECC pulls number-independent communications in.
- US operators: run opt-out, honor GPC, and keep CPNI marketing behind FCC approvals.
- Geo-target the banner. Each national implementation differs; one global banner will be wrong somewhere.
- Keep session and self-service cookies unblocked. Necessary cookies shouldn't sit behind consent.
- Log consent and re-scan continuously. Keep records for supervisory inquiries and catch new tracking as portals and apps change.