ePrivacy Directive 2002/58/EC

EU ePrivacy Directive Cookies, Communications, and Marketing Rules

Use this hub to classify ePrivacy work by rule: confidentiality of communications under Article 5, traffic and location-data use by communications providers, Article 5(3) storage or access on terminal equipment, consent and strictly necessary exemptions, and Article 13 direct-marketing controls.

This is source-linked guidance that supports implementation planning; it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. The ePrivacy Directive is transposed through Member State law, so cookie-banner practice, analytics exemptions, direct-marketing channels, competent authorities, and penalties need jurisdiction checks before launch.

Publication details
Author: Sorena AI
Published: Feb 21, 2026
Updated: May 26, 2026
ePrivacy questions this hub helps answer
Is the issue communications confidentiality?
Separate the secrecy of electronic communications from later personal-data processing; ePrivacy protects communications and terminal equipment even where the GDPR also applies.
Does Article 5(3) apply?
Check whether a cookie, SDK, pixel, local storage, identifier, IoT report, or similar technique stores information or gains access to information on a user's terminal equipment.
Can you rely on an exemption?
Use the narrow transmission and strictly necessary tests before treating a cookie as essential; advertising, cross-site tracking, and most analytics need consent or a jurisdiction-specific exemption analysis.
Which marketing path applies?
Article 13 starts with prior consent for automated calls, fax, and electronic mail, with a soft opt-in only for a customer's electronic contact details, the sender's own similar products or services, and easy free objection at collection and in each message.
ePrivacy quick scan
Directive 2002/58/EC
Communications layer
Article 5 protects confidentiality of communications and related traffic data; traffic and location-data use cases must be separated from ordinary website tracking and checked against the provider role and purpose.
Terminal-equipment layer
Article 5(3), as amended in 2009, covers storing information or gaining access to information already stored on terminal equipment; EDPB technical guidance treats the scope as broader than cookies and not limited to personal data.
Consent and exemption layer
Consent must meet GDPR conditions where ePrivacy refers to consent. Exemptions are narrow: transmission-only access or access strictly necessary for an information society service explicitly requested by the user.
Marketing layer
Direct marketing by automated calling systems, fax, or electronic mail generally needs prior consent, while the customer soft opt-in requires collection during a sale, own similar products or services, and easy free opt-out.
Use the topic guides to move from technical inventory to consent model, banner design, analytics configuration, marketing permissions, suppression lists, and jurisdiction-specific enforcement review.
ePrivacy Timeline

Track source-linked ePrivacy milestones and guidance

Use the timeline to separate the 2002 Directive baseline, the 2009 terminal-equipment and marketing amendments, GDPR-era consent interpretation, EDPB Article 5(3) technical-scope guidance, and national implementation or enforcement updates.


Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. ePrivacy cookie consent vs DSA ads obligations: source-limited comparison
Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.

2. ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence
Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.

3. EU cookie banner requirements under the ePrivacy Directive
EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.

4. EU ePrivacy analytics cookies: consent, exemption, and evidence guide
Source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.

5. EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing
A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.

6. EU ePrivacy Article 5(3) terminal equipment test
A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.

7. EU ePrivacy Confidentiality of Communications: Article 5 controls
Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.

8. EU ePrivacy consent-log evidence workflow for cookies and trackers
Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.

9. EU ePrivacy cookie banner UX test cases
Source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.

10. EU ePrivacy Cookie Scope Classifier Workflow
Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.

11. EU ePrivacy direct-marketing consent checklist
Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.

12. EU ePrivacy Directive compliance calendar for cookies, consent, and marketing
Source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.

13. EU ePrivacy Directive Compliance Checklist
A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.

14. EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications
Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.

15. EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence
Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.

16. EU ePrivacy Directive direct marketing rules for electronic mail
Source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.

17. EU ePrivacy Directive Enforcement and Fines
Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.

18. EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay
Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.

19. EU ePrivacy Directive Member State Cookie Rules
How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.

20. EU ePrivacy Directive Metadata and Location Data Guide
Source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.

21. EU ePrivacy Directive penalties and fines: national enforcement caveats
Source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.

22. EU ePrivacy Directive Requirements: cookies, communications and marketing
Source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.

23. EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence
Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.

24. EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison
Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.

25. EU ePrivacy soft opt-in marketing checklist
Source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.

26. EU ePrivacy soft opt-in marketing review workflow
Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.

27. EU ePrivacy Strictly Necessary Cookie Exemptions
Source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.

Next step

Turn ePrivacy scope into owned product, marketing, and evidence work

Use this hub as the shared starting point for privacy, legal, product, analytics, marketing, and engineering teams. Confirm the technical operation first, then assign the ePrivacy rule, consent status, exemption rationale, jurisdiction check, and retained evidence.

What this unlocks
  • Start with one concrete operation: message transmission, traffic or location-data use, cookie, SDK, pixel, local-storage item, device identifier, analytics tag, social plug-in, marketing email, SMS, automated call, or suppression-list process.
  • For terminal-equipment access, record the technology, purpose, first-party or third-party role, lifespan, data flow, whether access happens before consent, and whether the claimed exemption is transmission-only or strictly necessary for a user-requested service.
  • For consent flows, keep the banner text, purpose list, accept and reject paths, withdrawal mechanism, consent log, version history, and evidence that no consent-required tags fire before a valid affirmative action.
  • For direct marketing, keep the source of permission, sale context for any soft opt-in, product-similarity rationale, opt-out shown at collection and in each message, suppression-list operation, and Member State law or regulator guidance used for the channel.