EU ePrivacy Analytics Cookies

Treat analytics as an Article 5(3) issue whenever the website or app stores identifiers, reads cookies or local storage, sends client-side analytics events, uses tracking pixels or tracked URLs, or instructs browser code to send device-derived information to an analytics endpoint.

The technical scope is broader than classic browser cookies. EDPB guidance covers storage and access separately, client-side JavaScript calls, tracking pixels, tracked links, local processing that sends results back over the network, IP-based tracking in some circumstances, and unique identifiers in websites or mobile apps.

The conservative EU-wide default is that analytics cookies and similar tracers require consent before they are deposited or read unless the deployment fits a narrow exemption. CNIL's analytics sheet states that audience-measurement tracers are subject to the consent rule unless they fall exactly within the described exemption perimeter, and it warns that national variation remains relevant.

If the analytics deployment supports advertising, cross-site measurement, partner attribution, user profiling, CRM enrichment, product personalization beyond measurement, or reuse across multiple publishers, do not classify it as exempt from EU-wide sources alone. Route it through consent unless a competent national rule and the actual configuration support a different conclusion.

A limited analytics exemption is not a generic ePrivacy safe harbor. WP29 explains that Article 5(3) exemptions are narrow: the cookie must be for network transmission, or strictly necessary for a service or functionality explicitly requested by the user. For analytics, CNIL describes a more specific national-regulator path where audience-measurement cookies may move from opt-in to opt-out only if listed conditions are met.

Use the CNIL criteria as a grounded example of what a limited analytics configuration can look like. In practice, you still need to check the local law and regulator guidance for each Member State, and you should document the implementation evidence that shows the actual setup matches the claimed exemption.

The analytics decision should be reproducible from evidence, not from vendor labels. Keep the scanned cookie list, tag-manager rules, consent-management-platform configuration, event taxonomy, data-sharing settings, IP handling, retention settings, processor terms, and tests showing what fires before accept, after reject, after withdrawal, and after opt-out.

Consent logs matter when analytics is consent-based, but they are not the whole record. The team also needs proof that non-essential analytics is blocked until consent, reject and withdrawal choices are honored, and exempt or opt-out analytics remains within the exact configuration justified in the decision.

EU-level materials do not give a single operational answer for every analytics setup in every Member State. The ePrivacy Directive is implemented through national laws, national data protection authorities publish different levels of cookie guidance, and CNIL's analytics sheet itself warns that ePrivacy analytics guidance may be subject to national variation.

Do not state that a vendor, tag template, consent mode, or first-party analytics product is exempt across the EU merely because it can be configured with privacy controls. The final conclusion needs the actual configuration, the Member State position, and the evidence record.