--- title: "EU ePrivacy analytics cookies: consent, exemption, and evidence guide" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/analytics-cookies" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/analytics-cookies" author: "Sorena AI" description: "source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU ePrivacy Directive" - "Article 5(3)" - "analytics cookies" - "audience measurement" - "cookie consent" - "cookie banner" - "terminal equipment" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU ePrivacy analytics cookies: consent, exemption, and evidence guide source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps. *Artifact Guide* *EU* ## EU ePrivacy Analytics Cookies Decide whether analytics cookies need consent, whether a limited analytics exemption can be supported, and what evidence must prove the configuration. Built for privacy, product analytics, web engineering, consent-platform, legal, and regional operations teams that need source-linked cookie decisions without inventing country rules. Analytics cookies are not automatically exempt from EU ePrivacy consent rules. The starting point is Article 5(3): storing information on, or accessing information from, a user's terminal equipment generally requires clear information and consent unless a narrow exemption applies. For analytics, teams need a documented technical classification, consent or exemption rationale, live banner behavior, and country-specific checks where national implementation or regulator guidance controls the final answer. ## When analytics cookies fall within Article 5(3) Treat analytics as an Article 5(3) issue whenever the website or app stores identifiers, reads cookies or local storage, sends client-side analytics events, uses tracking pixels or tracked URLs, or instructs browser code to send device-derived information to an analytics endpoint. The technical scope is broader than classic browser cookies. EDPB guidance covers storage and access separately, client-side JavaScript calls, tracking pixels, tracked links, local processing that sends results back over the network, IP-based tracking in some circumstances, and unique identifiers in websites or mobile apps. - Inventory cookies, SDKs, pixels, local storage, ETags, tracked URLs, IP-only analytics, and unique identifiers used for measurement. - Record whether the site or a supplier instructs the browser, app, or device to send analytics information back over a public communications network. - Do not treat server logs, IP addresses, or first-party tooling as automatically outside Article 5(3); document why the information does or does not originate from terminal equipment. - Separate analytics cookies from authentication, security, shopping-cart, user-input, and preference cookies because purpose and implementation drive the exemption analysis. Sources for this answer: - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports treating cookies, JavaScript analytics calls, tracking pixels, tracked links, local processing callbacks, IP-based tracking, and unique identifiers as potential Article 5(3) access or storage scenarios. - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports deciding cookie exemptions by purpose and implementation, not by cookie label alone. ## When analytics usually need consent The conservative EU-wide default is that analytics cookies and similar tracers require consent before they are deposited or read unless the deployment fits a narrow exemption. CNIL's analytics sheet states that audience-measurement tracers are subject to the consent rule unless they fall exactly within the described exemption perimeter, and it warns that national variation remains relevant. If the analytics deployment supports advertising, cross-site measurement, partner attribution, user profiling, CRM enrichment, product personalization beyond measurement, or reuse across multiple publishers, do not classify it as exempt from EU-wide sources alone. Route it through consent unless a competent national rule and the actual configuration support a different conclusion. - Require consent for analytics tied to advertising, affiliate tracking, remarketing, customer-file matching, cross-site statistics, or multipurpose identifiers. - Require consent where the analytics provider or another controller reuses data outside the publisher's own audience measurement purpose. - Reject pre-ticked analytics toggles; consent must result from a clear affirmative user action. - Treat cookie walls, hidden reject paths, misleading color contrast, and accept-only first layers as legal-design issues that need review before launch. Sources for this answer: - [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Supports the position that audience-measurement tracers generally require consent unless they fit CNIL's limited exemption conditions, with national variation flagged. - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports consent-quality requirements: freely given, specific, informed, unambiguous, demonstrable, and withdrawable. - [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports checking reject options, pre-ticked boxes, deceptive link design, misleading visual emphasis, and withdrawal paths in cookie banners. ## When limited analytics may be exempt or lower-risk A limited analytics exemption is not a generic ePrivacy safe harbor. WP29 explains that Article 5(3) exemptions are narrow: the cookie must be for network transmission, or strictly necessary for a service or functionality explicitly requested by the user. For analytics, CNIL describes a more specific national-regulator path where audience-measurement cookies may move from opt-in to opt-out only if listed conditions are met. Use the CNIL criteria as a grounded example of what a limited analytics configuration can look like. In practice, you still need to check the local law and regulator guidance for each Member State, and you should document the implementation evidence that shows the actual setup matches the claimed exemption. - Limit the analytics purpose to audience measurement or A/B testing and prohibit advertising, CRM enrichment, cross-site statistics, or other secondary use. - Inform users and give them an effective ability to object when relying on the CNIL-described opt-out model. - Keep the tracer limited to one site or application editor and prevent cross-checking with other processing. - Truncate the last byte of the IP address and set tracker lifetime no longer than 13 months when using the CNIL criteria. - For a third-party processor providing comparative analytics to several publishers, document that data and trackers are collected, processed, stored, and separated independently for each publisher. - Flag major audience-measurement offerings for extra review because CNIL states that most large offerings do not fall within the exemption regardless of configuration. Sources for this answer: - [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Provides the listed audience-measurement exemption conditions: information, objection, limited purposes, no cross-checking, single editor scope, IP truncation, 13-month lifetime, and separated third-party processing. - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports the narrow Article 5(3) exemption tests and the rule that multipurpose cookies are exempt only if every purpose is exempt. ## Configuration and evidence requirements The analytics decision should be reproducible from evidence, not from vendor labels. Keep the scanned cookie list, tag-manager rules, consent-management-platform configuration, event taxonomy, data-sharing settings, IP handling, retention settings, processor terms, and tests showing what fires before accept, after reject, after withdrawal, and after opt-out. Consent logs matter when analytics is consent-based, but they are not the whole record. The team also needs proof that non-essential analytics is blocked until consent, reject and withdrawal choices are honored, and exempt or opt-out analytics remains within the exact configuration justified in the decision. - Save a cookie and tracer inventory with names, domains, purposes, lifetimes, first-party or third-party status, provider, data recipient, and trigger condition. - Capture CMP screenshots or configuration exports for the first layer, settings layer, analytics purpose text, accept control, reject control, save choices control, and withdrawal path. - Retain consent logs with timestamp, region, banner version, purpose version, user choice, withdrawal events, and a link to the policy text shown at the time. - Run evidence tests in at least four states: fresh visitor before choice, accepted analytics, rejected analytics, and withdrawn analytics. - For exemption claims, keep an engineering attestation that analytics is limited to measurement or A/B testing, separated per publisher, not cross-checked with other processing, IP-truncated where required, and subject to the documented lifetime. - Refresh the record when analytics vendors, tag-manager containers, SDK versions, purposes, countries, user journeys, retention, or banner design change. Sources for this answer: - [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports maintaining cookie lists, documenting purposes, demonstrating essentiality, and checking accessible withdrawal routes. - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports keeping evidence that consent was obtained validly and can be withdrawn as easily as it was given. - [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Supports configuration evidence for analytics exemption claims, including IP truncation, tracker lifetime, and independent processing by a third-party processor. ## What EU-wide sources cannot conclude alone EU-level materials do not give a single operational answer for every analytics setup in every Member State. The ePrivacy Directive is implemented through national laws, national data protection authorities publish different levels of cookie guidance, and CNIL's analytics sheet itself warns that ePrivacy analytics guidance may be subject to national variation. Do not state that a vendor, tag template, consent mode, or first-party analytics product is exempt across the EU merely because it can be configured with privacy controls. The final conclusion needs the actual configuration, the Member State position, and the evidence record. - Do not invent Member State analytics exemptions or retention limits where the grounding folder does not contain that country rule. - Do not infer that all first-party analytics is strictly necessary; WP29 says purpose and implementation decide the answer. - Do not infer that opt-out analytics is lawful EU-wide from CNIL guidance alone. - Do not treat a vendor's privacy-preserving mode as evidence unless technical settings and live network behavior prove the claim. - Escalate when the site uses analytics for logged-in users, sensitive journeys, children, employee portals, health or financial services, cross-device measurement, or multi-controller data sharing. Sources for this answer: - [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Supports warning readers that analytics-cookie conclusions may vary by national regulator position. - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports the need to assess actual technical access or storage rather than relying on product names. - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Provides the baseline ePrivacy Directive framework for terminal-equipment consent and narrow exceptions, as implemented through Member State law. *Recommended next step* *Placement: before sources* ## Use this guide to classify analytics cookies and prove consent behavior Sorena can help convert the analytics-cookie decisions on this page into cookie inventories, CMP checks, consent-log evidence, exemption rationales, and country-specific review prompts. - [Open Research Copilot for EU ePrivacy](/solutions/research-copilot.md): Ask source-linked questions about analytics cookies, Article 5(3), consent quality, exemption criteria, and evidence records using the cited sources on this page. - [Review analytics cookie implementation](/contact.md): Walk through cookie inventories, CMP behavior, consent logs, and limited analytics-exemption evidence with Sorena. ## Primary sources - [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Primary analytics-specific grounding for when audience-measurement cookies require consent and when CNIL describes a limited opt-out exemption. - Quote: "subject to national variation" - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Technical-scope grounding for cookies, JavaScript calls, tracking pixels, tracked URLs, local processing callbacks, IP-based tracking, and unique identifiers. - Quote: "storage or access" - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent-quality grounding for analytics deployments that rely on consent under Article 5(3). - Quote: "freely given, specific, informed and unambiguous" - [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Cookie-banner grounding for reject controls, pre-ticked boxes, deceptive design, withdrawal paths, and cookie-list evidence. - Quote: "withdraw consent at any time" - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Exemption-analysis grounding for Article 5(3) strict-necessity criteria, first-party versus third-party indicators, multipurpose cookies, and purpose-based assessment. - Quote: "strictly necessary" - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Baseline directive source for Article 5(3) terminal-equipment consent and exception framing. - Quote: "terminal equipment" ## Related Topic Guides - [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats. - [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats. - [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations. - [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence. - [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs. - [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence. - [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence. - [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay. - [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs. - [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence. - [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs. - [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats. - [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up. - [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records. - [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats. - [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay. - [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats. - [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits. - [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence. - [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice. - [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits. - [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits. - [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing. - [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing. - [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence. - [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks. - [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats. - [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats. - [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks. - [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats. - [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions. - [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/analytics-cookies