Applicability TestEU

EU ePrivacy Directive Applicability Test

Decide which ePrivacy obligations apply to your product, tracking stack, and marketing.

Scope cookies/SDKs (Article 5(3)), communications confidentiality, and direct marketing (Article 13).

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 21, 2026
Updated Feb 21, 2026
Overview

ePrivacy isn't one yes/no question. Different obligations apply based on what you do: (1) storing/accessing information on user devices (cookies/SDKs/fingerprinting), (2) handling electronic communications content/metadata, and (3) sending direct marketing. Use this page to reach a defensible outcome and store an evidence-backed decision memo.

Section 1

Step 1 - Do you store/access information on "terminal equipment" (Article 5(3))?

If your product stores or accesses information on a user's device, ePrivacy Article 5(3) logic is usually your first gate.

This includes cookies, local storage, mobile SDK identifiers, and similar tracking techniques. The hard part is mapping each item to consent vs an exemption.

  • Inventory: cookies, pixels, SDKs, local storage, device identifiers, and fingerprinting-like techniques.
  • For each item: purpose, data collected, lifespan, who sets it, who receives data, and where it runs (web/app).
  • Decision: consent required vs exemption ("strictly necessary" / transmission) with documented reasoning.
Section 2

Step 2 - Are you an electronic communications service/provider (content + metadata)?

If you provide communications functionality (including modern OTT messaging/voice), you also need to treat communications confidentiality and metadata as a distinct compliance track.

Even when the GDPR applies, ePrivacy can particularize and complement privacy requirements for communications data.

  • Classify data: communications content vs communications metadata (time, recipients, location, routing, etc.).
  • List use cases: delivery, spam/security, analytics, product improvement, advertising, and lawful access requests.
  • Define retention and access controls per use case; keep an evidence trail for why each use is allowed.
Section 3

Step 3 - Do you send direct marketing by email/SMS/IM (Article 13)?

If you send direct marketing via electronic communications, ePrivacy's unsolicited communications rules are a dedicated workstream.

Treat this like an operational system: consent capture, proof, opt-out, and suppression lists.

  • Identify channels: email, SMS, push/IM, automated calling, and similar.
  • Define legal model: consent vs soft opt-in (where applicable) + opt-out mechanics per message.
  • Evidence: consent logs, timestamp, source, wording/version, withdrawal logs, and suppression list controls.
Section 4

Step 4 - Where does GDPR fit (the "after the cookie" layer)?

A common compliance failure is mixing ePrivacy and GDPR layers. As a simplified model: ePrivacy often governs the device access/reading layer; GDPR often governs subsequent processing of personal data.

Your documentation should explicitly separate these layers and show how you ensure consent validity and information duties.

  • Document the split: (A) placement/reading (ePrivacy national law) vs (B) subsequent processing (GDPR).
  • Map which authority/enforcement model applies and whether one-stop-shop mechanisms apply (often not for ePrivacy).
  • Align consent UX with GDPR consent conditions and information requirements where GDPR is the legal basis.
Section 5

Output: an exportable ePrivacy decision memo

Make your outcome auditable: a 1 - 2 page memo that explains what applies, why, and what you did about it.

Keep it updated as your tracking stack and marketing workflows change.

  • Scope: products, domains/apps, audiences, markets, vendors, and tracking technologies.
  • Article 5(3) mapping: tracker-by-tracker consent vs exemption decisions with reasoning.
  • Banner/CMP design choices and evidence strategy (logs, versions, tests).
  • Direct marketing model and evidence pack (consent, opt-out, suppression).
  • Links to deeper subpages for implementation and enforcement readiness.
Recommended next step

Turn EU ePrivacy Directive Applicability Test into an operational assessment

Assessment Autopilot can take EU ePrivacy Directive Applicability Test from deciding whether these obligations apply in practice to a reusable workflow inside Sorena. Teams working on EU ePrivacy Directive can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU ePrivacy Directive Applicability Test

Start from EU ePrivacy Directive Applicability Test and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU ePrivacy Directive

Review your current process, evidence gaps, and next steps for EU ePrivacy Directive Applicability Test.

Explore next step
Primary sources

References and citations

Related guides

Explore more topics

Confidentiality of Communications (ePrivacy Directive) | Traffic Data, Location Data, Content, and the OTT Gap
A practical guide to communications confidentiality under the current ePrivacy Directive, Directive 2002/58/EC: how to classify content, traffic data.
Cookies & Consent (ePrivacy Directive Article 5(3)) | Exemptions Test, Analytics, CMP Implementation
An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage.
Direct Marketing Consent Checklist (ePrivacy Article 13) | Proof, Opt-Out, Suppression Lists
A practical direct marketing consent checklist for ePrivacy (Directive 2002/58/EC, Article 13): consent capture fields, wording/version control.
Direct Marketing Rules (ePrivacy Directive Article 13) | Consent, Soft Opt-In, Opt-Out, Suppression Lists
A practical guide to ePrivacy direct marketing rules (Directive 2002/58/EC, Article 13): when prior consent is needed.
ePrivacy Checklist (Directive 2002/58/EC) | Cookie Banner, Consent Logs, Exemptions, Marketing Evidence
An audit-ready ePrivacy checklist: build a tracker inventory and Article 5(3) decision table (consent vs exemptions).
ePrivacy Compliance Program | Cookies, Consent UX, Evidence, Marketing Controls (Directive 2002/58/EC)
A practical ePrivacy implementation playbook: governance, tracker inventory and Article 5(3) decision table, cookie banner and CMP design.
ePrivacy Deadlines and Compliance Calendar | Directive Baseline, Banner Audits, Marketing Audits
A practical ePrivacy calendar built around the current directive baseline and recurring controls: the 2002 directive, the 2009 cookie amendment.
ePrivacy Directive Enforcement (Cookies + Marketing) | How Regulators Assess Cookie Banners, Consent, and Evidence
An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX.
ePrivacy Directive Penalties and Fines | What "Effective, Proportionate, Dissuassive" Means + Risk Reduction Controls
Understand penalties and fine exposure under national laws implementing the ePrivacy Directive (Directive 2002/58/EC).
ePrivacy Directive Requirements (2002/58/EC) | Article 5(3) Cookies, Article 13 Marketing, Metadata + Evidence Map
A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)).
ePrivacy Directive vs GDPR | Which Law Applies to Cookies, Tracking, Communications Metadata, and Marketing?
A practical, source-grounded split between the ePrivacy Directive and GDPR: ePrivacy for placement/reading on devices and communications confidentiality.
ePrivacy FAQ (Directive 2002/58/EC) | Cookies, Consent Exemptions, Cookie Walls, Marketing, Enforcement
High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194).
ePrivacy vs GDPR (Cookie Stack Blueprint) | Align Consent UX, Tag Firing, Processing Purposes, and Evidence
A combined ePrivacy + GDPR implementation blueprint for cookies, tracking, and marketing.
EU Cookie Banner Requirements | ePrivacy Directive + GDPR Consent (EDPB) | UX Patterns + Test Cases
A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes.