Use this test to decide whether an EU ePrivacy rule is triggered by an electronic communications service, confidentiality of communications, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, or direct marketing.
Designed for privacy, product, marketing, analytics, web, mobile, CRM, and legal teams that need a documented scope decision before launch or change approval.
Structured answer sets in this page tree.
Cited legal and guidance references.
The ePrivacy applicability question is not just "do we use cookies?" Test the workflow against four buckets: whether the service sits in the electronic communications context, whether communications or related traffic data are protected, whether anything is stored on or read from terminal equipment, and whether the contact channel is used for direct marketing. If the answer is yes, record the ePrivacy rule first, then document any GDPR processing that happens after the access, storage, or communication event.
Start with the actual user journey, not the vendor category. A website tag, mobile SDK, email pixel, in-app analytics event, connected-device telemetry flow, communications feature, or CRM campaign can each trigger different ePrivacy questions.
Mark the flow in scope when it involves a publicly available electronic communications service or network, confidentiality of communications and related traffic data, storage or access on a user's terminal equipment, or direct marketing by electronic mail, automated calling, fax, SMS, or comparable electronic message channels.
For cookies, SDKs, pixels, local storage, app identifiers, device APIs, and similar techniques, apply Article 5(3) as a technical test. The EDPB frames the test around information, terminal equipment, a public electronic communications context, and storage or gaining access.
Do not limit the review to personal data. The EDPB guidance treats "information" as broader than personal data, and Article 5(3) can apply even where the value read from or written to a device is technical, transient, locally generated, or originally stored by another party.
If Article 5(3) applies, classify the technology by purpose. Consent is normally required unless the storage or access is solely for carrying out the transmission of a communication, or is strictly necessary to provide an information society service explicitly requested by the user.
Treat analytics, advertising, affiliate tracking, behavioural profiling, social plug-in tracking, product improvement, market research, and cross-site measurement as non-exempt unless the grounding evidence supports a narrower conclusion. First-party or session status alone is not enough; the purpose controls the answer.
Where consent is required, test the interface before any non-exempt access or storage happens. A valid consent flow needs a real choice, a clear affirmative action, purpose-specific information, and a withdrawal route that is as easy to use as the grant route.
Cookie-banner review should include both the first layer and deeper settings. The EDPB taskforce material flags common risk patterns: no reject option where consent is requested, pre-ticked boxes, misleading link or color design, confusing legitimate-interest presentation for cookie placement or reading, overbroad essential labels, and hidden withdrawal controls.
Do not collapse ePrivacy into a GDPR-only assessment. For cookie placement or reading, the taskforce report describes the ePrivacy framework for the placement or reading step and the GDPR framework for subsequent personal-data processing. Opinion 5/2019 also treats Articles 5(3) and 13 as extended ePrivacy scope areas that can overlap with GDPR.
For marketing, test Article 13 on its own. Prior consent is the baseline for automated calling systems, fax, and electronic mail for direct marketing. The existing-customer exception is narrower: the same sender may market its own similar products or services when it obtained the electronic contact details in the context of a sale and gives a clear, free, easy objection opportunity at collection and in each message.
No. Record the Article 5(3) storage or access analysis first. GDPR consent conditions inform consent quality, and GDPR governs later personal-data processing, but the placement or reading of non-exempt cookies and similar technologies remains an ePrivacy scope question under national transposition.
No. The Article 5(3) test covers storage or access to information in terminal equipment, not only RFC-style cookies. Local storage, SDK identifiers, tracking pixels, device values, and locally generated data sent back over a network can be in scope.
Keep a dated data-flow map, cookie and SDK inventory, before-consent network trace, CMP configuration, consent and withdrawal logs, essential-cookie rationale, direct-marketing basis, suppression-list test, GDPR overlap note, source citations, approver, and reassessment triggers for product, vendor, country, or purpose changes.
Sorena can convert this applicability test into a product-specific evidence pack with a tracker inventory, consent-state tests, direct-marketing basis records, GDPR overlap notes, and cited source support.
Ask source-linked questions about Article 5(3), cookies, SDKs, pixels, consent UX, GDPR overlap, and direct-marketing scope using the cited sources on this page.
Review a product launch, marketing campaign, tracker inventory, or CMP configuration against the EU ePrivacy applicability test.
"direct marketing"
"placement or reading of cookies"
"clear affirmative action"
"information"
"co-existence"
"confidentiality of electronic communications"
"strictly necessary"