Use this test when a website, app, SDK, tag, connected device, email pixel, or analytics script stores information on a user's device or reads information already there.
Grounded in Article 5(3), EDPB technical-scope guidance, consent guidance, the cookie-banner taskforce report, and WP29 exemption analysis.
Structured answer sets in this page tree.
Cited legal and guidance references.
Article 5(3) is triggered by the technical act of storing information on terminal equipment or gaining access to information already stored there. The test is broader than ordinary cookie wording: it can cover cookies, local storage, SDK identifiers, tracking pixels, URL identifiers, browser APIs, device sensor outputs, IoT reporting, and other instructions that make a user device return information over a network.
Start with the operation, not the label used by the vendor. EDPB Guidelines 2/2023 identify four Article 5(3) elements: information, terminal equipment of a subscriber or user, a public electronic communications network context, and storage or gaining access. Storage and access are separate triggers, so the same assessment should catch both writing an identifier and reading a value that another party, the user, the device maker, or software already placed on the device.
Information is not limited to personal data. The test should therefore cover analytics IDs, advertising IDs, cached values, HTTP headers used for tracking, ETags, HSTS abuse, authentication tokens, MAC or IP-derived identifiers where they originate from the terminal equipment, device sensor results, and values generated locally by scripts or apps.
Tracking pixels and tracked URLs are in scope when they are distributed over a public communications network and instruct the user's client to request a resource or send an identifier. The same logic applies when JavaScript or app code dynamically constructs a pixel or URL identifier.
Local processing is not automatically outside Article 5(3). If information stays strictly inside the device, the EDPB says Article 5(3) does not apply on that basis; when the information or a derived value is sent back through a communications network, the access trigger may apply. For IoT, direct reporting from a connected device and mediated reporting through a relay device must both be mapped because the relay can become the terminal equipment that stores and sends the data onward.
Consent is not required only where the storage or access is for the sole purpose of carrying out or facilitating transmission over an electronic communications network, or where it is strictly necessary to provide an information society service explicitly requested by the subscriber or user. WP29 Opinion 04/2012 treats the second exception as a high test: the user must have requested a clearly defined functionality, and that functionality must fail without the storage or access.
Purpose controls the answer. A first-party session cookie for a shopping basket, authentication during a logged-in session, user-centric login security, multimedia playback during a session, load balancing, or short-lived user-interface preference may qualify when the stated conditions are met. Behavioural advertising, cross-site tracking, social plug-in tracking, most third-party advertising operations, and analytics are not strictly necessary merely because the operator wants measurement or monetisation.
Where no Article 5(3) exception applies, storage or access should wait for valid consent. EDPB consent guidance ties ePrivacy consent to the GDPR standard: freely given, specific, informed, unambiguous, and expressed through a clear affirmative action. Consent records should show the version of the notice, the purposes, the user action, and the time of the signal without collecting more proof data than needed.
The EDPB cookie-banner taskforce report is useful for testing common failure patterns. By default, cookies that require consent should not be set before consent. Pre-ticked boxes do not produce valid consent. Banner designs that hide refusal, make refusal look unavailable, push users toward accept, use confusing legitimate-interest layers for read/write operations, or make withdrawal harder than giving consent create evidence and enforcement risk.
The evidence record should let a reviewer reproduce the Article 5(3) classification without relying on memory. For each technology, store the observed technical behaviour, purpose, recipient, legal classification, consent or exception basis, and test result.
Do not collapse the ePrivacy and GDPR records. The ePrivacy record should answer whether storage or access is allowed and on what basis. A separate processing record can then address any subsequent personal-data processing, including controller roles, lawful basis, transparency, retention, and data-subject rights.
No. EDPB Guidelines 2/2023 say Article 5(3) covers storage of, or access to, information in terminal equipment and is not limited to cookies. The same test can cover pixels, tracked URLs, local storage, SDK identifiers, device API reads, IoT reporting, and locally generated values sent back over a network.
WP29 Opinion 04/2012 says first-party analytics cookies are not strictly necessary to provide a functionality explicitly requested by the user, even though they may present lower risk when limited to first-party aggregated statistics with safeguards. Treat analytics as requiring consent unless a specific grounded exception is available.
Keep the technical trace, the user-requested functionality, why the storage or access is solely for transmission or strictly necessary for that functionality, the lifespan and purpose limits, source citations, owner approval, and retest evidence showing non-exempt purposes do not run under the same identifier.
Sorena can help convert cookies, pixels, SDKs, local identifiers, and device API calls into cited Article 5(3) classifications, consent checks, exception evidence, and retest triggers.
Ask source-linked questions about Article 5(3), terminal-equipment storage/access, consent quality, and strictly necessary exceptions using the cited sources on this page.
Review your cookie, pixel, SDK, and local-storage inventory against the Article 5(3) terminal-equipment test.
"strictly necessary"
"demonstrate the essentiality"
"clear affirmative action"
"gaining of access"
"online privacy"
"explicitly requested by the user"