---
title: "EU ePrivacy Article 5(3) terminal equipment test"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test"
author: "Sorena AI"
description: "A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "Article 5(3)"
  - "terminal equipment"
  - "cookies"
  - "tracking pixels"
  - "local storage"
  - "device APIs"
  - "consent evidence"
  - "local identifiers"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# EU ePrivacy Article 5(3) terminal equipment test

A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.

*Artifact Guide* *EU*

## EU ePrivacy Directive Article 5(3) terminal equipment test

Use this test when a website, app, SDK, tag, connected device, email pixel, or analytics script stores information on a user's device or reads information already there.

Grounded in Article 5(3), EDPB technical-scope guidance, consent guidance, the cookie-banner taskforce report, and WP29 exemption analysis.

Article 5(3) is triggered by the technical act of storing information on terminal equipment or gaining access to information already stored there. The test is broader than ordinary cookie wording: it can cover cookies, local storage, SDK identifiers, tracking pixels, URL identifiers, browser APIs, device sensor outputs, IoT reporting, and other instructions that make a user device return information over a network.

## Run the Article 5(3) trigger test

Start with the operation, not the label used by the vendor. EDPB Guidelines 2/2023 identify four Article 5(3) elements: information, terminal equipment of a subscriber or user, a public electronic communications network context, and storage or gaining access. Storage and access are separate triggers, so the same assessment should catch both writing an identifier and reading a value that another party, the user, the device maker, or software already placed on the device.

Information is not limited to personal data. The test should therefore cover analytics IDs, advertising IDs, cached values, HTTP headers used for tracking, ETags, HSTS abuse, authentication tokens, MAC or IP-derived identifiers where they originate from the terminal equipment, device sensor results, and values generated locally by scripts or apps.

- Identify every write operation: cookies, local storage, session storage, SDK storage, cache entries, tracking links, tracking pixels, and client-generated identifiers.
- Identify every read operation: cookie reads, browser or OS API calls, device identifiers, local files, sensor outputs, contact or location APIs, and locally generated profile or fingerprint values.
- Record whether client-side code, an SDK, email HTML, a tag manager, a browser API call, or an IoT instruction causes the device to send the value back over a network.
- Treat the Article 5(3) test as technical-scope analysis first; later personal-data processing may also need a GDPR assessment.

Sources for this answer:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 5(3) sets the rule for storing information or gaining access to information stored in terminal equipment, subject to the transmission and strictly necessary service exceptions.
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Defines the technical-scope elements for Article 5(3) and confirms that cookies are only one example of covered storage or access technologies.

## Classify pixels, URLs, local identifiers, APIs, and IoT flows

Tracking pixels and tracked URLs are in scope when they are distributed over a public communications network and instruct the user's client to request a resource or send an identifier. The same logic applies when JavaScript or app code dynamically constructs a pixel or URL identifier.

Local processing is not automatically outside Article 5(3). If information stays strictly inside the device, the EDPB says Article 5(3) does not apply on that basis; when the information or a derived value is sent back through a communications network, the access trigger may apply. For IoT, direct reporting from a connected device and mediated reporting through a relay device must both be mapped because the relay can become the terminal equipment that stores and sends the data onward.

- For web tags and email pixels, save the HTML or script, the requested resource URL, the identifier parameters, and the purpose assigned by the tag owner.
- For local identifiers, document whether the value comes from user input, device manufacturing, an OS or browser API, a sensor, cached storage, or client-side code.
- For SDKs and app APIs, list each permission, local value, derived value, endpoint, recipient, and purpose before deciding whether consent or an exception is available.
- For IoT products, separate direct device-to-server reporting from phone, hub, or gateway relay reporting, then test the onward network instruction separately.

Sources for this answer:

- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Applies Article 5(3) to URL and pixel tracking, local processing sent back over a network, IP-origin scenarios, IoT reporting, and unique identifier collection.
- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission material framing ePrivacy as the EU online-privacy framework modernised for digital communications and tracking technologies.

## Test the two Article 5(3) exceptions narrowly

Consent is not required only where the storage or access is for the sole purpose of carrying out or facilitating transmission over an electronic communications network, or where it is strictly necessary to provide an information society service explicitly requested by the subscriber or user. WP29 Opinion 04/2012 treats the second exception as a high test: the user must have requested a clearly defined functionality, and that functionality must fail without the storage or access.

Purpose controls the answer. A first-party session cookie for a shopping basket, authentication during a logged-in session, user-centric login security, multimedia playback during a session, load balancing, or short-lived user-interface preference may qualify when the stated conditions are met. Behavioural advertising, cross-site tracking, social plug-in tracking, most third-party advertising operations, and analytics are not strictly necessary merely because the operator wants measurement or monetisation.

- For the transmission exception, prove the value is solely needed to carry the communication, such as routing, session continuity, packet ordering, error detection, or load balancing.
- For the explicitly requested service exception, name the specific user-requested functionality and show that it will not work if the storage or access is disabled.
- Split multipurpose cookies or identifiers; an exempt purpose does not make a tracking, advertising, profiling, or analytics purpose exempt.
- Set lifespan and scope to the purpose: session or short-lived values are easier to justify than persistent or third-party values, but purpose remains decisive.

Sources for this answer:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 5(3) contains the transmission and strictly necessary service exceptions.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Explains the transmission and explicitly requested service criteria and applies them to user-input, authentication, security, media, load-balancing, preference, social plug-in, advertising, and analytics cookies.

## When consent is needed, test the consent mechanism

Where no Article 5(3) exception applies, storage or access should wait for valid consent. EDPB consent guidance ties ePrivacy consent to the GDPR standard: freely given, specific, informed, unambiguous, and expressed through a clear affirmative action. Consent records should show the version of the notice, the purposes, the user action, and the time of the signal without collecting more proof data than needed.

The EDPB cookie-banner taskforce report is useful for testing common failure patterns. By default, cookies that require consent should not be set before consent. Pre-ticked boxes do not produce valid consent. Banner designs that hide refusal, make refusal look unavailable, push users toward accept, use confusing legitimate-interest layers for read/write operations, or make withdrawal harder than giving consent create evidence and enforcement risk.

- Block non-exempt cookies, pixels, SDK reads, and local-storage writes until a valid consent signal exists for the relevant purpose.
- Make accept, reject, manage, and withdrawal paths testable; save screenshots or DOM snapshots for each layer and language version.
- Keep the CMP configuration, tag firing rules, consent string or log schema, vendor list, purpose mapping, and reject-all test results together.
- Retest after tag-manager releases, SDK upgrades, new marketing vendors, new markets, consent-banner redesigns, and changes to cookie or local-storage classifications.

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Explains valid consent, consent demonstration, and withdrawal requirements used when Article 5(3) requires consent.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Documents common cookie-banner assessment positions, including reject options, pre-ticked boxes, misleading design, essential-cookie classification, and withdrawal access.

## Evidence record for the terminal equipment decision

The evidence record should let a reviewer reproduce the Article 5(3) classification without relying on memory. For each technology, store the observed technical behaviour, purpose, recipient, legal classification, consent or exception basis, and test result.

Do not collapse the ePrivacy and GDPR records. The ePrivacy record should answer whether storage or access is allowed and on what basis. A separate processing record can then address any subsequent personal-data processing, including controller roles, lawful basis, transparency, retention, and data-subject rights.

- Inventory entry: technology name, owner, domain or package, storage location, value type, lifespan, first-party or third-party status, and public-network endpoint.
- Scope analysis: information type, terminal equipment involved, storage/access event, instruction source, recipient, and whether the value leaves the device.
- Basis decision: consent required, transmission exception, strictly necessary service exception, or blocked pending redesign, with source citation and reviewer approval.
- Validation pack: network capture, cookie/local-storage export, consent-banner screenshots, reject-all trace, tag firing report, vendor documentation, and change history.
- Review triggers: new tag, new SDK, new pixel, new API permission, new connected-device reporting path, new purpose, new vendor, new country launch, or banner redesign.

Sources for this answer:

- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports the technical evidence categories for storage, access, local processing, network return, IoT, and unique identifiers.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports maintaining cookie lists, essentiality documentation, and consent/withdrawal testing records for regulator-facing review.

*Recommended next step*

*Placement: before sources*

## Map storage, access, consent, and exemptions before tags ship

Sorena can help convert cookies, pixels, SDKs, local identifiers, and device API calls into cited Article 5(3) classifications, consent checks, exception evidence, and retest triggers.

- [Open Research Copilot for EU ePrivacy Directive](/solutions/research-copilot.md): Ask source-linked questions about Article 5(3), terminal-equipment storage/access, consent quality, and strictly necessary exceptions using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your cookie, pixel, SDK, and local-storage inventory against the Article 5(3) terminal-equipment test.

## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Binding Article 5(3) text for terminal-equipment storage/access and the two consent exceptions.
  - Quote: "terminal equipment"
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Primary technical-scope guidance for storage/access, pixels, URLs, local processing, IP-origin scenarios, IoT reporting, and unique identifiers.
  - Quote: "technical scope"
- [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent standard used when Article 5(3) requires consent for non-exempt storage or access.
  - Quote: "freely given, specific, informed and unambiguous"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Cookie-banner enforcement coordination source for reject options, pre-ticked boxes, misleading design, essential-cookie classification, and withdrawal access.
  - Quote: "no cookies which require consent"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Detailed analysis of Article 5(3) transmission and strictly necessary service exceptions.
  - Quote: "Cookie Consent Exemption"
- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission ePrivacy material used for the broader EU online-privacy framework context.
  - Quote: "future proof legal framework"

## Related Topic Guides

- [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
- [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
- [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.
- [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
- [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
- [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
- [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
- [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
- [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
- [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
- [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
- [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
- [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
- [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
- [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
- [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
- [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
- [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
- [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
- [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
- [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
- [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
- [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
- [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
- [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
- [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
- [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
- [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
- [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
- [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
- [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
- [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test