- Commission material distinguishes GDPR personal-data protection from ePrivacy protection for communications confidentiality and devices.
Use this checklist to review cookies, pixels, SDKs, device identifiers, direct marketing, communications confidentiality, consent records, and GDPR follow-on processing.
Built for privacy, product, marketing, web engineering, app engineering, security, and data governance teams that need auditable ePrivacy decisions without country-specific penalty assumptions.
This checklist turns the EU ePrivacy Directive into an implementation review for websites, apps, connected products, messaging, and electronic direct marketing. Complete it one product or service at a time, and keep the evidence record with the release, campaign, or vendor decision it supports.
List every operation that stores information on, or gains access to information from, a user's or subscriber's terminal equipment. Do not limit the inventory to browser cookies: include pixels, tracked URLs, local storage, SDK identifiers, app permissions that send device-derived values back over a network, IoT reporting, and similar access patterns.
For each entry, record the product surface, domain or app package, triggering event, first or third party, information read or written, purpose, duration, recipient, vendor, and whether the operation starts before the user has made a consent choice.
For each inventory row, decide whether the operation needs prior consent or fits one of the narrow Article 5(3) exemptions: technical storage or access solely for transmitting a communication, or storage or access that is strictly necessary to provide an information society service explicitly requested by the user or subscriber.
Document the purpose from the user's point of view. A first-party session cookie used for a shopping basket or login session may be easier to justify than a persistent third-party identifier, but purpose and implementation decide the result.
Keep records that prove what the user saw, what choice they made, when the choice was made, what purposes and vendors it covered, and which technical operations were allowed as a result. A CMP event without the banner version, purpose taxonomy, and firing evidence is not enough for an audit trail.
When consent changes or is withdrawn, update downstream tags, SDKs, audiences, campaign tools, and data-processing pipelines so the later processing reflects the current choice.
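The inventory, exemption decision, consent-record and withdrawal steps above can be modelled as a small gating module. The following is an added example, not the checklist author's tooling and not any CMP's API: the field names, the purpose taxonomy entries, the CMP event shape and the sample rows and vendors are assumptions constructed for this illustration.

```python
"""Article 5(3) inventory gate with consent-record audit checks.

Added example for the inventory and consent-record steps of the checklist;
field names, taxonomy entries, CMP event shape and sample data are assumed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional

# Assumed taxonomy entries mapping onto the two Article 5(3) exemptions:
# transmission-only storage/access, and storage/access strictly necessary
# for a service the user explicitly requested. Everything else needs consent.
EXEMPT_PURPOSES = {"transmission", "strictly_necessary"}


@dataclass(frozen=True)
class InventoryRow:
    name: str                  # cookie name, SDK identifier or pixel host
    surface: str               # domain or app package
    party: str                 # "first" or "third"
    purpose: str               # entry from the purpose taxonomy
    duration: str
    vendor: str
    fires_before_choice: bool  # wired to run before any consent choice


@dataclass(frozen=True)
class ConsentRecord:
    banner_version: str
    taxonomy_version: str
    decided_at: Optional[datetime]
    purposes: frozenset = frozenset()   # purposes the user allowed
    vendors: frozenset = frozenset()    # vendors the user allowed
    withdrawn_at: Optional[datetime] = None


def record_from_cmp_event(event: dict) -> ConsentRecord:
    """Build a record from a (hypothetical) CMP event dict. Absent fields stay
    empty so the completeness check can reject them instead of guessing."""
    decided = event.get("decided_at")
    return ConsentRecord(
        banner_version=event.get("banner_version", ""),
        taxonomy_version=event.get("taxonomy_version", ""),
        decided_at=datetime.fromisoformat(decided) if decided else None,
        purposes=frozenset(event.get("purposes", [])),
        vendors=frozenset(event.get("vendors", [])),
    )


def consent_record_complete(rec: ConsentRecord) -> bool:
    """Audit-trail minimum: what the user saw (banner and taxonomy version)
    and when they chose. An empty purpose set is a valid refusal."""
    return bool(rec.banner_version and rec.taxonomy_version and rec.decided_at)


def withdraw(rec: ConsentRecord, at: Optional[datetime] = None) -> ConsentRecord:
    """Mark a record withdrawn; downstream gating must be re-run with the result."""
    return replace(rec, withdrawn_at=at or datetime.now(timezone.utc))


def needs_consent(row: InventoryRow) -> bool:
    """Article 5(3) decision for one row: only exempt purposes skip consent."""
    return row.purpose not in EXEMPT_PURPOSES


def evaluate(row: InventoryRow, rec: Optional[ConsentRecord]) -> str:
    """Return 'allow', 'block' or 'review' for one inventory row."""
    if not needs_consent(row):
        return "allow"      # exempt regardless of consent state
    if row.fires_before_choice:
        return "review"     # defect: consent-based operation starts before the choice
    if rec is None or not consent_record_complete(rec) or rec.withdrawn_at:
        return "block"      # no usable, current consent evidence
    if row.purpose in rec.purposes and row.vendor in rec.vendors:
        return "allow"
    return "block"          # purpose or vendor not covered by the choice


def gate(rows, rec: Optional[ConsentRecord]) -> dict:
    """Firing decision per row; persist this alongside the record as evidence."""
    return {row.name: evaluate(row, rec) for row in rows}


# Constructed sample inventory (hypothetical names and vendors).
SAMPLE_ROWS = [
    InventoryRow("sid", "shop.example", "first", "strictly_necessary", "session", "self", True),
    InventoryRow("ad_pixel", "shop.example", "third", "advertising", "13 months", "adnet-example", False),
    InventoryRow("analytics_sdk", "com.example.app", "third", "analytics", "24 months", "metrics-example", True),
]

# Constructed CMP events: one complete, one missing the banner and taxonomy versions.
FULL_EVENT = {"banner_version": "v7", "taxonomy_version": "2024-1",
              "decided_at": "2024-05-01T10:00:00+00:00",
              "purposes": ["advertising"], "vendors": ["adnet-example"]}
BARE_EVENT = {"decided_at": "2024-05-01T10:00:00+00:00",
              "purposes": ["advertising"], "vendors": ["adnet-example"]}

if __name__ == "__main__":
    full = record_from_cmp_event(FULL_EVENT)
    print(gate(SAMPLE_ROWS, full))                           # ad_pixel allowed
    print(gate(SAMPLE_ROWS, record_from_cmp_event(BARE_EVENT)))  # ad_pixel blocked
    print(gate(SAMPLE_ROWS, withdraw(full)))                 # ad_pixel blocked again
```

Two design choices carry the checklist's points. A consent-based operation that is wired to fire before the choice is returned as `review` rather than `allow`, because a later consent cannot repair the fact that it already ran; and a CMP event without the banner and taxonomy versions produces an incomplete record that blocks everything consent-based, which is the code-level form of "not enough for an audit trail". Withdrawal produces a new record, and the gate is re-run so tags, SDKs and audiences are decided against the current choice.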
Review every automated call, fax, email, SMS, and similar electronic-mail campaign before launch. Article 13 requires prior consent for direct marketing by automated calling systems, fax, or electronic mail, subject to the customer-contact soft opt-in for a seller's own similar products or services.
For soft opt-in, keep evidence that the contact details were obtained in the context of a sale, the sender is the same natural or legal person, the marketing concerns own similar products or services, and the customer had a clear, distinct, free, and easy objection opportunity at collection and in each message.
For communications services and features, review whether the service listens to, taps, stores, intercepts, monitors, records, analyzes, or otherwise accesses communications content or related traffic data. The ePrivacy Directive requires confidentiality of communications and related traffic data, subject to narrow exceptions such as user consent, legal authorization, technical storage necessary for conveyance, and lawful business recording for evidence of a commercial transaction or business communication.
For traffic data, location data, and value-added services, record the purpose, duration, user information, consent or anonymization basis, withdrawal route, and personnel restrictions. Do not reuse communications data for marketing, analytics, or value-added services without the required basis and transparency.
After Article 5(3) storage or access, map any personal-data processing that follows: analytics profiles, advertising audiences, attribution, product telemetry, security analytics, CRM enrichment, or data sharing. The ePrivacy access decision and the GDPR processing analysis are connected, but they are not the same record.
If Article 5(3) consent was required and was not validly obtained, do not assume the later GDPR processing can be repaired by legitimate interests. For personal-data processing that remains after lawful access, document the GDPR lawful basis, transparency, data minimization, retention, processor or controller role, transfer basis, and data-subject-rights handling.
Close the checklist only when the evidence pack can explain the technical fact pattern, the ePrivacy decision, the user interface, the consent or exemption basis, the marketing rule, the communications-data rule, and the GDPR follow-on analysis without relying on tribal knowledge.
Reopen the checklist when a tag, SDK, campaign tool, CMP template, app permission, connected-device telemetry flow, vendor, recipient, purpose, retention period, or marketing audience changes.
Sorena can help convert this checklist into inventory rows, consent and exemption decisions, banner tests, campaign approvals, and evidence records for your website, app, or connected service.
Ask source-linked questions about Article 5(3), consent banners, exemptions, direct marketing, communications confidentiality, and GDPR interplay.
Review your ePrivacy inventory, CMP configuration, marketing workflow, and evidence gaps with Sorena.