EU ePrivacy Directive Compliance Program

A repeatable operating cadence for cookies, consent UX, and direct marketing evidence.

Focus: evidence-first governance and change control for your tracking stack.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Sections: 5 (structured answer sets in this page tree)
Primary sources: 3 (cited legal and guidance references)

Overview

ePrivacy compliance breaks when trackers change faster than governance. The best programs treat the banner/CMP and tracker inventory as controlled systems with QA gates, automated tests, and exportable evidence. This playbook shows how to operationalize Article 5(3) and Article 13 controls across product teams, marketing, and vendors.

Section 1

Program setup: define scope, owners, and the system of record

Start with clear owners and a single system-of-record for tracker decisions, CMP config, and evidence exports.

Most "non-compliance" starts as an ownership problem.

  • Assign owners: privacy lead, web/app engineering lead, marketing ops, tag manager owner, vendor manager.
  • Create a single evidence index: decision table, CMP config snapshots, consent logs, test results.
  • Set change triggers: new vendor/tag/SDK, new purpose, new market -> requires review and release gate.

Section 2

Article 5(3) system: tracker inventory -> decision table -> release gate

Treat the tracker decision table as a release gate that blocks production changes until mapped to consent/exemption.

Version it like code.

  • Inventory continuously: tag manager exports + mobile SDK registry + network scan evidence.
  • Decision table: consent required vs exemption with documented reasoning and approvals.
  • Release gate: prevent non-exempt trackers from firing before consent; prove with tests.

Section 3

Banner/CMP implementation: design for proof (not just UX)

Banner UX must produce a clear, logged outcome and enforce it across all trackers.

Build both UI-level tests and network-level tests.

  • UX: accept/reject parity, granularity, clear purposes, easy withdrawal, no dark patterns.
  • CMP config management: snapshot exports; vendor lists and purposes versioned per release.
  • Testing: automated regression tests across locales and devices; canary checks after deploy.

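The release gate from Section 2 and the network-level test from Section 3 are the same control seen from two sides: the decision table says what may fire and under which consent state, and a captured browser run proves what actually fired. The script below is an added example, not code from the playbook or from Sorena. It joins a tracker inventory, a decision table and a pre-consent request capture and blocks the release if a tracker is unmapped, an exemption is undocumented, or a consent-gated tracker fired before its purpose was granted. All hosts, rows and requests are constructed sample data, and the row fields (decision, purpose, reason, approver) are an assumed schema rather than any real CMP or tag-manager export format.

```python
"""Release-gate check joining the tracker inventory, the Article 5(3)
decision table and a pre-consent network capture.

Added example, not code from the playbook. All hosts, rows and requests
below are constructed sample data; the row fields (decision, purpose,
reason, approver) are an assumed schema, not any real CMP or tag-manager
export format.
"""

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Versioned decision table. Every inventoried tracker must have a row.
# "exempt" rows need a documented reason and an approver; "consent" rows
# may only fire once their mapped purpose has been granted.
DECISION_TABLE = {
    "www.example-shop.test": {
        "decision": "exempt", "purpose": "session",
        "reason": "login session cookie", "approver": "privacy-lead"},
    "cdn.example-shop.test": {
        "decision": "exempt", "purpose": "load-balancing",
        "reason": "", "approver": ""},            # exemption claimed, never documented
    "analytics.vendor-a.test": {
        "decision": "consent", "purpose": "analytics",
        "reason": "", "approver": "privacy-lead"},
    "ads.vendor-b.test": {
        "decision": "consent", "purpose": "advertising",
        "reason": "", "approver": "privacy-lead"},
}

# Inventory merged from tag-manager export and SDK registry (constructed).
INVENTORY = [
    "www.example-shop.test", "cdn.example-shop.test",
    "analytics.vendor-a.test", "ads.vendor-b.test",
    "chat.vendor-c.test",                          # new vendor, no decision yet
]

# Requests captured by an automated browser run (constructed). Each entry
# is (url, purposes the user had consented to at the moment it fired).
CAPTURED_REQUESTS = [
    ("https://www.example-shop.test/session", set()),
    ("https://cdn.example-shop.test/app.js", set()),
    ("https://analytics.vendor-a.test/collect?cid=1", set()),   # before any choice
    ("https://ads.vendor-b.test/pixel", {"advertising"}),      # after opt-in: allowed
]


@dataclass
class GateResult:
    unmapped: list = field(default_factory=list)              # no decision row
    undocumented: list = field(default_factory=list)          # exempt without reason+approver
    fired_without_consent: list = field(default_factory=list)

    @property
    def passed(self) -> bool:
        return not (self.unmapped or self.undocumented or self.fired_without_consent)


def run_gate(inventory, table, requests) -> GateResult:
    """Block the release if any tracker is unmapped, any exemption is
    undocumented, or any consent-gated tracker fired before consent."""
    result = GateResult()
    for host in inventory:
        row = table.get(host)
        if row is None:
            result.unmapped.append(host)
        elif row["decision"] == "exempt" and not (row["reason"] and row["approver"]):
            result.undocumented.append(host)
    for url, consented in requests:
        host = urlparse(url).hostname
        row = table.get(host)
        if row is None:                        # observed on the wire, never inventoried
            if host not in result.unmapped:
                result.unmapped.append(host)
        elif row["decision"] == "consent" and row["purpose"] not in consented:
            result.fired_without_consent.append(host)
    return result


if __name__ == "__main__":
    r = run_gate(INVENTORY, DECISION_TABLE, CAPTURED_REQUESTS)
    print("release gate:", "PASS" if r.passed else "BLOCKED")
    for name in ("unmapped", "undocumented", "fired_without_consent"):
        for host in getattr(r, name):
            print(f"  {name}: {host}")
```

Run it in CI against the decision table committed with the release and a capture from the canary environment; a non-empty `GateResult` is the evidence the playbook asks for, and the same output can be dropped into the export pack in Section 5.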
Section 4

Marketing controls (Article 13): consent model + suppression governance

Direct marketing controls should be measurable: opt-out performance, suppression integrity, and vendor propagation.

Treat suppression lists as safety-critical data.

  • Define consent vs soft opt-in approach per channel/market and document it.
  • Proof: consent wording versions, capture events, withdrawals, and suppression list audit logs.
  • Vendor enforcement: contracts + audits; ensure suppression is honored across tools.

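"Suppression integrity" and "vendor propagation" only become measurable once there is a check that runs before every send and records what it decided. The script below is an added example, not code from the playbook or from Sorena. It normalises addresses before comparison so that case or whitespace differences cannot let a withdrawn contact through, compares hashed fingerprints so the list can be shared with vendors without exporting plaintext addresses, emits an audit entry tied to the suppression snapshot used, and reports which suppressed entries a vendor's copy is missing. The contact records, suppression entries, channel names and audit fields are all constructed assumptions.

```python
"""Pre-send suppression check and vendor propagation check for direct
marketing (Article 13 controls).

Added example, not code from the playbook. Contact records and suppression
entries are constructed sample data; the record layout (email, channels)
and the audit-entry fields are assumptions.
"""

import hashlib
import json
from datetime import datetime, timezone


def normalize_email(addr: str) -> str:
    # Case and whitespace differences must not let a withdrawn contact slip
    # through: "Alice@Example.test " and "alice@example.test" are one person.
    return addr.strip().lower()


def fingerprint(addr: str) -> str:
    # Compare hashes rather than plaintext so the suppression list can be
    # shared with vendors without exporting the addresses themselves.
    return hashlib.sha256(normalize_email(addr).encode()).hexdigest()


# Master suppression list (constructed): who withdrew, and for which channel.
SUPPRESSION = [
    {"email": "alice@example.test", "channels": ["email", "sms"]},
    {"email": "carol@example.test", "channels": ["sms"]},
]

# Campaign send list as exported by the marketing tool (constructed).
SEND_LIST = [
    {"email": "Alice@Example.test "},
    {"email": "bob@example.test"},
    {"email": "carol@example.test"},
]


def suppressed_fingerprints(suppression, channel):
    return {fingerprint(s["email"]) for s in suppression if channel in s["channels"]}


def check_send_list(send_list, suppression, channel):
    """Split a send list into allowed/blocked and return an audit entry
    that records the suppression snapshot the decision was made against."""
    suppressed = suppressed_fingerprints(suppression, channel)
    allowed, blocked = [], []
    for rec in send_list:
        email = normalize_email(rec["email"])
        (blocked if fingerprint(email) in suppressed else allowed).append(email)
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "channel": channel,
        "input": len(send_list),
        "allowed": len(allowed),
        "blocked": len(blocked),
        # hash of the sorted fingerprint set: proves which list version was used
        "suppression_version": hashlib.sha256(
            json.dumps(sorted(suppressed)).encode()).hexdigest()[:16],
    }
    return allowed, blocked, audit


def propagation_gap(master_suppression, vendor_fingerprints, channel):
    """Fingerprints suppressed on the master list that a vendor's copy lacks.
    A non-empty result means withdrawals are not being honoured everywhere."""
    return sorted(suppressed_fingerprints(master_suppression, channel) - set(vendor_fingerprints))


if __name__ == "__main__":
    allowed, blocked, audit = check_send_list(SEND_LIST, SUPPRESSION, "email")
    print("allowed:", allowed)
    print("blocked:", blocked)
    print("audit:", json.dumps(audit, indent=2))
    # Vendor copy that only received alice's withdrawal (constructed).
    vendor_copy = [fingerprint("alice@example.test")]
    print("missing at vendor (sms):", propagation_gap(SUPPRESSION, vendor_copy, "sms"))
```

The audit entry is what turns the check into evidence: keeping `suppression_version` alongside each campaign lets you show, per send, which withdrawals were in force, and a recurring `propagation_gap` run against each vendor's exported list is the audit the playbook pairs with the contract.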
Section 5

Enforcement readiness: build an export pack and rehearse it

The fastest way to reduce enforcement risk is to be able to export coherent evidence quickly.

Treat this like incident readiness.

  • Export pack: tracker decision table + CMP snapshot + consent log schema + sample exports + test results.
  • Complaint workflow: triage -> reproduce user experience -> extract evidence -> remediate and re-test.
  • Continuous improvement: quarterly review of exemptions, banner UX, and vendor ecosystem.

Recommended next step

Turn EU ePrivacy Directive Compliance Program into an operational assessment

Assessment Autopilot can take the EU ePrivacy Directive Compliance Program from guidance to a tracked program, and on to a reusable workflow inside Sorena. Teams working on the EU ePrivacy Directive can keep owners, evidence, and next steps aligned without copying this guide into separate documents.
