EU ePrivacy Directive Cookie Scope Classifier Workflow

Start with an implementation inventory, not the banner labels. Article 5(3) analysis turns on whether the operation stores information or gains access to information already stored in terminal equipment, and the EDPB stresses that the term is broader than personal data.

Create one row for each mechanism that can touch a browser, app, connected device, relay device, or other terminal equipment. Include first-party cookies, third-party cookies, local storage, session storage, SDK-generated IDs, OS or browser identifiers, pixels in web pages or email, tracked URLs, IP-only tracking designs, and IoT or app telemetry that is cached locally before being sent.

For each inventory row, classify the technical operation before debating purpose. Article 5(3) can apply where storage and access are separate operations, where different entities store and receive information, and where the information was originally created by the user, manufacturer, operating system, browser, sensor, or local software.

Do not treat non-cookie mechanisms as out of scope merely because no browser cookie is set. The EDPB guidance covers JavaScript instructions, pixels and tracked URLs, local storage and browser APIs, device or authentication identifiers, IP-only tracking where the IP originates from terminal equipment, unique identifiers collected in websites or mobile apps, and IoT reporting through direct or relay connections.

If the row is in Article 5(3) scope, decide whether consent is required or a narrow exemption can be evidenced. The Directive preserves two routes without consent: technical storage or access for the sole purpose of carrying out transmission over an electronic communications network, or what is strictly necessary to provide an information society service explicitly requested by the user.

Apply the exemption to each distinct purpose, not to the technology name. A cookie or SDK used for both authentication and advertising cannot inherit the authentication exemption for the advertising purpose.

Classify analytics separately because website operators often label analytics as necessary even where the user can use the site or app without it. WP29 states that first-party analytics cookies are not within the two Article 5(3) exemptions, while recognizing lower privacy risk when safeguards are present. CNIL guidance describes a narrower national analytics exemption model with conditions and warns that most large audience-measurement offerings do not fit it.

Do not generalize the CNIL analytics conditions into an EU-wide country rule. Use them as a documented analytics exemption checklist only where local legal review confirms that the applicable national implementation recognizes the approach.

Where the classifier returns consent required, the consent mechanism must be designed and evidenced before the mechanism runs. The EDPB consent guidance requires consent to be freely given, specific, informed, and unambiguous, and the cookie banner taskforce report identifies common banner patterns that fail those requirements.

Close the workflow only when the technical scan, legal classification, consent configuration, and release control all point to the same result. A banner category label is not enough evidence if the tag, SDK, or pixel fires before consent or does something different from the documented purpose.