---
title: "EU ePrivacy Cookie Scope Classifier Workflow"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow"
author: "Sorena AI"
description: "Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "Article 5(3)"
  - "cookie scope classifier"
  - "tracking pixels"
  - "local storage"
  - "SDK identifiers"
  - "analytics cookies"
  - "consent exemptions"
  - "cookies"
  - "analytics consent"
---

# EU ePrivacy Cookie Scope Classifier Workflow

Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.


## EU ePrivacy Directive Cookie Scope Classifier Workflow

Classify whether a cookie, pixel, SDK, local storage object, device identifier, or analytics tracer stores or accesses information on terminal equipment, then decide whether consent or a narrow exemption applies.

Use the workflow with privacy, legal, product, web engineering, mobile engineering, analytics, marketing operations, consent-management, and evidence owners before releases that add or change client-side tracking.

Use this classifier before deploying or changing cookies, pixels, SDKs, local storage, app identifiers, fingerprinting signals, tracked URLs, or analytics tags. The output is a per-technology scope decision showing whether Article 5(3) is triggered, whether a strictly necessary exemption is supportable, what consent mechanism is needed, and what evidence must be retained.

## Classifier input: one row per client-side mechanism

Start with an implementation inventory, not the banner labels. Article 5(3) analysis turns on whether the operation stores information or gains access to information already stored in terminal equipment, and the EDPB stresses that the term is broader than personal data.

Create one row for each mechanism that can touch a browser, app, connected device, relay device, or other terminal equipment. Include first-party cookies, third-party cookies, local storage, session storage, SDK-generated IDs, OS or browser identifiers, pixels in web pages or email, tracked URLs, IP-only tracking designs, and IoT or app telemetry that is cached locally before being sent.

- Inventory fields: mechanism name, domain or SDK vendor, first-party or third-party context, storage location, read/write action, identifier value, lifetime, purpose, user action that triggers it, and network endpoint receiving the data.
- Scope trigger fields: does the mechanism place information on the terminal equipment, read information from it, instruct client-side code to send information, or collect a locally generated value or derivation.
- Terminal-equipment fields: browser, mobile app, connected car, connected TV, IoT device, relay phone, dedicated hub, or other equipment directly or indirectly connected to a public communications network.
- Purpose fields: transmission, user input, authentication, user-centric security, multimedia playback, load balancing, UI preference, social plug-in sharing, advertising, analytics, market research, product improvement, debugging, or another stated purpose.
- Evidence fields: tag manager export, SDK list, network trace, cookie/storage scan, consent-management configuration, vendor contract limits, product requirement, and reviewer approval.

Sources for this answer:

- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports the classifier inputs because the technical scope test covers information, terminal equipment, storage, and gaining access, including pixels, local processing, IP-based tracking, IoT reporting, and unique identifiers.
- [Directive 2009/136/EC amendment to Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Provides the Article 5(3) wording on storing information or gaining access to information already stored in terminal equipment.
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Commission material frames ePrivacy as protecting user control over device information, including consent before tracking cookies are stored.

## Scope decision: storage, access, or out of Article 5(3)

For each inventory row, classify the technical operation before debating purpose. Article 5(3) can apply where storage and access are separate operations, where different entities store and receive information, and where the information was originally created by the user, manufacturer, operating system, browser, sensor, or local software.

Do not treat non-cookie mechanisms as out of scope merely because no browser cookie is set. The EDPB guidance covers JavaScript instructions, pixels and tracked URLs, local storage and browser APIs, device or authentication identifiers, IP-only tracking where the IP originates from terminal equipment, unique identifiers collected in websites or mobile apps, and IoT reporting through direct or relay connections.

- In scope: setting a cookie, writing to local storage, caching an identifier, creating an SDK identifier, or otherwise placing information on terminal equipment.
- In scope: instructing a browser, app, SDK, or device to send stored or locally generated information back over the network.
- In scope: a tracking pixel or tracked URL that causes the client to send an identifier or other targeted information, including in email or web content.
- In scope: collection of a persistent or unique identifier from a website or mobile app when client-side code sends the value to the collector.
- Potentially in scope: IP-only tracking unless the operator can evidence that the IP address does not originate from the user's terminal equipment.
- Out of this Article 5(3) classifier: information used strictly inside the terminal equipment that does not leave the device through a communication network; still route any personal-data processing question to the GDPR analysis.

Sources for this answer:

- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports the technical scope branches for cookies, JavaScript, pixels, tracked URLs, local processing, IP-based tracking, IoT reporting, and unique identifiers.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Confirms that Article 5(3) is not limited to RFC6265 cookies and applies to related technologies storing or accessing terminal-device information.

## Exemption decision: narrow strictly necessary tests

If the row is in Article 5(3) scope, decide whether consent is required or a narrow exemption can be evidenced. The Directive preserves two routes without consent: technical storage or access for the sole purpose of carrying out transmission over an electronic communications network, or what is strictly necessary to provide an information society service explicitly requested by the user.

Apply the exemption to each distinct purpose, not to the technology name. A cookie or SDK used for both authentication and advertising cannot inherit the authentication exemption for the advertising purpose.

- Transmission exemption evidence: show the communication cannot be carried out without the mechanism, such as routing, ordering data items, detecting transmission errors, or maintaining a load-balancing session endpoint.
- Explicitly requested service evidence: identify the exact functionality the user requested and show the mechanism is needed because the functionality will not work if it is disabled.
- Likely exempt when limited to the supporting purpose: user-input session IDs for multi-step forms or shopping carts, session authentication cookies, user-centric security cookies, multimedia player session cookies, load-balancing session cookies, short-term UI preference cookies, and logged-in social plug-in sharing cookies.
- Not exempt on this basis: behavioural advertising, frequency capping, ad affiliation, cross-site social plug-in tracking, market research, product improvement, debugging, and third-party analytics or advertising identifiers.
- Escalate if the row has mixed purposes, persistent identifiers, third-party tracking, cross-site use, or a user-visible feature that still works when the mechanism is disabled.

Sources for this answer:

- [Directive 2009/136/EC amendment to Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Provides the consent condition and the two Article 5(3) exemption routes for transmission and strictly necessary requested services.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports the exemption use cases and the rule that strict necessity is assessed from the user's requested functionality, not the operator's business convenience.

## Analytics branch: consent, opt-out, or blocked exemption

Classify analytics separately because website operators often label analytics as necessary even where the user can use the site or app without it. WP29 states that first-party analytics cookies are not within the two Article 5(3) exemptions, while recognizing lower privacy risk when safeguards are present. CNIL guidance describes a narrower national analytics exemption model with conditions and warns that most large audience-measurement offerings do not fit it.

Do not generalize the CNIL analytics conditions into an EU-wide rule. Use them as a documented analytics exemption checklist only where local legal review confirms that the applicable national implementation recognizes the approach.

- Default analytics decision: consent required before depositing or reading the analytics tracer unless a documented national analytics exemption applies.
- CNIL-style exemption evidence: user information, ability to object, audience measurement or A/B testing only, no cross-checking with customer files or other sites, one site or app editor, last-byte IP truncation, tracker lifetime limited to 13 months, and independent data/tracker separation when a processor serves multiple publishers.
- Blocked exemption: cross-site analytics, third-party common identifiers, enrichment with CRM or advertising data, product improvement beyond audience measurement or A/B testing, or vendor use for its own purposes.
- Consent banner mapping: analytics rows that require consent must remain off by default until consent, must be separately understandable from advertising, and must have a withdrawal path that is as easy as giving consent.
- Evidence output: analytics tool configuration, IP truncation proof, retention setting, opt-out or consent setting, vendor purpose limits, and reviewer note explaining whether the row is consent-required or exemption-supported.
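
The scope, exemption, and analytics branches above can be chained into one per-purpose decision function. The following is an added example, not Sorena's code: the field names, purpose labels, and decision strings are assumptions of this sketch, the sample rows are constructed, and the "blocked pending vendor facts" output is not modeled.

```python
from dataclasses import dataclass

# Purposes the page lists as likely exempt (labels are this example's own).
EXEMPT_CANDIDATES = {
    "transmission", "user_input", "authentication", "user_centric_security",
    "multimedia_playback", "load_balancing", "ui_preference", "social_plugin_sharing",
}
# Conditions from the page's CNIL-style analytics checklist.
CNIL_CONDITIONS = frozenset({
    "user_information", "objection", "audience_or_ab_only", "no_cross_checking",
    "single_editor", "ip_truncation", "lifetime_max_13_months", "processor_separation",
})
OUT, EXEMPT, CONSENT, ESCALATE = "out_of_scope", "exempt", "consent_required", "escalate"


@dataclass(frozen=True)
class Row:
    name: str
    purposes: tuple
    stores: bool = False                # places information on the terminal equipment
    sends: bool = False                 # client code sends stored or locally generated data
    ip_only: bool = False               # IP-only tracking design
    ip_origin_evidence: bool = False    # evidence the IP does not originate from the terminal
    persistent_id: bool = False
    third_party_tracking: bool = False
    cross_site: bool = False
    enriched: bool = False              # joined with CRM or advertising data
    national_exemption_confirmed: bool = False  # outcome of local legal review
    analytics_evidence: frozenset = frozenset()


def in_scope(row):
    """Technical test first: storage or access, independent of purpose."""
    if row.ip_only:
        # Treated as in scope until origin evidence exists (assumption of this sketch).
        return not row.ip_origin_evidence
    return row.stores or row.sends


def classify_analytics(row):
    """Default is consent; the exemption needs every condition plus legal confirmation."""
    if row.cross_site or row.third_party_tracking or row.enriched:
        return CONSENT, "analytics exemption blocked"
    missing = CNIL_CONDITIONS - row.analytics_evidence
    if missing:
        return CONSENT, "missing evidence: " + ", ".join(sorted(missing))
    if not row.national_exemption_confirmed:
        return ESCALATE, "national-law review must confirm the analytics exemption"
    return EXEMPT, "documented national analytics exemption"


def classify(row):
    """Return {purpose: (decision, reason)}; exemptions attach to purposes, not rows."""
    if not in_scope(row):
        return {p: (OUT, "no storage or access; route to GDPR analysis") for p in row.purposes}
    mixed = any(p not in EXEMPT_CANDIDATES for p in row.purposes)
    flagged = row.persistent_id or row.third_party_tracking or row.cross_site
    result = {}
    for purpose in row.purposes:
        if purpose == "analytics":
            result[purpose] = classify_analytics(row)
        elif purpose not in EXEMPT_CANDIDATES:
            # Advertising, market research, debugging, or any purpose with no evidenced exemption.
            result[purpose] = (CONSENT, "no exemption covers this purpose")
        elif mixed or flagged:
            result[purpose] = (ESCALATE, "mixed purposes or tracking-style identifier")
        else:
            result[purpose] = (EXEMPT, "strictly necessary for " + purpose)
    return result


# Constructed sample rows, not taken from any real inventory.
ROWS = [
    Row("session_auth", ("authentication",), stores=True),
    Row("sso_ads", ("authentication", "advertising"), stores=True, persistent_id=True),
    Row("email_pixel", ("market_research",), sends=True),
    Row("fp_analytics", ("analytics",), stores=True, analytics_evidence=CNIL_CONDITIONS),
    Row("on_device_only", ("debugging",)),
    Row("ip_counter", ("analytics",), ip_only=True),
]

if __name__ == "__main__":
    for row in ROWS:
        for purpose, (decision, reason) in classify(row).items():
            print(f"{row.name:16} {purpose:16} {decision:17} {reason}")
```

The `sso_ads` row shows the per-purpose rule: its advertising purpose requires consent, and its authentication purpose is escalated rather than inheriting an exemption.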

Sources for this answer:

- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports the default position that first-party analytics cookies are not within the Article 5(3) consent exemptions, while identifying safeguards for lower-risk analytics.
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Supports the analytics-specific conditions for a consent exemption model, including audience measurement limits, objection, IP truncation, tracker lifetime, and independent processing by processors.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports consent-banner controls for consent-required analytics rows, including no default placement before consent and withdrawal accessibility.

## Consent controls and evidence outputs

Where the classifier returns consent required, the consent mechanism must be designed and evidenced before the mechanism runs. The EDPB consent guidance requires consent to be freely given, specific, informed, and unambiguous, and the cookie banner taskforce report identifies common banner patterns that fail those requirements.

Close the workflow only when the technical scan, legal classification, consent configuration, and release control all point to the same result. A banner category label is not enough evidence if the tag, SDK, or pixel fires before consent or does something different from the documented purpose.

- Consent evidence: purpose text shown to users, category mapping, default-off configuration for consent-required rows, reject option, consent timestamp or signal record, and withdrawal mechanism.
- Banner quality checks: no pre-ticked opt-in boxes, no consent-required cookies set before consent, no confusing legitimate-interest layer for Article 5(3) read/write operations, no reject link hidden in paragraph text, and no visual design that clearly pushes acceptance.
- Technical evidence: pre-consent and post-consent network traces, storage snapshots, tag manager rules, SDK initialization gates, email-pixel deployment controls, and local storage or identifier lifetime settings.
- Decision output per row: out of Article 5(3), in scope and exempt with reason, in scope and consent required, in scope but blocked pending vendor facts, or escalate for national-law review.
- Reopen triggers: new SDK, new pixel or email tracking, new analytics vendor, changed identifier lifetime, cross-site enrichment, new mobile or IoT telemetry path, consent-management redesign, or authority/customer challenge.
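
One way to test that the technical scan and the legal classification agree is to replay a pre-consent snapshot against the register. This is an added example, not Sorena's code: the register layout, glob-style matching, finding names, and all sample values are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Decisions that allow a mechanism to run before the user has made a choice.
ALLOWED_PRE_CONSENT = {"exempt", "out_of_scope"}

# Constructed register: one row per mechanism, with its reviewed decision.
REGISTER = [
    {"name": "session_auth", "kind": "cookie", "pattern": "sid",
     "decision": "exempt"},
    {"name": "ads_pixel", "kind": "request", "pattern": "https://ads.example/px*",
     "decision": "consent_required"},
    {"name": "analytics_id", "kind": "localStorage", "pattern": "_an_*",
     "decision": "consent_required"},
    {"name": "ab_test_sdk", "kind": "cookie", "pattern": "ab_*",
     "decision": "escalate"},
]

# Constructed scan output: storage writes and identifier-carrying requests seen
# on first load, before any interaction with the banner.
PRE_CONSENT_SNAPSHOT = [
    {"kind": "cookie", "key": "sid"},
    {"kind": "localStorage", "key": "_an_uid"},
    {"kind": "request", "key": "https://ads.example/px?uid=123"},
    {"kind": "cookie", "key": "ab_bucket"},
    {"kind": "cookie", "key": "_vendor_x"},
]


def find_row(obs, register):
    """Return the first register row whose kind and pattern match the observation."""
    for row in register:
        if row["kind"] == obs["kind"] and fnmatchcase(obs["key"], row["pattern"]):
            return row
    return None


def audit_pre_consent(snapshot, register):
    """Compare what actually ran before consent with what the register allows."""
    findings = []
    for obs in snapshot:
        row = find_row(obs, register)
        if row is None:
            # No inventory row: the mechanism was never classified.
            findings.append(("unregistered", obs["key"], None))
        elif row["decision"] == "consent_required":
            findings.append(("fired_before_consent", obs["key"], row["name"]))
        elif row["decision"] not in ALLOWED_PRE_CONSENT:
            # Escalated or blocked rows must stay off until a decision exists.
            findings.append(("undecided_row_active", obs["key"], row["name"]))
    return findings


def unobserved_exempt_rows(snapshot, register):
    """Exempt rows the scan never saw: the register entry may be stale."""
    seen = {r["name"] for r in (find_row(o, register) for o in snapshot) if r}
    return sorted(r["name"] for r in register
                  if r["decision"] == "exempt" and r["name"] not in seen)


def release_gate(snapshot, register):
    """Pass only when the scan produces no finding against the register."""
    return not audit_pre_consent(snapshot, register)


if __name__ == "__main__":
    for finding in audit_pre_consent(PRE_CONSENT_SNAPSHOT, REGISTER):
        print(finding)
    print("release gate passed:", release_gate(PRE_CONSENT_SNAPSHOT, REGISTER))
```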

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports the consent-quality requirements used when Article 5(3) consent is needed.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports banner evidence checks for reject options, pre-ticked boxes, default placement before consent, withdrawal accessibility, and misleading banner design.
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports keeping technical evidence on client-side instructions, storage, access, and terminal-equipment data flows aligned with the legal classification.

## Primary sources

- [Directive 2009/136/EC amendment to Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Binding amendment text for Article 5(3) consent, storage/access, terminal equipment, and the two narrow consent exemptions.
  - Quote: "terminal equipment"
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Primary technical-scope guidance for classifying cookies, pixels, local storage, SDK identifiers, IP-based tracking, IoT reporting, and unique identifiers.
  - Quote: "technical scope"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Primary exemption guidance for strictly necessary cookies, transmission cookies, social plug-ins, advertising cookies, and first-party analytics.
  - Quote: "Cookie Consent Exemption"
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Analytics-specific guidance for consent, opt-out, audience-measurement limits, IP truncation, tracker lifetime, and processor separation.
  - Quote: "analytics"
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent quality guidance used for consent-required cookie, pixel, SDK, and analytics rows.
  - Quote: "unambiguous"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Common enforcement-position report for cookie-banner evidence checks, including reject options, pre-ticked boxes, withdrawal, and misleading design.
  - Quote: "Cookie Banner Taskforce"
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Commission background on ePrivacy device protection and user control over information stored on or accessed from devices.
  - Quote: "privacy protection online"

