EU ePrivacy Directive Cookies and Consent

How to implement Article 5(3) as an engineering and evidence system.

Focus: exemptions test, analytics/ads trackers, CMP configuration, and proof.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

Cookie compliance fails when teams treat consent as a UI pop-up instead of a controlled system. Article 5(3) requires a tracker-by-tracker decision: consent or exemption. WP29 guidance gives a practical test for the exemption criteria. This page shows how to operationalize that test, design a CMP that enforces outcomes, and maintain evidence that stands up to enforcement.

Section 1

Article 5(3) in practice: treat "terminal equipment access" as a tracker decision table

Start with a full inventory across web and apps (cookies, local storage, SDK identifiers, pixels, fingerprinting-like techniques).

For each tracker, you need a defensible "consent required vs exemption" decision and proof that implementation matches.

  • Inventory: every tag, cookie, SDK, and storage/access mechanism.
  • Fields: purpose, category, lifetime, who sets it, recipients, and markets.
  • Decision: consent required vs exemption; store reasoning and approvals.
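
A lint for the decision table described above, as an added example that is not part of the original guide. The field names, the two decision values and the sample rows are assumptions made for illustration; it also escalates exemption claims on analytics and advertising trackers instead of accepting them as entered.

```javascript
// Added example. Field names, decision values and sample rows are constructed.
const REQUIRED = ["name", "mechanism", "purpose", "category", "lifetime", "setBy",
                  "recipients", "markets", "decision", "reasoning", "approvedBy"];
const DECISIONS = new Set(["consent_required", "exempt"]);
// Categories where an exemption claim is escalated rather than accepted as entered.
const REVIEW_IF_EXEMPT = new Set(["analytics", "advertising"]);

const isEmpty = (v) => v == null || v === "" || (Array.isArray(v) && v.length === 0);

// Returns one finding string per problem; an empty array means the table is complete.
function lintDecisionTable(rows) {
  const findings = [];
  const seen = new Set();
  for (const row of rows) {
    const id = row.name || "(unnamed)";
    if (seen.has(id)) findings.push(`${id}: duplicate_entry`);
    seen.add(id);
    for (const field of REQUIRED) {
      if (isEmpty(row[field])) findings.push(`${id}: missing_${field}`);
    }
    if (!isEmpty(row.decision) && !DECISIONS.has(row.decision)) {
      findings.push(`${id}: unknown_decision`);
    }
    if (row.decision === "exempt" && REVIEW_IF_EXEMPT.has(row.category)) {
      findings.push(`${id}: exemption_needs_review`);
    }
  }
  return findings;
}

const sampleTable = [
  { name: "session_id", mechanism: "cookie", purpose: "keep the user logged in",
    category: "strictly_necessary", lifetime: "session", setBy: "first-party",
    recipients: ["internal"], markets: ["EU"], decision: "exempt",
    reasoning: "needed for the login the user requested", approvedBy: ["privacy-counsel"] },
  { name: "_metrics_uid", mechanism: "localStorage", purpose: "product analytics",
    category: "analytics", lifetime: "13 months", setBy: "analytics SDK",
    recipients: ["analytics vendor"], markets: ["EU"], decision: "exempt",
    reasoning: "low risk", approvedBy: [] },
  { name: "ad_pixel", mechanism: "pixel", purpose: "ad conversion tracking",
    category: "advertising", lifetime: "90 days", setBy: "ad vendor",
    recipients: ["ad vendor"], markets: ["EU", "UK"], decision: "consent_required",
    reasoning: "", approvedBy: ["privacy-counsel"] },
];

console.log(lintDecisionTable(sampleTable));
```
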

Section 3

Analytics: the most common misclassification

Most analytics cookies/SDKs are not "strictly necessary" for providing the service explicitly requested by the user.

If you want a low-risk posture, treat analytics as consent-based unless you have a very specific, defensible exemption rationale.

  • Define analytics scope: first-party vs third-party, identifiers used, sharing, retention, and cross-site behavior.
  • Design measurement alternatives: server-side aggregated metrics or privacy-preserving analytics where appropriate.
  • Prove enforcement: analytics trackers must not fire until a consent outcome is recorded.

Section 4

CMP implementation: design for proof

Your CMP must (1) collect a clear choice, (2) enforce it across all trackers, and (3) log enough to prove what happened.

Make your CMP configuration exportable and versioned so you can answer complaints quickly.

  • Enforcement: block non-exempt trackers pre-consent (web + app).
  • Versioning: store banner/CMP version, vendor list, purpose mapping, and locale-specific text per release.
  • Evidence: consent and withdrawal logs + automated tests of key flows.

Section 5

Evidence pack (what to keep so you can respond in days, not weeks)

Enforcement is evidence-driven. If you can't export your decisions and logs, you will struggle.

Build an evidence index and rehearse exports.

  • Tracker decision table (consent vs exemption) with reasoning and approvals.
  • CMP config snapshot exports + banner UX spec.
  • Consent/withdrawal log schema + sample exports.
  • Regression test results (UI + network-level) proving pre-consent blocking.
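
A network-level regression check for the pre-consent blocking required in Sections 3 to 5, as an added example that is not part of the original guide or any CMP product. It joins a captured request list against the decision table and the consent/withdrawal log; the hosts, tracker names, log shape and timestamps are constructed assumptions.

```javascript
// Added example. Hosts, tracker names and timestamps (ms since page load) are constructed.
// Decision table keyed by request host, as exported from the tracker inventory.
const decisionTable = new Map([
  ["app.example.test",     { tracker: "session_id",   category: "strictly_necessary", decision: "exempt" }],
  ["metrics.example.test", { tracker: "_metrics_uid", category: "analytics",          decision: "consent_required" }],
  ["ads.vendor.test",      { tracker: "ad_pixel",     category: "advertising",        decision: "consent_required" }],
]);
// Consent log: each entry records the full set of categories granted from time t onward.
const sampleConsentLog = [
  { t: 2000, action: "choice",     granted: ["analytics"] },
  { t: 9000, action: "withdrawal", granted: [] },
];
// Network capture from a scripted browser session.
const sampleRequests = [
  { t: 100,  url: "https://app.example.test/login" },
  { t: 500,  url: "https://metrics.example.test/collect?v=1" },
  { t: 2500, url: "https://metrics.example.test/collect?v=1" },
  { t: 2600, url: "https://ads.vendor.test/px.gif" },
  { t: 3000, url: "https://cdn.unknown.test/t.js" },
  { t: 9500, url: "https://metrics.example.test/collect?v=1" },
];

// Consent state for a category at time t: the latest log entry at or before t wins.
function consentAt(consentLog, category, t) {
  let granted = false; // no recorded outcome yet means no consent
  for (const ev of [...consentLog].sort((a, b) => a.t - b.t)) {
    if (ev.t > t) break;
    granted = ev.granted.includes(category);
  }
  return granted;
}

// Returns every request that contradicts the decision table or the consent log.
function auditCapture(requests, consentLog, table) {
  const violations = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    const row = table.get(host);
    if (!row) {
      violations.push({ t: req.t, host, issue: "not_in_inventory" });
    } else if (row.decision !== "exempt" && !consentAt(consentLog, row.category, req.t)) {
      violations.push({ t: req.t, host, issue: "fired_without_consent" });
    }
  }
  return violations;
}

console.log(auditCapture(sampleRequests, sampleConsentLog, decisionTable));
```

On the constructed capture this reports the analytics call made before any choice, the advertising pixel fired without an advertising grant, the host missing from the inventory, and the analytics call made after withdrawal.
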