EU ePrivacy Directive Cookies and Consent

Treat Article 5(3) as technology-neutral. The EDPB technical-scope guidance explains that cookies are only one example: tracking pixels, tracked URLs, JavaScript that makes the browser send data, local storage, fingerprinting-style signals, IoT reporting, and unique identifiers can also fall within the rule when information is stored on or accessed from terminal equipment.

Consent is needed before non-exempt storage or access. The assessment should be made per purpose, not merely per vendor or per technical label. A first-party cookie can still need consent if it is used for tracking or advertising, and a multipurpose cookie is exempt only if every purpose independently qualifies for an exemption.

The transmission exemption is narrow: the cookie or similar access must be used for the sole purpose of carrying out or facilitating communication over an electronic communications network. WP29 gives load-balancing session cookies as an example when the information only identifies a server endpoint needed to carry the communication.

The strictly necessary exemption is also narrow. The functionality must be part of an information society service explicitly requested by the user, and the storage or access must be necessary for that specific functionality. User-input session cookies, shopping-cart cookies, authentication cookies for the logged-in session, user-centric security cookies, multimedia-player session cookies, and short-lived user-interface preference cookies may qualify when implemented within those limits.

Cookie consent is not valid just because a banner is visible. EDPB consent guidance requires consent to be freely given, specific, informed, and unambiguous, and the controller must be able to demonstrate it. The Cookie Banner Taskforce report identifies common banner problems such as relying on pre-ticked options or deceptive designs that make refusal harder than acceptance.

The consent flow should let users accept or refuse non-essential purposes before storage or access occurs, choose granular purposes where purposes differ, and return later to change their choice. Withdrawal must be as easy as giving consent in practice, so a one-click banner acceptance should not require a call, email, account request, or hidden path to undo.

Consent evidence should prove both what the user chose and what the interface allowed at that time. The EDPB consent guidance says controllers should be able to show the session in which consent was expressed, the consent workflow, and the information presented. For cookies, that means saving CMP configuration, banner text and screenshots, purpose and vendor versions, tag-firing tests, and consent or refusal events without collecting excessive additional data.

Analytics requires a separate check. WP29 treats analytics and market-research tracking as non-exempt when tied to social plug-ins or similar tracking purposes, and national approaches to audience-measurement exemptions are not uniform. If relying on an analytics exemption, keep it narrow, document the technical limits, and avoid turning an audience-measurement tool into advertising, cross-site tracking, user-level profiling, or persistent identifier sharing.

The ePrivacy rule decides whether terminal-equipment storage or access is allowed. The GDPR can still apply to subsequent processing when the cookie, pixel, SDK, or identifier leads to personal-data processing. The EDPB Cookie Banner Taskforce report and Opinion 5/2019 both describe this coexistence: ePrivacy governs placement or reading, while the GDPR governs later personal-data processing and consent conditions where consent is used as the GDPR lawful basis.

Do not treat Article 5(3) consent as a full GDPR compliance answer. The cookie record should connect the storage/access decision to the GDPR record of processing, lawful basis, controller or joint-controller analysis, processor terms, transparency notices, data-subject rights handling, retention, international transfer checks, and security controls where personal data is processed.