---
title: "Cookies & Consent (ePrivacy Directive Article 5(3))"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/cookies-and-consent"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/cookies-and-consent"
author: "Sorena AI"
description: "An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "cookie consent EU"
  - "ePrivacy Directive cookies"
  - "Article 5(3) cookie consent"
  - "strictly necessary cookies exemption"
  - "cookie consent exemption WP29 WP194"
  - "analytics cookies consent"
  - "CMP implementation EU"
  - "cookie banner compliance"
  - "Article 5(3)"
  - "cookie consent"
  - "strictly necessary cookies"
  - "analytics cookies"
  - "CMP"
  - "cookie banner enforcement"
---

# Cookies & Consent (ePrivacy Directive Article 5(3))

An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage.

## EU ePrivacy Directive Cookies and Consent

How to implement Article 5(3) as an engineering and evidence system.

Focus: exemptions test, analytics/ads trackers, CMP configuration, and proof.

Cookie compliance fails when teams treat consent as a UI pop-up instead of a controlled system. Article 5(3) requires a tracker-by-tracker decision: consent or exemption. WP29 guidance gives a practical test for the exemption criteria. This page shows how to operationalize that test, design a CMP that enforces outcomes, and maintain evidence that stands up to enforcement.

## Article 5(3) in practice: treat "terminal equipment access" as a tracker decision table

Start with a full inventory across web and apps (cookies, local storage, SDK identifiers, pixels, fingerprinting-like techniques).

For each tracker, you need a defensible "consent required vs exemption" decision and proof that implementation matches.

- Inventory: every tag, cookie, SDK, and storage/access mechanism.
- Fields: purpose, category, lifetime, who sets it, recipients, and markets.
- Decision: consent required vs exemption; store reasoning and approvals.

## Consent exemptions test (WP29): transmission vs strictly necessary

WP29 Opinion 04/2012 analyzes the two exemption criteria and emphasizes narrow interpretation.

Use the test below as an internal acceptance checklist before classifying anything as exempt.

- Transmission exemption: the transmission of the communication must not be possible without the cookie/technique ("sole purpose" is restrictive).
- Strictly necessary exemption: required to provide a service explicitly requested by the user (not merely useful, not "nice to have").
- Exempt does not mean uncontrolled: document, monitor, and keep it stable across releases.

## Analytics: the most common misclassification

Most analytics cookies/SDKs are not "strictly necessary" for providing the service explicitly requested by the user.

If you want a low-risk posture, treat analytics as consent-based unless you have a very specific, defensible exemption rationale.

- Define analytics scope: first-party vs third-party, identifiers used, sharing, retention, and cross-site behavior.
- Design measurement alternatives: server-side aggregated metrics or privacy-preserving analytics where appropriate.
- Prove enforcement: analytics trackers must not fire until a consent outcome is recorded.
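
One way to turn the decision table and the "prove enforcement" point into a network-level regression check is sketched below. This is an added example, not Sorena's code: the row fields, tracker ids, hosts and the capture format are all constructed for illustration.

```javascript
// Decision table rows (constructed): one per tracker, keyed by what a capture can observe.
const decisionTable = [
  { id: "session", match: "cookie:sid", decision: "exempt",
    reasoning: "Keeps the user signed in to the requested service", approvedBy: "privacy-team" },
  { id: "analytics", match: "host:analytics.example", decision: "consent", purpose: "analytics" },
  { id: "ab-test", match: "cookie:abv", decision: "exempt", reasoning: "", approvedBy: "" },
];

// Constructed capture from a headless browser run; t is ms since page load.
const capture = {
  consentRecordedAt: 4200, // null when no choice was made during the run
  grantedPurposes: ["analytics"],
  events: [
    { t: 120, key: "cookie:sid" },
    { t: 900, key: "host:analytics.example" }, // before the choice was recorded
    { t: 1500, key: "host:pixel.example" }, // not in the inventory
    { t: 5000, key: "host:analytics.example" }, // after consent, purpose granted
  ],
};

function auditCapture(table, cap) {
  const findings = [];
  // An exemption without stored reasoning and approval is not defensible.
  for (const row of table) {
    if (row.decision === "exempt" && (!row.reasoning || !row.approvedBy)) {
      findings.push({ type: "undocumented-exemption", tracker: row.id });
    }
  }
  const byKey = new Map(table.map((row) => [row.match, row]));
  for (const ev of cap.events) {
    const row = byKey.get(ev.key);
    if (!row) {
      findings.push({ type: "not-in-inventory", key: ev.key, t: ev.t });
    } else if (row.decision === "consent") {
      const decided = cap.consentRecordedAt !== null && ev.t >= cap.consentRecordedAt;
      if (!decided) {
        findings.push({ type: "fired-before-consent", tracker: row.id, t: ev.t });
      } else if (!cap.grantedPurposes.includes(row.purpose)) {
        findings.push({ type: "fired-without-grant", tracker: row.id, t: ev.t });
      }
    }
  }
  return findings;
}

console.log(auditCapture(decisionTable, capture));
```

Run it in CI against captures for the accept, reject and no-interaction flows, and fail the build on any finding.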

## CMP implementation: design for proof

Your CMP must (1) collect a clear choice, (2) enforce it across all trackers, and (3) log enough to prove what happened.

Make your CMP configuration exportable and versioned so you can answer complaints quickly.

- Enforcement: block non-exempt trackers pre-consent (web + app).
- Versioning: store banner/CMP version, vendor list, purpose mapping, and locale-specific text per release.
- Evidence: consent and withdrawal logs + automated tests of key flows.
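
The three CMP duties above (collect, enforce, log) can be shown as a small consent gate that tags must go through. This is an added example and not a real CMP's API: `createConsentGate`, `CMP_RELEASE` and every field name are hypothetical, and the release values are constructed.

```javascript
// Hypothetical release record: the versioned facts a consent log entry must point back to.
const CMP_RELEASE = {
  cmpVersion: "2026.02-constructed",
  locale: "en-IE",
  bannerTextId: "banner-v7", // which wording the user saw
  // tracker id -> purpose; null marks a documented exemption
  purposeMap: new Map([["session", null], ["ga-like", "analytics"], ["ad-pixel", "advertising"]]),
};

function createConsentGate(release, now = () => new Date().toISOString()) {
  const log = []; // append-only; exported for the evidence pack
  const queued = []; // loaders waiting for a choice
  let granted = null; // null = no choice recorded yet

  function append(event, purposes) {
    const { cmpVersion, locale, bannerTextId } = release;
    log.push({ ts: now(), event, purposes: [...purposes], cmpVersion, locale, bannerTextId });
  }
  function mayFire(trackerId) {
    if (!release.purposeMap.has(trackerId)) return false; // unmapped trackers never fire
    const purpose = release.purposeMap.get(trackerId);
    return purpose === null || (granted !== null && granted.has(purpose));
  }
  return {
    log,
    mayFire,
    // Tags register a loader here instead of injecting themselves.
    load(trackerId, loader) {
      if (mayFire(trackerId)) { loader(); return "fired"; }
      if (granted === null && release.purposeMap.has(trackerId)) {
        queued.push({ trackerId, loader });
        return "queued";
      }
      return "blocked";
    },
    recordChoice(purposes) {
      granted = new Set(purposes);
      append("choice", purposes); // the log entry exists before any queued tag runs
      for (const q of queued.splice(0)) if (mayFire(q.trackerId)) q.loader();
    },
    withdraw() {
      granted = new Set();
      append("withdrawal", []);
    },
  };
}
```

Withdrawal in this sketch only stops future loads; scripts already injected into the page keep running until a reload or until their own opt-out call is made.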

## Evidence pack (what to keep so you can respond in days, not weeks)

Enforcement is evidence-driven. If you can't export your decisions and logs, you will struggle.

Build an evidence index and rehearse exports.

- Tracker decision table (consent vs exemption) with reasoning and approvals.
- CMP config snapshot exports + banner UX spec.
- Consent/withdrawal log schema + sample exports.
- Regression test results (UI + network-level) proving pre-consent blocking.

## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive) - consolidated text (EUR-Lex)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219&ref=sorena.io) - Article 5(3) terminal equipment access framework.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption (WP194)](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Detailed exemptions test and examples for Article 5(3).
- [EDPB Report - Cookie Banner Taskforce (Jan 2023)](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Common enforcement pain points for cookie banners and consent implementation.

