Artifact GuideEU

ePrivacy cookie consent vs DSA ads obligations

Use this source-limited comparison to separate ePrivacy rules for storing or accessing information on terminal equipment from DSA ads-transparency work that must be checked against DSA sources before implementation.

The concrete citations on this page are ePrivacy sources: Article 5(3) technical scope, GDPR-standard consent guidance, cookie-banner taskforce findings, cookie-exemption analysis, and Commission ePrivacy material.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Advertising teams often put cookie consent and ad transparency in the same launch checklist. Keep them separate. ePrivacy Article 5(3) asks whether a site, app, SDK, pixel, identifier, or similar technology stores information on, or gains access to information already stored in, a user's terminal equipment. DSA ads obligations may also matter for online-platform advertising, but the ePrivacy grounding set used for this artifact does not contain detailed DSA source material, so this page treats DSA as a separate workstream to verify rather than a source of detailed claims.

Source-limited comparison

ePrivacy cookie consent vs DSA ads obligations

Use these rows to keep terminal-equipment consent, ads transparency, and shared evidence distinct. The DSA side is deliberately high-level because this artifact's grounding folder contains ePrivacy sources, not DSA source material.

Review all sources
First framework
ePrivacy cookie and tracking consent

Decides whether advertising, analytics, or measurement technology stores information on, or gains access to information already stored in, terminal equipment, and whether consent or a narrow Article 5(3) exemption supports that operation.

Second framework
DSA ads workstream

Separate ads-transparency review that must be validated against DSA sources before relying on detailed triggers, duties, deadlines, repositories, penalties, or authority routes.

Comparison row 1

Scope boundary

ePrivacy cookie and tracking consent

Storage of information on terminal equipment or access to information already stored there, including non-cookie tracking techniques when the Article 5(3) criteria are met.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
DSA ads workstream

Potential online-platform advertising transparency or disclosure work; detailed DSA trigger not stated here because no DSA grounding source was present in the ePrivacy folder.

Operational implication

Run the ePrivacy technical trigger before tags, pixels, SDKs, or identifiers fire. Open a DSA-specific source check for platform ad disclosures instead of using this page as DSA authority.

European Commission ePrivacy overviewSources 1
Comparison row 2

Covered actors

ePrivacy cookie and tracking consent

If consent is required, it must meet GDPR-standard consent quality: freely given, specific, informed, unambiguous, affirmative, demonstrable, and withdrawable as easily as it was given.

EDPB Guidelines 05/2020 on consentSources 1EDPB Cookie Banner Taskforce reportSources 2
DSA ads workstream

A DSA ad disclosure or transparency artifact should not be treated as consent for terminal-equipment storage or access unless a separate ePrivacy consent test is satisfied.

Operational implication

Keep consent buttons, preference centers, and consent logs separate from ad labels, sponsor disclosures, or transparency records, even if they are reviewed in the same launch gate.

Directive 2002/58/EC (ePrivacy Directive)Sources 1
Comparison row 3

Trigger

ePrivacy cookie and tracking consent

Third-party advertising cookies and operational advertising cookies are not within the consent exemptions described by WP29; analytics needs a separate purpose and safeguard assessment.

WP29 Opinion 04/2012 on Cookie Consent ExemptionSources 1
DSA ads workstream

DSA ads work may use the same inventory to understand advertising flows, but this page does not validate DSA-specific repository, targeting, recommender, or platform-category duties.

Operational implication

Reuse the factual inventory, not the legal conclusion. The same tag map can support ePrivacy consent review and a later DSA ads review, but each obligation needs its own source.

WP29 Opinion 04/2012 on Cookie Consent ExemptionSources 1
Comparison row 4

Core obligations

ePrivacy cookie and tracking consent

Tracker inventory, purpose map, Article 5(3) classification, exemption analysis, consent UX screenshots, CMP settings, consent logs, reject and withdrawal tests, and proof that consent-requiring tools do not fire before consent.

EDPB Cookie Banner Taskforce reportSources 1EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 2
DSA ads workstream

Ad-disclosure screenshots, ad journey facts, sponsor or advertiser fields, targeting or measurement descriptions, and the DSA source used for any platform-specific conclusion once attached.

Operational implication

Label shared records with the obligation they support. An ad journey screenshot may help both teams, but it does not supersede consent logs or a DSA citation.

EDPB Cookie Banner Taskforce reportSources 1
Comparison row 5

Evidence record

ePrivacy cookie and tracking consent

If the ad stack stores or reads terminal-equipment information and no narrow exemption applies, block the tag until consent is obtained and withdrawal is available.

Directive 2002/58/EC (ePrivacy Directive)Sources 1WP29 Opinion 04/2012 on Cookie Consent ExemptionSources 2
DSA ads workstream

If the team asserts a DSA ads obligation, require a DSA source in the record before naming the duty, deadline, repository, role, or enforcement path.

Operational implication

Do not merge the sign-off. ePrivacy approves or blocks terminal-equipment access; a DSA review should separately approve source-linked ad transparency.

European Commission ePrivacy overviewSources 1
Comparison row 6

Timing and deadlines

ePrivacy cookie and tracking consent

Set the ePrivacy check before launch, because tags and pixels should not start collecting until the terminal-equipment question and any required consent path have been resolved.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
DSA ads workstream

Treat DSA ads timing as a separate workstream that starts only after the relevant DSA source is attached and the platform-duty question is confirmed.

Operational implication

If the tracker can run now, the ePrivacy review comes first; if the disclosure is still hypothetical, park the DSA question for source-based follow-up rather than mixing the two on one deadline.

European Commission ePrivacy overviewSources 1
Comparison row 7

Enforcement

ePrivacy cookie and tracking consent

Use the ePrivacy file to determine whether a tracker may launch at all, and keep the consent evidence ready for audit or complaint review.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
DSA ads workstream

Use the DSA file only after a DSA source is attached, so any enforcement or supervisory question is tied to a cited DSA obligation rather than a generic ads label.

Operational implication

The practical question differs: ePrivacy asks whether collection is allowed now, while DSA asks whether the advertising disclosure record is supported by the right source.

European Commission ePrivacy overviewSources 1
Comparison row 8

Overlap and reuse

ePrivacy cookie and tracking consent

Reuse the tracker map, consent records, and screenshots for ePrivacy because they show what runs on the device and whether consent was captured.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
DSA ads workstream

Reuse only the same factual inventory for DSA until a DSA source is added; the legal answer and the evidence standard still have to be checked separately.

Operational implication

Shared materials can move between teams, but the legal test does not: facts can be reused, conclusions cannot.

European Commission ePrivacy overviewSources 1
Comparison row 9

Practical decision rule

ePrivacy cookie and tracking consent

If the launch depends on a cookie, pixel, SDK, or identifier touching terminal equipment, make the ePrivacy call first.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
DSA ads workstream

If the remaining question is ads disclosure on an online-platform workflow, send it to DSA review only after a DSA source is in the file.

Operational implication

Start with the rule that can actually be proved from the record. Here, that is ePrivacy; DSA stays a follow-up unless the source set changes.

European Commission ePrivacy overviewSources 1
Practical decision rule

How should teams use this comparison?

  • Make the ePrivacy call first when a tracker, tag, or identifier may touch terminal equipment.
  • Use the DSA column only after a DSA source is attached and the ads question is still separate from consent.
  • Reuse the same inventory and screenshots as facts, but do not treat them as proof that both legal tests are satisfied.
  • Stop launch if a consent-requiring tracker is ready to fire or if a DSA ads conclusion has no cited source.
EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1EDPB Cookie Banner Taskforce reportSources 2
Section 1

What the ePrivacy side decides

For ePrivacy, start with the technical act. The EDPB describes Article 5(3) as applying when operations involve information, terminal equipment, a public electronic-communications-network context, and either storage or gaining access. That analysis is broader than browser cookies: URL and pixel tracking, local processing, IP-only tracking scenarios, IoT reporting, and unique identifiers can require review.

The ePrivacy decision is therefore not whether an ad is transparent. It is whether the advertising, analytics, measurement, attribution, frequency-capping, anti-fraud, or audience-building setup stores or reads information on terminal equipment, and whether consent or a narrow necessity exemption supports that operation.

  • Inventory cookies, pixels, SDK calls, local storage, mobile identifiers, hashed identifiers, and server calls that read device-side values.
  • Classify whether each operation stores information, gains access to stored information, or does both.
  • Separate strictly necessary service functions from advertising, analytics, profiling, attribution, and measurement purposes.
  • Record the user-facing purpose, technical mechanism, third parties, retention, consent state, withdrawal path, and source citation.
Sources for this answer
Directive 2002/58/EC (ePrivacy Directive)
Legal source for Article 5(3), which governs storing information or gaining access to information already stored in terminal equipment.
EDPB Guidelines 2/2023 on the technical scope of Article 5(3)
Explains Article 5(3) criteria and applies them to tracking pixels, local processing, IP-only tracking, IoT reporting, and unique identifiers.
Section 2

What the DSA side can and cannot decide here

The ePrivacy grounding folder does not contain DSA source material. This artifact therefore does not state detailed DSA triggers, platform categories, deadlines, repositories, penalties, or national supervisory rules.

Use the DSA column only as a reminder that advertising transparency can be a separate obligation from cookie or tracking consent. A product can need ePrivacy consent before an ad-tracking technology runs, and also need DSA ads review if DSA-sourced platform-advertising duties apply. Do not treat a DSA disclosure as consent for terminal-equipment access, and do not treat ePrivacy consent as proof that DSA ad-transparency duties are complete.

  • Mark DSA conclusions as source-limited until a DSA source is attached.
  • Do not import DSA role, threshold, repository, or enforcement claims into this artifact without DSA grounding.
  • Keep the shared facts narrow: ad journey, tracking technology, advertiser or sponsor data, targeting or measurement purpose, user-facing disclosures, and evidence owner.
  • Escalate to a DSA-specific review when the service presents ads through an online-platform interface or uses an ads-transparency workflow.
Sources for this answer
European Commission ePrivacy overview
Commission material used only for the ePrivacy context and source limits of this comparison.
Section 4

Advertising and analytics caveats

The WP29 cookie-exemption opinion is especially useful for ad stacks because it warns against treating operational advertising cookies as strictly necessary. It says third-party advertising cookies are not exempt from consent and extends that consent view to operational advertising purposes such as frequency capping, financial logging, ad affiliation, click-fraud detection, research, market analysis, product improvement, and debugging.

Analytics also needs careful classification. The same opinion distinguishes first-party aggregated analytics with safeguards from third-party analytics that tracks users across sites, and says first-party analytics were not within the two Article 5(3) exemptions even if they may present lower privacy risk when safeguarded.

  • Do not classify an advertising or measurement cookie as strictly necessary merely because the business needs it for monetization or reporting.
  • Keep a purpose-by-purpose assessment when one tag supports security, measurement, fraud checks, attribution, and targeting.
  • For analytics, record whether the implementation is first-party or third-party, aggregated or user-level, cross-site or same-site, and whether opt-out and anonymization safeguards exist.
  • For DSA work, reuse only the factual inventory and disclosure screenshots until a DSA source validates the legal obligation.
Sources for this answer
WP29 Opinion 04/2012 on Cookie Consent Exemption
Explains the Article 5(3) consent exemptions and why third-party advertising cookies and operational advertising cookies are not exempt.
EDPB Guidelines 2/2023 on the technical scope of Article 5(3)
Supports review of non-cookie tracking techniques used in advertising and measurement stacks.
Recommended next step

Turn this comparison into a cited advertising launch check

Sorena can help map cookies, pixels, SDKs, consent UX, withdrawal paths, and ads-disclosure evidence while keeping DSA conclusions source-limited until DSA material is attached.

Research workflow
Open Research Copilot for ePrivacy

Ask source-linked questions about Article 5(3), cookie consent, banner evidence, and tracking technologies using the cited ePrivacy sources.

Explore next step
Talk to Sorena
Talk through implementation

Review your advertising, analytics, and consent evidence before treating DSA ads work as complete.

Explore next step
Primary sources

References and citations

EDPB Guidelines 05/2020 on consent
edpb.europa.eu
Referenced sections
  • Grounds consent quality and withdrawal expectations for ePrivacy-referenced consent.
"freely given, specific, informed and unambiguous"
European Commission ePrivacy overview
digital-strategy.ec.europa.eu
Referenced sections
  • Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
"online privacy"
Related guides

Explore more topics

Are cookie walls allowed under the EU ePrivacy Directive?
FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
Do Analytics Cookies Require Consent under the EU ePrivacy Directive?
FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence
Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
EU cookie banner requirements under the ePrivacy Directive
EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
EU ePrivacy analytics cookies: consent, exemption, and evidence guide
source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing
A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
EU ePrivacy Article 5(3) terminal equipment test
A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
EU ePrivacy Confidentiality of Communications: Article 5 controls
Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
EU ePrivacy consent-log evidence workflow for cookies and trackers
Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
EU ePrivacy cookie banner UX test cases
source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
EU ePrivacy Cookie Scope Classifier Workflow
Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
EU ePrivacy direct-marketing consent checklist
Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
EU ePrivacy Directive compliance calendar for cookies, consent, and marketing
source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
EU ePrivacy Directive Compliance Checklist
A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications
Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence
Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
EU ePrivacy Directive direct marketing rules for electronic mail
source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
EU ePrivacy Directive Enforcement and Fines
Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay
Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
EU ePrivacy Directive Member State Cookie Rules
How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
EU ePrivacy Directive Metadata and Location Data Guide
source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
EU ePrivacy Directive penalties and fines: national enforcement caveats
source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
EU ePrivacy Directive Requirements: cookies, communications and marketing
source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence
Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison
Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
EU ePrivacy soft opt-in FAQ for email marketing
When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
EU ePrivacy soft opt-in marketing checklist
source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
EU ePrivacy soft opt-in marketing review workflow
Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
EU ePrivacy Strictly Necessary Cookie Exemptions
source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
Is a reject-all button required for EU ePrivacy cookie consent?
Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
Strictly Necessary Cookies under the EU ePrivacy Directive
FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
What should CMP consent logs retain under the EU ePrivacy Directive?
FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.