---
title: "ePrivacy cookie consent vs DSA ads obligations: source-limited comparison"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads"
author: "Sorena AI"
description: "Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "Article 5(3)"
  - "cookies"
  - "tracking"
  - "consent"
  - "cookie banners"
  - "DSA ads"
  - "digital advertising"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ePrivacy cookie consent vs DSA ads obligations: source-limited comparison

Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.

*Artifact Guide* *EU*

## ePrivacy cookie consent vs DSA ads obligations

Use this source-limited comparison to separate ePrivacy rules for storing or accessing information on terminal equipment from DSA ads-transparency work that must be checked against DSA sources before implementation.

The concrete citations on this page are ePrivacy sources: Article 5(3) technical scope, GDPR-standard consent guidance, cookie-banner taskforce findings, cookie-exemption analysis, and Commission ePrivacy material.

Advertising teams often put cookie consent and ad transparency in the same launch checklist. Keep them separate. ePrivacy Article 5(3) asks whether a site, app, SDK, pixel, identifier, or similar technology stores information on, or gains access to information already stored in, a user's terminal equipment. DSA ads obligations may also matter for online-platform advertising, but the ePrivacy grounding set used for this artifact does not contain detailed DSA source material, so this page treats DSA as a separate workstream to verify rather than a source of detailed claims.

## ePrivacy cookie consent vs DSA ads obligations

Use these rows to keep terminal-equipment consent, ads transparency, and shared evidence distinct. The DSA side is deliberately high-level because this artifact's grounding folder contains ePrivacy sources, not DSA source material.

- **ePrivacy cookie and tracking consent**: Decides whether advertising, analytics, or measurement technology stores information on, or gains access to information already stored in, terminal equipment, and whether consent or a narrow Article 5(3) exemption supports that operation.
- **DSA ads workstream**: Separate ads-transparency review that must be validated against DSA sources before relying on detailed triggers, duties, deadlines, repositories, penalties, or authority routes.

| Dimension | ePrivacy cookie and tracking consent | DSA ads workstream | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Storage of information on terminal equipment or access to information already stored there, including non-cookie tracking techniques when the Article 5(3) criteria are met. | Potential online-platform advertising transparency or disclosure work; detailed DSA trigger not stated here because no DSA grounding source was present in the ePrivacy folder. | Run the ePrivacy technical trigger before tags, pixels, SDKs, or identifiers fire. Open a DSA-specific source check for platform ad disclosures instead of using this page as DSA authority. | [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.<br>[European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here. |
| Covered actors | If consent is required, it must meet GDPR-standard consent quality: freely given, specific, informed, unambiguous, affirmative, demonstrable, and withdrawable as easily as it was given. | A DSA ad disclosure or transparency artifact should not be treated as consent for terminal-equipment storage or access unless a separate ePrivacy consent test is satisfied. | Keep consent buttons, preference centers, and consent logs separate from ad labels, sponsor disclosures, or transparency records, even if they are reviewed in the same launch gate. | [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Grounds consent quality and withdrawal expectations for ePrivacy-referenced consent.<br>[EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds cookie-banner evidence expectations, including reject options, pre-ticked boxes, misleading choices, and withdrawal.<br>[Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Grounds the need to treat terminal-equipment access separately from other advertising disclosures. |
| Trigger | Third-party advertising cookies and operational advertising cookies are not within the consent exemptions described by WP29; analytics needs a separate purpose and safeguard assessment. | DSA ads work may use the same inventory to understand advertising flows, but this page does not validate DSA-specific repository, targeting, recommender, or platform-category duties. | Reuse the factual inventory, not the legal conclusion. The same tag map can support ePrivacy consent review and a later DSA ads review, but each obligation needs its own source. | [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports the inventory distinction between advertising, analytics, and strictly necessary purposes. |
| Core obligations | Tracker inventory, purpose map, Article 5(3) classification, exemption analysis, consent UX screenshots, CMP settings, consent logs, reject and withdrawal tests, and proof that consent-requiring tools do not fire before consent. | Ad-disclosure screenshots, ad journey facts, sponsor or advertiser fields, targeting or measurement descriptions, and the DSA source used for any platform-specific conclusion once attached. | Label shared records with the obligation they support. An ad journey screenshot may help both teams, but it does not supersede consent logs or a DSA citation. | [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports evidence separation for cookie placement or reading and later processing.<br>[EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the need to classify technical storage and access operations. |
| Evidence record | If the ad stack stores or reads terminal-equipment information and no narrow exemption applies, block the tag until consent is obtained and withdrawal is available. | If the team asserts a DSA ads obligation, require a DSA source in the record before naming the duty, deadline, repository, role, or enforcement path. | Do not merge the sign-off. ePrivacy approves or blocks terminal-equipment access; a DSA review should separately approve source-linked ad transparency. | [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Grounds the Article 5(3) terminal-equipment rule used for the launch decision.<br>[WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Grounds strict review of consent exemptions before relying on a no-consent path.<br>[European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Supports the source-limited framing: this artifact is grounded in ePrivacy material. |
| Timing and deadlines | Set the ePrivacy check before launch, because tags and pixels should not start collecting until the terminal-equipment question and any required consent path have been resolved. | Treat DSA ads timing as a separate workstream that starts only after the relevant DSA source is attached and the platform-duty question is confirmed. | If the tracker can run now, the ePrivacy review comes first; if the disclosure is still hypothetical, park the DSA question for source-based follow-up rather than mixing the two on one deadline. | [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.<br>[European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here. |
| Enforcement | Use the ePrivacy file to determine whether a tracker may launch at all, and keep the consent evidence ready for audit or complaint review. | Use the DSA file only after a DSA source is attached, so any enforcement or supervisory question is tied to a cited DSA obligation rather than a generic ads label. | The practical question differs: ePrivacy asks whether collection is allowed now, while DSA asks whether the advertising disclosure record is supported by the right source. | [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.<br>[European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here. |
| Overlap and reuse | Reuse the tracker map, consent records, and screenshots for ePrivacy because they show what runs on the device and whether consent was captured. | Reuse only the same factual inventory for DSA until a DSA source is added; the legal answer and the evidence standard still have to be checked separately. | Shared materials can move between teams, but the legal test does not: facts can be reused, conclusions cannot. | [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.<br>[European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here. |
| Practical decision rule | If the launch depends on a cookie, pixel, SDK, or identifier touching terminal equipment, make the ePrivacy call first. | If the remaining question is ads disclosure on an online-platform workflow, send it to DSA review only after a DSA source is in the file. | Start with the rule that can actually be proved from the record. Here, that is ePrivacy; DSA stays a follow-up unless the source set changes. | [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.<br>[European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here. |

Sources for Scope boundary - ePrivacy cookie and tracking consent:

- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.
  - Quote: "gaining of access or storage"

Sources for Scope boundary - operational implication:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
  - Quote: "online privacy"

Sources for Covered actors - ePrivacy cookie and tracking consent:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Grounds consent quality and withdrawal expectations for ePrivacy-referenced consent.
  - Quote: "freely given, specific, informed and unambiguous"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds cookie-banner evidence expectations, including reject options, pre-ticked boxes, misleading choices, and withdrawal.
  - Quote: "withdraw consent at any time"

Sources for Covered actors - operational implication:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Grounds the need to treat terminal-equipment access separately from other advertising disclosures.
  - Quote: "terminal equipment"

Sources for Trigger - ePrivacy cookie and tracking consent:

- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Grounds the non-exemption analysis for third-party advertising cookies, operational advertising purposes, and analytics caveats.
  - Quote: "third party advertising cookies cannot be exempted"

Sources for Trigger - operational implication:

- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports the inventory distinction between advertising, analytics, and strictly necessary purposes.
  - Quote: "purpose and the specific implementation"

Sources for Core obligations - ePrivacy cookie and tracking consent:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds practical cookie-banner and withdrawal evidence expectations.
  - Quote: "easily accessible solutions"
- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the need to classify technical storage and access operations.
  - Quote: "key elements for the applicability"

Sources for Core obligations - operational implication:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports evidence separation for cookie placement or reading and later processing.
  - Quote: "placement or reading of cookies"

Sources for Evidence record - ePrivacy cookie and tracking consent:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Grounds the Article 5(3) terminal-equipment rule used for the launch decision.
  - Quote: "terminal equipment"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Grounds strict review of consent exemptions before relying on a no-consent path.
  - Quote: "strictly necessary"

Sources for Evidence record - operational implication:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Supports the source-limited framing: this artifact is grounded in ePrivacy material.
  - Quote: "ePrivacy area"

Sources for Timing and deadlines - ePrivacy cookie and tracking consent:

- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.
  - Quote: "technical scope of Art. 5(3)"

Sources for Timing and deadlines - operational implication:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
  - Quote: "online privacy"

Sources for Enforcement - ePrivacy cookie and tracking consent:

- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.
  - Quote: "gaining of access or storage"

Sources for Enforcement - operational implication:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
  - Quote: "online privacy"

Sources for Overlap and reuse - ePrivacy cookie and tracking consent:

- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.
  - Quote: "gaining of access or storage"

Sources for Overlap and reuse - operational implication:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
  - Quote: "online privacy"

Sources for Practical decision rule - ePrivacy cookie and tracking consent:

- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy trigger for storage, access, information, terminal equipment, and non-cookie tracking scenarios.
  - Quote: "gaining of access or storage"

Sources for Practical decision rule - operational implication:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
  - Quote: "online privacy"

### How should teams use this comparison?

- Make the ePrivacy call first when a tracker, tag, or identifier may touch terminal equipment.
- Use the DSA column only after a DSA source is attached and the ads question is still separate from consent.
- Reuse the same inventory and screenshots as facts, but do not treat them as proof that both legal tests are satisfied.
- Stop launch if a consent-requiring tracker is ready to fire or if a DSA ads conclusion has no cited source.

Sources for the practical decision rule:

- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy technical decision rule for tracking technologies.
  - Quote: "storage or access"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds the consent UX and withdrawal checks used before launch.
  - Quote: "valid consent"

## What the ePrivacy side decides

For ePrivacy, start with the technical act. The EDPB describes Article 5(3) as applying when operations involve information, terminal equipment, a public electronic-communications-network context, and either storage or gaining access. That analysis is broader than browser cookies: URL and pixel tracking, local processing, IP-only tracking scenarios, IoT reporting, and unique identifiers can require review.

The ePrivacy decision is therefore not whether an ad is transparent. It is whether the advertising, analytics, measurement, attribution, frequency-capping, anti-fraud, or audience-building setup stores or reads information on terminal equipment, and whether consent or a narrow necessity exemption supports that operation.

- Inventory cookies, pixels, SDK calls, local storage, mobile identifiers, hashed identifiers, and server calls that read device-side values.
- Classify whether each operation stores information, gains access to stored information, or does both.
- Separate strictly necessary service functions from advertising, analytics, profiling, attribution, and measurement purposes.
- Record the user-facing purpose, technical mechanism, third parties, retention, consent state, withdrawal path, and source citation.

Sources for this answer:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Legal source for Article 5(3), which governs storing information or gaining access to information already stored in terminal equipment.
- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Explains Article 5(3) criteria and applies them to tracking pixels, local processing, IP-only tracking, IoT reporting, and unique identifiers.

## What the DSA side can and cannot decide here

The ePrivacy grounding folder does not contain DSA source material. This artifact therefore does not state detailed DSA triggers, platform categories, deadlines, repositories, penalties, or national supervisory rules.

Use the DSA column only as a reminder that advertising transparency can be a separate obligation from cookie or tracking consent. A product can need ePrivacy consent before an ad-tracking technology runs, and also need DSA ads review if DSA-sourced platform-advertising duties apply. Do not treat a DSA disclosure as consent for terminal-equipment access, and do not treat ePrivacy consent as proof that DSA ad-transparency duties are complete.

- Mark DSA conclusions as source-limited until a DSA source is attached.
- Do not import DSA role, threshold, repository, or enforcement claims into this artifact without DSA grounding.
- Keep the shared facts narrow: ad journey, tracking technology, advertiser or sponsor data, targeting or measurement purpose, user-facing disclosures, and evidence owner.
- Escalate to a DSA-specific review when the service presents ads through an online-platform interface or uses an ads-transparency workflow.

Sources for this answer:

- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission material used only for the ePrivacy context and source limits of this comparison.

## Consent quality is an ePrivacy evidence issue

When ePrivacy requires consent for advertising or tracking access, the consent record should show more than a banner screenshot. EDPB consent guidance links valid consent to a freely given, specific, informed and unambiguous indication by clear affirmative action, with withdrawal available as easily as consent was given.

The Cookie Banner Taskforce report gives practical risk signals for this evidence review: no default setting of consent-requiring cookies, no pre-ticked boxes, understandable purpose information, reject options that are not hidden or misleading, and accessible withdrawal after consent has been collected.

- Keep the consent prompt copy, first-layer and second-layer screenshots, purpose labels, vendor list, consent-string configuration, and timestamped consent logs.
- Test accept, reject, granular choice, no-choice, and withdrawal paths before release.
- Check whether the banner clearly separates ePrivacy read/write consent from later personal-data processing choices.
- Retain proof that consent-requiring cookies, pixels, SDKs, or identifiers do not run before the required positive action.

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent-quality source for freely given, specific, informed, unambiguous consent and withdrawal requirements.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Practical source for cookie-banner findings, including reject options, pre-ticked boxes, misleading design, essential-cookie classification, and withdrawal access.

## Advertising and analytics caveats

The WP29 cookie-exemption opinion is especially useful for ad stacks because it warns against treating operational advertising cookies as strictly necessary. It says third-party advertising cookies are not exempt from consent and extends that consent view to operational advertising purposes such as frequency capping, financial logging, ad affiliation, click-fraud detection, research, market analysis, product improvement, and debugging.

Analytics also needs careful classification. The same opinion distinguishes first-party aggregated analytics with safeguards from third-party analytics that tracks users across sites, and says first-party analytics were not within the two Article 5(3) exemptions even if they may present lower privacy risk when safeguarded.

- Do not classify an advertising or measurement cookie as strictly necessary merely because the business needs it for monetization or reporting.
- Keep a purpose-by-purpose assessment when one tag supports security, measurement, fraud checks, attribution, and targeting.
- For analytics, record whether the implementation is first-party or third-party, aggregated or user-level, cross-site or same-site, and whether opt-out and anonymization safeguards exist.
- For DSA work, reuse only the factual inventory and disclosure screenshots until a DSA source validates the legal obligation.

Sources for this answer:

- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Explains the Article 5(3) consent exemptions and why third-party advertising cookies and operational advertising cookies are not exempt.
- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports review of non-cookie tracking techniques used in advertising and measurement stacks.

*Recommended next step*

*Placement: before sources*

## Turn this comparison into a cited advertising launch check

Sorena can help map cookies, pixels, SDKs, consent UX, withdrawal paths, and ads-disclosure evidence while keeping DSA conclusions source-limited until DSA material is attached.

- [Open Research Copilot for ePrivacy](/solutions/research-copilot.md): Ask source-linked questions about Article 5(3), cookie consent, banner evidence, and tracking technologies using the cited ePrivacy sources.
- [Talk through implementation](/contact.md): Review your advertising, analytics, and consent evidence before treating DSA ads work as complete.

## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219&ref=sorena.io) - Grounds the Article 5(3) terminal-equipment rule used for the launch decision.
  - Quote: "terminal equipment"
- [EDPB Guidelines 2/2023 on the technical scope of Article 5(3)](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Grounds the ePrivacy technical decision rule for tracking technologies.
  - Quote: "storage or access"
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Grounds consent quality and withdrawal expectations for ePrivacy-referenced consent.
  - Quote: "freely given, specific, informed and unambiguous"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds the consent UX and withdrawal checks used before launch.
  - Quote: "valid consent"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Grounds strict review of consent exemptions before relying on a no-consent path.
  - Quote: "strictly necessary"
- [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Used to identify the ePrivacy source scope and explain why DSA detail is source-limited here.
  - Quote: "online privacy"

## Related Topic Guides

- [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
- [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.
- [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
- [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
- [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
- [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
- [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
- [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
- [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
- [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
- [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
- [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
- [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
- [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
- [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
- [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
- [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
- [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
- [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
- [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
- [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
- [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
- [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
- [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
- [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
- [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
- [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
- [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
- [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
- [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
- [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
- [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads