
ePrivacy + GDPR: How to Align the Stack

Turn consent into a system that actually controls what your product does.

Focus: UX -> configuration -> runtime enforcement -> processing purposes -> audit evidence.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Overview

The fastest way to fail "ePrivacy vs GDPR" is to build a nice banner that does not control runtime behavior. The enforcement mindset is simple: if consent was required under ePrivacy and you did not obtain valid consent, the placement or reading on the device is unlawful, and the downstream processing under GDPR is not safe either. This page gives you a practical blueprint for aligning ePrivacy (access to the user's terminal equipment and confidentiality of communications) with GDPR (the subsequent processing of personal data) so you can prove outcomes with logs and tests rather than assert them.

Section 1

Blueprint overview: 6 layers to keep consistent

Think in layers. Each layer has an owner, an artifact, and a test. If any layer is missing, you'll have "consent theater".

  • Layer 1 (Inventory): tracker + SDK + storage inventory with markets, purposes, and vendors.
  • Layer 2 (Legal model): ePrivacy decision table (consent vs exemption) + GDPR processing-purpose map.
  • Layer 3 (UX): banner and settings UI that makes refusal and withdrawal realistic and understandable.
  • Layer 4 (Enforcement): CMP config + tag manager rules + SDK gating to prevent pre-consent firing.
  • Layer 5 (Logging): consent and withdrawal logs that link to banner version and purpose/vendor choices.
  • Layer 6 (Evidence export): repeatable export pack for audits and regulator inquiries.

Section 2

Aligning choices to runtime behavior (the part regulators and auditors actually care about)

Most findings are caused by mismatches between "what the banner says" and "what scripts did". Solve that with a deterministic mapping from consent choices to runtime outcomes.

The EDPB's Cookie Banner Taskforce report highlights the recurring findings: no reject option alongside accept, confusing flows, placement before consent, and friction on withdrawal.

  • Define acceptance criteria: "no consent = no firing" for every consent-requiring tracker, verified against captured network traces rather than vendor dashboards.
  • Implement hard blocks: do not rely only on vendor promises; enforce in tag manager triggers and at SDK initialization, and deny anything not in the inventory.
  • Keep geo rules explicit: EU vs non-EU experiences must be intentional and testable, and an unresolved region must fall back to the stricter path.
  • Make withdrawal easy: a persistent entry point to settings, with immediate effect on firing rather than "from the next page load".
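The deterministic mapping described above, as an added example that is not code from the page or from any CMP or tag-manager vendor: a small consent gate in JavaScript that turns purpose-level choices into a per-tracker allow/deny decision, logs every consent and withdrawal with the banner version (Layer 5), applies withdrawal immediately, and exports the evidence pack (Layer 6). The tracker ids, purpose names, region codes and the `REGION_POLICY` table are constructed for illustration; `ConsentGate`, `decide`, `firing` and `walkthrough` are names chosen here, not a real API.

```javascript
// Added example (not from the page or any CMP vendor). All ids, purposes and
// region rules below are constructed for illustration.

// Layer 1 + 2: one inventory row per tracker with the ePrivacy decision.
// basis "exempt" = strictly necessary, no consent needed; "consent" = consent required.
const INVENTORY = [
  { id: "session-cookie", purpose: "strictly_necessary", basis: "exempt" },
  { id: "analytics-sdk", purpose: "analytics", basis: "consent" },
  { id: "ads-pixel", purpose: "advertising", basis: "consent" },
];

// Explicit geo rule (constructed). "ZZ" stands for a hypothetical market where the
// team has deliberately decided no consent gate applies. Regions not listed, and an
// unresolved region, inherit the EU rule, so the gate fails closed.
const REGION_POLICY = { EU: "gate-on-consent", ZZ: "no-gate" };

class ConsentGate {
  constructor({ inventory, regionPolicy, bannerVersion, clock }) {
    this.inventory = new Map(inventory.map((t) => [t.id, t]));
    this.regionPolicy = regionPolicy;
    this.bannerVersion = bannerVersion;
    this.clock = clock || (() => new Date().toISOString());
    this.granted = new Set(); // purposes with current, valid consent
    this.log = [];            // Layer 5: append-only consent/withdrawal records
    this.region = null;       // unresolved until setContext() runs -> EU rule applies
    this.locale = null;
  }

  setContext({ region, locale }) {
    this.region = region;
    this.locale = locale;
  }

  // Layer 4: the single decision every tag-manager trigger and SDK init must ask.
  // Anything not in the inventory is denied: unknown scripts are exactly the
  // "banner says X, scripts did Y" gap that auditors find.
  decide(trackerId) {
    const t = this.inventory.get(trackerId);
    if (!t) return { allow: false, reason: "not-in-inventory" };
    if (t.basis === "exempt") return { allow: true, reason: "exempt" };
    const policy = this.regionPolicy[this.region] ?? this.regionPolicy.EU;
    if (policy === "no-gate") return { allow: true, reason: `region:${this.region}` };
    return this.granted.has(t.purpose)
      ? { allow: true, reason: "consent" }
      : { allow: false, reason: "no-consent" };
  }

  record(event, purposes) {
    this.log.push({
      ts: this.clock(), event, purposes: [...purposes],
      bannerVersion: this.bannerVersion, region: this.region, locale: this.locale,
    });
  }

  grant(purposes) {
    for (const p of purposes) this.granted.add(p);
    this.record("consent", purposes);
  }

  // Withdrawal changes the next decide() call immediately; nothing is deferred.
  withdraw(purposes) {
    for (const p of purposes) this.granted.delete(p);
    this.record("withdrawal", purposes);
  }

  // Runtime proof: the trackers that may fire right now. A network trace captured
  // at the same moment must contain nothing outside this set.
  firing() {
    return [...this.inventory.keys()].filter((id) => this.decide(id).allow);
  }

  // Layer 6: evidence pack = decision table + current state + full log.
  exportEvidence() {
    return {
      bannerVersion: this.bannerVersion,
      decisionTable: [...this.inventory.values()],
      granted: [...this.granted],
      log: this.log,
    };
  }
}

// Stand-alone walkthrough: pre-consent, after consent, after withdrawal (EU context).
function walkthrough() {
  const gate = new ConsentGate({
    inventory: INVENTORY, regionPolicy: REGION_POLICY,
    bannerVersion: "banner-2026-02", clock: () => "2026-02-21T00:00:00Z",
  });
  gate.setContext({ region: "EU", locale: "de-DE" });
  const preConsent = gate.firing();
  gate.grant(["analytics"]);
  const afterConsent = gate.firing();
  gate.withdraw(["analytics"]);
  const afterWithdrawal = gate.firing();
  return { preConsent, afterConsent, afterWithdrawal, evidence: gate.exportEvidence() };
}

console.log(JSON.stringify(walkthrough(), null, 2));
```

The point of routing every tag-manager trigger and SDK initializer through one `decide()` call is that the acceptance test becomes mechanical: compare the set returned by `firing()` against the hosts seen in a network trace captured at the same moment, and any request outside that set is a finding. Keeping the region fallback on the strict path means a failed geolocation lookup degrades to the EU experience instead of the permissive one.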

Section 4

Audit evidence: what "good" looks like (practical checklist)

If you can produce the list below quickly and consistently, you're ahead of most teams.

Treat evidence as product output - generated, not manually assembled.

  • Tracker decision table (ePrivacy): consent vs exemption per tracker, with rationale and approvals.
  • CMP export: purposes/vendors, default states, UI layers, and geo rules.
  • Runtime proof: automated tests and traces demonstrating "no pre-consent firing" and correct withdrawal behavior.
  • Consent/withdrawal logs: timestamp, locale, purpose/vendor selections, banner version, and change history.
  • GDPR processing map: purposes, lawful basis, recipients, retention, transfers, and DPIA/records where needed.