Comparison GuideEU

EU ePrivacy Directive vs UK PECR

Use this comparison to separate EU ePrivacy evidence from UK PECR follow-up where the available source set only grounds the EU side.

The grounded rows cover cookies, terminal-equipment access, direct marketing, consent quality, soft opt-in logic, and evidence limits without inventing UK-specific rules or penalties.

Back to main artifact Review sources

Author

Sorena AI

Published

May 9, 2026

Updated

May 9, 2026

Sections

Structured answer sets in this page tree.

Primary sources

Cited legal and guidance references.

Publication metadata

Sorena AI

Published May 9, 2026

Updated May 9, 2026

Overview

This page compares EU ePrivacy Directive requirements with a UK PECR workstream only where the supplied source set supports the point. The EU side is grounded in the ePrivacy Directive, Article 5(3) technical guidance, consent guidance, GDPR/ePrivacy interplay guidance, and Commission material. The UK PECR side is deliberately marked as source-limited because this grounding set does not include a PECR primary text or UK regulator PECR guidance.

Side-by-side comparison

EU ePrivacy Directive vs UK PECR: grounded rows and source limits

Use the EU column for sourced ePrivacy rules. Use the PECR column as a source-gap handoff where this artifact does not contain UK primary or regulator grounding.

Review all sources

First framework

EU ePrivacy Directive

Grounded in the supplied EU ePrivacy sources for Article 5(3), direct marketing, consent, soft opt-in logic, and GDPR/ePrivacy interplay.

Second framework

UK PECR

Source-limited in this artifact: no PECR primary text or UK PECR regulator guidance is present in the supplied grounding folder, so UK conclusions need separate sourcing.

EU ePrivacy Directive vs UK PECR: grounded rows and source limits
Dimension	EU ePrivacy Directive	UK PECR	Operational implication
Scope boundary	Article 5(3) covers storing information or gaining access to information already stored in a subscriber's or user's terminal equipment; EDPB guidance frames the test around information, terminal equipment, storage, and access, and it is not limited to ordinary cookies. Directive 2002/58/EC (ePrivacy Directive)Sources 1 EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 2	Treat PECR cookie and terminal-equipment analysis as a parallel review, but do not state the UK rule from this source set. Attach UK PECR primary or regulator support before finalizing the UK conclusion.	Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation. EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
Covered actors	EU cookie consent exemptions are narrow: the cookie must be solely for transmitting a communication, or strictly necessary for a specific information-society service explicitly requested by the user. WP29 Opinion 04/2012 on cookie consent exemptionSources 1	Do not assume the same exemption wording, regulator interpretation, or examples for PECR from this artifact. Use the EU test as a prompt for UK validation.	For each claimed exemption, record the requested service, why the function fails without the tracker, and whether the exemption is EU-supported or PECR-unvalidated. WP29 Opinion 04/2012 on cookie consent exemptionSources 1
Trigger	Article 13 requires prior consent for electronic mail direct marketing, subject to the customer-contact rule for the sender's own similar products or services with a clear, easy, free opportunity to object at collection and in every later message. Directive 2002/58/EC (ePrivacy Directive)Sources 1	Keep PECR marketing conclusions provisional unless the campaign record includes UK PECR support for the channel, recipient type, consent or soft opt-in basis, sender identity, and opt-out wording.	Shared campaign evidence can include source of contact, sale context, product similarity, message copy, sender identity, unsubscribe path, suppression result, and source label. Directive 2002/58/EC (ePrivacy Directive)Sources 1
Core obligations	EU consent evidence should show real choice, clear information, an affirmative action, ability to demonstrate consent, and withdrawal without detriment; scrolling or similar passive activity is not enough for unambiguous consent. EDPB Guidelines 05/2020 on consentSources 1	Use the same operational evidence categories for PECR review, but do not state PECR-specific consent guidance from this EU-only source set.	CMP and campaign logs should capture notice version, purposes, positive action, timestamp, withdrawal route, and proof that refusal or withdrawal does not penalize the user. EDPB Guidelines 05/2020 on consentSources 1
Evidence record	EU evidence can be reused across cookie, analytics, consent, and marketing reviews only when each record says which Article 5(3), Article 13, consent, or GDPR/ePrivacy interplay point it supports. Directive 2002/58/EC (ePrivacy Directive)Sources 1 Directive 2002/58/EC (ePrivacy Directive)Sources 2	PECR evidence can share the same inventory and logs, but the UK conclusion remains blocked until a PECR source is attached.	Use one evidence pack with two source columns: EU source attached, PECR source missing or attached. Do not let a blank PECR source column become an approval. Directive 2002/58/EC (ePrivacy Directive)Sources 1
Timing and deadlines	EDPB Opinion 5/2019 explains that Articles 5(3) and 13 can apply to website operators and other businesses, and that ePrivacy-specific rules can coexist with GDPR where personal data is involved. Directive 2002/58/EC (ePrivacy Directive)Sources 1	Do not use GDPR analysis alone to close a PECR question. Keep the PECR statutory or regulator check separate from any UK GDPR analysis.	A DPIA, lawful-basis record, or privacy notice does not supersede the cookie, terminal-equipment, or direct-marketing source check. Directive 2002/58/EC (ePrivacy Directive)Sources 1
Enforcement	Article 5(3) covers storing information or gaining access to information already stored in a subscriber's or user's terminal equipment; EDPB guidance frames the test around information, terminal equipment, storage, and access, and it is not limited to ordinary cookies. Directive 2002/58/EC (ePrivacy Directive)Sources 1 EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 2	Treat PECR cookie and terminal-equipment analysis as a parallel review, but do not state the UK rule from this source set. Attach UK PECR primary or regulator support before finalizing the UK conclusion.	Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation. EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
Overlap and reuse	Article 5(3) covers storing information or gaining access to information already stored in a subscriber's or user's terminal equipment; EDPB guidance frames the test around information, terminal equipment, storage, and access, and it is not limited to ordinary cookies. Directive 2002/58/EC (ePrivacy Directive)Sources 1 EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 2	Treat PECR cookie and terminal-equipment analysis as a parallel review, but do not state the UK rule from this source set. Attach UK PECR primary or regulator support before finalizing the UK conclusion.	Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation. EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1
Practical decision rule	Article 5(3) covers storing information or gaining access to information already stored in a subscriber's or user's terminal equipment; EDPB guidance frames the test around information, terminal equipment, storage, and access, and it is not limited to ordinary cookies. Directive 2002/58/EC (ePrivacy Directive)Sources 1 EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 2	Treat PECR cookie and terminal-equipment analysis as a parallel review, but do not state the UK rule from this source set. Attach UK PECR primary or regulator support before finalizing the UK conclusion.	Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation. EDPB Guidelines 2/2023 on the technical scope of Article 5(3)Sources 1

Comparison row 1

Scope boundary

EU ePrivacy Directive

Article 5(3) covers storing information or gaining access to information already stored in a subscriber's or user's terminal equipment; EDPB guidance frames the test around information, terminal equipment, storage, and access, and it is not limited to ordinary cookies.

Directive 2002/58/EC (ePrivacy Directive)EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

UK PECR

Treat PECR cookie and terminal-equipment analysis as a parallel review, but do not state the UK rule from this source set. Attach UK PECR primary or regulator support before finalizing the UK conclusion.

Operational implication

Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

Comparison row 2

Covered actors

EU ePrivacy Directive

EU cookie consent exemptions are narrow: the cookie must be solely for transmitting a communication, or strictly necessary for a specific information-society service explicitly requested by the user.

WP29 Opinion 04/2012 on cookie consent exemption

UK PECR

Do not assume the same exemption wording, regulator interpretation, or examples for PECR from this artifact. Use the EU test as a prompt for UK validation.

Operational implication

For each claimed exemption, record the requested service, why the function fails without the tracker, and whether the exemption is EU-supported or PECR-unvalidated.

WP29 Opinion 04/2012 on cookie consent exemption

Comparison row 3

Trigger

EU ePrivacy Directive

Article 13 requires prior consent for electronic mail direct marketing, subject to the customer-contact rule for the sender's own similar products or services with a clear, easy, free opportunity to object at collection and in every later message.

Directive 2002/58/EC (ePrivacy Directive)

UK PECR

Keep PECR marketing conclusions provisional unless the campaign record includes UK PECR support for the channel, recipient type, consent or soft opt-in basis, sender identity, and opt-out wording.

Operational implication

Shared campaign evidence can include source of contact, sale context, product similarity, message copy, sender identity, unsubscribe path, suppression result, and source label.

Directive 2002/58/EC (ePrivacy Directive)

Comparison row 4

Core obligations

EU ePrivacy Directive

EU consent evidence should show real choice, clear information, an affirmative action, ability to demonstrate consent, and withdrawal without detriment; scrolling or similar passive activity is not enough for unambiguous consent.

EDPB Guidelines 05/2020 on consent

UK PECR

Use the same operational evidence categories for PECR review, but do not state PECR-specific consent guidance from this EU-only source set.

Operational implication

CMP and campaign logs should capture notice version, purposes, positive action, timestamp, withdrawal route, and proof that refusal or withdrawal does not penalize the user.

EDPB Guidelines 05/2020 on consent

Comparison row 5

Evidence record

EU ePrivacy Directive

EU evidence can be reused across cookie, analytics, consent, and marketing reviews only when each record says which Article 5(3), Article 13, consent, or GDPR/ePrivacy interplay point it supports.

Directive 2002/58/EC (ePrivacy Directive)Directive 2002/58/EC (ePrivacy Directive)

UK PECR

PECR evidence can share the same inventory and logs, but the UK conclusion remains blocked until a PECR source is attached.

Operational implication

Use one evidence pack with two source columns: EU source attached, PECR source missing or attached. Do not let a blank PECR source column become an approval.

Directive 2002/58/EC (ePrivacy Directive)

Comparison row 6

Timing and deadlines

EU ePrivacy Directive

EDPB Opinion 5/2019 explains that Articles 5(3) and 13 can apply to website operators and other businesses, and that ePrivacy-specific rules can coexist with GDPR where personal data is involved.

Directive 2002/58/EC (ePrivacy Directive)

UK PECR

Do not use GDPR analysis alone to close a PECR question. Keep the PECR statutory or regulator check separate from any UK GDPR analysis.

Operational implication

A DPIA, lawful-basis record, or privacy notice does not supersede the cookie, terminal-equipment, or direct-marketing source check.

Directive 2002/58/EC (ePrivacy Directive)

Comparison row 7

Enforcement

EU ePrivacy Directive

Directive 2002/58/EC (ePrivacy Directive)EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

UK PECR

Operational implication

Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

Comparison row 8

Overlap and reuse

EU ePrivacy Directive

Directive 2002/58/EC (ePrivacy Directive)EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

UK PECR

Operational implication

Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

Comparison row 9

Practical decision rule

EU ePrivacy Directive

Directive 2002/58/EC (ePrivacy Directive)EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

UK PECR

Operational implication

Build one tracker inventory, then label each conclusion separately: EU Article 5(3) supported here, PECR pending UK source validation.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

Practical decision rule

How should teams decide what is grounded?

Use this page to make EU ePrivacy decisions for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
Open a separate PECR source task before approving UK cookie or marketing conclusions.
Do not cite PECR penalties, UK regulator powers, or PECR-specific guidance from this artifact.
Reuse inventories and logs only when each item carries an EU source label and a separate PECR source label or source-gap marker.

Directive 2002/58/EC (ePrivacy Directive)EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

Section 1

Use the comparison as an evidence boundary, not a UK legal summary

Start with the EU ePrivacy rule and the product fact pattern: storage or access on terminal equipment, cookies or similar technologies, direct marketing by electronic mail, consent quality, customer-contact reuse, and proof that consent can be demonstrated or withdrawn.

For UK PECR, do not copy the EU conclusion unless a UK source has been checked outside this artifact. Treat the UK column as a control handoff: it identifies the same operational evidence that a PECR review usually needs, but it does not state UK-specific penalties, regulator powers, or detailed statutory wording.

Keep EU evidence labelled with the EU source that supports it.
Mark PECR decisions as pending UK source validation when the only available source is EU ePrivacy material.
Do not merge EU Member State implementation notes with UK PECR conclusions.
Escalate before launch when cookies, analytics, marketing channels, consent screens, suppression logic, or withdrawal paths change.

Sources for this answer

Directive 2002/58/EC (ePrivacy Directive)

Grounds EU rules on confidentiality, terminal-equipment storage/access, traffic and location data, and unsolicited communications.

EDPB Guidelines 2/2023 on the technical scope of Article 5(3)

Grounds the Article 5(3) test for information, terminal equipment, storage, and access beyond ordinary cookies.

Section 2

What EU facts can be compared with PECR follow-up?

Article 5(3) is the cookie and terminal-equipment anchor: storing information or gaining access to information already stored in a user's terminal equipment requires consent unless a narrow transmission or strictly necessary service-request exemption applies.

Article 13 is the direct-marketing anchor: automated calling systems, fax, or electronic mail for direct marketing require prior consent, while customer electronic contact details can be reused for the same person's own similar products or services only with a clear, easy, free objection opportunity at collection and in every later message.

Classify each tracker by storage/access operation, purpose, party, duration, and whether the requested service fails without it.
Record direct-marketing source, customer relationship, similar-product rationale, opt-out language, suppression behavior, and message-level unsubscribe test.
Keep consent evidence that shows the user had a real choice, received clear information, gave an affirmative indication, and can withdraw without detriment.
For PECR, use these same evidence categories as a review checklist, then attach UK-specific source support before treating the answer as final.

Sources for this answer

Directive 2002/58/EC (ePrivacy Directive)

Supports the EU direct-marketing consent rule, customer-contact exception, and Article 5(3) terminal-equipment rule.

WP29 Opinion 04/2012 on cookie consent exemption

Explains the narrow Article 5(3) exemptions for transmission-only cookies and strictly necessary cookies requested by the user.

EDPB Guidelines 05/2020 on consent

Supports evidence expectations for freely given, informed, affirmative, demonstrable, and withdrawable consent.

Section 3

Where the comparison stops

This artifact does not state PECR penalty amounts, UK enforcement powers, UK regulator guidance positions, or PECR-specific statutory wording because those facts are not present in the supplied EU ePrivacy grounding folder.

The useful output is therefore a split record: an EU ePrivacy conclusion that can be traced to the sources on this page, plus a PECR validation task that names the missing UK source, owner, and decision deadline.

Blocked PECR facts should be labelled as source gaps, not filled from memory.
EU Article 5(3), Article 13, consent, and GDPR/ePrivacy interplay points can be used immediately for EU scoping.
PECR conclusions should remain provisional until a UK primary or regulator source is attached.
Shared evidence can be reused only after each jurisdiction-specific conclusion is separately sourced.

Sources for this answer

Directive 2002/58/EC (ePrivacy Directive)

Supports keeping ePrivacy-specific obligations separate because the Directive particularises and complements general data-protection rules for electronic communications.

European Commission ePrivacy overview

Explains the Commission view that ePrivacy protects electronic communications and device confidentiality alongside GDPR.

Recommended next step

Use this ePrivacy and PECR comparison as a validation checklist

Sorena can turn the EU-sourced rows into owner assignments, evidence requests, and PECR source-gap follow-ups without merging unsupported jurisdiction-specific claims.

Research workflow

Open Research Copilot for ePrivacy

Ask source-linked questions about Article 5(3), direct marketing, consent evidence, and PECR source gaps using the cited sources on this page.

Explore next step

Talk to Sorena

Talk through implementation

Review cookie, analytics, marketing, consent, and PECR validation records before product or campaign launch.

Explore next step

Primary sources