EU ePrivacy Directive FAQ

Article 5(3) covers storing information on, or gaining access to information already stored in, the terminal equipment of a subscriber or user. The EDPB explains that the trigger is not limited to cookies and not limited to personal data: the relevant question is whether the operation involves information, terminal equipment, a public communications-network context, and storage or access.

Treat pixels, tracked URLs, local storage, browser or app APIs, software identifiers, IoT reporting, unique identifiers, and read-only values as review items when code or a service instructs a device to send back stored or generated information. Storage and access can be separate steps, and they do not need to be performed by the same actor.

Consent is the default route when Article 5(3) applies and no narrow exemption fits. Because the Directive's consent references now operate with GDPR consent conditions, the consent must be freely given, specific, informed, and unambiguous, with a clear affirmative action before non-exempt storage or access occurs.

Banner design matters. The Cookie Banner Taskforce identified risks such as setting consent-requiring cookies by default, offering an accept button without a comparable reject route, pre-ticked second-layer choices, deceptive reject links, obviously misleading button presentation, confusing legitimate-interest layers for cookie access, and withdrawal controls that are harder to find than the original consent action.

Article 5(3) has two narrow exemption routes: technical storage or access solely to carry out transmission of a communication, or storage or access that is strictly necessary to provide an information society service explicitly requested by the user or subscriber. The exemption is purpose-specific; a cookie or SDK used for both an exempt function and tracking, advertising, or profiling still needs consent for the non-exempt purpose.

WP29 guidance treats first-party session user-input cookies, session authentication cookies, user-centric security cookies, multimedia player session cookies, load-balancing session cookies, and short-term user-interface preference cookies as examples that can be exempt under conditions. Third-party advertising cookies, social-plugin tracking cookies, persistent login cookies, and first-party analytics cookies are not automatically exempt under that opinion.

Article 13 sets a channel-specific baseline for unsolicited direct marketing. Automated calling systems without human intervention, fax, and electronic mail for direct marketing require prior consent unless the narrow existing-customer electronic-mail exception applies.

The existing-customer route applies only where a seller obtained electronic contact details from its customer in the context of selling a product or service, uses them for its own similar products or services, and gave the customer a clear, distinct, free, easy opportunity to object when the details were collected and in every later message. Article 13 also prohibits direct-marketing electronic mail that disguises or conceals sender identity or lacks a valid address for cease requests.

The ePrivacy Directive particularises and complements the GDPR for electronic communications. Where the Directive has a special rule, such as Article 5(3) terminal-equipment storage/access, Article 6 traffic data, Article 9 location data, or Article 13 direct marketing, that special rule must be applied rather than replaced by a generic GDPR lawful basis.

GDPR still matters. It governs personal-data processing that is not specifically covered by the ePrivacy special rule, including later analysis, enrichment, sharing, retention, profiling, security logging, data-subject rights, controller and processor roles, international transfers, and accountability. If Article 5(3) consent is invalid, the later GDPR processing that depends on that collection may also be defective.

Evidence should prove both the legal classification and the implementation. A useful ePrivacy record links the source rule to a product fact: what was stored or accessed, why, by whom, on which terminal equipment, under which consent or exemption route, and what changed in production.

For national and enforcement caveats, the record should avoid unsupported country claims. Save the Member State checked, the competent authority guidance used, and the conclusion reached; if the grounding does not support a country rule or penalty amount, mark it unresolved rather than filling the gap.