--- title: "ePrivacy FAQ (Directive 2002/58/EC)" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq" author: "Sorena AI" description: "High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194)." published_at: "2026-02-21" updated_at: "2026-02-21" keywords: - "ePrivacy FAQ" - "cookie consent FAQ EU" - "strictly necessary cookies exemption FAQ" - "cookie walls EDPB" - "ePrivacy vs GDPR cookie consent" - "ePrivacy one stop shop" - "ePrivacy enforcement cookie banner complaints" - "cookie consent" - "strictly necessary cookies" - "cookie walls" - "Article 13" - "enforcement" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ePrivacy FAQ (Directive 2002/58/EC) High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194). *FAQ* *EU* ## EU ePrivacy Directive FAQ Fast answers with practical next steps and evidence guidance. Grounded in ePrivacy Directive text plus EDPB/WP29 enforcement learnings. This FAQ is written for teams shipping products. Each answer focuses on what to do next and what evidence to keep. Always validate against national implementation and counsel. ## Do analytics cookies require consent? In many implementations, analytics trackers are treated as requiring consent because they are not strictly necessary to provide the service explicitly requested by the user. If you want a low-risk posture, treat analytics as consent-based unless you have a narrow, defensible exemption rationale. - Document analytics purpose, data, recipients, and retention. - Prove enforcement: analytics must not fire pre-consent. - Keep evidence: CMP config snapshots + consent logs + tests. ## What does "strictly necessary" mean for cookie exemptions? WP29 guidance emphasizes narrow interpretation: "useful" or "improves performance" is not the same as strictly necessary. Treat exemptions as a legal decision with acceptance criteria and approvals. - Transmission exemption: communication must not be possible without the cookie/technique. - Strictly necessary: required to provide the service explicitly requested by the user. - Exempt trackers still need governance and monitoring. ## Do cookie walls invalidate consent? Consent validity can be challenged when access to a service is conditioned on consent to non-essential tracking. Treat cookie walls as high-risk and require explicit legal review and alternatives. - Document conditionality risk and alternative access paths (if any). - Make choices and consequences transparent. - Store rationale and approvals in the evidence index. ## ePrivacy vs GDPR: what law applies when? A common model: ePrivacy national law governs placement/reading of trackers; GDPR governs subsequent processing of personal data collected via those trackers. Your documentation should separate these layers and ensure consent conditions and information duties are aligned. - Layer A (ePrivacy): tracker decision table + banner behavior. - Layer B (GDPR): lawful basis and transparency for subsequent processing. - Enforcement: one-stop-shop often does not apply to ePrivacy matters. ## What should we be able to export during a complaint/inquiry? Enforcement is evidence-driven. Your capability is "exportability": can you produce coherent proof quickly? Build an export pack and rehearse it annually. - Tracker decision table + CMP config snapshot + consent log schema + sample exports. - Automated test results proving pre-consent blocking and withdrawal propagation. - Marketing evidence pack: consent capture, withdrawals, suppression governance, vendor list. *Recommended next step* *Placement: after the FAQ section* ## Use EU ePrivacy Directive FAQ as a cited research workflow Research Copilot can take EU ePrivacy Directive FAQ from cited answers to recurring questions on this topic to a reusable workflow inside Sorena. Teams working on EU ePrivacy Directive can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Research Copilot for EU ePrivacy Directive FAQ](/solutions/research-copilot.md): Start from EU ePrivacy Directive FAQ and answer scope, timing, and interpretation questions with cited outputs. - [Talk through EU ePrivacy Directive](/contact.md): Review your current process, evidence gaps, and next steps for EU ePrivacy Directive FAQ. ## Primary sources - [Directive 2002/58/EC (ePrivacy Directive) - consolidated text (EUR-Lex)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219&ref=sorena.io) - Directive framework including Article 5(3) and Article 13. - [WP29 Opinion 04/2012 on Cookie Consent Exemption (WP194)](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Exemption criteria analysis for Article 5(3). - [EDPB Report - Cookie Banner Taskforce (Jan 2023)](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Enforcement learnings from coordinated cookie banner complaints. ## Related Topic Guides - [Confidentiality of Communications (ePrivacy Directive) | Traffic Data, Location Data, Content, and the OTT Gap](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): A practical guide to communications confidentiality under the current ePrivacy Directive, Directive 2002/58/EC: how to classify content, traffic data. - [Cookies & Consent (ePrivacy Directive Article 5(3)) | Exemptions Test, Analytics, CMP Implementation](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage. - [Direct Marketing Consent Checklist (ePrivacy Article 13) | Proof, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): A practical direct marketing consent checklist for ePrivacy (Directive 2002/58/EC, Article 13): consent capture fields, wording/version control. - [Direct Marketing Rules (ePrivacy Directive Article 13) | Consent, Soft Opt-In, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): A practical guide to ePrivacy direct marketing rules (Directive 2002/58/EC, Article 13): when prior consent is needed. - [ePrivacy Applicability Test (Directive 2002/58/EC) | Cookies Article 5(3), Marketing Article 13, Metadata](/artifacts/eu/eprivacy-directive/applicability-test.md): A practical EU ePrivacy applicability test: decide whether your product triggers terminal equipment access rules (cookies/SDKs/local storage/fingerprinting. - [ePrivacy Checklist (Directive 2002/58/EC) | Cookie Banner, Consent Logs, Exemptions, Marketing Evidence](/artifacts/eu/eprivacy-directive/checklist.md): An audit-ready ePrivacy checklist: build a tracker inventory and Article 5(3) decision table (consent vs exemptions). - [ePrivacy Compliance Program | Cookies, Consent UX, Evidence, Marketing Controls (Directive 2002/58/EC)](/artifacts/eu/eprivacy-directive/compliance.md): A practical ePrivacy implementation playbook: governance, tracker inventory and Article 5(3) decision table, cookie banner and CMP design. - [ePrivacy Deadlines and Compliance Calendar | Directive Baseline, Banner Audits, Marketing Audits](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): A practical ePrivacy calendar built around the current directive baseline and recurring controls: the 2002 directive, the 2009 cookie amendment. - [ePrivacy Directive Enforcement (Cookies + Marketing) | How Regulators Assess Cookie Banners, Consent, and Evidence](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX. - [ePrivacy Directive Penalties and Fines | What "Effective, Proportionate, Dissuassive" Means + Risk Reduction Controls](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): Understand penalties and fine exposure under national laws implementing the ePrivacy Directive (Directive 2002/58/EC). - [ePrivacy Directive Requirements (2002/58/EC) | Article 5(3) Cookies, Article 13 Marketing, Metadata + Evidence Map](/artifacts/eu/eprivacy-directive/requirements.md): A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)). - [ePrivacy Directive vs GDPR | Which Law Applies to Cookies, Tracking, Communications Metadata, and Marketing?](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): A practical, source-grounded split between the ePrivacy Directive and GDPR: ePrivacy for placement/reading on devices and communications confidentiality. - [ePrivacy vs GDPR (Cookie Stack Blueprint) | Align Consent UX, Tag Firing, Processing Purposes, and Evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): A combined ePrivacy + GDPR implementation blueprint for cookies, tracking, and marketing. - [EU Cookie Banner Requirements | ePrivacy Directive + GDPR Consent (EDPB) | UX Patterns + Test Cases](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/faq