---
title: "Do Analytics Cookies Require Consent under the EU ePrivacy Directive?"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/analytics-cookies"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/analytics-cookies"
author: "Sorena AI"
description: "FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "analytics cookies"
  - "Article 5(3)"
  - "cookie consent"
  - "CNIL analytics exemption"
  - "WP29 cookie exemptions"
  - "consent logs"
  - "ePrivacy"
  - "cookie banner"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# Do Analytics Cookies Require Consent under the EU ePrivacy Directive?

FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats.

*FAQ* *EU*

## Do Analytics Cookies Require Consent?

Usually yes: analytics cookies and similar tracers need consent when they store or access information on a user's device, unless a narrow national analytics exemption applies.

Use this FAQ to separate consent-required analytics from tightly limited audience-measurement setups, and to keep the product, configuration, banner, and log evidence needed for review.

Analytics cookies under the EU ePrivacy Directive are not automatically exempt because the site operator wants measurement. Article 5(3) looks at storing or accessing information on terminal equipment; national implementation and regulator guidance then determine whether a limited analytics exemption is available.

## Do analytics cookies require consent under Article 5(3)?

In most EU analytics implementations, yes. Article 5(3) of the ePrivacy Directive covers storing information on, or gaining access to information already stored in, the terminal equipment of a subscriber or user. EDPB technical-scope guidance treats cookies, JavaScript instructions that send browser data, tracking pixels, tracked URLs, local processing results sent to a server, and unique identifier collection as potential Article 5(3) access or storage scenarios.

The answer does not turn on the vendor label "analytics". A product team should classify the real mechanism: which cookie, SDK, pixel, script, local-storage item, app identifier, or server-side measurement flow is used; what identifier or event data leaves the device; whether a third party receives or reuses it; and whether the user can use the requested service without it.

WP29 guidance says first-party analytics cookies are often useful to website operators but are not strictly necessary to provide a functionality explicitly requested by the user. That means the ordinary position is consent, unless the implementation fits a specific exemption path in the applicable national law or supervisory-authority guidance.

- Treat analytics consent as required when the tool tracks users across sites, shares identifiers with advertising or attribution systems, uses third-party cookies or common identifiers, combines analytics with customer files, or uses the same tracer for multiple non-exempt purposes.
- Do not rely on legitimate interests as the basis for the placement or reading of consent-required cookies; the EDPB cookie-banner taskforce states that Article 5(3) compliance must come first.
- Where consent is required, set the analytics category off by default, avoid pre-ticked choices, provide a real reject path, and make withdrawal accessible from a visible privacy or cookie-settings control.
- Keep GDPR analysis separate but connected: ePrivacy governs the placement or reading of the cookie or similar technology, while later personal-data processing may also need a GDPR legal basis, transparency, retention, and processor or controller analysis.

Sources for this answer:

- [Directive 2002/58/EC, Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary ePrivacy Directive text for storage or access to terminal-equipment information and the narrow transmission or strictly necessary exceptions.
- [EDPB Guidelines 2/2023 on Article 5(3) technical scope](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports classifying analytics scripts, pixels, URLs, local processing, and identifiers by the actual storage or access operation, not by product label.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Explains why first-party analytics cookies are not generally covered by the Article 5(3) strictly necessary or transmission exemptions.

## When can a limited analytics exemption apply?

A limited analytics exemption is not an EU-wide blanket rule in the Directive text. The CNIL analytics sheet is useful grounded national guidance: it says audience-measurement tracers generally require consent unless they fall exactly within its defined perimeter, and it warns that the position may vary by national law and local data protection authority guidance.

Under CNIL's conditions, the implementation must inform users, give them the ability to object, limit purposes to audience measurement or A/B testing, avoid cross-checking with customer files or statistics from other sites, limit the tracer to one site or application editor, truncate the last byte of the IP address, and limit tracker lifetime to 13 months. A third-party processor can support multiple publishers only if data and trackers are collected, processed, stored, and kept independent for each publisher.

Product and privacy teams should therefore treat the exemption as a configuration-dependent claim. If the analytics product cannot prove independent per-publisher storage, no cross-site identifier, purpose limitation, IP truncation, short tracker lifetime, opt-out availability, and no advertising or customer-file reuse, use consent instead of presenting the tracer as exempt.

- Require product evidence: the exact analytics property, tag or SDK version, cookie names, storage locations, event schema, identifier behavior, IP handling, retention settings, and whether any advertising, remarketing, attribution, or product-improvement integrations are enabled.
- Require configuration evidence: screenshots or exports showing IP truncation, disabled data sharing, disabled cross-domain tracking where relevant, independent publisher property separation, tracker expiration, and the user opt-out control.
- Require supplier evidence: processor terms or technical documentation showing that the supplier does not reuse the analytics data for its own purposes and keeps one publisher's data and trackers independent from another publisher's data and trackers when the exemption depends on that separation.
- Block exemption claims for broad analytics suites where the grounding cannot support the claim; CNIL notes that most large audience-measurement offerings do not fall within its exemption perimeter regardless of configuration.

Sources for this answer:

- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - National regulator guidance for a limited audience-measurement exemption, including purpose limits, opt-out, IP truncation, tracker lifetime, supplier separation, and national-variation caveats.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Provides the Article 5(3) exemption framework and cautions that first-party analytics were not exempt under the two Directive criteria, though low-risk safeguards were discussed.
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Commission material explaining the device-control policy context for cookie consent and the continued relevance of national fragmentation in ePrivacy rules.

## What evidence should teams keep?

Keep two evidence bundles: one for the Article 5(3) classification and one for the consent or exemption implementation. The classification file should show whether the analytics technology stores information, gains access to stored information, or instructs a browser or app to send identifiers or event data over a network.

For consent-required analytics, keep the consent banner configuration, the versioned consent text shown to the user, the category mapping that places the analytics tag behind the analytics toggle, proof that tags do not fire before consent, accept and reject UI evidence, and consent logs with timestamp, jurisdiction or locale, banner version, choice, withdrawal events, and the tag state applied after the choice.

For exemption-based analytics, keep the product and configuration evidence showing every exemption condition actually met, plus the national source used for the exemption decision. Recheck the file when the analytics vendor, SDK version, tag manager rule, data sharing setting, retention period, cookie lifetime, country rollout, or measurement purpose changes.

- Cookie and storage inventory: cookie names, local-storage keys, SDK identifiers, pixel URLs, tracked URL parameters, expiration, domain, party status, and firing condition.
- Tag-control proof: tag manager exports, network traces, automated test reports, and screenshots showing no analytics storage or access before consent when consent is required.
- Consent-log fields: user or pseudonymous consent ID, timestamp, country or locale, banner version, purpose category, accept or reject state, withdrawal state, and downstream tag state.
- Exemption file: national source, product configuration, opt-out mechanism, IP truncation evidence, purpose limitation, retention or tracker lifetime evidence, and supplier separation terms.
- Review triggers: new analytics vendor, new domain or app, cross-domain measurement, advertising linkage, customer-file enrichment, A/B testing change, consent-banner redesign, or Member State guidance change.

Sources for this answer:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports keeping evidence for no pre-consent firing, reject options, classification of essential cookies, withdrawal access, and the split between ePrivacy cookie access and GDPR downstream processing.
- [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports consent-log evidence because controllers must be able to demonstrate valid, granular, informed consent and provide withdrawal mechanisms.
- [EDPB Guidelines 2/2023 on Article 5(3) technical scope](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports the technical inventory for cookies, JavaScript, tracking pixels, tracked URLs, local processing, IP-related tracking, and unique identifiers.
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Supports keeping configuration evidence for any CNIL-style audience-measurement exemption claim.

## What caveats should be documented?

Document the country caveat every time the answer depends on an analytics exemption. The ePrivacy Directive is implemented through national laws, and the EDPB cookie-banner taskforce report frames cookie placement and reading complaints under national laws transposing the Directive. CNIL's exemption conditions are grounded French supervisory-authority guidance, not a universal rule for every Member State.

Document the source caveat too: WP29 Opinion 04/2012 says first-party analytics cookies are not exempt under the Directive's two classic criteria, while CNIL guidance describes a conditional national opt-out path for tightly constrained audience measurement. If those sources point in different practical directions for a rollout country, escalate to local counsel or the local supervisory authority's guidance instead of inventing a country rule.

Do not add penalties, country-by-country rules, or enforcement outcomes unless the grounding source for that exact jurisdiction supports them. This FAQ supports the analytics consent and exemption decision, not a penalty table.

- State whether the decision is EU-level Article 5(3) scope, CNIL-specific exemption guidance, or a local-law conclusion for a named Member State.
- State whether the analytics tool is consent-based, exemption-based, or blocked pending evidence from the vendor or local guidance.
- State which facts would reverse the decision, especially advertising reuse, cross-site identifiers, data sharing, customer-file matching, longer tracker lifetime, missing opt-out, or pre-consent firing.

Sources for this answer:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds the national-law caveat and the need to assess cookie placement or reading under national ePrivacy transposition rules.
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - Grounds the caveat that analytics guidance may be subject to national variation and should be checked against the local data protection authority position.
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Provides Commission context for ePrivacy device-control policy and the relationship between ePrivacy confidentiality and GDPR personal-data rules.

## Primary sources

- [Directive 2002/58/EC, Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary ePrivacy Directive text for terminal-equipment storage or access, consent, information, refusal, and the transmission or strictly necessary exceptions.
  - Quote: "store information or to gain access"
- [EDPB Guidelines 2/2023 on Article 5(3) technical scope](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Technical scope source for cookies, scripts, tracking pixels, tracked URLs, local processing, IP-related tracking, and unique identifiers.
  - Quote: "technical scope of Art. 5(3)"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Source for Article 5(3) cookie exemptions and the first-party analytics analysis.
  - Quote: "Cookie Consent Exemption"
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - National regulator source for a conditional analytics opt-out exemption path and its configuration limits.
  - Quote: "Use analytics on your websites and applications"
- [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent-quality source for demonstrating consent, clear affirmative action, granularity, and withdrawal.
  - Quote: "free, specific, informed and unambiguous"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Cookie-banner source for reject options, pre-ticked boxes, essential-cookie classification, withdrawal access, national-law caveats, and GDPR downstream-processing interplay.
  - Quote: "Cookie Banner Taskforce"
- [European Commission ePrivacy factsheet](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Commission source for ePrivacy device-control context and the relationship between ePrivacy confidentiality and GDPR.
  - Quote: "Users must be in control"

## Topic Guides

- [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats.
- [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations.
- [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence.
- [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs.
- [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps.
- [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence.
- [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence.
- [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay.
- [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs.
- [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence.
- [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs.
- [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats.
- [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up.
- [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records.
- [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats.
- [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay.
- [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats.
- [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits.
- [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence.
- [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice.
- [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits.
- [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits.
- [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing.
- [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing.
- [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence.
- [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks.
- [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats.
- [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats.
- [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.
- [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats.
- [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions.
- [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.

*Recommended next step*

*Placement: before sources*

## Review analytics consent, exemption claims, and logs against ePrivacy sources

Sorena can map each analytics tag, SDK, pixel, and cookie to the cited ePrivacy sources, then produce consent or exemption evidence requests for privacy, product, and web teams.

- [Open Research Copilot for EU ePrivacy](/solutions/research-copilot.md): Ask source-linked questions about analytics cookies, Article 5(3), consent banners, exemptions, and evidence records using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your analytics stack, consent logs, exemption assumptions, and national-source gaps with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/analytics-cookies