---
title: "What should CMP consent logs retain under the EU ePrivacy Directive?"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs"
author: "Sorena AI"
description: "FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "ePrivacy"
  - "CMP consent logs"
  - "cookies"
  - "Article 5(3)"
  - "consent banner"
  - "consent withdrawal"
  - "terminal equipment"
  - "withdrawal of consent"
---

# What should CMP consent logs retain under the EU ePrivacy Directive?

FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats.


## EU ePrivacy Directive CMP Consent Logs

CMP consent logs should prove what the user was asked, what choice they made, which cookies or vendors that choice covered, and whether refusal or withdrawal was honored.

Use the log as supporting evidence for Article 5(3) storage or access and GDPR-standard consent, not as a substitute for a lawful banner, accurate cookie inventory, or Member State legal review.

For EU ePrivacy cookie and tracker consent, a CMP consent log should retain enough information to replay the consent moment without collecting unnecessary extra tracking data. The useful record links the user's choice to the banner text, purposes, vendors, cookie inventory, and withdrawal path that existed when storage or access to terminal equipment occurred.

## What should CMP consent logs retain?

Retain the consent event, refusal event, and withdrawal event at purpose level, tied to the exact banner or preference-centre version shown to the user. Article 5(3) is triggered by storing information on, or gaining access to information in, terminal equipment; the log therefore needs to connect the user's choice to the cookies, pixels, SDKs, local storage, identifiers, or similar technologies deployed at that time.

The minimum useful record is: timestamp, jurisdiction or site/app surface, pseudonymous user or device/session key where needed, consent status, purpose and category, vendor or recipient list version, cookie/tracker inventory version, banner language/version, policy text version, consent string or preference payload, and whether optional storage or access was blocked until consent.

- Keep affirmative consent, refusal, no-choice/default state, later preference changes, and withdrawal as separate events.
- Store the banner and preference-centre version that presented the choice, including the accept, reject, settings, and withdrawal routes available at that time.
- Link each consent purpose to the live vendor, cookie, pixel, SDK, local-storage, or identifier inventory used by the site or app.
- Record whether strictly necessary items were separated from analytics, advertising, personalisation, and other optional purposes.
- Retain only the proof needed to demonstrate the consent workflow; avoid expanding the consent log into a separate behavioural tracking dataset.
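
The minimum record and the separate-event rule above can be checked mechanically before an event is written to the log. The validator below is an added example, not Sorena's or any CMP vendor's code; the field names, event-type labels, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Assumed field names mirroring the "minimum useful record" described above.
REQUIRED = {
    "timestamp", "surface", "subject_key", "event_type", "affirmative_action",
    "purposes", "vendor_list_version", "inventory_version", "banner_version",
    "banner_language", "policy_version", "preference_payload",
    "optional_blocked_until_consent",
}
EVENT_TYPES = {"consent", "refusal", "no_choice", "preference_change", "withdrawal"}


def validate_event(event: dict) -> list[str]:
    """Return findings for one consent-log event; an empty list means it passes."""
    findings = [f"missing field: {n}" for n in sorted(REQUIRED - set(event))]
    # Allow-list check: anything beyond the proof fields is flagged so the log
    # does not grow into a separate behavioural dataset.
    findings += [f"unexpected field (minimisation): {n}"
                 for n in sorted(set(event) - REQUIRED)]

    etype = event.get("event_type")
    if etype not in EVENT_TYPES:
        findings.append(f"unknown event_type: {etype!r}")

    try:
        if datetime.fromisoformat(event.get("timestamp")).tzinfo is None:
            findings.append("timestamp has no UTC offset")
    except (TypeError, ValueError):
        findings.append("timestamp is not ISO 8601")

    purposes = event.get("purposes")
    if not isinstance(purposes, dict) or not all(
            isinstance(v, bool) for v in purposes.values()):
        findings.append("purposes must map purpose name to true/false")
        return findings

    granted = sorted(p for p, v in purposes.items() if v)
    # A granted purpose needs a recorded affirmative action, not a default.
    if granted and not event.get("affirmative_action"):
        findings.append("purpose granted without affirmative action: "
                        + ", ".join(granted))
    if etype == "consent" and not granted:
        findings.append("consent event grants no purpose")
    if etype in {"refusal", "no_choice"} and granted:
        findings.append(f"{etype} event must not grant purposes")
    return findings


# Constructed sample events (all values are invented).
GOOD_EVENT = {
    "timestamp": "2026-05-09T10:15:00+00:00", "surface": "web-eu",
    "subject_key": "s-41", "event_type": "consent", "affirmative_action": True,
    "purposes": {"analytics": True, "advertising": False},
    "vendor_list_version": "vl-7", "inventory_version": "inv-2",
    "banner_version": "b-12", "banner_language": "en",
    "policy_version": "p-4", "preference_payload": "analytics=1;advertising=0",
    "optional_blocked_until_consent": True,
}
# Default-on state with extra browsing data attached: should fail three checks.
DEFAULT_ON_EVENT = dict(GOOD_EVENT, event_type="no_choice",
                        affirmative_action=False, page_history=["/pricing"])

if __name__ == "__main__":
    for name, ev in (("good", GOOD_EVENT), ("default-on", DEFAULT_ON_EVENT)):
        print(name, validate_event(ev))
```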

Sources for this answer:

- [Directive 2002/58/EC, Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Grounds the need to connect CMP records to storage of, or access to, information in user terminal equipment.
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports including non-cookie technologies such as pixels, local storage, identifiers, and similar terminal-equipment access in the consent-log scope.
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports keeping enough records to demonstrate valid consent without excessive additional data collection.

## Which validity signals should the log preserve?

A log is useful only if it captures consent quality, not just a positive flag. Preserve signals showing that the user saw clear purpose information, made a granular affirmative choice, could refuse optional cookies or trackers, and could later withdraw without undue effort.

For review, keep the evidence that the CMP did not rely on silence, pre-ticked boxes, scrolling, inactivity, or a design that made acceptance look mandatory. If the banner changed, keep the old versioned proof because later screenshots do not prove what a user saw earlier.

- Consent was recorded by a clear affirmative action for named purposes rather than by inactivity or a preselected default.
- Purpose-level and vendor-level choices match the CMP configuration and the cookie or tracker inventory active at the timestamp.
- Reject, continue-without-consenting, or equivalent refusal handling was available where the banner requested consent.
- Withdrawal was available through a visible, accessible route and was not materially harder than the original consent action.
- The CMP blocked or suppressed optional tags, pixels, SDK calls, and storage until the relevant consent state allowed them.

Sources for this answer:

- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Grounds the validity checks for freely given, specific, informed, unambiguous consent and easy withdrawal.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports checking reject options, pre-ticked boxes, misleading banner design, essential-cookie classification, and withdrawal routes.
- [CJEU Planet49 judgment](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62017CJ0673&ref=sorena.io) - Supports treating pre-ticked cookie consent as insufficient and preserving the information provided to users for cookie consent.

## How should consent logs connect to vendor and cookie inventories?

The CMP log should not stand alone. It should point to the inventory that explains which cookies, pixels, SDKs, local-storage entries, tags, or identifiers were present, which were strictly necessary, which required consent, and which vendor or controller received resulting data.

When vendors, purposes, cookies, scripts, consent strings, or banner text change, version the inventory and the CMP configuration together. That versioning lets reviewers distinguish a historical valid choice from a later deployment that needs fresh consent or a new assessment.

- Keep inventory version, CMP configuration version, tag-manager container version, and banner text version in the same evidence trail.
- Map each optional vendor or tracker to purpose, category, storage/access type, data recipient, and consent dependency.
- Document why each strictly necessary item fits the narrow exemption instead of placing it in the consented-purpose bucket.
- Run periodic scans or deployment checks, but require owner documentation for purposes because scanner output alone cannot prove essentiality.
- Trigger review when a vendor, purpose, country rollout, cookie lifetime, SDK behaviour, or withdrawal flow changes.
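
The link between consent events and versioned inventories, and the earlier check that optional trackers stayed blocked until consent, can be tested by replaying scan or deployment observations against the log. The following is an added example, not code from Sorena or a CMP product; the inventories, events, observations, tracker names, and verdict labels are all constructed assumptions.

```python
from datetime import datetime

# Constructed inventories keyed by version (tracker names are invented).
INVENTORIES = {
    "inv-1": {
        "session_id": {"purpose": None, "strictly_necessary": True},
        "stats_px": {"purpose": "analytics", "strictly_necessary": False},
    },
    "inv-2": {
        "session_id": {"purpose": None, "strictly_necessary": True},
        "stats_px": {"purpose": "analytics", "strictly_necessary": False},
        "heatmap_ls": {"purpose": "analytics", "strictly_necessary": False},
        "ads_sdk": {"purpose": "advertising", "strictly_necessary": False},
    },
}
# Constructed consent-log events for one pseudonymous subject.
EVENTS = [
    {"timestamp": "2026-05-01T09:00:00+00:00", "subject_key": "s-41",
     "event_type": "consent", "inventory_version": "inv-1",
     "purposes": {"analytics": True, "advertising": False}},
    {"timestamp": "2026-05-03T09:00:00+00:00", "subject_key": "s-41",
     "event_type": "withdrawal", "inventory_version": "inv-2",
     "purposes": {"analytics": False, "advertising": False}},
]
# Constructed observations: (time, subject, tracker, deployed inventory version).
OBSERVATIONS = [
    ("2026-05-01T08:59:00+00:00", "s-41", "stats_px", "inv-1"),
    ("2026-05-01T09:05:00+00:00", "s-41", "stats_px", "inv-1"),
    ("2026-05-01T09:05:00+00:00", "s-41", "session_id", "inv-1"),
    ("2026-05-02T10:00:00+00:00", "s-41", "heatmap_ls", "inv-2"),
    ("2026-05-02T10:00:00+00:00", "s-41", "ads_sdk", "inv-2"),
    ("2026-05-03T09:30:00+00:00", "s-41", "stats_px", "inv-2"),
    ("2026-05-03T09:30:00+00:00", "s-41", "chat_widget", "inv-2"),
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def event_in_effect(events, subject_key, when):
    """Latest logged event for the subject at or before `when`, else None."""
    prior = [e for e in events
             if e["subject_key"] == subject_key and _ts(e["timestamp"]) <= _ts(when)]
    return max(prior, key=lambda e: _ts(e["timestamp"]), default=None)


def audit(observations, events, inventories):
    """Return (time, tracker, verdict) for every observation needing review."""
    findings = []
    for when, subject, tracker, inv_version in observations:
        entry = inventories.get(inv_version, {}).get(tracker)
        if entry is None:
            findings.append((when, tracker, "not_in_inventory"))
            continue
        if entry["strictly_necessary"]:
            continue  # essentiality must be documented by the owner, not here
        event = event_in_effect(events, subject, when)
        granted = bool(event) and event["purposes"].get(entry["purpose"], False)
        if not granted:
            findings.append((when, tracker, "no_consent"))
        elif tracker not in inventories.get(event["inventory_version"], {}):
            # The purpose was granted under an inventory that lacked this tracker.
            findings.append((when, tracker, "consent_predates_tracker"))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, EVENTS, INVENTORIES):
        print(finding)
```

A `consent_predates_tracker` verdict marks a historical choice made under an older inventory version, which is the case that needs fresh consent or a new assessment rather than an automatic pass.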

Sources for this answer:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports maintaining cookie lists and documenting purpose and essentiality rather than relying only on scanning tools.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports separating strictly necessary cookies from cookies that need consent under Article 5(3).
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports covering tracking pixels, tracked URLs, unique identifiers, local processing, and IP-based tracking scenarios where Article 5(3) can apply.

## What are the limits of CMP consent-log proof?

A CMP log proves that the system recorded a stated choice under a particular configuration. It does not by itself prove that consent was valid, that the banner was lawful, that all trackers were disclosed, that optional tags were actually blocked, or that the competent national authority would accept the implementation.

Use the log with screenshots or rendered banner copies, CMP settings, tag-manager release records, cookie scans, vendor lists, policy text, and withdrawal test results. Keep the national-law caveat explicit: cookie placement or reading is governed by Member State laws transposing the ePrivacy Directive, while subsequent personal-data processing may also be assessed under the GDPR.

- Do not treat a consent string as proof that the banner was clear, balanced, or granular.
- Do not use consent logs to justify setting optional cookies before the user chooses.
- Do not infer country-specific penalties or regulator positions from the EU-level sources alone.
- Escalate for national-law review when deploying in a new Member State, changing refusal or withdrawal design, or relying on an exemption.
- Delete or aggregate proof when it is no longer needed for accountability, dispute handling, audit, or legal limitation purposes.

Sources for this answer:

- [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Supports the distinction between national ePrivacy rules for terminal-equipment access and GDPR assessment of later personal-data processing.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Supports the caveat that taskforce positions are a minimum threshold and do not replace case-by-case authority analysis or national requirements.
- [European Commission factsheet, Stronger privacy rules for electronic communications](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Provides Commission context that device information and electronic-communications privacy are complementary to GDPR personal-data protection.

## Primary sources

- [Directive 2002/58/EC, Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary legal source for consent before storage of, or access to, information in terminal equipment, subject to the transmission and strictly necessary exemptions.
  - Quote: "terminal equipment"
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Used to frame CMP logs around Article 5(3) technical scope beyond cookies, including pixels, identifiers, local storage, and similar access or storage operations.
  - Quote: "technical scope"
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Used for consent validity, controller proof, data-minimised recordkeeping, and withdrawal being as easy as giving consent.
  - Quote: "burden of proof"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Used for banner implementation checks on reject options, pre-ticked boxes, misleading design, withdrawal routes, cookie inventories, and national-law caveats.
  - Quote: "Cookie Banner Taskforce"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Used for the distinction between strictly necessary cookies and cookies or trackers that require consent.
  - Quote: "strictly necessary"
- [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://www.edpb.europa.eu/sites/default/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Used for the caveat that ePrivacy terminal-equipment rules and GDPR processing rules can both matter, with national law controlling ePrivacy enforcement competence.
  - Quote: "co-existence"
- [European Commission factsheet, Stronger privacy rules for electronic communications](https://ec.europa.eu/digital-single-market/en/news/eurobarometer-eprivacy?ref=sorena.io) - Used for Commission context on device-information control, cookie permission, and the relationship between ePrivacy and GDPR.
  - Quote: "Stronger privacy rules"



