--- title: "Strictly Necessary Cookies under the EU ePrivacy Directive" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies" author: "Sorena AI" description: "FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU ePrivacy Directive" - "Article 5(3)" - "strictly necessary cookies" - "cookie consent" - "terminal equipment" - "analytics cookies" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # Strictly Necessary Cookies under the EU ePrivacy Directive FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions. *EU ePrivacy Directive FAQ* *Article 5(3)* ## Strictly Necessary Cookies EU ePrivacy FAQ A cookie can be treated as strictly necessary only when Article 5(3)'s transmission exemption or user-requested service exemption is actually met. Use this answer to separate essential session, basket, authentication, and user-centric security cookies from analytics, advertising, tracking, and convenience uses that normally need consent or a jurisdiction-specific analysis. Under EU ePrivacy Article 5(3), storing information on a user's device or accessing information already stored there generally requires consent. The strictly-necessary label is narrow: it covers technical storage or access needed solely to transmit a communication, or storage or access strictly necessary to provide an information society service the user explicitly requested. ## When can a cookie be treated as strictly necessary? Treat the exemption as a cookie-by-cookie, purpose-by-purpose test. For the transmission exemption, the communication must not be possible without the cookie or similar storage/access operation; a cookie that merely helps, speeds up, measures, or improves the service is not enough. For the user-requested service exemption, the user must have taken a positive action to request a clearly defined service or feature, and the cookie must be strictly needed for that feature to work. The test is from the user's point of view, not from the website operator's preference for measurement, monetization, personalization, or operational convenience. - Transmission exemption: routing, ordered data exchange, or error/loss detection needed to carry the communication over the network. - Service-request exemption: a cookie needed to deliver a specific feature the user requested, such as a multi-page form, shopping basket, authenticated session, or user-centric login security. - Purpose separation: if the same cookie supports both essential and non-essential purposes, the exemption applies only if every distinct purpose independently qualifies. - Technical scope: Article 5(3) is not limited to classic cookies; storage or access through local storage, pixels, client-side code, identifiers, or other terminal-equipment techniques can also fall in scope. Sources for this answer: - [Directive 2009/136/EC amendment to ePrivacy Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Provides the Article 5(3) consent rule and the two exemptions for transmission and strictly necessary user-requested services. - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Explains the high threshold for the transmission and user-requested service exemptions, including the user-perspective test. - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Shows that Article 5(3) covers storage or access to terminal-equipment information beyond classic cookies. ## Which examples are grounded as usually essential? WP29 treats first-party user-input session cookies as a core example where the user has requested the feature, such as filling a form over several pages or adding items to a shopping basket. The cookie should be tied to the action and expire when no longer needed, with only limited persistence where that is justified by the user's reasonable expectation, such as recovering a recently closed basket. Session authentication cookies can also qualify where they are needed to keep the user authenticated across page requests for a service the user logged into. User-centric security cookies can qualify when they protect that requested login service, such as detecting repeated failed login attempts. Those examples do not authorize secondary uses such as behavioral monitoring, advertising, or cross-site tracking. - Shopping basket or multi-page form cookies: keep only the input or basket state needed for the user-requested transaction. - Session authentication cookies: use them for the authenticated service, not for advertising, profiling, or behavioral monitoring. - User-centric security cookies: limit them to protecting the requested login or account service from abuse. - Persistent login or remember-me cookies: do not assume exemption; WP29 distinguishes them from ordinary session authentication and points to consent for persistence. Sources for this answer: - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Grounds the shopping basket, user-input session, authentication, persistent login, and user-centric security examples. - [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Warns against classifying cookies as essential when their purposes are not strictly necessary and highlights the need to demonstrate essentiality. ## How should analytics and evidence records be handled? Do not classify analytics cookies as strictly necessary under the general Article 5(3) exemptions merely because the site operator needs measurement. WP29 states that first-party analytics are often useful but are not strictly necessary for a user-requested website feature because the user can still access the site when those cookies are disabled. Some national implementations or regulator guidance may create narrower analytics approaches or safeguards, but this page does not state country-specific exemptions. Before relying on analytics without consent, check the Member State law and competent authority guidance that applies to the website, the user group, and the deployment. - Keep a cookie inventory with name, provider, domain, first-party or third-party status, purpose, duration, storage/access method, and data sent from the terminal equipment. - For each claimed exemption, record the requested user action, the exact service feature, why the feature fails without the cookie, and why the duration is no longer than needed. - Separate essential purposes from analytics, ads, social plug-ins, A/B testing, personalization, attribution, fraud measurement for advertising, and product-improvement purposes. - Keep evidence of banner behavior for non-essential cookies: no consent-required cookies before consent, no pre-ticked boxes, a real reject path, and consent withdrawal that is as easy as giving consent. - Refresh the assessment when cookie features, vendors, retention periods, domains, user journeys, Member State coverage, or terminal-equipment access techniques change. Sources for this answer: - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Supports the analytics caveat and the principle that doubts should be resolved by seeking consent rather than stretching an exemption. - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Grounds the quality standard for consent where a cookie does not fit an Article 5(3) exemption. - [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds evidence expectations for essentiality, banner behavior, reject options, legitimate-interest confusion, withdrawal, and national-law caveats. - [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission context for the ePrivacy framework and protection of privacy in electronic communications. ## Primary sources - [Directive 2009/136/EC amendment to ePrivacy Article 5(3)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Primary legal text for the Article 5(3) cookie consent rule and the transmission and strictly necessary service exemptions. - Quote: "technical storage or access" - [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Primary guidance used for the exemption tests, shopping basket, authentication, user-centric security, persistence, third-party, multi-purpose, and analytics caveats. - Quote: "Cookie Consent Exemption" - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - EDPB technical-scope guidance for storage or access to terminal equipment, including non-cookie techniques. - Quote: "technical scope" - [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent quality source for cookies and similar technologies that do not fit an Article 5(3) exemption. - Quote: "unambiguous indication" - [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Source for cookie-banner enforcement themes, essentiality documentation, reject/withdrawal design, and the need to apply national implementing laws and regulator guidance. - Quote: "Cookie Banner Taskforce" - [European Commission ePrivacy overview](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission overview used for ePrivacy policy context and the confidentiality/privacy framework. - Quote: "future-proof legal framework" ## Topic Guides - [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats. - [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats. - [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations. - [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence. - [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs. - [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps. - [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence. - [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence. - [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay. - [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs. - [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence. - [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs. - [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats. - [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up. - [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records. - [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats. - [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay. - [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats. - [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits. - [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence. - [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice. - [EU ePrivacy Directive Metadata and Location Data Guide](/artifacts/eu/eprivacy-directive/metadata-and-location-data.md): source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits. - [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits. - [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing. - [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing. - [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence. - [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks. - [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats. - [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats. - [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks. - [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats. - [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats. *Recommended next step* *Placement: before sources* ## Turn each essential-cookie claim into a documented Article 5(3) assessment Sorena can help map cookie purposes, identify non-essential tracking, collect evidence for claimed exemptions, and prepare source-linked review records for EU ePrivacy work. - [Open Research Copilot for EU ePrivacy Directive](/solutions/research-copilot.md): Ask source-linked questions about Article 5(3), cookie exemptions, consent, analytics, and evidence using the cited sources on this page. - [Talk through cookie consent implementation](/contact.md): Review your cookie inventory, strictly necessary claims, consent paths, and national-law questions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies