EU ePrivacy Directive Member State cookie rules

The baseline question is not limited to browser cookies. The EDPB frames Article 5(3) around four elements: information, terminal equipment, the electronic communications context, and either storage or gaining access. That means local storage, pixels, SDK identifiers, device signals, and similar techniques may need review when they involve terminal equipment access.

The amended directive text requires Member States to ensure that this storage or access is allowed only after consent with clear and comprehensive information, unless the activity is for transmission over an electronic communications network or is strictly necessary for a service explicitly requested by the user or subscriber.

A directive is implemented through national law, so a cookie review cannot stop at the EU text. For placement or reading of cookies, teams need the applicable national transposition rule and any binding or persuasive guidance from the authority that enforces that rule in the relevant market.

To pick the applicable Member State rule in practice, start with the market that the site or app is actually serving, then check where the publisher, controller, or local entity is established, and then confirm which national law or authority guidance covers the specific technology and purpose. If more than one country could apply, use the law or guidance for the country tied to the targeted users and the deployment you are documenting, and record why that source was selected.

The supplied national-authority grounding supports only a limited example: CNIL guidance for audience measurement on websites and apps. It confirms the practical point that analytics rules can be subject to national variation and that teams should check the local data protection agency position before relying on an exemption.

Evidence should show both the technical facts and the national-law basis for the conclusion. A reviewer should be able to see what the technology does, why consent or an exemption was chosen, which national source was checked, and how the deployed banner or preference control matches that conclusion.

For analytics, the CNIL source gives a concrete example of the detail needed before relying on a national exemption position: purpose limits, opt-out operation, separation from other processing, single-editor scope, IP truncation, and tracker lifetime. Those details should be captured only where the relevant national source supports them.

The supplied grounding can support the EU Article 5(3) baseline, the technical breadth of terminal-equipment access, the need to check national transposition and authority practice, and one national analytics example from CNIL. It can also support the general implementation and enforcement point that Member States set penalties and competent authorities have enforcement powers under national provisions.

The supplied grounding cannot support a reliable country-by-country cookie table. It does not provide usable public URLs for every national authority, every national cookie law, country-specific penalty amounts, or a complete comparison of banner requirements across Member States.

Use this checklist before launching a new site, app, tag manager rule, analytics tool, advertising pixel, consent-management-platform change, or market expansion. The goal is to prevent an EU-level rule from being documented while the national implementation question is left blank.

If the team cannot identify the applicable national source, do not convert that gap into a rule. Mark the country-specific conclusion as unresolved and route it for legal or local authority review.