--- title: "EU ePrivacy Directive Metadata and Location Data Guide" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/metadata-and-location-data" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/metadata-and-location-data" author: "Sorena AI" description: "source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU ePrivacy Directive" - "traffic data" - "location data" - "metadata" - "Article 6 ePrivacy" - "Article 9 ePrivacy" - "value added services" - "anonymisation" - "consent" - "Article 6" - "Article 9" - "Article 5(3)" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU ePrivacy Directive Metadata and Location Data Guide source-linked guide to EU ePrivacy Directive rules for traffic data, location data, anonymisation, consent, value-added services, Article 5(3) overlap, and national-law limits. *Artifact Guide* *EU* ## EU ePrivacy Directive Metadata and Location Data A focused guide to the ePrivacy Directive rules for communications metadata: traffic data, location data other than traffic data, anonymisation, consent, value-added services, and national-law limits. Built for privacy, telecom, product, analytics, engineering, legal, and compliance teams that need to separate service-necessary processing from consent-based or national-law processing. The ePrivacy Directive treats communications metadata as more than ordinary analytics exhaust. Article 5 protects confidentiality of communications and related traffic data; Article 6 limits traffic-data processing; Article 9 covers location data other than traffic data; and Article 15 leaves only bounded space for Member State restrictions. This page turns those source rules into a practical classification and evidence record without adding country-specific retention or interception details. ## Classify the metadata before choosing a rule Start by separating traffic data, location data that is also traffic data, and location data other than traffic data. The Directive defines traffic data as data processed for conveying a communication or billing it, and defines location data as data indicating the geographic position of terminal equipment. That distinction matters because location information needed to transmit a communication can be traffic data under Article 6, while more precise or additional location data used for a value-added service is handled under Article 9. - Record whether the data is routing, duration, time, volume, protocol, network, connection, billing, or terminal-location data used to carry the communication. - Mark location data as Article 6 traffic data when it is necessary for transmission or billing, not just because it contains a geographic signal. - Treat precise location features, navigation, location-based alerts, and location-based advertising as likely Article 9 or Article 5(3) issues unless the facts show they are strictly transmission-only. - Keep a data-flow note showing the service, provider, subscriber or user group, data fields, purpose, duration, recipient, and withdrawal or refusal control. Sources for this answer: - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Defines traffic data, location data, value-added services, confidentiality, and the Article 6 and Article 9 processing rules for communications metadata. - [Directive 2009/136/EC amendments to the ePrivacy Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Shows the amended Article 5(3) terminal-equipment rule and prior-consent wording for traffic-data marketing or value-added services. ## Apply Article 6 to traffic data For traffic data stored by a public communications network or publicly available electronic communications service provider, the default control is erasure or anonymisation when the data is no longer needed to transmit the communication. The Directive allows narrower processing for subscriber billing and interconnection payments until the bill can no longer lawfully be challenged or payment pursued. It also allows processing for marketing electronic communications services or value-added services only to the extent and duration necessary, and only where the subscriber or user has consented. - Document the transmission need and the point at which that need ends for each traffic-data field. - For billing or interconnection data, record the billing purpose and the lawful challenge or payment-pursuit window without inventing a universal EU retention period. - For marketing electronic communications services or value-added services, keep proof of prior consent, the data fields covered, the duration, and the withdrawal route. - Restrict access to authorised people handling billing, traffic management, customer enquiries, fraud detection, marketing electronic communications services, or the value-added service. Sources for this answer: - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 6 sets the erasure/anonymisation default, billing exception, consent-based marketing/value-added-service rule, notice duty, and access restrictions for traffic data. - [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Explains that GDPR consent conditions apply where ePrivacy rules rely on consent, including free, specific, informed, unambiguous consent and easy withdrawal. ## Apply Article 9 to location data other than traffic data Article 9 is the rule for location data other than traffic data. It allows processing only when the data is anonymised or when users or subscribers consent, and only to the extent and for the duration necessary for a value-added service. Consent is not enough by itself. Before obtaining it, the service provider must tell users or subscribers what type of location data will be processed, the purposes and duration, and whether the data will be transmitted to a third party for the value-added service. - Keep the anonymisation assessment separate from pseudonymisation or aggregation claims, and do not treat identifiable precise location as anonymous. - When relying on consent, store the notice text, purpose, duration, recipient or third-party transmission disclosure, consent event, and withdrawal evidence. - Provide a simple, free way to temporarily refuse location-data processing for each network connection or communication after consent has been obtained. - Limit access to persons acting under the authority of the network/service provider or the third-party value-added-service provider, and only as necessary for that service. Sources for this answer: - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 9 provides the anonymisation-or-consent rule, notice content, temporary refusal right, and access restriction for location data other than traffic data. - [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports consent-quality evidence, including prior consent, demonstrability, purpose specificity, and withdrawal as easily as consent was given. ## Check confidentiality and Article 5(3) overlap Metadata and location features often implicate more than one ePrivacy rule. Article 5 protects confidentiality of communications and related traffic data; Article 5(3) adds a separate rule when a service stores information on, or gains access to information already stored in, terminal equipment. For apps, web SDKs, connected devices, tracking links, pixels, local storage, mobile sensors, or IP-derived identifiers, test whether the location or metadata feature involves terminal-equipment storage or access before treating it only as traffic or location data. - Flag client-side code, SDKs, pixels, local storage, device identifiers, sensor reads, and IoT reporting where terminal equipment is instructed to send information back over a network. - Record whether Article 5(3) applies to storage/access, Article 6 or 9 applies to subsequent communications metadata, and GDPR applies to later personal-data processing not covered by a special ePrivacy rule. - Do not use a generic cookie-banner decision as evidence for traffic or location-data processing unless it names the metadata field, purpose, duration, recipient, and withdrawal control. - Where information stays entirely inside the device, record why no network access or storage instruction brings Article 5(3) into play. Sources for this answer: - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Explains the technical scope of terminal-equipment storage and access, including pixels, URLs, local processing, identifiers, and IoT reporting. - [European Commission ePrivacy factsheet](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission material describes ePrivacy as protecting confidentiality of electronic communications and device integrity alongside GDPR personal-data rules. ## Handle national-law restrictions without inventing local rules Article 15 lets Member States restrict certain ePrivacy rights and obligations, including Articles 5, 6, and 9, only through legislative measures that are necessary, appropriate, and proportionate for listed public-interest purposes. That is not a blank cheque for product analytics, marketing, or routine internal retention. CJEU case-law in the grounding material confirms that general and indiscriminate retention or transmission of traffic and location data is tightly limited. The practical evidence record should therefore identify the specific national law or authority instruction relied on, but this page does not state country-by-country retention rules, interception powers, or penalties. - Escalate any retention, disclosure, interception, law-enforcement, national-security, emergency-service, or nuisance-call use case to local counsel before implementation. - Keep national-law evidence separate from ordinary Article 6 billing, fraud, traffic-management, marketing, or value-added-service evidence. - Do not generalise a lawful national-security or serious-crime retention measure into a broad business retention schedule. - Record the legal source, issuing authority or competent body, data categories, affected service, duration limit, safeguards, and review/expiry trigger when a national-law restriction is relied on. Sources for this answer: - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 15 provides the limited Member State restriction mechanism for specified ePrivacy rights and obligations. - [CJEU Press Release No 123/20 on traffic and location data retention](https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-10/cp200123en.pdf?ref=sorena.io) - Summarises CJEU limits on general and indiscriminate retention or transmission of traffic and location data and the narrow conditions for serious public-interest measures. ## Evidence checklist for metadata and location-data reviews A useful review record should prove the classification, legal rule, data minimisation, notice, consent or anonymisation route, access restriction, and national-law boundary for each traffic or location-data use case. Use this checklist when launching telecom services, messaging or call features, connected-device features, location-based services, communications analytics, billing logs, fraud-detection workflows, or marketing based on communications metadata. - Classification: traffic data, location data that is traffic data, location data other than traffic data, terminal-equipment storage/access, and later GDPR personal-data processing are separated. - Necessity: each field has a transmission, billing, interconnection, traffic-management, customer-enquiry, fraud-detection, marketing, or value-added-service purpose. - Retention: erasure, anonymisation, billing challenge/payment window, or national-law duration is documented without a made-up universal retention period. - Consent: consent evidence identifies the user or subscriber group, purpose, data type, duration, third-party transfer, date/time, interface, and withdrawal or temporary-refusal mechanism. - Access: only authorised personnel or value-added-service providers can access the data, and access logs map to the permitted purpose. - Change triggers: new data fields, countries, suppliers, SDKs, device sensors, product purposes, emergency-service uses, public-authority requests, or retention instructions reopen review. Sources for this answer: - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary source for the Article 5, Article 6, Article 9, and Article 15 evidence elements used in this checklist. - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Supports the terminal-equipment storage/access checks for SDKs, pixels, local processing, identifiers, and connected-device reporting. - [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Supports evidence for valid consent, demonstrability, prior consent, and easy withdrawal where Articles 6 or 9 rely on consent. *Recommended next step* *Placement: before sources* ## Classify traffic and location-data processing before launch Sorena can help convert the rules on this page into traffic-data maps, location-data consent checks, Article 5(3) technical-scope reviews, and evidence requests for your services. - [Open Research Copilot for EU ePrivacy Directive](/solutions/research-copilot.md): Ask source-linked questions about traffic data, location data, consent, anonymisation, value-added services, and national-law limits using the cited sources on this page. - [Talk through implementation](/contact.md): Review your metadata or location-data workflow, source gaps, and evidence plan with Sorena. ## Primary sources - [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Primary legal source for traffic data, location data, confidentiality, erasure/anonymisation, consent-based processing, value-added services, and Article 15 restrictions. - Quote: "Traffic data" - [Directive 2009/136/EC amendments to the ePrivacy Directive](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02009L0136-20201221&ref=sorena.io) - Source for amended Article 5(3) terminal-equipment wording and amended prior-consent wording for Article 6(3) traffic-data processing. - Quote: "terminal equipment" - [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Technical-scope guidance for storage or access to terminal equipment, including pixels, tracked URLs, identifiers, local processing, IP-address scenarios, and IoT reporting. - Quote: "gaining of access" - [EDPB Guidelines 05/2020 on consent](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Guidance used for consent quality, demonstrability, prior consent, purpose specificity, and withdrawal where the ePrivacy Directive relies on consent. - Quote: "free, specific" - [European Commission ePrivacy factsheet](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission ePrivacy material used for the relationship between electronic-communications confidentiality, device integrity, and GDPR personal-data protection. - Quote: "confidentiality" - [CJEU Press Release No 123/20 on traffic and location data retention](https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-10/cp200123en.pdf?ref=sorena.io) - Official CJEU summary used only for high-level Article 15 national-law limits on traffic and location-data retention or transmission. - Quote: "location data" ## Related Topic Guides - [Are cookie walls allowed under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cookie-walls.md): FAQ answer on cookie walls under the EU ePrivacy Directive, covering freely given consent, refusal and withdrawal paths, banner evidence, and national-law caveats. - [Do Analytics Cookies Require Consent under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/analytics-cookies.md): FAQ answer on analytics cookies under Article 5(3) ePrivacy, limited analytics exemptions, configuration evidence, consent logs, and national-law caveats. - [ePrivacy cookie consent vs DSA ads obligations: source-limited comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-dsa-ads.md): Compare ePrivacy cookie and tracking-consent duties with DSA ads workstreams without merging consent, transparency, and evidence obligations. - [ePrivacy Directive vs GDPR: cookies, communications, consent, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR across subject matter, lex specialis overlap, terminal equipment, communications confidentiality, marketing, consent, enforcement, and evidence. - [EU cookie banner requirements under the ePrivacy Directive](/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements.md): EU ePrivacy cookie banner requirements for non-exempt cookies and trackers: prior consent, reject choices, no pre-ticked boxes, withdrawal, analytics limits, cookie walls, and evidence logs. - [EU ePrivacy analytics cookies: consent, exemption, and evidence guide](/artifacts/eu/eprivacy-directive/analytics-cookies.md): source-linked guide to analytics cookies under EU ePrivacy: Article 5(3) scope, when consent is usually needed, limited analytics exemptions, consent records, and evidence gaps. - [EU ePrivacy Applicability Test for Cookies, SDKs, Pixels, Communications, and Marketing](/artifacts/eu/eprivacy-directive/applicability-test.md): A concrete EU ePrivacy Directive applicability test for electronic communications services, terminal-equipment storage or access, cookies, SDKs, pixels, local storage, direct marketing, GDPR overlap, and evidence. - [EU ePrivacy Article 5(3) terminal equipment test](/artifacts/eu/eprivacy-directive/article-5-3-terminal-equipment-test.md): A source-linked Article 5(3) test for cookies, pixels, local identifiers, device APIs, strictly necessary exceptions, and consent evidence. - [EU ePrivacy Confidentiality of Communications: Article 5 controls](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): Article 5 confidentiality guide for EU ePrivacy communications, traffic data, metadata, terminal-equipment access, consent limits, and GDPR interplay. - [EU ePrivacy consent-log evidence workflow for cookies and trackers](/artifacts/eu/eprivacy-directive/consent-log-evidence-workflow.md): Build an ePrivacy consent-log workflow that records cookie and tracker decisions, banner versions, consent signals, withdrawals, vendor evidence, and audit-ready outputs. - [EU ePrivacy cookie banner UX test cases](/artifacts/eu/eprivacy-directive/banner-ux-test-cases.md): source-linked cookie banner UX tests for Article 5(3) ePrivacy consent: reject all, pre-ticked boxes, withdrawal, cookie walls, analytics toggles, and consent evidence. - [EU ePrivacy Cookie Scope Classifier Workflow](/artifacts/eu/eprivacy-directive/cookie-scope-classifier-workflow.md): Classify cookies, pixels, SDKs, local storage, device identifiers, and analytics tracers under Article 5(3) ePrivacy rules, with consent and exemption evidence outputs. - [EU ePrivacy direct-marketing consent checklist](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): Checklist for ePrivacy Directive direct-marketing messages: consent, soft opt-in, sender identity, opt-out handling, proof records, suppression, and national-law caveats. - [EU ePrivacy Directive compliance calendar for cookies, consent, and marketing](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): source-linked ePrivacy calendar covering Directive milestones, Article 5(3) cookie reviews, consent evidence, direct marketing checks, and national-law follow-up. - [EU ePrivacy Directive Compliance Checklist](/artifacts/eu/eprivacy-directive/checklist.md): A concrete ePrivacy checklist for terminal equipment access, cookie consent, exemptions, banner UX, direct marketing, confidentiality, GDPR interplay, and evidence records. - [EU ePrivacy Directive Compliance Guide for Cookies, Marketing, and Communications](/artifacts/eu/eprivacy-directive/compliance.md): Practical ePrivacy Directive compliance checks for terminal equipment, communications confidentiality, cookie consent, exemptions, direct marketing, evidence, and national-law caveats. - [EU ePrivacy Directive Cookies and Consent: Article 5(3), exemptions, and banner evidence](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): Cookie consent guide for the EU ePrivacy Directive: Article 5(3) scope, strictly necessary and transmission exemptions, consent UX, withdrawal, logs, analytics caveats, and GDPR interplay. - [EU ePrivacy Directive direct marketing rules for electronic mail](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): source-linked guide to Article 13 ePrivacy Directive rules for electronic mail marketing, prior consent, customer soft opt-in, opt-out handling, sender identity, and Member State caveats. - [EU ePrivacy Directive Enforcement and Fines](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): Source-grounded guide to ePrivacy Directive enforcement, national penalties, competent authorities, GDPR interplay, cookie-banner risk, and evidence limits. - [EU ePrivacy Directive FAQ: cookies, consent, marketing, GDPR interplay](/artifacts/eu/eprivacy-directive/faq.md): Answers to recurring EU ePrivacy Directive questions on Article 5(3), terminal-equipment access, cookie consent, exemptions, analytics, direct marketing, GDPR interplay, national enforcement, and evidence. - [EU ePrivacy Directive Member State Cookie Rules](/artifacts/eu/eprivacy-directive/member-state-cookie-rules.md): How to evidence EU ePrivacy cookie compliance when Article 5(3) is implemented through Member State law and national authority practice. - [EU ePrivacy Directive penalties and fines: national enforcement caveats](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): source-linked guide to ePrivacy Directive penalty exposure, national transposition caveats, cookie enforcement evidence, consent defects, and GDPR overlap limits. - [EU ePrivacy Directive Requirements: cookies, communications and marketing](/artifacts/eu/eprivacy-directive/requirements.md): source-linked map of EU ePrivacy Directive requirements for communications confidentiality, terminal-equipment access, consent, traffic and location data, and direct marketing. - [EU ePrivacy Directive vs GDPR: cookies, communications, marketing, and evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): Compare the EU ePrivacy Directive and GDPR by trigger, consent standard, lex specialis overlap, enforcement caveats, and evidence outputs for cookies, device access, communications, and marketing. - [EU ePrivacy Directive vs UK PECR: source-limited cookie and marketing comparison](/artifacts/eu/eprivacy-directive/eprivacy-vs-uk-pecr.md): Compare EU ePrivacy Directive rules with a source-limited UK PECR workstream for cookies, terminal equipment, direct marketing, consent, soft opt-in, and evidence. - [EU ePrivacy soft opt-in FAQ for email marketing](/artifacts/eu/eprivacy-directive/faq/soft-opt-in.md): When Article 13(2) soft opt-in can support EU customer email marketing, including existing-customer, similar-offer, opt-out, sender-identity, suppression-list, and national-law checks. - [EU ePrivacy soft opt-in marketing checklist](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing.md): source-linked checklist for using the EU ePrivacy Directive soft opt-in exception for customer email marketing, opt-outs, sender identity, suppression records, and national-law caveats. - [EU ePrivacy soft opt-in marketing review workflow](/artifacts/eu/eprivacy-directive/soft-opt-in-marketing-review-workflow.md): Review whether an EU electronic-mail marketing send can rely on the ePrivacy soft opt-in, with checks for customer relationship evidence, similar products, opt-out, sender identity, suppression records, and national-law caveats. - [EU ePrivacy Strictly Necessary Cookie Exemptions](/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions.md): source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks. - [Is a reject-all button required for EU ePrivacy cookie consent?](/artifacts/eu/eprivacy-directive/faq/reject-all-button.md): Standalone FAQ answer on EU ePrivacy reject-all and refuse options for cookie banners, including equal prominence, deceptive UX, consent evidence, withdrawal, and national-law caveats. - [Strictly Necessary Cookies under the EU ePrivacy Directive](/artifacts/eu/eprivacy-directive/faq/strictly-necessary-cookies.md): FAQ answer on when EU ePrivacy Article 5(3) allows cookies without consent, with grounded examples, analytics caveats, evidence records, and national-law cautions. - [What should CMP consent logs retain under the EU ePrivacy Directive?](/artifacts/eu/eprivacy-directive/faq/cmp-consent-logs.md): FAQ answer on CMP consent logs for EU ePrivacy cookie consent: retained fields, consent validity signals, banner versioning, refusal and withdrawal events, proof limits, and national-law caveats. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/metadata-and-location-data