EU ePrivacy Directive Requirements

A requirements breakdown you can implement: controls, UX, and evidence.

Focus: Article 5(3) device access + Article 13 marketing + GDPR interplay.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026

Overview

ePrivacy compliance works when it is engineered like a system: inventory -> legal model -> UX and controls -> logs and evidence -> continuous monitoring. This page breaks ePrivacy into implementable workstreams and shows what "done" looks like for cookie stacks, communications confidentiality/metadata, and direct marketing.

Section 1

Terminal equipment access (Article 5(3)) - the cookie/SDK decision table

Article 5(3) is the center of most product ePrivacy work. It requires a clear mapping of each tracker/technique to consent or an exemption.

The fastest way to reduce risk is to build a tracker-by-tracker decision table and keep it versioned.

  • Inventory everything: cookies, pixels, local storage, mobile SDK identifiers, and fingerprinting-like techniques.
  • For each: purpose, necessity, lifetime, who sets it, recipients, and markets.
  • Decision: consent required vs exemption (transmission / strictly necessary) with documented reasoning.

Section 3

Direct marketing (Article 13) - operational rules + proof

Direct marketing compliance is an operational system: consent capture, opt-out, and suppression lists.

Design evidence so you can answer: who consented, when, to what wording, and how withdrawal was honored.

  • Consent model + soft opt-in model (where applicable) documented per channel and market.
  • Opt-out in every message + suppression list governance (never re-add without documented reason).
  • Evidence: consent logs, wording versioning, withdrawal logs, and vendor/processor controls.

Section 4

GDPR interplay - ePrivacy for device access, GDPR for subsequent processing

A common pattern: ePrivacy national law governs placement/reading; GDPR governs subsequent processing of personal data derived from that access.

Your documentation should explicitly separate these layers and keep consent conditions aligned where GDPR consent is used.

  • Layer A: placement/reading (ePrivacy) - tracker mapping table and banner/CMP behavior.
  • Layer B: subsequent processing (GDPR) - lawful basis, transparency, retention, and data subject rights.
  • Evidence: show consistency between banner choices and downstream processing purposes.
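
One way to produce the consistency evidence described above, as an added example that is not part of the original guide: it validates decision-table rows and compares trackers observed in a test session against a consent log entry. The tracker names, field names and sample values are constructed for illustration.

```python
REQUIRED_FIELDS = ("purpose", "necessity", "lifetime", "set_by", "recipients", "markets")
EXEMPTIONS = {"transmission", "strictly_necessary"}

# Constructed decision table; tracker names and values are illustrative only.
DECISION_TABLE = {
    "session_id": {"purpose": "login session", "necessity": "required for sign-in",
                   "lifetime": "session", "set_by": "first party", "recipients": [],
                   "markets": ["DE", "FR"], "decision": "exempt",
                   "exemption": "strictly_necessary",
                   "reasoning": "service explicitly requested by the user"},
    "_an_id": {"purpose": "analytics", "necessity": "optional", "lifetime": "13 months",
               "set_by": "analytics vendor", "recipients": ["analytics vendor"],
               "markets": ["DE", "FR"], "decision": "consent"},
    "_ad_px": {"purpose": "advertising", "necessity": "optional", "lifetime": "90 days",
               "set_by": "ad vendor", "recipients": ["ad vendor"],
               "markets": ["DE"], "decision": "consent"},
}

# Constructed consent log entry using the consent-log fields named in the guide.
CONSENT = {"timestamp": "2026-02-21T10:00:00Z", "locale": "de-DE",
           "purposes": ["analytics"], "vendors": ["analytics vendor"],
           "banner_version": "v3"}


def validate_table(table):
    """Return problems that make a row unusable as evidence."""
    problems = []
    for name, row in table.items():
        for field in REQUIRED_FIELDS:
            if field not in row:
                problems.append(f"{name}: missing {field}")
        if row.get("decision") == "exempt":
            if row.get("exemption") not in EXEMPTIONS or not row.get("reasoning"):
                problems.append(f"{name}: exemption without type or reasoning")
        elif row.get("decision") != "consent":
            problems.append(f"{name}: no decision recorded")
    return problems


def audit_session(table, consent, observed):
    """Compare trackers observed on the device with the table and the consent log."""
    findings = []
    for name in observed:
        row = table.get(name)
        if row is None:
            findings.append((name, "not in inventory"))
        elif row.get("decision") == "consent" and row["purpose"] not in consent["purposes"]:
            findings.append((name, f"set without consent for '{row['purpose']}'"))
    return findings
```

Feed `observed` from an automated banner regression run so each finding ties a tracker name to a banner version and consent record.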

Section 5

Evidence map (requirement -> owner -> artifact)

Build a single evidence index. It is the fastest way to respond to regulators, auditors, and partner due diligence.

Aim for coherence, not volume.

  • Tracker inventory + decision table (consent vs exemption) with approvals and version history.
  • Banner UX spec + CMP configuration export + automated regression tests (key flows).
  • Consent logs (timestamp, locale, purposes, vendors, banner version) + withdrawal logs.
  • Direct marketing evidence pack: consent capture flows, suppression list controls, vendor controls.
  • Enforcement response pack: how to export evidence quickly and consistently.