EU ePrivacy Directive Requirements

Classify the activity before assigning controls. Article 5 protects confidentiality of communications and related traffic data by requiring Member States to prohibit listening, tapping, storage, interception, or surveillance by persons other than users unless users consent or Article 15(1) lawfully authorizes the measure. Article 5(3) separately governs storing information on, or gaining access to information stored in, a subscriber's or user's terminal equipment.

The scope record should say whether the activity is communications carriage, terminal-equipment access, traffic-data processing, location-data processing, direct marketing, directory publication, calling-line functionality, or a national-law restriction. Do not collapse these into a single GDPR lawful-basis decision.

For communications providers, the baseline requirement is confidentiality. Technical storage needed to convey a communication is not prohibited, but the confidentiality principle still applies. A requirements file should identify who can access communications or related traffic data, why access is needed, whether users consented, and whether a legal authorization is being relied on.

Traffic data must be erased or made anonymous when no longer needed for transmission, subject to the Directive's stated exceptions. Billing and interconnection data may be processed only through the period in which the bill may lawfully be challenged or payment pursued. Processing traffic data for marketing electronic communications services or value-added services requires user or subscriber consent and must stay limited to what is necessary for that purpose. Location data other than traffic data may be processed only when anonymous or with consent, to the extent and for the duration necessary for the value-added service.

Article 5(3) is triggered by storage of information on terminal equipment or gaining access to information already stored there. EDPB guidance treats the relevant information broadly: it can be personal or non-personal, created by the user, stored by another party, produced by sensors, held in local storage, or accessed through instructions sent to software on the device.

Consent is not the only possible route, but the exemptions are narrow. The WP29 cookie-exemption opinion identifies two main consent exemptions: storage or access for the sole purpose of carrying out transmission over an electronic communications network, and storage or access that is strictly necessary to provide an information society service explicitly requested by the subscriber or user. The evidence should therefore explain the exact functionality, not just label a cookie or SDK as essential.

A requirements review should test the deployed banner, not just the policy text. The Cookie Banner Taskforce recorded that, by default, no consent-requiring cookies can be set before consent and that consent must be expressed through a positive action. It also identified common problem patterns: no reject option where a consent button is present, pre-ticked boxes, deceptive link design, misleading colour or contrast, confusing legitimate-interest layers, inaccurate essential-cookie classifications, and weak withdrawal access.

The artifact should preserve evidence that the banner state, tag firing, preference storage, and withdrawal route match the legal analysis. When a cookie or tracker is marked essential, keep the functionality-level justification and a test result showing what breaks if it is disabled.

Article 13 requires prior consent for direct marketing by automated calling systems without human intervention, fax, or electronic mail. The Directive defines electronic mail broadly as text, voice, sound, or image messages over a public communications network that can be stored in the network or in the recipient's terminal equipment until collected.

The soft opt-in is narrower than a general customer-relationship exception. Where a natural or legal person obtains electronic contact details from customers in the context of a sale, it may use those details for direct marketing of its own similar products or services if customers are clearly and distinctly given a free and easy opportunity to object when the details are collected and in each subsequent message, unless they initially refused. Other direct-marketing channels and legal-person protections depend on national implementing law, so record the relevant country rule without inventing it.

The ePrivacy Directive and GDPR can apply to the same operation. EDPB Opinion 5/2019 explains that ePrivacy particularises and complements GDPR: where ePrivacy contains a specific rule, that rule takes precedence for that specific matter, while GDPR still applies to personal-data processing not specifically governed by ePrivacy. For cookies, the Taskforce report separates placement or reading under national law transposing Article 5(3) from subsequent personal-data processing under GDPR.

Because the Directive is implemented through Member State law, the requirements artifact should never state a single EU-wide penalty, retention period, authority route, direct-marketing call rule, or cookie-enforcement procedure unless a cited source supports it. Use the EU sources for the common requirement and attach the checked national rule as a separate jurisdictional note when needed.