---
title: "ePrivacy Directive Requirements (2002/58/EC)"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/requirements"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/requirements"
author: "Sorena AI"
description: "A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3))."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "ePrivacy Directive requirements"
  - "Directive 2002/58/EC requirements"
  - "Article 5(3) cookie consent"
  - "cookie consent exemptions strictly necessary"
  - "ePrivacy metadata rules"
  - "ePrivacy direct marketing Article 13"
  - "ePrivacy vs GDPR requirements"
  - "cookie banner compliance evidence"
  - "Directive 2002/58/EC"
  - "Article 5(3)"
  - "cookies"
  - "direct marketing"
  - "metadata"
  - "evidence map"
---
# ePrivacy Directive Requirements (2002/58/EC)

A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)).


## EU ePrivacy Directive Requirements

A requirements breakdown you can implement: controls, UX, and evidence.

Focus: Article 5(3) device access + Article 13 marketing + GDPR interplay.

ePrivacy compliance works when it is engineered like a system: inventory -> legal model -> UX and controls -> logs and evidence -> continuous monitoring. This page breaks ePrivacy into implementable workstreams and shows what "done" looks like for cookie stacks, communications confidentiality/metadata, and direct marketing.

## Terminal equipment access (Article 5(3)) - the cookie/SDK decision table

Article 5(3) is the center of most product ePrivacy work. It requires a clear mapping of each tracker/technique to consent or an exemption.

The fastest way to reduce risk is to build a tracker-by-tracker decision table and keep it versioned.

- Inventory everything: cookies, pixels, local storage, mobile SDK identifiers, and fingerprinting-like techniques.
- For each: purpose, necessity, lifetime, who sets it, recipients, and markets.
- Decision: consent required vs exemption (transmission / strictly necessary) with documented reasoning.

## Cookie consent exemptions - "strictly necessary" is narrower than teams think

WP29 guidance provides a practical test for the two main exemption criteria and emphasizes how narrowly "sole purpose" and "strictly necessary" should be interpreted.

Treat exemptions as a legal decision with acceptance criteria, not a product preference.

- Transmission exemption: the communication must not be possible without the cookie/technique.
- Strictly necessary exemption: needed to provide a service explicitly requested by the user (not merely useful/efficient).
- Even when exempt, information duties and governance still matter (document and monitor).

## Direct marketing (Article 13) - operational rules + proof

Direct marketing compliance is an operational system: consent capture, opt-out, and suppression lists.

Design evidence so you can answer: who consented, when, to what wording, and how withdrawal was honored.

- Consent model + soft opt-in model (where applicable) documented per channel and market.
- Opt-out in every message + suppression list governance (never re-add without documented reason).
- Evidence: consent logs, wording versioning, withdrawal logs, and vendor/processor controls.

## GDPR interplay - ePrivacy for device access, GDPR for subsequent processing

A common pattern: ePrivacy national law governs placement/reading; GDPR governs subsequent processing of personal data derived from that access.

Your documentation should explicitly separate these layers and keep consent conditions aligned where GDPR consent is used.

- Layer A: placement/reading (ePrivacy) - tracker mapping table and banner/CMP behavior.
- Layer B: subsequent processing (GDPR) - lawful basis, transparency, retention, and data subject rights.
- Evidence: show consistency between banner choices and downstream processing purposes.

## Evidence map (requirement -> owner -> artifact)

Build a single evidence index. It is the fastest way to respond to regulators, auditors, and partner due diligence.

Aim for coherence, not volume.

- Tracker inventory + decision table (consent vs exemption) with approvals and version history.
- Banner UX spec + CMP configuration export + automated regression tests (key flows).
- Consent logs (timestamp, locale, purposes, vendors, banner version) + withdrawal logs.
- Direct marketing evidence pack: consent capture flows, suppression list controls, vendor controls.
- Enforcement response pack: how to export evidence quickly and consistently.
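
An added example (not Sorena's code and not part of the original guide) of the tracker decision table and the consent-log evidence described above: it checks that every row carries its documented fields and a decision, then replays observed tracker events against consent and withdrawal records. Field names, decision labels, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime

REQUIRED = ("name", "purpose", "lifetime", "set_by", "recipients", "markets", "decision", "reasoning")
DECISIONS = {"consent", "exempt_transmission", "exempt_strictly_necessary"}

def validate_table(table):
    """Return (tracker, problem) pairs for rows that are incomplete or undecided."""
    problems = []
    for row in table:
        name = row.get("name") or "<unnamed>"
        problems += [(name, f"missing {f}") for f in REQUIRED if not row.get(f)]
        if row.get("decision") not in DECISIONS:
            problems.append((name, "unknown decision"))
    return problems

def audit_events(table, consent_log, events):
    """Flag observed set/read events with no inventory row or no consent in force."""
    rows = {r["name"]: r for r in table}
    ts = datetime.fromisoformat
    findings = []
    for ev in events:
        row = rows.get(ev["tracker"])
        if row is None:
            findings.append((ev["visitor"], ev["tracker"], "not in inventory"))
        elif row["decision"] == "consent":
            # The newest record at or before the event decides; empty purposes = withdrawal.
            prior = [c for c in consent_log
                     if c["visitor"] == ev["visitor"] and ts(c["ts"]) <= ts(ev["ts"])]
            latest = max(prior, key=lambda c: ts(c["ts"]), default=None)
            if latest is None or row["purpose"] not in latest["purposes"]:
                findings.append((ev["visitor"], ev["tracker"], f"no consent for {row['purpose']}"))
    return findings

# Constructed sample data (not from any real site or CMP export).
def _row(name, purpose, decision, reasoning):
    return {"name": name, "purpose": purpose, "lifetime": "session", "set_by": "first party",
            "recipients": ["none"], "markets": ["EU"], "decision": decision, "reasoning": reasoning}
TABLE = [_row("session_id", "authentication", "exempt_strictly_necessary", "keeps the requested login"),
         _row("analytics_id", "analytics", "consent", "no exemption applies"),
         _row("ad_pixel", "advertising", "consent", "")]  # reasoning left blank on purpose
CONSENT_LOG = [{"visitor": "v1", "ts": "2026-02-21T10:00:00", "purposes": ["analytics"], "banner": "v3"},
               {"visitor": "v1", "ts": "2026-02-21T10:30:00", "purposes": [], "banner": "v3"}]
EVENTS = [{"visitor": v, "ts": f"2026-02-21T{t}", "tracker": n} for v, t, n in [
    ("v1", "10:05:00", "analytics_id"), ("v1", "10:06:00", "ad_pixel"),
    ("v1", "10:35:00", "analytics_id"),  # after the 10:30 withdrawal
    ("v2", "09:00:00", "session_id"), ("v2", "09:01:00", "fp_probe")]]

if __name__ == "__main__":
    print(validate_table(TABLE), audit_events(TABLE, CONSENT_LOG, EVENTS), sep="\n")
```

Run against a crawler or tag-manager export on each release, the two result lists become versioned artifacts for the evidence index.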

## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive) - consolidated text (EUR-Lex)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02002L0058-20091219&ref=sorena.io) - Directive framework for communications privacy, terminal equipment access (Article 5(3)), and direct marketing (Article 13).
- [WP29 Opinion 04/2012 on Cookie Consent Exemption (WP194)](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Detailed analysis of Article 5(3) consent exemption criteria.
- [EDPB Opinion 5/2019 on ePrivacy Directive and GDPR interplay](https://edpb.europa.eu/sites/edpb/files/files/file1/201905_edpb_opinion_eprivacydir_gdpr_interplay_en.pdf?ref=sorena.io) - Interplay model and enforcement competence when ePrivacy and GDPR intersect.
- [EDPB Report - Cookie Banner Taskforce (Jan 2023)](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Common denominator positions from coordinated handling of cookie banner complaints.

