Classify Article 5(3) storage and access that can run without consent only when it fits the transmission exemption or the user-requested service exemption.
Use this page to separate essential cookies from consent-required cookies, document analytics limits, and keep evidence ready for national ePrivacy review.
Structured answer sets in this page tree.
Cited legal and guidance references.
Article 5(3) of the ePrivacy Directive allows storage of, or access to, information on a user's terminal equipment only with consent, except for two narrow cases: technical storage or access for the sole purpose of transmitting a communication, or storage/access that is strictly necessary to provide an information society service explicitly requested by the user. The exemption analysis should be done per cookie, SDK, local-storage item, pixel, identifier, or similar technical operation, not by broad labels such as essential, functional, security, or analytics.
The first exemption is the transmission exemption. WP29 explains that a cookie is not exempt merely because it assists, speeds up, or regulates transmission; the communication must not be possible without it. The examples WP29 ties to this logic include identifiers needed to route information, preserve packet order, or detect transmission errors or data loss.
The second exemption is the requested-service exemption. It requires both an explicit user request for a defined service or functionality and strict necessity for providing that service or functionality. If the user can use the requested functionality with the storage or access disabled, the exemption should not be used.
WP29 gives concrete examples that may qualify when they are limited to the exempt purpose and not reused for tracking, advertising, or broad analytics. User-input session cookies can keep a multi-page form or shopping basket coherent. Authentication session cookies can keep a user logged in to authorized content during the session. User-centric security cookies can protect the requested login service, for example by detecting repeated failed login attempts.
Other grounded examples include multimedia player session cookies needed for playback, load-balancing session cookies used to keep a user's requests on the correct server during a session, and short-lived user-interface customization cookies where the user has actively selected the setting. Persistent login, tracking, advertising, market research, product improvement, debugging, and cross-site profiling should not be folded into these examples.
Do not classify analytics as strictly necessary merely because the website owner needs measurement. WP29 says first-party analytics are not strictly necessary to provide a functionality explicitly requested by the user, even though limited first-party aggregated analytics may present lower privacy risk when safeguards are present. CNIL's national guidance describes a narrower audience-measurement exemption under specified conditions, including information, opt-out, limited purposes, no cross-checking, single publisher scope, IP truncation, and limited tracker lifetime.
Advertising, behavioral tracking, frequency capping, affiliate measurement, market analysis, product improvement, debugging, social plug-in tracking, and persistent login should not be treated as strictly necessary based on the sources reviewed. If consent is needed, the consent layer must meet GDPR-quality consent standards and avoid practices such as pre-ticked boxes, cookie walls that remove real choice, misleading link design, or confusing legitimate-interest framing for cookie placement.
The evidence record should prove the exemption, not simply state that the cookie is essential. The Cookie Banner Taskforce noted that website owners may need to maintain lists and provide documentation on purposes, and that tools can list placed cookies but do not determine their legal nature. Treat scanner output as the starting inventory, then add purpose, functionality, lifetime, controller or processor, and exemption reasoning.
Because ePrivacy is implemented through national law, the record should name the Member State rules or authority guidance checked for the launch market. The EDPB taskforce report also stresses that its positions are a minimum threshold and must be combined with national implementing laws and competent-authority guidance. Commission ePrivacy material likewise frames the device rule around user control over information stored on, or accessed from, devices.
Not by default. WP29 says first-party analytics do not meet the two Article 5(3) exemptions because users can access the website functionality without them. A narrow audience-measurement exemption may exist under national guidance only if the specific safeguards and national position are documented.
No. First-party session cookies are more likely to qualify, but WP29 says purpose and implementation decide the exemption. A first-party or session cookie still needs consent if it is used for tracking, advertising, analytics, or another non-exempt purpose.
Document the doubt, avoid firing the item before consent, and collect valid consent unless national guidance or legal review confirms the exemption. The exemption threshold is narrow and the evidence should show the user-requested function cannot work without the storage or access.
Sorena can help classify cookies, SDKs, local storage, pixels, and identifiers against the transmission and requested-service exemptions, then prepare source-linked evidence for CMP and regulator review.
Ask source-linked questions about Article 5(3), cookie exemptions, analytics caveats, and evidence records using the cited sources on this page.
Review your strictly necessary classification, CMP behavior, source gaps, and country-specific caveats with Sorena.
"may be subject to national variation"
"terminal equipment of a subscriber or user"
"provide documentation on their purposes"
"free, specific, informed and unambiguous"
"does not exclusively apply to cookies"
"future proof legal framework"
"first party analytics cookies are not exempt"