---
title: "EU ePrivacy Strictly Necessary Cookie Exemptions"
canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions"
source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/strictly-necessary-exemptions"
author: "Sorena AI"
description: "source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU ePrivacy Directive"
  - "Article 5(3)"
  - "strictly necessary cookies"
  - "cookie consent exemption"
  - "terminal equipment"
  - "WP29 Opinion 04/2012"
  - "cookie banner"
---

# EU ePrivacy Strictly Necessary Cookie Exemptions

Source-linked guide to the Article 5(3) ePrivacy exemptions for transmission cookies, requested-service cookies, analytics caveats, evidence, and national-law checks.


## EU ePrivacy Directive Strictly Necessary Exemptions

Classify Article 5(3) storage and access as able to run without consent only when it fits the transmission exemption or the user-requested service exemption.

Use this page to separate essential cookies from consent-required cookies, document analytics limits, and keep evidence ready for national ePrivacy review.

Article 5(3) of the ePrivacy Directive allows storage of, or access to, information on a user's terminal equipment only with consent, except for two narrow cases: technical storage or access for the sole purpose of transmitting a communication, or storage/access that is strictly necessary to provide an information society service explicitly requested by the user. The exemption analysis should be done per cookie, SDK, local-storage item, pixel, identifier, or similar technical operation, not by broad labels such as essential, functional, security, or analytics.

## Two Article 5(3) exemptions to test

The first exemption is the transmission exemption. WP29 explains that a cookie is not exempt merely because it assists, speeds up, or regulates transmission; the communication must not be possible without it. The examples WP29 ties to this logic include identifiers needed to route information, preserve packet order, or detect transmission errors or data loss.

The second exemption is the requested-service exemption. It requires both an explicit user request for a defined service or functionality and strict necessity for providing that service or functionality. If the user can use the requested functionality with the storage or access disabled, the exemption should not be used.

- Record which exemption is claimed: transmission only, or strictly necessary for a user-requested functionality.
- Define the specific functionality from the user's perspective, not the operator's business or measurement interest.
- Check whether the same cookie or identifier has any second purpose; a multi-purpose item is exempt only if every purpose is independently exempt.
- Set the lifetime to what the exempt purpose needs; session or short-lived cookies are easier to justify than persistent identifiers.
- Escalate unresolved doubts to consent instead of labeling the item essential by default.

Sources for this answer:

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Article 5(3) states the consent rule and the two exemptions for transmission and requested information society services.
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Explains the high threshold for both exemption criteria and the need to test purpose and implementation, not cookie labels alone.

## Examples that can be exempt when tightly implemented

WP29 gives concrete examples that may qualify when they are limited to the exempt purpose and not reused for tracking, advertising, or broad analytics. User-input session cookies can keep a multi-page form or shopping basket coherent. Authentication session cookies can keep a user logged in to authorized content during the session. User-centric security cookies can protect the requested login service, for example by detecting repeated failed login attempts.

Other grounded examples include multimedia player session cookies needed for playback, load-balancing session cookies used to keep a user's requests on the correct server during a session, and short-lived user-interface customization cookies where the user has actively selected the setting. Persistent login, tracking, advertising, market research, product improvement, debugging, and cross-site profiling should not be folded into these examples.

- User-input: form progress, checkout basket, or comparable user-entered state for the session or a short recovery period.
- Authentication: session token for access to content or functions the user has logged in to use, excluding behavioral monitoring.
- User-centric security: limited cookies protecting the requested login or account service from abuse.
- Multimedia playback: session technical data needed for audio or video playback, without extra tracking fields.
- Load balancing: session routing to the correct server endpoint where that routing is necessary for communication.
- UI customization: language or display choices actively selected by the user, kept no longer than the choice requires.

Sources for this answer:

- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Lists exemptable use cases and limits them to the relevant session, functionality, or user-requested preference.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Recalled WP29 Opinion 04/2012 when discussing how authorities assess cookies classified as essential.

## Technical scope is broader than cookies

The exemption test applies only after the team decides that Article 5(3) is technically triggered. EDPB Guidelines 2/2023 explain that Article 5(3) is not limited to classic browser cookies: it can cover stored or accessed information in terminal equipment, including information that is not personal data, information previously stored by another party, local storage, software instructions, URL and pixel tracking, local processing outputs sent over a network, certain IP-based tracking scenarios, IoT reporting, and unique identifiers.

That breadth matters for essential-cookie registers. A tag, SDK, tracking pixel, mobile identifier, local-storage key, cache mechanism, or JavaScript instruction should not escape review because it is not named as a cookie. The exemption evidence should describe the exact storage or access operation and the receiving or instructing entity.

- Inventory cookies, local storage, SDK identifiers, tracking pixels, tagged URLs, cache identifiers, and scripts that instruct the device to send information.
- Document whether the operation stores information, gains access to stored information, or does both.
- Identify the terminal equipment and whether the operation occurs in a public electronic communications network context.
- Separate technical scope from exemption status: being in scope does not mean consent is required if an exemption applies, and being essential requires proof.
- Review third-party and cross-domain components carefully because they often serve a separate service or controller purpose.

Sources for this answer:

- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Defines the technical scope of Article 5(3), including information, terminal equipment, gaining access, and storage.
- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Baseline ePrivacy Directive source for terminal-equipment storage or access in Article 5(3).

## Analytics caveat and non-exempt purposes

Do not classify analytics as strictly necessary merely because the website owner needs measurement. WP29 says first-party analytics are not strictly necessary to provide a functionality explicitly requested by the user, even though limited first-party aggregated analytics may present lower privacy risk when safeguards are present. CNIL's national guidance describes a narrower audience-measurement exemption under specified conditions, including information, opt-out, limited purposes, no cross-checking, single publisher scope, IP truncation, and limited tracker lifetime.

Advertising, behavioral tracking, frequency capping, affiliate measurement, market analysis, product improvement, debugging, social plug-in tracking, and persistent login should not be treated as strictly necessary based on the sources reviewed. If consent is needed, the consent layer must meet GDPR-quality consent standards and avoid practices such as pre-ticked boxes, cookie walls that remove real choice, misleading link design, or confusing legitimate-interest framing for cookie placement.

- Classify analytics as consent-required unless a specific national-law exemption and all required safeguards are documented.
- Do not cross-check exempt audience measurement with customer files, cross-site statistics, advertising profiles, or other processing.
- Keep audience-measurement trackers independent by publisher where a provider serves multiple publishers.
- Avoid using an exempt security, authentication, or preference cookie as a shared identifier for analytics or personalization.
- When consent is required, collect it before placement or reading and keep withdrawal as easy as giving consent.

Sources for this answer:

- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - States that first-party analytics are not exempt under the two Article 5(3) criteria while distinguishing lower-risk safeguarded analytics.
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - National regulator guidance showing that audience-measurement exemptions depend on specific safeguards and may vary by country.
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent guidance for free, specific, informed, unambiguous consent, prior consent, proof, and withdrawal.
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Summarizes common banner issues including missing reject options, pre-ticked boxes, misleading design, and inaccurate essential classifications.

## Evidence record for an essential classification

The evidence record should prove the exemption, not simply state that the cookie is essential. The Cookie Banner Taskforce noted that website owners may need to maintain lists and provide documentation on purposes, and that tools can list placed cookies but do not determine their legal nature. Treat scanner output as the starting inventory, then add purpose, functionality, lifetime, controller or processor, and exemption reasoning.

Because ePrivacy is implemented through national law, the record should name the Member State rules or authority guidance checked for the launch market. The EDPB taskforce report also stresses that its positions are a minimum threshold and must be combined with national implementing laws and competent-authority guidance. Commission ePrivacy material likewise frames the device rule around user control over information stored on, or accessed from, devices.

- Identifier: cookie, SDK key, local-storage key, pixel, URL parameter, or other technical operation.
- Article 5(3) scope: storage, access, terminal equipment, network context, and entity instructing or receiving the information.
- Exemption claim: transmission or requested-service, with a short explanation of why the service fails without it.
- Purpose guardrail: confirmation that the item is not reused for advertising, analytics, profiling, product improvement, or other non-exempt purposes.
- Lifetime and placement: session, short-lived, or persistent duration with the reason and deletion behavior.
- National-law check: launch countries, regulator guidance reviewed, unresolved country differences, and next review trigger.
- Proof pack: scanner output, CMP configuration, tag-manager rule, code owner, release approval, test showing consent-required items do not fire before consent, and source citations.
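
One way to turn the evidence record into an automated pre-consent check, as an added example that is not part of the original guide or Sorena's tooling: it audits register rows against the fields listed above and compares them with `Set-Cookie` headers captured before any consent choice. The `Entry` field names, cookie names, and captured headers are constructed assumptions, and a passing result only shows the record is complete, not that the exemption is legally valid.

```python
from dataclasses import dataclass

# Purposes the guide's purpose guardrail says an exempt item must not be reused for.
NON_EXEMPT = {"advertising", "analytics", "profiling", "product improvement"}
EXEMPTIONS = {"transmission", "requested-service"}

@dataclass
class Entry:  # hypothetical register row; field names are assumptions
    identifier: str
    exemption: str            # "transmission", "requested-service" or ""
    why_service_fails: str
    purposes: tuple
    lifetime_s: int           # 0 = session
    lifetime_reason: str
    countries_checked: tuple
    open_doubt: bool = False

def audit_entry(e):
    """Return the evidence gaps that block an exempt classification."""
    gaps = []
    if e.exemption not in EXEMPTIONS:
        gaps.append("no Article 5(3) exemption claimed")
    if not e.why_service_fails.strip():
        gaps.append("missing explanation of why the service fails without it")
    # A multi-purpose item is exempt only if every purpose is exempt.
    bad = sorted({p.lower() for p in e.purposes} & NON_EXEMPT)
    if bad:
        gaps.append("non-exempt purpose: " + ", ".join(bad))
    if e.lifetime_s > 0 and not e.lifetime_reason.strip():
        gaps.append("persistent lifetime without a recorded reason")
    if not e.countries_checked:
        gaps.append("no national-law check recorded")
    if e.open_doubt:
        gaps.append("unresolved doubt: escalate to consent")
    return gaps

def parse_set_cookie(header):
    """Return (name, max_age_or_None, has_expires) for one Set-Cookie value."""
    first, *attrs = [p.strip() for p in header.split(";")]
    name = first.split("=", 1)[0].strip()
    max_age, has_expires = None, False
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age" and value.strip().isdigit():
            max_age = int(value)
        elif key == "expires":
            has_expires = True
    return name, max_age, has_expires

def pre_consent_findings(headers, register):
    """Map each cookie set before consent to its findings (empty list = ok)."""
    by_name = {e.identifier: e for e in register}
    out = {}
    for header in headers:
        name, max_age, has_expires = parse_set_cookie(header)
        entry = by_name.get(name)
        if entry is None:
            out[name] = ["set before consent with no register entry"]
            continue
        findings = audit_entry(entry)
        if max_age is not None:  # Max-Age takes precedence over Expires
            if max_age > entry.lifetime_s:
                findings.append("observed lifetime exceeds register")
        elif has_expires and entry.lifetime_s == 0:
            findings.append("persistent cookie registered as session")
        out[name] = findings
    return out

# Constructed register rows and pre-consent capture (not real scanner output).
REGISTER = [
    Entry("sid", "requested-service", "login state is lost between pages",
          ("authentication",), 0, "", ("FR", "DE")),
    Entry("lang", "requested-service", "user-selected language reverts",
          ("ui customization",), 2592000, "keeps the choice for 30 days", ("FR", "DE")),
    Entry("metrics_id", "requested-service", "", ("analytics",), 63072000, "", ()),
]
CAPTURE = [
    "sid=abc123; Path=/; HttpOnly; Secure",
    "lang=fr; Max-Age=31536000; Path=/",
    "metrics_id=7f3a; Max-Age=63072000; Path=/",
    "promo_px=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]
```

Calling `pre_consent_findings(CAPTURE, REGISTER)` returns an empty list only for `sid`; the other three cookies need either a corrected record or a move behind consent.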

Sources for this answer:

- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds evidence expectations for essential classifications and cautions that national implementing laws and authority guidance remain applicable.
- [European Commission ePrivacyEU factsheet](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission ePrivacy material frames device access and storage around user control over information on devices.


## Primary sources

- [Directive 2002/58/EC (ePrivacy Directive)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058&ref=sorena.io) - Binding Article 5(3) source for terminal-equipment storage/access, the consent rule, and the two exemption grounds.
  - Quote: "as strictly necessary in order to provide"
- [WP29 Opinion 04/2012 on Cookie Consent Exemption](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Primary guidance for applying the transmission and requested-service exemptions to common cookie scenarios.
  - Quote: "verify carefully if it fulfils"
- [EDPB Guidelines 2/2023 on Article 5(3) ePrivacy Directive](https://www.edpb.europa.eu/system/files/2023-11/edpb_guidelines_202302_technical_scope_art_53_eprivacydirective_en.pdf?ref=sorena.io) - Technical-scope guidance for storage or access involving terminal equipment beyond classic cookies.
  - Quote: "store information or to gain access"
- [EDPB Guidelines 05/2020 on consent](https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent-quality guidance used when an item does not fit an Article 5(3) exemption.
  - Quote: "statement or by a clear affirmative action"
- [EDPB Cookie Banner Taskforce report](https://www.edpb.europa.eu/system/files/2023-01/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Grounds banner and evidence caveats for inaccurate essential classifications, reject options, consent validity, and national-law application.
  - Quote: "Inaccurately Classified Essential Cookies"
- [CNIL Sheet 16: Use analytics on your websites and applications](https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications?ref=sorena.io) - National regulator source for the analytics caveat and the need to check national variation before relying on an audience-measurement exemption.
  - Quote: "Subject to a number of conditions"
- [European Commission ePrivacyEU factsheet](https://digital-strategy.ec.europa.eu/en/library/eprivacyeu-towards-future-proof-legal-framework-online-privacy?ref=sorena.io) - Commission ePrivacy material supporting the broader device-control framing for storage and access on user devices.
  - Quote: "online privacy"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

