
ePrivacy Directive — Cookie Consent

ePrivacy Directive 2002/58/EC, Art. 5(3)

In force since

2003 (directive); national transpositions vary

Scope

Any website that stores or accesses information on a user's terminal equipment (cookies, localStorage, pixels, fingerprinting)

Primary source

Official text

Enforcement bodies

NL Autoriteit Persoonsgegevens (AP) — Cookie consent enforcement
PT CNPD + ANACOM — CNPD for consent quality; ANACOM for electronic communications

What this regulation requires

The ePrivacy Directive Art. 5(3) establishes a simple rule: storing or accessing information on a user’s terminal equipment requires prior consent, unless one of two narrow exemptions applies.

This applies to any information, not just personal data. A tracking pixel that stores no personal data still falls under Art. 5(3) because the provision covers “information,” not “personal data.” The GDPR’s legitimate-interest basis (Art. 6(1)(f)) does not override Art. 5(3), because the ePrivacy Directive is lex specialis.

The two exemptions

Art. 5(3) permits storage/access without consent only when it is:

  1. For the sole purpose of carrying out a transmission over an electronic communications network, or
  2. Strictly necessary for a service the user explicitly requested.

Analytics, advertising, A/B testing, and social-media widgets do not qualify under either exemption. This is consistent guidance from the EDPB (Guidelines 2/2023), national DPAs, and CJEU case law.

How this applies in the Netherlands

Telecommunicatiewet art. 11.7a transposes Art. 5(3) into Dutch law. The operative rule:

Storing or accessing information on a user’s terminal equipment via electronic communication networks is only permitted when the user has been provided with clear and complete information and has given consent.

Two NL-specific points:

  • Art. 11.7a(3)(b) contains a narrow analytics carve-out: analytics that are “strictly necessary for the requested service” and cause “little or no privacy impact” may proceed without consent. Google Analytics in default configuration does not meet this test (AP position) because data is transmitted to the US and re-used by Google.

  • Art. 11.7a(4) creates a statutory presumption that cross-service profiling constitutes personal-data processing, short-circuiting “no personal data” arguments.

Enforcer: Autoriteit Persoonsgegevens (AP).

How this applies in Portugal

Lei n.º 41/2004, art. 5.º transposes Art. 5(3):

The storage of information and the possibility of access to information stored in the terminal equipment of a subscriber or user are only permitted if they have given their prior consent, based on clear and complete information.

The two exemptions in art. 5.º(2) map directly onto the Directive’s text.

Enforcers: CNPD (consent quality, data protection) + ANACOM (electronic communications).

What Elgarde checks

The scanner loads a site in a real browser, rejects all cookies via the site's consent management platform (CMP), and monitors network traffic for:

  • Pre-consent tracking: requests to known tracking domains that fire before any consent interaction.
  • Post-rejection tracking: requests that persist after the user clicks “Reject all.”

Each detected tracker is classified by category (advertising, analytics, social, fingerprinting) and phase (pre-consent, post-rejection), with severity determined by the combination.
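A sketch of the phase and category classification described above, run over a constructed request log. This is an added example, not Elgarde's code: the tracker domains, timestamps and severity matrix are assumptions, since the page does not publish its own mapping.

```javascript
// Constructed tracker list (hypothetical .example domains), not a real blocklist.
const TRACKERS = new Map([
  ["ads.example", "advertising"],
  ["metrics.example", "analytics"],
  ["social.example", "social"],
  ["fp.example", "fingerprinting"],
]);

// Assumed severity matrix: the page only says severity depends on category and phase.
const SEVERITY = {
  "pre-consent": { advertising: "high", fingerprinting: "high", analytics: "medium", social: "medium" },
  "post-rejection": { advertising: "critical", fingerprinting: "critical", analytics: "high", social: "high" },
};

// Match on label boundaries: cdn.ads.example hits ads.example, notads.example does not.
function trackerCategory(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const category = TRACKERS.get(labels.slice(i).join("."));
    if (category) return category;
  }
  return null;
}

// requests: [{ t: ms since navigation, url }]; rejectAtMs: time of the "Reject all"
// click, or null when no consent interaction happened during the scan.
function classify(requests, rejectAtMs) {
  const findings = [];
  for (const { t, url } of requests) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; } // skip malformed URLs
    const category = trackerCategory(host);
    if (!category) continue; // first-party or unknown host
    const phase = rejectAtMs !== null && t >= rejectAtMs ? "post-rejection" : "pre-consent";
    findings.push({ host, category, phase, severity: SEVERITY[phase][category] });
  }
  return findings;
}

// Constructed network log for a scan of shop.example; "Reject all" clicked at 2000 ms.
const SAMPLE = [
  { t: 120, url: "https://shop.example/app.js" },
  { t: 340, url: "https://cdn.metrics.example/collect?v=1" },
  { t: 410, url: "https://notads.example/banner.png" },
  { t: 2600, url: "https://ads.example/pixel.gif" },
  { t: 2900, url: "https://fp.example/probe" },
];
const REJECT_AT = 2000;
console.table(classify(SAMPLE, REJECT_AT));
```

A request is only as well classified as the domain list behind it, so trackers proxied through a first-party hostname pass this check unseen.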
