The ePrivacy Directive and cookie consent
The ePrivacy Directive (2002/58/EC, amended 2009) regulates confidentiality of communications and, critically for analytics, the storing or accessing of information on a user's device. That clause is why setting non-essential cookies in the EU generally requires prior consent, sitting alongside the GDPR rather than being replaced by it. This is an educational overview, not legal advice.
What this means
The ePrivacy Directive, often called the 'cookie law', governs confidentiality in electronic communications. Article 5(3) requires consent before storing information on, or gaining access to information already stored in, a user's terminal equipment — unless it is strictly necessary to provide a service the user requested. That covers cookies, local storage, and similar techniques.
How it relates to GDPR
ePrivacy and the GDPR operate together. ePrivacy decides whether you may store/access something on the device (the consent trigger); the GDPR governs the processing of any personal data that results. So a non-essential analytics cookie typically needs ePrivacy consent regardless of whether the data is personal, and then GDPR rules apply to the data itself. National laws transpose the Directive, so specifics vary by country.
- Article 5(3): consent to store/access on the device
- Strictly-necessary storage is exempt
- ePrivacy and GDPR apply in parallel; neither replaces the other
How it appears in analytics and logs
If your analytics writes or reads anything on the device that is not strictly necessary, the ePrivacy 'consent to store/access' rule is likely engaged, independent of GDPR.
Diagnostic use case
Understand that the cookie-consent requirement comes from ePrivacy, not GDPR, and applies to any storage/access on the device — not just to personal data.
What WebmasterID can help detect
WebmasterID does not write non-essential cookies or local storage for tracking, so the ePrivacy 'store or access information' trigger is largely not engaged.
Common mistakes
- Thinking GDPR alone covers cookie consent.
- Assuming the rule applies only to personal data.
- Ignoring that national transpositions differ.
Privacy and accuracy notes
ePrivacy targets device storage/access itself. WebmasterID avoids non-essential storage on the device, which is why it sidesteps much of the cookie-consent trigger.
Related pages
- Consent banners and analytics
A consent banner (or CMP) is the interface that asks visitors to accept or refuse non-essential storage and processing. For consent to be valid under EU rules it must be freely given, specific, informed, and unambiguous — which rules out pre-ticked boxes and 'accept-only' dark patterns. Reducing what needs consent in the first place is the cleaner path. This is educational, not legal advice.
- GDPR and web analytics: the practical picture
The GDPR governs processing of personal data of people in the EU. For analytics that means: identifiers and IP addresses can be personal data, consent is often required for cookie-based tracking, and minimisation matters. Cookieless, first-party, anonymised measurement reduces the surface — but this is a factual overview, not legal advice.
- Lawful basis for analytics processing
The GDPR requires a lawful basis for processing personal data. For analytics the realistic candidates are consent and legitimate interests, each with conditions: consent must be valid and is often required where ePrivacy applies to cookies, while legitimate interests demands a balancing test and grants the visitor a right to object. Picking and documenting the basis is the operator's job. This is educational, not legal advice.
- Privacy-first analytics
No non-essential device storage to consent to.
Sources and verification notes
- EUR-Lex — ePrivacy Directive 2002/58/EC. Primary text. Educational, not legal advice.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.