SealMetrics
Definition

ePrivacy Directive

EU Directive 2002/58/EC governing privacy and confidentiality in electronic communications. Article 5(3) — the rule that consent is required before storing or accessing information on a user’s terminal device — is the legal basis for cookie consent banners.

ePrivacy vs GDPR — different rules, often confused

ePrivacy and GDPR are two separate frameworks that frequently apply to the same processing. GDPR governs “the processing of personal data” — any information relating to an identified or identifiable person. ePrivacy governs “storage and access” on a user’s device, regardless of whether the data is personal. Analytics that sets a cookie engages both: the cookie is storage on the device (ePrivacy) and the data it carries is typically personal (GDPR).

Article 5(3) — the consent rule

Art. 5(3) requires that the user has given consent “having been provided with clear and comprehensive information” before any information is stored on or accessed from their terminal device. The classic example is a cookie. The carve-outs are narrow: strictly necessary cookies (cart, session) and — in most member states’ interpretation — anonymous audience measurement that does not allow cross-site tracking. The CNIL, AEPD, DSK and ICO have all published explicit exemption criteria for the latter.

Why cookieless analytics sits outside Art. 5(3)

Art. 5(3) triggers on storage of or access to terminal-device information. Cookieless analytics writes no cookie, reads no localStorage, generates no fingerprint. There is nothing on the terminal device to trigger the consent requirement. The data path is first-party server-side, the events are aggregated anonymously, and the architecture meets the exemption criteria the authorities have published. See the full legal walk-through on the consentless analytics pillar.

The 2026 ePrivacy Regulation

The proposed ePrivacy Regulation (intended to replace the Directive) has been in draft since 2017. The Digital Omnibus 2026 brought some of its enforcement clarifications into force via amendments to GDPR — including formalised reject-all banner parity and harmonised dark-pattern enforcement. The carve-out for anonymous, non-tracking analytics survived intact.