ePrivacy Directive compliance

The ePrivacy Directive 2002/58/EC (amended by 2009/136/EC), commonly known as the “Cookie Law”, is the EU legislation that specifically governs the use of cookies, tracking pixels, localStorage, and device fingerprinting on websites. CookieBoss is purpose-built to meet its requirements.

What the ePrivacy Directive requires

Article 5(3) is the core provision: websites must obtain prior, informed consent before storing or accessing any information on a user’s device. This applies to cookies, localStorage, sessionStorage, fingerprinting techniques, and tracking pixels — not just traditional HTTP cookies.

The only exception is for strictly necessary technologies — those essential for providing a service the user explicitly requested (e.g., session cookies for a shopping cart, authentication tokens).

Unlike the GDPR, which is a regulation with direct effect, the ePrivacy Directive is transposed into national law by each EU member state. This means enforcement varies: some countries (France, Germany, Italy) impose heavy fines, while others are less active. However, all EU/EEA countries require prior consent for non-essential cookies.

Key principles

  • Prior consent (opt-in)

    Consent must be obtained before any non-essential cookie or tracker is set. No loading analytics on page load and asking forgiveness later.

  • Informed consent

    Users must be told clearly what cookies are used, their purpose, and how long they persist — before they make their choice.

  • Covers all device storage

    Not limited to cookies. localStorage, IndexedDB, device fingerprinting, tracking pixels, and any technology that accesses the user’s device fall under Article 5(3).

  • Strictly necessary exemption

    Only cookies essential for a service the user explicitly requested are exempt. Analytics, marketing, A/B testing, and preference cookies all require consent.

  • National enforcement

    Each EU member state enforces through its own data protection authority. CNIL (France), BfDI (Germany), Garante (Italy), and AEPD (Spain) have been particularly active with cookie enforcement.

How CookieBoss helps

  • Prior consent blocking

    All non-essential scripts and cookies are blocked until the visitor explicitly opts in. No pre-ticked boxes, no implied consent from scrolling or continued browsing.

  • Automatic cookie detection

    Our scanner identifies all cookies, localStorage entries, and tracking technologies on your site — including third-party scripts that set cookies you may not know about.

  • Granular consent categories

    Visitors choose consent per purpose: necessary, analytics, marketing, and preferences. Each category maps to specific cookies and scripts, satisfying the “specific consent” requirement.

  • Consent logging & proof

    Every consent decision is recorded with timestamp, visitor ID, and categories chosen. Exportable logs demonstrate compliance to national DPAs during audits.

  • EU infrastructure

    All consent data is stored on Cloudflare D1, region-pinned to Western Europe. Operated by Transformination OÜ, registered in Tallinn, Estonia under full EU jurisdiction.

The upcoming ePrivacy Regulation

The European Commission has proposed an ePrivacy Regulation to replace the current Directive. Once enacted, it will apply directly across all EU member states without national transposition — eliminating the enforcement inconsistencies of the current framework.

The Regulation is expected to maintain the prior consent requirement for non-essential cookies while adding clearer rules for cookie walls, browser-level consent signals, and metadata processing. CookieBoss will adapt to the final text once adopted.

For full details on how we handle data, see our privacy policy and terms of service. Questions? Email [email protected].


Get ePrivacy compliant today

No credit card required. Every account includes a 14-day Pro trial with prior consent blocking, auto cookie detection, and consent logging.