ePrivacy Directive Article 5(3) Essential Cookie Exemption
Applying the ePrivacy Directive Article 5(3) strictly necessary exemption to classify cookies that do not require consent. Covers exemption criteria, functionality cookies, load balancing, session state, and non-exempt categories with regulatory guidance from EDPB and national DPAs.
ePrivacy Directive Article 5(3) Essential Cookie Exemption
Overview
Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) requires informed consent before storing or accessing information on a user's terminal equipment (cookies, LocalStorage, device fingerprints). However, it provides an exemption for storage that is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to deliver the service." Correctly classifying cookies under this exemption is critical — over-claiming exemption exposes organizations to enforcement action, while under-claiming creates unnecessary consent friction. The Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption (WP 194) remains the authoritative guidance on applying this exemption.
Exemption Criteria
The Two-Part Test
A cookie qualifies for the strictly necessary exemption only if BOTH conditions are met:
Condition 1 — The cookie is strictly necessary The cookie must be essential for the specific functionality that the user has actively requested. "Strictly necessary" means the service literally cannot function without it — not merely that it would be degraded or less convenient.
Condition 2 — For a service explicitly requested by the user The user must have actively requested the service that the cookie enables. The cookie must serve the user's purpose, not the website operator's purpose. A cookie that is necessary for the operator's business model (e.g., analytics) but not for the service the user requested (e.g., viewing products) does not qualify.
Article 29 Working Party Exemption Categories
WP 194 (Opinion 04/2012) identified specific cookie categories that can qualify for exemption:
Category A — User Input Cookies (Session-Only)
| Criterion | Requirement |
|---|---|
| Purpose | Keeping track of user input during a multi-step process (e.g., filling a form, shopping cart) |
| Duration | Session-only (deleted when browser closes) or short-lived (limited to a few hours) |
| Scope | First-party only |
| Example | Shopping cart contents during a browsing session |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| cart_session | Stores items added to shopping cart during session | Session | Yes |
| checkout_step | Tracks current step in multi-page checkout | Session | Yes |
| form_data_temp | Preserves form input if page reloads during checkout | 30 minutes | Yes |
Category B — Authentication Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Authenticating the user to provide access to authenticated content/services |
| Duration | Session-only for session authentication; persistent only if user explicitly chose "remember me" |
| Scope | First-party only |
| Example | Session token after login |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| auth_token | Authenticates logged-in user | Session | Yes |
| refresh_token | Maintains authentication across browser restarts (when "remember me" selected) | 30 days | Yes — user explicitly requested persistent login |
| session_id | Links requests to server-side session | Session | Yes |
Category C — User Security Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Ensuring security of the service explicitly requested by the user |
| Duration | Limited to what is necessary |
| Scope | First-party only |
| Example | CSRF protection, detecting repeated failed login attempts |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| csrf_token | Prevents cross-site request forgery attacks | Session | Yes |
| login_attempts | Tracks failed login count for brute-force protection | 30 minutes | Yes |
| device_verified | Flags device as verified after 2FA | 30 days | Yes — security for authenticated service |
Category D — Multimedia Player Session Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Storing technical data for media playback (quality settings, buffering) |
| Duration | Session-only |
| Scope | First-party only |
| Example | Video player quality preference for current session |
Category E — Load Balancing Cookies
| Criterion | Requirement |
|---|---|
| Purpose | Distributing web traffic across multiple servers |
| Duration | Session-only (persists only for the browsing session) |
| Scope | First-party only |
| Example | Load balancer session affinity cookie |
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| SERVERID | HAProxy server affinity cookie | Session | Yes |
| __cfduid (legacy) | Cloudflare server identification | Session | Yes — if session-only |
| lb_route | Internal load balancer routing | Session | Yes |
Category F — UI Customisation Cookies (Session-Only)
| Criterion | Requirement |
|---|---|
| Purpose | Storing user interface preferences explicitly set by the user during the session |
| Duration | Session-only (first visit within a session); persistent requires consent |
| Scope | First-party only |
| Example | Language selection within a session |
Critical Distinction: A language preference cookie set for the current session when the user clicks a language selector is exempt. A persistent language preference cookie that remembers the selection across visits typically requires consent (it exceeds the session scope).
Pinnacle E-Commerce Ltd Examples:
| Cookie | Purpose | Duration | Exempt |
|---|---|---|---|
| locale_session | Language selected during current session | Session | Yes |
| locale | Persistent language preference | 1 year | No — requires consent |
| currency_session | Currency selected during current session | Session | Yes |
| currency | Persistent currency preference | 1 year | No — requires consent |
Non-Exempt Cookie Categories
The following cookie types are explicitly NOT exempt and always require consent:
Analytics and Performance Cookies
| Cookie Type | Why Not Exempt |
|---|---|
| Google Analytics (_ga, _gid) | Serves the operator's analytics purpose, not the user's requested service |
| Hotjar (_hj*) | Session recording and heatmaps serve the operator |
| A/B testing (optimizely_*) | Experimentation serves the operator's optimization goals |
| Performance monitoring | Site performance monitoring benefits the operator |
Note: The CNIL has created a separate limited exemption for audience measurement (see analytics-cookie-consent skill), but this is a French-specific interpretation, not a universal ePrivacy Article 5(3) exemption.
Advertising and Targeting Cookies
| Cookie Type | Why Not Exempt |
|---|---|
| Meta Pixel (_fbp, _fbc) | Advertising tracking serves the advertiser |
| Google Ads (_gcl_au, IDE) | Conversion tracking and remarketing serve the advertiser |
| Retargeting cookies | Cross-site tracking for ad personalization |
| Ad frequency capping | Serves the ad delivery system, not the user |
Social Media Plug-in Cookies
| Cookie Type | Why Not Exempt |
|---|---|
| Facebook Like button cookies | Third-party tracking via social widget |
| Twitter share widget cookies | Third-party data collection |
| YouTube embed cookies | Google tracking via embedded video |
| LinkedIn Insight Tag | Professional network tracking |
Exception: If a social login (e.g., "Login with Google") is explicitly requested by the user, the authentication cookies for that flow may qualify under Category B. The social platform's tracking cookies do not.
Persistent Preference Cookies
| Cookie Type | Why Not Exempt |
|---|---|
| Persistent language preference | Exceeds session scope |
| Theme/dark mode preference (persistent) | Exceeds session scope |
| "Don't show again" dismissal cookies | Convenience, not strictly necessary |
| Recently viewed products | Enhancement, not essential service |
Borderline Cases and Regulatory Guidance
Consent Cookie Itself
The cookie that stores whether the user has accepted or rejected cookies:
| DPA Position | Exempt? | Reasoning |
|---|---|---|
| UK ICO | Yes | Strictly necessary to remember the user's privacy choice |
| CNIL | Yes | Technical necessity for implementing consent |
| Belgian DPA | Yes | Required to avoid re-prompting on every page |
| EDPB | Yes (implied) | Necessary to fulfill the consent obligation |
Pinnacle E-Commerce Ltd: The consent_state cookie is classified as strictly necessary.
Fraud Detection Cookies
| Scenario | Exempt? | Reasoning |
|---|---|---|
| CSRF token for form submission | Yes | Security for service the user requested (submitting a form) |
| Bot detection (CAPTCHA) | Likely yes | Security for the service; some DPAs require notice |
| Device fingerprinting for fraud | Likely no | Goes beyond what is strictly necessary; may use consent or legitimate interest |
| reCAPTCHA cookies | Contested | Google reCAPTCHA sets cookies and communicates with Google; some DPAs require consent |
CDN and Infrastructure Cookies
| Scenario | Exempt? | Reasoning |
|---|---|---|
| Cloudflare __cf_bm (bot management) | Contested | Security-related but sets persistent cookie; review with DPO |
| CDN session routing | Yes | Load balancing (Category E) |
| Geographic routing | Yes if session-only | Infrastructure necessity |
| A/B testing server routing | No | Optimization, not user-requested service |
Classification Process for Pinnacle E-Commerce Ltd
Step 1: Inventory All Cookies
Use the cookie-audit skill to generate a complete cookie inventory.
Step 2: Apply the Two-Part Test
For each cookie, answer:
- Is this cookie strictly necessary for the website to deliver a specific function?
- Did the user explicitly request that specific function?
Step 3: Classify and Document
| Cookie | User-Requested Service | Strictly Necessary | Duration OK | Exempt |
|---|---|---|---|---|
| session_id | Browsing the site | Yes — session state | Session | Yes |
| auth_token | Logging in | Yes — authentication | Session | Yes |
| cart_session | Adding items to cart | Yes — cart functionality | Session | Yes |
| csrf_token | Submitting forms | Yes — form security | Session | Yes |
| _ga | None (operator analytics) | No | 2 years | No |
| _fbp | None (operator advertising) | No | 90 days | No |
| locale | Changing language | Debatable | 1 year | No — persistent, needs consent |
| consent_state | Managing cookie preferences | Yes — consent management | 6 months | Yes |
Step 4: Document Justification
For each exempt cookie, maintain a written justification:
Template:
Cookie: [name]
Classification: Strictly Necessary — Exempt from consent
User-Requested Service: [specific service]
Why Strictly Necessary: [explanation of why the service cannot function without this cookie]
Duration Justification: [why this duration is the minimum necessary]
WP 194 Category: [A/B/C/D/E/F]
Reviewed By: [DPO name]
Review Date: [date]
Next Review: [date + 12 months]
Key Legal References
- ePrivacy Directive 2002/58/EC, Article 5(3) — Consent requirement and strictly necessary exemption
- Directive 2009/136/EC (Citizens' Rights Directive) — Amended Article 5(3) to require informed consent
- Article 29 Working Party Opinion 04/2012 (WP 194) — Authoritative guidance on cookie consent exemption categories
- CJEU Case C-673/17 (Planet49) — Active consent; exemption applies only to strictly necessary cookies
- EDPB Guidelines 05/2020 on Consent — Consent under GDPR applicable to ePrivacy consent
- UK ICO Guidance on Cookies (2019, updated 2023) — PECR implementation of ePrivacy exemptions
- CNIL Deliberation No. 2020-091 (17 September 2020) — French implementation of cookie exemptions
- Recital 66, Directive 2009/136/EC — Exemption for cookies "strictly limited to the provision of an information society service explicitly requested"
No additional documents ship with this skill.
Related Skills
Data Subject Rights for AI Systems
Implements data subject rights mechanisms for AI systems including right to explanation of AI decisions, contestation procedures, human review, model…
Lawful Basis for AI Training Data
Assesses lawful basis for AI training data processing per EDPB April 2025 report on LLMs and general-purpose AI. Covers legitimate interest balancing…
Managing Consent for Analytics Cookies
Managing consent for analytics cookies and implementing privacy-preserving measurement. Covers GA4 privacy configuration, consent mode fallback behav…
Applying Privacy Design Patterns
Systematic application of the eight privacy design patterns per Hoepman: minimize, hide, separate, abstract, inform, control, enforce, and demonstrat…
User Input
[COMMUNITY] Assess EU Data Act (Regulation 2023/2854) compliance for connected products, data holders, and data processing service providers
