What the ePrivacy Directive Means for Your Website Analytics
When people talk about cookie consent banners and GDPR, they're usually blaming the wrong law. The regulation that actually requires consent for cookies isn't GDPR — it's the ePrivacy Directive (2002/58/EC), a separate EU law specifically about electronic communications.
Understanding the difference matters because it changes what you need to do. GDPR governs personal data. The ePrivacy Directive governs what gets stored on or read from a visitor's device. They overlap, but they're not the same thing — and your analytics setup needs to comply with both.
What Article 5(3) Actually Says
The key provision is Article 5(3), amended in 2009 by the so-called "Cookie Directive" (2009/136/EC). The rule is straightforward:
Storing information on, or accessing information from, a user's device requires prior informed consent — unless it falls under one of two narrow exceptions.
Three things to note:
- It covers more than cookies. The EDPB confirmed in Guidelines 2/2023 (finalized October 2024) that Article 5(3) applies to tracking pixels, URL tracking parameters, local storage, and any unique identifier accessed from a device.
- It applies to all information, not just personal data. Even if a cookie contains no personal data, you still need consent to set it. This is broader than GDPR.
- Consent must be real. The CJEU ruled in the Planet49 case (C-673/17, October 2019) that pre-checked boxes don't count. Consent must be freely given, specific, informed, and unambiguous.
The Two Exceptions
Article 5(3) allows two situations where consent is not required:
Exception 1: Technical transmission. The storage is solely for carrying out the transmission of a communication over a network. Think: routing data.
Exception 2: Explicitly requested service. The storage is "strictly necessary" to provide a service the user explicitly asked for.
What counts as strictly necessary:
- Session/authentication cookies (staying logged in)
- Shopping cart cookies
- Security cookies (detecting repeated failed logins)
- Load-balancing cookies
- Language preference cookies the user actively set
What does not count:
- Analytics cookies — even first-party, even "privacy-friendly"
- Advertising cookies
- Social media sharing cookies
- Any cookie that serves the site owner's interests rather than a service the user requested
This is the critical point: analytics serve the website operator, not a service the visitor asked for. Under a strict reading of Article 5(3), analytics cookies always require consent.
How It Differs From GDPR
People confuse these two laws constantly. Here's why the distinction matters:
| | ePrivacy Directive | GDPR |
|---|---|---|
| Type | Directive (each country implements it differently) | Regulation (uniform across the EU) |
| Scope | Any information on a user's device | Personal data only |
| Legal bases | Consent or strictly necessary — that's it | Six options including legitimate interest |
| Cookie rules | Specific, explicit rules in Article 5(3) | No mention of cookies |
| Relationship | Takes precedence for electronic communications (lex specialis) | General data protection framework |
The key difference for analytics: GDPR allows "legitimate interest" as a legal basis for basic analytics. The ePrivacy Directive does not — if you set a cookie, you need consent, period. There's no legitimate interest exception for device storage.
This means a tool can be GDPR-compliant under legitimate interest but still violate the ePrivacy Directive by setting cookies without consent.
How Different Countries Implement It
Because the ePrivacy Directive is a directive (not a regulation), each EU member state transposed it into national law differently. This creates real variation:
France (CNIL): The strictest enforcer. Requires that "reject all" must be as easy as "accept all" — no dark patterns. In 2025, the CNIL issued €486.8 million in fines, including €325 million against Google for cookie violations and €150 million against SHEIN for setting advertising cookies before users could interact with the consent banner.
Germany (TTDSG/TDDDG): Only two legal bases for cookies — consent or strictly necessary. No balancing test, no grey areas. Some German supervisory authorities say consent is required for all analytics, full stop.
Netherlands: More permissive. Dutch law explicitly allows analytics cookies without consent if they have "no or little impact on privacy." Tracking cookies still require consent.
Austria, Cyprus, Finland: Supervisory authorities have stated consent is required for all analytics that fall within Article 5(3) scope, regardless of privacy impact.
UK (PECR): Post-Brexit, the UK's Privacy and Electronic Communications Regulations mirror the ePrivacy Directive. The ICO requires consent for analytics cookies.
This patchwork is exactly why the ePrivacy Regulation was supposed to replace the Directive — to create one uniform set of rules. That didn't happen.
The CNIL's Audience Measurement Exemption
France's CNIL created an important exception: analytics tools can operate without consent if they meet all of these criteria:
- Purpose limited strictly to audience measurement for the publisher only
- No cross-site tracking or measurement
- No combining data with other processing operations
- Cookie lifetime maximum of 13 months
- Data retention maximum of 25 months
- Output must be anonymous — both in visualization and export
- Data used exclusively by the publisher, not shared with third parties
The CNIL explicitly notes that "most large audience measurement offerings do not fall within the scope of the exemption, regardless of their configuration." Google Analytics does not qualify. Matomo can qualify if self-hosted and configured correctly. Piano Analytics (formerly AT Internet) has been recognized.
This exemption isn't EU-wide — it's a French interpretation. But it has been influential, with several other DPAs pointing to similar criteria.
What Happened to the ePrivacy Regulation?
The ePrivacy Regulation was proposed in January 2017 to replace the 2002 Directive with a directly applicable regulation — uniform rules across all EU member states. It got stuck in legislative negotiations for eight years.
In February 2025, the European Commission formally withdrew the proposal. The reason: "no foreseeable agreement" and the proposal had become "outdated in view of recent legislation and technological landscape."
Instead, the Commission proposed targeted amendments through the Digital Omnibus Regulation in late 2025. This would:
- Move some Article 5(3) requirements into GDPR as a new Article 88a
- Introduce automated preference signals (browser-based consent) to reduce "consent fatigue"
The Commission estimates EU users spend ~334 million hours per year clicking cookie banners, costing roughly €11.2 billion in lost productivity.
For now, the 2002 Directive (as amended in 2009) remains in force indefinitely. There is no replacement on the horizon.
What This Means for Your Analytics
Here's the practical breakdown:
If your analytics tool sets cookies (Google Analytics, Matomo default configuration):
- You need a consent banner — required by Article 5(3), no exception
- You must offer "reject all" as prominently as "accept all"
- You'll lose 30-70% of your data from visitors who decline
- You need to comply with whichever national implementation applies
- Enforcement is increasing, not decreasing — 2025 saw record fines
If your analytics tool uses no cookies and stores nothing on the device (Plausible, Fathom, Fairlytics):
- Article 5(3) doesn't apply — there's no device storage to consent to
- No consent banner needed for analytics
- You still need GDPR compliance (privacy policy, DPA if using a cloud provider)
- No DPA has taken enforcement action against truly cookieless analytics tools
The legal nuance: Some scholars argue that even reading the User-Agent string or IP address constitutes "accessing information from terminal equipment." In practice, no regulator has applied Article 5(3) this broadly, and the CNIL's exemption criteria suggest regulators accept that minimal server-side data collection falls outside the Directive's scope.
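As an added check (example code, not from the article or any tool it names): a JavaScript audit harness that wraps the device-storage APIs an analytics script can touch and reports every read or write, which is what decides whether Article 5(3) is triggered. It runs here against a constructed stand-in for `window` and two constructed sample trackers; in a browser you would pass `window` itself.

```javascript
// Added example, not from the article: instrument the storage APIs an
// analytics script may touch and record every access made before consent.
// `env` is a window-like object; a constructed stand-in is built below so the
// check runs under Node. Reads are logged too, because Article 5(3) covers
// "accessing information from" the device, not only storing on it.
function auditDeviceStorage(env, script) {
  const events = [];
  const record = (api, op, key) => events.push({ api, op, key });
  // document.cookie: replace the accessor so both gets and sets are logged.
  // (Against a real browser you would forward to the original accessor.)
  const doc = env.document;
  let jar = doc.cookie;
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { record("cookie", "read", null); return jar; },
    set(v) { record("cookie", "write", String(v).split("=")[0].trim()); jar = v; },
  });
  // Web Storage: wrap setItem/getItem on localStorage and sessionStorage.
  for (const api of ["localStorage", "sessionStorage"]) {
    const store = env[api];
    const origSet = store.setItem.bind(store);
    const origGet = store.getItem.bind(store);
    store.setItem = (k, v) => { record(api, "write", k); origSet(k, v); };
    store.getItem = (k) => { record(api, "read", k); return origGet(k); };
  }
  script(env);
  return { touchesDevice: events.length > 0, events };
}

// Constructed stand-in for the parts of `window` the audit needs.
function makeEnv() {
  const mem = () => {
    const m = new Map();
    return { setItem: (k, v) => m.set(k, String(v)),
             getItem: (k) => (m.has(k) ? m.get(k) : null) };
  };
  return { document: { cookie: "" }, localStorage: mem(), sessionStorage: mem(), beacons: [] };
}

// Constructed sample scripts: a cookie-based tracker versus a cookieless one.
function cookieTracker(env) {
  if (!env.document.cookie.includes("visitor_id=")) {
    env.document.cookie = "visitor_id=abc123; max-age=34128000"; // ~13 months
  }
  env.beacons.push({ path: "/pricing", visitor: env.document.cookie });
}
function cookielessTracker(env) {
  env.beacons.push({ path: "/pricing" }); // sends a hit, stores nothing on the device
}
```

The harness only sees client-side storage access; it says nothing about server-side reading of the User-Agent or IP address, which the article notes regulators have not treated as device access.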
Why This Matters More Now
With the ePrivacy Regulation withdrawn and the 2002 Directive remaining in force, the current rules aren't going anywhere. The patchwork of national implementations will persist. Enforcement is accelerating — the CNIL alone issued nearly 9x more in fines in 2025 than 2024.
The simplest way to handle this: don't trigger Article 5(3) in the first place. If your analytics tool stores nothing on the visitor's device, the ePrivacy Directive's consent requirement simply doesn't apply to you.
Fairlytics takes this approach — a 510-byte script that sets no cookies, uses no local storage, and collects no personal data. Free for sites under 10K monthly views. You can remove your cookie banner and still know how your site is performing.
This article is for informational purposes only and does not constitute legal advice. For specific compliance questions, consult a data protection professional.