eprivacy-essential-cookies
ePrivacy Directive Article 5(3) Essential Cookie Exemption
Overview
Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) requires informed consent before storing or accessing information on a user's terminal equipment (cookies, LocalStorage, device fingerprints). However, it provides an exemption for storage that is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to deliver the service." Correctly classifying cookies under this exemption is critical — over-claiming exemption exposes organizations to enforcement action, while under-claiming creates unnecessary consent friction. The Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption (WP 194) remains the authoritative guidance on applying this exemption.
Exemption Criteria
The Two-Part Test
A cookie qualifies for the strictly necessary exemption only if BOTH conditions are met:
Condition 1 — The cookie is strictly necessary The cookie must be essential for the specific functionality that the user has actively requested. "Strictly necessary" means the service literally cannot function without it — not merely that it would be degraded or less convenient.
Condition 2 — For a service explicitly requested by the user The user must have actively requested the service that the cookie enables. The cookie must serve the user's purpose, not the website operator's purpose. A cookie that is necessary for the operator's business model (e.g., analytics) but not for the service the user requested (e.g., viewing products) does not qualify.