ePrivacy: Common Scenarios
Practical guidance for applying the ePrivacy Directive to real-world situations.
Scenario 1: Cookie Banner Implementation
Question: What’s required for a legally compliant cookie banner?
Answer:
- No cookies before consent — Analytics/marketing cookies blocked until accepted
- Clear Accept/Reject options — Both equally prominent
- Granular choices — Allow selection by category
- No dark patterns — Don’t make “Accept” easier than “Reject”
- Remember choices — Store consent preference (this cookie is exempt)
Citation: Art 5(3)
Scenario 2: Marketing Email to Purchased List
Question: Can we send marketing emails to a list we purchased from a data broker?
Answer: No. The soft opt-in exception requires:
- YOU obtained the email during a sale
- Marketing YOUR OWN similar products
- Opt-out given at collection
Purchased lists fail all three conditions. Prior opt-in consent is required.
Citation: Art 13(1), Art 13(2)
Scenario 3: Re-engagement Email Campaign
Question: Can we email inactive customers who haven’t engaged in 2 years?
Answer: Yes, with conditions:
- Original consent or soft opt-in was valid
- Consent hasn’t been withdrawn
- Still marketing similar products
- Easy unsubscribe included
Best practice: Consider a re-permission campaign rather than assuming old consent is still valid.
Citation: Art 13(2)
Scenario 4: B2B Cold Email
Question: Can we cold email business contacts at their work email?
Answer: Depends on Member State:
- UK, Germany: B2B opt-out model allowed
- France, Spain: Opt-in required for all
Safe approach: Check local implementation. When in doubt, use opt-in.
Citation: Art 13(5)
Scenario 5: Analytics Without Consent
Question: Can we run Google Analytics without cookie consent?
Answer: No. Google Analytics sets cookies that are not “strictly necessary” for the service requested by the user. Consent required.
Alternatives:
- Privacy-focused analytics (Plausible, Fathom) — may still need consent
- Server-side analytics — no cookies, no consent needed
- Aggregated data only — ensure true anonymization
Citation: Art 5(3)
Scenario 6: Session Cookies
Question: Do we need consent for login session cookies?
Answer: No. Session cookies for user authentication are “strictly necessary” for the service explicitly requested. Exempt from consent.
Also exempt:
- Shopping cart cookies
- CSRF security tokens
- Load balancing cookies
- Consent preference cookies
Citation: Art 5(3)
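The cookie rules from Scenarios 1 and 6 expressed as a consent gate, as an added example that is not part of the original guidance. The category names, the `consent_prefs` cookie name, and the Map-based jar standing in for `document.cookie` are assumptions; removing already-set cookies when a category is rejected is a design choice of this example.

```javascript
// Added example. Category names, the "consent_prefs" cookie name and the
// Map-based jar (a stand-in for document.cookie) are assumptions.
const EXEMPT = new Set(["session", "cart", "csrf", "load_balancing", "consent_prefs"]);
const OPTIONAL = ["analytics", "marketing"];
const PREF_COOKIE = "consent_prefs";

// Parse the stored preference; anything missing or malformed means "no consent".
function readConsent(jar) {
  const granted = Object.fromEntries(OPTIONAL.map((c) => [c, false]));
  const entry = jar.get(PREF_COOKIE);
  if (!entry) return granted;
  try {
    const saved = JSON.parse(entry.value);
    for (const c of OPTIONAL) granted[c] = saved[c] === true;
  } catch (_) { /* corrupt value: keep default deny */ }
  return granted;
}

// Write a cookie only if its category is exempt or has been accepted.
function setCookie(jar, name, value, category) {
  const allowed = EXEMPT.has(category) || readConsent(jar)[category] === true;
  if (allowed) jar.set(name, { value, category });
  return allowed;
}

// Store the per-category choice and drop cookies from rejected categories.
function recordChoice(jar, choices) {
  const clean = Object.fromEntries(OPTIONAL.map((c) => [c, choices[c] === true]));
  jar.set(PREF_COOKIE, { value: JSON.stringify(clean), category: PREF_COOKIE });
  for (const [name, c] of [...jar]) {
    if (!EXEMPT.has(c.category) && !clean[c.category]) jar.delete(name);
  }
  return clean;
}

// Constructed walk-through: first visit, granular accept, then "Reject all".
function demo() {
  const jar = new Map();
  const log = [];
  log.push(setCookie(jar, "sid", "abc", "session"));   // exempt category
  log.push(setCookie(jar, "_ga", "x", "analytics"));   // blocked: no choice yet
  recordChoice(jar, { analytics: true, marketing: false });
  log.push(setCookie(jar, "_ga", "x", "analytics"));   // accepted category
  log.push(setCookie(jar, "ads", "y", "marketing"));   // rejected category
  recordChoice(jar, {});                               // "Reject all"
  log.push(jar.has("_ga"), jar.has("sid"));            // analytics gone, session kept
  return log;
}
```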
Scenario 7: Telecom Retaining Call Records
Question: How long can a telecom retain call metadata?
Answer:
- For billing: Until period for legal challenge expires (typically 6 months)
- For marketing: Only with subscriber consent
- For law enforcement: Only under specific legal order, targeted retention
Not permitted: Blanket retention “just in case”
Citation: Art 6(1), Art 6(2)
Scenario 8: Location-Based Advertising
Question: Can our app use GPS location for targeted ads?
Answer: Only with consent:
- Request location permission with clear explanation
- Explain it’s for advertising (not just “improve experience”)
- Provide easy toggle to disable
- Honor temporary refusal per-session
Don’t: Bundle location consent with app functionality unless essential.
Citation: Art 9(1), Art 9(2)
Scenario 9: Employee Email Monitoring
Question: Can we monitor employee work emails?
Answer: Complex — check national law:
- ePrivacy protects confidentiality of communications
- Employment law varies by Member State
- Generally requires: legitimate purpose, transparency, proportionality
Minimum requirements:
- Clear policy communicated to employees
- Legitimate business reason
- Proportionate monitoring (not reading all emails)
- Compliance with local labor law
Citation: Art 5(1)
Scenario 10: IoT Device Data
Question: Does ePrivacy apply to our smart home device?
Answer: Likely yes, if it:
- Connects to electronic communications network
- Stores/accesses data on user’s device
- Processes traffic or location data
Key obligations:
- Cookie-like consent for device storage
- Location data consent
- Traffic data minimization
Citation: Art 5(3), Art 6, Art 9
Quick Reference Table
| Scenario | Consent Required? | Citation |
|---|---|---|
| Analytics cookies | Yes | Art 5(3) |
| Marketing emails to customers | Soft opt-in OK | Art 13(2) |
| Marketing emails to purchased list | Yes (prior consent) | Art 13(1) |
| Session/security cookies | No | Art 5(3) |
| Location for advertising | Yes | Art 9(1) |
| Call recording for business | Depends on law | Art 5(1) |
| B2B cold email | Varies by country | Art 13(5) |