ePrivacy Directive
Directive 2002/58/EC (as amended by Directive 2009/136/EC), colloquially the "Cookie Directive" or "Cookie Law", is the EU law that governs privacy in electronic communications and mandates consent for placing or reading tracking technologies on a user's terminal device. It operates as a lex specialis alongside the GDPR: the ePrivacy Directive determines whether consent is required to place a cookie or read device storage; the GDPR then governs how that consent must be collected and how any personal data gathered via those technologies must be processed. Both instruments apply simultaneously to ecommerce websites serving EU users. The UK equivalent is PECR (Privacy and Electronic Communications Regulations 2003), which transposed the Directive and continues to apply post-Brexit under UK law.
Legal architecture
Article 5(3) — the core rule
Article 5(3) of the ePrivacy Directive requires that storing or gaining access to information on a user's terminal equipment is permitted only with user consent or where technically necessary for a service explicitly requested by the user. Legitimate interest under GDPR Article 6(1)(f) does not substitute for this consent requirement — a point confirmed by the EDPB and consistently reported by practitioners in r/gdpr (GDPR.eu, consenteo.com, 2026; r/gdpr community, 2024-08).
The EDPB adopted version 2.0 of its Guidelines 2/2023 on the Technical Scope of Article 5(3) on 7 October 2024, clarifying that the provision applies far beyond HTTP cookies. The EDPB confirmed Article 5(3) covers (as-of 2024-10-07):
- Tracking pixels and tracking links
- Device fingerprinting techniques
- Local processing where information is transferred outside the user's device
- IoT device reporting
- Certain IP-only tracking techniques
- Web storage mechanisms including localStorage and IndexedDB
Terminal equipment in scope includes smartphones, laptops, connected cars, connected TVs, and smart glasses — not just desktop computers (EDPB Guidelines 2/2023 v2.0, 2024-10-07).
The two-layer system
The ePrivacy Directive and GDPR operate as a two-layer system for ecommerce (GDPR.eu; r/gdpr community, high-upvote consensus):
- Layer 1 — ePrivacy Art. 5(3): governs the act of placing or reading tracking technologies on terminal equipment. Sets the consent trigger.
- Layer 2 — GDPR: governs the downstream processing of any personal data thereby collected. Sets consent quality, information requirements, and data subject rights.
DPAs enforce them together, citing ePrivacy national implementation and GDPR Article 7 in the same enforcement action (r/gdpr, u/dpo_network, 567-upvote thread, 2025-05).
Member-state variation
The ePrivacy Directive is a minimum-harmonisation instrument implemented differently across EU Member States. Cookie consent rules vary in detail from country to country even though Article 5(3) sets the floor (recordinglaw.com, 2026).
Strictly necessary exemption — narrower than assumed
Practitioners in r/gdpr (234-upvote thread, 2024-03) report the "strictly necessary" exemption is narrower than most developers assume: it requires necessity for a service explicitly requested by the user, not necessity for the business.
| Cookie type | Necessity status | Consent required? |
|---|---|---|
| Session ID, cart, auth token, CSRF, load balancer sticky session | Strictly necessary | No |
| Accessibility preferences explicitly set by user | Strictly necessary | No |
| Language preference, recently viewed, wishlist | Grey area | DPA-dependent |
| Analytics (GA4, Hotjar, FullStory, Mixpanel) | Not necessary | Yes |
| Marketing (Meta Pixel, TikTok Pixel, Google Ads, retargeting) | Not necessary | Yes |
Multiple DPAs are "increasingly checking" over-claims of necessity for analytics and personalisation (r/gdpr, u/cmb5e6f, 167 upvotes, 2024-03; corroborated r/ecommerce, 2024-05).
Enforcement landscape (as-of 2026-06-29)
France — CNIL (most active EU enforcer)
CNIL fined Google €325 million (€200m against Google LLC + €125m against Google Ireland) on 1 September 2025 for displaying Gmail ads without prior consent and collecting invalid consent during account creation. The CNIL found Google used asymmetric design ("dark patterns") making accepting personalised cookies easier than refusing (CNIL press release, 2025-09-01; Goodwin Law, 2025-09).
CNIL fined Shein's Irish subsidiary (Infinite Styles Co. Limited) €150 million on 1 September 2025 for placing advertising cookies without valid user consent (CNIL, 2025-09-01).
CNIL conducted sector sweeps targeting 50+ French ecommerce sites simultaneously; exposure applies to non-French-incorporated retailers selling to French customers (r/gdpr, OP fined €45k, 567-upvote thread, 2025-05).
A mid-size ecommerce operator (~€2M revenue) reported in r/gdpr being fined €45,000 by CNIL for three dark patterns: green Accept vs multi-click Reject requiring three steps; pre-ticked analytics boxes; re-showing the banner every 30 days after users had already consented (r/gdpr, 567 upvotes, 2025-05).
Matomo's analysis (matomo.org, 2025-09) states CNIL issued 83 sanctions totalling approximately €486.8 million in 2025. The individual fine amounts confirmed for Google (€325M) and Shein (€150M) sum to €475 million, close to but not identical with the €486.8M aggregate. The difference likely reflects other smaller fines, but the Matomo figure could not be cross-checked against a primary CNIL aggregate source. Both figures are vendor-sourced or secondary (Matomo sells analytics software, a mild conflict of interest).
UK — ICO and PECR
The ICO published final guidance on "storage and access technologies" on 29 April 2026, broadening scope beyond cookies to explicitly cover tracking pixels, device fingerprinting, web storage, and tag-based scripts under PECR Regulation 6 (ICO, 2026-04-29).
The Data (Use and Access) Act 2025 (DUAA), commencing 5 February 2026, raised the maximum PECR fine ceiling to £17.5 million or 4% of global annual turnover — up from the previous £500,000 maximum (ICO guidance, 2026-04-29; WSG Data Advisor, 2026-02). (as-of 2026-04-29)
The ICO's 2025 compliance review of the top 1,000 UK websites found that over 95% met cookie compliance standards by December 2025, achieved through engagement — letters, investigations, and 17 preliminary enforcement notices — rather than financial penalties (ICO, December 2025; YouTube — tg5xPKNIgLQ, 2025-06-24).
ICO's updated 2026 guidance added sub-chapters on "simple means of objecting" and "same technology for multiple purposes" — directly addressing ecommerce analytics-plus-personalisation use-cases (Costello Advisory, 2026).
Other EU DPAs (as-of 2024-08)
r/gdpr contributors report: CNIL issued 14 cookie-related fines in H1 2024 alone; Italian Garante increasing activity; Spanish AEPD ramping up; German DPAs coordinating; Dutch AP slower but changing (r/gdpr, 445-upvote thread, 2024-08). (as-of 2024-08)
Dark patterns — prohibited practices
EDPB cookie banner task force findings establish prohibited dark patterns (EDPB guidelines; r/gdpr, 445-upvote thread, 2024-08):
- Asymmetric visual design: Accept button prominent / Reject button muted or harder to find
- Multi-step rejection vs single-click acceptance
- Consent walls blocking site access without consent
- Pay-or-consent models (under active DPA investigation — see below)
- Pre-ticked boxes (settled as illegal since ECJ Planet49, 2019)
- Misleading language hiding the nature of consent
- Re-showing banner to users who have already consented
CNIL and multiple DPAs now require "Reject all" as a single-click option of equivalent prominence to "Accept all." German DSK issued aligned guidance in 2024. The principle is "ease of rejection, not specific button labelling" — a customise screen with all pre-unticked boxes and Reject all has been accepted by some DPAs (r/gdpr, 312-upvote thread, 2025-07). (as-of 2025-07)
Pay-or-consent (PUR model)
The "pay-or-consent" model (free access with tracking OR paid access without) is described by r/gdpr contributors as "the big live debate in 2024." Meta's conditional approval from German DPA for a paid tracking-free tier was cited. EDPB Opinion 08/2024 was described as saying pay-or-consent is "generally not valid consent but left room for very specific circumstances." Contributors describe this as "massively unsettled" (r/gdpr, 445-upvote thread, 2024-08). (as-of 2024-08)
Impact on ecommerce measurement
Analytics consent rates
Ecommerce operators in r/ecommerce report typical analytics cookie consent rates with compliant banners (as-of 2024-05, vendor benchmark — treat with caution):
| Sector | Consent opt-in rate |
|---|---|
| General retail | 35–42% |
| Fashion/lifestyle | 45–55% |
| Financial services | 28–35% |
| Subscription services | 50–60% |
These benchmarks are from a CMP consultant reporting across ~50 EU ecommerce clients (r/ecommerce, 2024-05). No independent publication corroborates these figures. They are directionally useful but not primary-source data.
GA4 and attribution degradation
r/ecommerce contributors report "40% data loss" from compliant GA4 consent as "on the lower end" — some sectors see 50–65% (r/ecommerce, 567-upvote thread, 2024-09). One ecommerce CMO notes consented users show 23% higher conversion rates than non-consented users, "likely reflecting a population difference rather than a causal effect, which distorts your CRO decisions" (r/ecommerce, 2024-09).
A/B testing is significantly degraded: "statistical significance takes much longer to reach" — one operator describes moving to server-side experiments and "accepted longer test durations" as a real product velocity cost (r/ecommerce, u/conversion_rate_eu, 134 upvotes, 2024-09).
A "two-tier measurement reality" is described: large retailers with data science teams compensate via modelling, first-party data, media mix modelling (MMM), and incrementality testing; small retailers "who relied 100% on GA4 for attribution are flying blind" (r/ecommerce, 167-upvote comment, 2024-09).
Google Consent Mode v2
Google Consent Mode v2 became mandatory for Google Ads and GA4 in EU/EEA from March 2024 — without it, Google stopped processing EU conversion data. Requires CMP to support consent signals for four parameters: analytics_storage, ad_storage, ad_user_data, ad_personalization (r/gdpr, 201-upvote thread, 2025-02). (as-of 2025-02)
A grey area reported by r/gdpr contributors: in Consent Mode v2 "basic mode," Google fires cookieless pings from non-consented users for modelling purposes. "Multiple privacy researchers have flagged this as potentially violating the spirit of consent." DPAs had not formally ruled on it as of early 2025 (r/gdpr, u/privacy_vs_google, 167 upvotes, 2025-02). (as-of 2025-02)
A common implementation mistake: consent mode fires out of order when CMP loads after GTM, meaning the first page view always fires with default consent (usually "denied"), creating data distortion even on nominally compliant implementations (r/gdpr, u/ga4_compliance, 145 upvotes, 2025-02).
Phil Pearce (MeasureMinds, Masters of Privacy podcast, 2026-03-08) argues that Google Consent Mode does not by itself satisfy ePrivacy/PECR obligations — misconfigured Tag Manager rules and consent banners frequently leave live technical gaps even when Consent Mode is deployed (YouTube — kac1SP59HFw, Masters of Privacy, 2026-03-08).
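The out-of-order Consent Mode problem above, as an added example. This is not code from the page, from Google or from any CMP vendor: it models the gtag()/dataLayer command queue as a plain array and audits a captured queue for the mistake described (first hit fires before the CMP's update, so it carries the default "denied" state). Assumptions: the queue is the one the page built (for instance copied from `window.dataLayer` in devtools); GTM object pushes with an `event` key are treated as tag-firing points; the `G-XXXXXXX` measurement ID is a placeholder.

```javascript
// Added example, not the page's, Google's or a CMP vendor's code.
const CONSENT_V2_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// The standard gtag shim: every call is appended to the queue, nothing else happens here.
function makeGtag(dataLayer) {
  return (...args) => { dataLayer.push(args); };
}

// A 'config' or 'event' gtag command, or a GTM object push with an event name, is where tags fire.
function isTagFiringPoint(cmd) {
  if (Array.isArray(cmd)) return cmd[0] === 'config' || cmd[0] === 'event';
  return cmd !== null && typeof cmd === 'object' && typeof cmd.event === 'string';
}

// Walks the queue in order and returns findings; an empty list means the ordering is sound.
function auditConsentOrder(dataLayer) {
  const findings = [];
  let defaultIdx = -1, updateIdx = -1, firstTagIdx = -1, waitForUpdate = 0;
  dataLayer.forEach((cmd, i) => {
    if (Array.isArray(cmd) && cmd[0] === 'consent') {
      const [, action, params = {}] = cmd;
      if (action === 'default' && defaultIdx === -1) {
        defaultIdx = i;
        waitForUpdate = Number(params.wait_for_update) || 0;
        const missing = CONSENT_V2_KEYS.filter((k) => !(k in params));
        if (missing.length) findings.push(`consent default omits ${missing.join(', ')}`);
      } else if (action === 'update' && updateIdx === -1) {
        updateIdx = i;
      }
    } else if (firstTagIdx === -1 && isTagFiringPoint(cmd)) {
      firstTagIdx = i;
    }
  });
  if (defaultIdx === -1) {
    findings.push('no consent default: gtag treats every signal as granted');
  } else if (firstTagIdx !== -1 && defaultIdx > firstTagIdx) {
    findings.push('consent default pushed after first tag: first hit ignores consent');
  }
  const updateTooLate = updateIdx === -1 || (firstTagIdx !== -1 && updateIdx > firstTagIdx);
  if (defaultIdx !== -1 && firstTagIdx !== -1 && updateTooLate && waitForUpdate === 0) {
    findings.push('first hit fires before CMP update with no wait_for_update: it carries the default (denied) state');
  }
  return findings;
}

const ALL_DENIED = { ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied' };

// Constructed queue: the GTM/gtag snippet ran before the CMP, so the first page_view
// fired under the defaults and the CMP's update landed afterwards.
function brokenQueue() {
  const dl = [];
  const gtag = makeGtag(dl);
  gtag('js', new Date());
  gtag('consent', 'default', { ...ALL_DENIED });
  gtag('config', 'G-XXXXXXX');                                  // first hit: still 'denied'
  gtag('consent', 'update', { ...ALL_DENIED, analytics_storage: 'granted' });
  return dl;
}

// Constructed queue: default pushed first with wait_for_update, CMP answers before config runs.
function fixedQueue() {
  const dl = [];
  const gtag = makeGtag(dl);
  gtag('consent', 'default', { ...ALL_DENIED, wait_for_update: 500 });
  gtag('js', new Date());
  gtag('consent', 'update', { ...ALL_DENIED, analytics_storage: 'granted' });
  gtag('config', 'G-XXXXXXX');
  return dl;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('broken:', auditConsentOrder(brokenQueue()));
  console.log('fixed:', auditConsentOrder(fixedQueue()));
}
```

On a live page the fix is the shape of `fixedQueue()`: push the `consent default` call, with `wait_for_update`, from a synchronous inline script placed before the GTM or gtag snippet, and have the CMP push its `consent update` as early as it can. Re-running `auditConsentOrder(window.dataLayer)` after load is a cheap regression check for the "banner shows but first hit is wrong" gap.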
IAB Transparency and Consent Framework (TCF)
Belgian DPA found IAB TCF 2.0 non-compliant with GDPR in 2022; IAB TCF 2.2 released in 2023. As of late 2024, the situation remained unresolved (r/gdpr, 334-upvote thread, 2025-01). (as-of 2025-01)
TCF is only relevant to ecommerce retailers running programmatic display advertising. For standard analytics + marketing tracking (GA4, Meta Pixel, TikTok Pixel), a GDPR/ePrivacy compliant consent mechanism is needed but it does not need to be TCF (r/gdpr, u/retail_dpo, 145 upvotes, 2025-01).
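To show what a TCF consent signal actually carries, here is an added example of encoding and decoding the header of a TCF v2 core TC string (the segment before the first `.`). It is not IAB code and not from the page; field order and widths follow the published IAB TCF v2 core-string layout as understood by the editor, the vendor-consent section is written as a plain bitfield, range-encoded vendor sections are rejected rather than parsed, and the sample string is constructed here with the block's own encoder (CMP ID 300, vendor IDs 2, 8 and 755 are made-up values).

```javascript
// Added example, not IAB code and not from the page.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Core-string header fields in order: [name, width in bits, type].
const CORE_FIELDS = [
  ['version', 6, 'int'], ['created', 36, 'int'], ['lastUpdated', 36, 'int'], ['cmpId', 12, 'int'],
  ['cmpVersion', 12, 'int'], ['consentScreen', 6, 'int'], ['consentLanguage', 12, 'letters'],
  ['vendorListVersion', 12, 'int'], ['tcfPolicyVersion', 6, 'int'], ['isServiceSpecific', 1, 'int'],
  ['useNonStandardStacks', 1, 'int'], ['specialFeatureOptIns', 12, 'ids'], ['purposesConsent', 24, 'ids'],
  ['purposesLITransparency', 24, 'ids'], ['purposeOneTreatment', 1, 'int'], ['publisherCC', 12, 'letters'],
];

const encode = {
  int: (v, w) => { const s = BigInt(v).toString(2); if (s.length > w) throw new Error(`${v} does not fit in ${w} bits`); return s.padStart(w, '0'); },
  ids: (ids, w) => Array.from({ length: w }, (_, i) => (ids.includes(i + 1) ? '1' : '0')).join(''), // bit i-1 <=> id i
  letters: (s, w) => s.toUpperCase().split('').map((c) => encode.int(c.charCodeAt(0) - 65, 6)).join('').padStart(w, '0'),
};
const decode = {
  int: (b) => (b === '' ? 0 : Number(BigInt('0b' + b))),
  ids: (b) => b.split('').flatMap((c, i) => (c === '1' ? [i + 1] : [])),
  letters: (b) => String.fromCharCode(...b.match(/.{6}/g).map((x) => 65 + parseInt(x, 2))),
};

function encodeCoreString(fields, vendorConsentIds) {
  let bits = CORE_FIELDS.map(([name, w, type]) => encode[type](fields[name], w)).join('');
  const maxVendorId = vendorConsentIds.length ? Math.max(...vendorConsentIds) : 0;
  bits += encode.int(maxVendorId, 16) + '0';           // MaxVendorId, IsRangeEncoding = 0 (bitfield)
  bits += encode.ids(vendorConsentIds, maxVendorId);    // vendor consent bitfield
  bits += encode.int(0, 16) + '0';                      // vendor legitimate-interest section, empty
  bits += encode.int(0, 12);                            // NumPubRestrictions = 0
  bits = bits.padEnd(Math.ceil(bits.length / 6) * 6, '0');
  return bits.match(/.{6}/g).map((x) => B64URL[parseInt(x, 2)]).join('');
}

function decodeCoreString(tcString) {
  const core = tcString.split('.')[0];
  const bits = core.split('').map((c) => {
    const i = B64URL.indexOf(c);
    if (i < 0) throw new Error(`not base64url: ${c}`);
    return i.toString(2).padStart(6, '0');
  }).join('');
  let pos = 0;
  const read = (w) => { const b = bits.slice(pos, pos + w); pos += w; return b; };
  const out = {};
  for (const [name, w, type] of CORE_FIELDS) out[name] = decode[type](read(w));
  if (out.version !== 2) throw new Error(`unsupported TC string version ${out.version}`);
  const maxVendorId = decode.int(read(16));
  if (decode.int(read(1)) === 1) throw new Error('range-encoded vendor section not handled here');
  out.vendorConsent = decode.ids(read(maxVendorId));
  return out;
}

// Constructed sample: purposes 1, 3, 4 consented; LI transparency for 2, 7, 9, 10; vendors 2, 8, 755.
const SAMPLE_FIELDS = {
  version: 2, created: 17000000000, lastUpdated: 17000000000, cmpId: 300, cmpVersion: 1,
  consentScreen: 1, consentLanguage: 'EN', vendorListVersion: 50, tcfPolicyVersion: 4,
  isServiceSpecific: 1, useNonStandardStacks: 0, specialFeatureOptIns: [1],
  purposesConsent: [1, 3, 4], purposesLITransparency: [2, 7, 9, 10], purposeOneTreatment: 0, publisherCC: 'FR',
};
const SAMPLE_TC_STRING = encodeCoreString(SAMPLE_FIELDS, [2, 8, 755]);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(SAMPLE_TC_STRING);
  console.log(decodeCoreString(SAMPLE_TC_STRING));
}
```

Reading the `purposesConsent` and `vendorConsent` lists out of the `euconsent-v2` cookie a CMP stores is the quickest way to verify that a "Reject all" click really produced a string with no consented purposes, rather than trusting the banner's own state.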
Consent Management Platforms (CMPs) for ecommerce
Shopify's built-in consent banner is described by r/ecommerce operators as "not compliant for EU if you care about actual compliance — it shows a banner but the cookies fire anyway." A proper CMP that actually gates script loading is required (r/ecommerce, u/shopify_plus_merchant, 145 upvotes, 2024-09). (as-of 2024-09)
Recommended CMPs for Shopify EU cited by practitioners: Axeptio (popular in France, good CNIL alignment), Cookiebot (easy integration, expensive), Usercentrics, Pandectes GDPR Compliance (Shopify-native, cheaper, less feature-rich) (r/gdpr, 2025-02).
Warning from r/gdpr: "many 'GDPR apps' on Shopify App Store don't actually block scripts, they just show a banner" (r/gdpr, u/cmp_implementation, 89 upvotes, 2025-02).
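The distinction between "a banner is showing" and "scripts are actually gated", as an added example. This is not the page's code and not any CMP vendor's: it shows the script-gating pattern a real CMP implements (tags ship in the HTML as `type="text/plain"` with a category attribute and are only turned into executable scripts for categories the user granted), plus a pre-consent check that catches the "cookies fire anyway" failure. The `data-consent` attribute name and the tracker cookie-name prefixes are assumptions limited to the tags named on this page; the script records and cookie string are constructed sample input.

```javascript
// Added example, not the page's or any CMP vendor's code.
// Cookie-name prefixes for the tags this page discusses (assumption; extend for your own tag set).
const TRACKER_COOKIE_PREFIXES = {
  analytics: ['_ga', '_gid', '_gat'],              // Google Analytics
  marketing: ['_fbp', '_fbc', '_ttp', '_gcl_'],    // Meta Pixel, TikTok Pixel, Google Ads click ids
};

// Scripts are records { type, category, ... }. Only inert (text/plain) scripts whose
// category the user explicitly granted are returned; unknown categories stay blocked.
function selectScriptsToActivate(scripts, consent) {
  return scripts.filter((s) => s.type === 'text/plain' && consent[s.category] === true);
}

// Browser-side activation. Changing `type` on an existing element does not execute it,
// so the element is replaced by a fresh executable script with the same attributes.
function activateScriptElement(el) {
  const fresh = document.createElement('script');
  for (const { name, value } of Array.from(el.attributes)) {
    if (name !== 'type' && name !== 'data-consent') fresh.setAttribute(name, value);
  }
  if (!el.src) fresh.textContent = el.textContent;
  el.replaceWith(fresh);
  return fresh;
}

// Entry point for the CMP's "consent given" callback; returns how many scripts were released.
function applyConsent(consent) {
  if (typeof document === 'undefined') return 0;   // not in a browser (e.g. run under Node)
  const els = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'));
  const records = els.map((el) => ({ el, type: el.type, category: el.dataset.consent }));
  let released = 0;
  for (const r of selectScriptsToActivate(records, consent)) { activateScriptElement(r.el); released++; }
  return released;
}

// Pre-consent check: parse a document.cookie string and flag tracker cookies whose
// category the user has not (yet) consented to. Run it before any banner interaction.
function findCookiesSetWithoutConsent(cookieString, consent) {
  const names = cookieString.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
  const violations = [];
  for (const [category, prefixes] of Object.entries(TRACKER_COOKIE_PREFIXES)) {
    if (consent[category] === true) continue;
    for (const name of names) {
      if (prefixes.some((p) => name.startsWith(p))) violations.push({ name, category });
    }
  }
  return violations;
}

// Constructed sample data.
const SAMPLE_SCRIPTS = [
  { src: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX', type: 'text/plain', category: 'analytics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js', type: 'text/plain', category: 'marketing' },
  { src: '/js/cart.js', type: 'text/javascript', category: 'necessary' },   // never gated
];
const SAMPLE_PRECONSENT_COOKIES = '_ga=GA1.1.123; _ga_ABC123=GS1.1.456; cart=abc; csrftoken=xyz; _fbp=fb.1.1';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(selectScriptsToActivate(SAMPLE_SCRIPTS, { analytics: true, marketing: false }));
  console.log(findCookiesSetWithoutConsent(SAMPLE_PRECONSENT_COOKIES, {}));
}
```

A CMP that only shows a banner leaves `findCookiesSetWithoutConsent(document.cookie, {})` non-empty on a fresh profile before any click; one that gates script loading leaves it empty, and `applyConsent({ analytics: true })` is the only thing that makes `_ga` appear. Note that the cookie check covers this page's named tags only; a Playwright or HAR-based request audit is needed to catch pixels and localStorage writes that set no cookie.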
Self-hosted Matomo: CNIL has issued guidance suggesting self-hosted Matomo with anonymized IPs, no cross-site tracking, and no external data sharing "can qualify for cookie exemption or legitimate interest" (r/ecommerce, u/matomo_self_hosted, 145 upvotes, 2025-03). (as-of 2025-03)
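What the "anonymized IPs" condition above amounts to in practice is IP truncation before storage. The following is an added example, not Matomo's code and not from the page: it zeroes the tail of IPv4 and IPv6 addresses. The defaults used (drop the last two IPv4 octets, keep the first 48 bits of an IPv6 address) are illustrative assumptions; check the setting of whichever analytics tool you run. The addresses are constructed from the RFC 5737 and RFC 3849 documentation ranges.

```javascript
// Added example, not Matomo's code and not from the page.

// Expands an IPv6 textual address (including '::' compression) into eight 16-bit groups.
function parseIPv6Groups(addr) {
  if ((addr.match(/::/g) || []).length > 1) throw new Error('invalid IPv6: more than one ::');
  const compressed = addr.includes('::');
  const [head, tail = ''] = addr.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const fill = compressed ? 8 - h.length - t.length : 0;
  if (fill < 0 || (!compressed && h.length !== 8)) throw new Error('invalid IPv6: wrong group count');
  const groups = [...h, ...Array(fill).fill('0'), ...t].map((g) => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error(`invalid IPv6 group "${g}"`);
    return parseInt(g, 16);
  });
  if (groups.length !== 8) throw new Error('invalid IPv6: wrong group count');
  return groups;
}

// Truncates an IP for storage: IPv4 by zeroing the last v4MaskOctets octets,
// IPv6 by keeping only the first v6KeepBits bits. Throws on malformed input rather
// than storing it unmasked.
function anonymizeIp(ip, { v4MaskOctets = 2, v6KeepBits = 48 } = {}) {
  if (ip.includes(':')) {
    return parseIPv6Groups(ip).map((g, i) => {
      const keep = Math.max(0, Math.min(16, v6KeepBits - 16 * i));   // bits kept in this group
      return (g & ((0xffff << (16 - keep)) & 0xffff)).toString(16);
    }).join(':');
  }
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error('invalid IPv4');
  }
  return parts.map((p, i) => (i >= 4 - v4MaskOctets ? '0' : String(Number(p)))).join('.');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(anonymizeIp('203.0.113.77'));                         // 203.0.0.0
  console.log(anonymizeIp('2001:db8:85a3:8d3:1319:8a2e:370:7348')); // 2001:db8:85a3:0:0:0:0:0
}
```

Truncation is one of three conditions the guidance cited above lists alongside no cross-site tracking and no external data sharing; it narrows the identifier but does not on its own make the remaining record non-personal data, which is why the other two conditions matter as much.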
noyb (Max Schrems' organisation) uses "automated complaint systems" targeting sites with obvious dark patterns — characterised as a meaningful risk vector for small ecommerce businesses alongside competitor DPA complaints (r/gdpr, 2024-08; r/ecommerce, 2024-05).
Status of the ePrivacy Regulation
The European Commission formally withdrew the proposed ePrivacy Regulation (originally proposed in 2017) from its legislative agenda on 16 July 2025. The withdrawal was published in the Official Journal of the European Union on 6 October 2025 (Arthur Cox, 2025; confirmed by European Parliament Legislative Train). The stated rationale: "no agreement is expected from the co-legislators and the proposal is outdated in view of recent legislation" (AIGovHub, 2026).
Key sticking points reported by r/gdpr contributors: scope of "electronic communications" in modern internet; browser-based consent signals (Art. 10) disrupting the CMP industry; member state disagreements on enforcement. A 2025-era commenter described it as "unlikely before 2027 at the earliest" — now rendered moot by the formal withdrawal (r/gdpr, 2025, multiple threads).
Digital Omnibus — what replaces it
On 19 November 2025, the European Commission published the "Digital Omnibus" package, which includes targeted amendments to both the GDPR and the ePrivacy Directive rather than a standalone Regulation (Kennedys Law, 2026; Loyens & Loeff, 2025-11).
The Digital Omnibus proposes to restructure Article 5(3):
- Article 5(3) would be retained for non-personal-data scenarios (access to/storage of information on terminal equipment where the activity does not involve processing of personal data)
- Cookie consent for personal data processing would migrate to new GDPR Articles 88a and 88b
noyb (Digital Omnibus Report v3, noyb.eu, 2025) argues this restructuring risks weakening privacy protections rather than simplifying them. Kennedys Law and Loyens & Loeff analyses agree on the mechanics but noyb's evaluative framing diverges sharply: they see the restructuring as a substantive weakening, not a neutral simplification.
As of early 2026, the European Parliament was scheduled to discuss the Digital Omnibus package; a final institutional position had not been adopted (AIGovHub, 2026). (as-of 2026-06-29)
Benchmarks
| Metric | Value | Source | As-of |
|---|---|---|---|
| CNIL fine — Google | €325M | CNIL press release | 2025-09-01 |
| CNIL fine — Shein | €150M | CNIL press release | 2025-09-01 |
| CNIL sanctions total 2025 | ~€486.8M (83 sanctions) | Matomo (vendor, COI) | 2025-09 |
| UK PECR max fine ceiling | £17.5M or 4% global turnover | ICO / DUAA 2025 | 2026-02-05 |
| UK top-1,000 compliance rate | >95% | ICO December 2025 | 2025-12 |
| EU/EEA analytics consent opt-in (fashion) | 45–55% | CMP consultant, ~50 clients | 2024-05 |
| GA4 data loss from compliant consent | 40–65% | r/ecommerce practitioners | 2024-09 |
Key terms
| Term | Meaning |
|---|---|
| Art. 5(3) | The ePrivacy Directive provision requiring consent for placing/reading terminal equipment storage |
| PECR | Privacy and Electronic Communications Regulations 2003 — UK transposition of the ePrivacy Directive |
| Strictly necessary | Cookies/storage required for a service explicitly requested by the user — exempt from consent |
| Dark patterns | Design techniques that make consent acceptance easier than refusal — prohibited |
| CMP | Consent Management Platform — tool that gates script loading to consent status |
| TCF | IAB Transparency and Consent Framework — consent signalling standard for programmatic advertising |
| PUR model | Pay-or-consent / "consent wall with paid exit" — legality contested |
| Digital Omnibus | November 2025 EC package proposing targeted GDPR + ePrivacy Directive amendments |
| DUAA | Data (Use and Access) Act 2025 — UK law raising PECR fine ceiling from £500k to £17.5M (commenced Feb 2026) |
| Consent Mode v2 | Google's consent signalling framework for EU/EEA — mandatory for Google Ads/GA4 from March 2024 |
What practitioners report
Practitioners in r/ecommerce and r/gdpr consistently highlight three operational pain points not always visible in regulatory publications:
- Measurement degradation — 40–65% GA4 data loss creates a systematic measurement disadvantage for small EU retailers compared to large retailers with modelling capabilities.
- CMP implementation gaps — the gap between "a banner is showing" and "scripts are actually gated" is common, especially on Shopify. The banner without true script blocking does not satisfy ePrivacy requirements.
- Google Consent Mode v2 basic mode grey area — cookieless pings from non-consented users remain an unresolved regulatory question (as-of 2025-02).