Consent as a Service: Why Third-Party Solutions Lead to Non-Compliance

Jan 14, 2025 · 15 minute read


As privacy regulations grow stricter, consent has become the cornerstone of ethical and legal digital interactions. At the center of these requirements is Article 5(3) of the ePrivacy Directive, which mandates that any access to a user’s device, or terminal equipment, requires explicit, informed consent unless it is strictly necessary for the functionality of a service explicitly requested by the user.

While the General Data Protection Regulation (GDPR) is often regarded as the gold standard for data protection, the ePrivacy Directive (ePD) plays an even more crucial role when it comes to consent requirements for accessing or storing data on a user's device.

As a Lex Specialis, the ePrivacy Directive takes precedence over GDPR in matters of electronic communications and tracking technologies. Its Article 5(3) establishes strict conditions for any access to or storage of information on a user’s terminal equipment. Explicit, informed consent is required unless the access is strictly necessary for a service explicitly requested by the user.

Unlike GDPR, which governs personal data broadly, the ePD focuses specifically on the confidentiality of communications and device-level interactions. This means its scope extends to any type of data, whether personal or not, stored or accessed on a user’s device. As such, actions like setting cookies, reading local storage, or modifying content through JavaScript, all fall under the ePD’s remit. 

Terminal equipment is any device a user employs to connect to the internet, such as a smartphone, laptop or desktop computer, including the browser or app running on it. Consequently, any action that interacts with the device’s data, such as setting cookies, reading local storage, or modifying active content (like the DOM), constitutes terminal access.

When organizations rely on third-party consent management platforms (CMPs) or other "Consent as a Service" solutions that preemptively access this data or facilitate unapproved tracking, they inherently violate these legal requirements. Such practices not only breach regulatory compliance but also jeopardize customer trust by undermining the principles of transparency and user control.

Is your business prepared for the next wave of privacy enforcement? Are you confident in how your consent strategies align with evolving regulations?


ePrivacy Directive Article 5(3) Explained

Article 5(3) explicitly states that storing information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only allowed if one of the following conditions is met:

  • Consent: The user has consented after being given clear and comprehensive information. Because the GDPR replaced Directive 95/46/EC, “consent” here carries the GDPR Article 4(11) meaning: freely given, specific, informed and unambiguous, expressed by a clear affirmative act. Pre-ticked boxes (CJEU, Planet49) and continued browsing do not qualify.
  • Strict Necessity: The storage or access is strictly necessary to provide an information society service explicitly requested by the user, such as maintaining a login session or keeping items in a shopping cart. A second, narrower exemption covers storage or access needed solely to carry out the transmission of a communication over the network.

The provision is technology-neutral: it reaches well beyond traditional cookies to any mechanism that stores or reads information on the device, whether delivered through JavaScript, server-side tagging pipelines fed by the browser, pixel trackers, beacons, SDKs, or APIs. Its goal is to protect the user’s device and the data on it from intrusive technologies that operate without their knowledge or approval.

What Constitutes Terminal Access?

Terminal access is any interaction with a user’s device that reads, writes, or modifies data, even temporarily. Key examples include:

  • Cookies and Local Storage: Writing or retrieving information stored in the browser for tracking or analytics purposes.
  • Document Object Model (DOM) Manipulation: Scripts that modify active content on a webpage in ways that interact with or track user actions.
  • Pixel Trackers and Beacons: Technologies that transmit data from the user’s device back to a third-party server, often for tracking or marketing purposes.
  • APIs and SDKs: Interactions where data gathered from the user’s device is sent to external systems for processing, including calls made from the site’s own backend that are invisible to the user.

Even when businesses believe such activities are benign or essential, Article 5(3) requires explicit consent for any access that is not necessary for providing the requested service.


The Compliance Problem with Third-Party CMPs

Third-party CMPs inherently struggle to align with the strict requirements of regulations like the GDPR and ePrivacy Directive. Here’s why:

Control and Transparency

  • Valid consent under Article 5(3) presupposes that the user has been given clear and comprehensive information about who stores or accesses what on the device, and for what purpose. Third-party CMPs, however, operate outside the direct control of the website owner, making it nearly impossible to give users a clear and detailed account of how their data is processed, by whom, and for what purpose. This lack of control undermines transparency, as website owners cannot fully verify how the third party processes or shares data.

Preloaded Third-Party Trackers

  • Many third-party CMPs preload cookies or trackers before consent is obtained, which directly contravenes Article 5(3)’s requirement for prior consent (and the GDPR’s, where consent is the legal basis for the resulting processing). This premature loading exposes businesses to significant compliance risk.

Dependence on BigTech Infrastructure

  • Third-party CMPs often operate through cloud-based infrastructures controlled by BigTech companies. This creates additional privacy concerns as data may be shared across entities without the user's knowledge or explicit consent. This practice not only violates legal mandates but also contradicts the principles of privacy by design.

Lack of Decentralized Consent Options

  • Traditional CMPs fail to provide decentralized consent mechanisms that empower users to control and revoke their consent across platforms. Decentralized systems, such as those leveraging blockchain, are increasingly recognized as the gold standard for privacy compliance, offering transparency, accountability, and user control.

Technical Implications: JavaScript and "Terminal Access"

The technical behavior of JavaScript on websites underscores the deeper compliance challenges associated with third-party CMPs:

What Constitutes Terminal Access?

  • Terminal Equipment: Under the ePrivacy Directive, any device a user uses to connect to the internet (e.g., a smartphone, laptop or desktop computer, including the browser or app running on it) is considered "terminal equipment."
  • JavaScript and Access: If a website’s JavaScript code can read from or write to data on the user’s device, like cookies, local storage, or the Document Object Model (DOM), it constitutes “accessing” terminal equipment under Article 5(3). This includes setting cookies, tracking interactions, or even manipulating the DOM in ways that facilitate analytics or marketing.

Common Misunderstandings About JavaScript

  • “JavaScript doesn’t access the filesystem!”: True in the narrow sense that page scripts cannot read arbitrary files on the user’s disk. But cookies, localStorage, IndexedDB and the Cache API are all persisted on that disk by the browser, and writing to or reading from them is sufficient to be considered terminal access under ePrivacy rules.
  • “It’s only modifying the webpage!”: The DOM exists in the user’s device memory during browsing. If scripts inject or interact with third-party resources or track user behavior, they require explicit consent.
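The misunderstandings above are easiest to settle by measuring: wrap the browser's own cookie and Web Storage write paths and record every write that lands before the visitor has answered the banner. The block below is an added example written for this article, not code from the original post or from AesirX. It assumes a simple model in which consent is a single yes/no flag and a list of strictly-necessary keys (here `session_id`) is exempt; the cookie names, the fake window and the simulated tag behaviour are constructed for the demo. In a real page, `instrumentTerminalAccess(window, ...)` would be the first script to run, before any tag.

```javascript
// Added example (not from the original post or AesirX): record every cookie or
// Web Storage write that happens before the visitor has consented, so premature
// "terminal access" by tags shows up in an audit instead of going unnoticed.
// In a browser, call instrumentTerminalAccess(window, ...) as the very first
// script on the page; the fake window further down is a constructed stand-in
// so this file also runs offline under Node.

function findAccessor(obj, prop) {
  // document.cookie lives on Document.prototype in real browsers, so walk the
  // prototype chain instead of assuming it is an own property.
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  throw new Error(`no accessor for ${prop}`);
}

function instrumentTerminalAccess(win, { strictlyNecessary = [] } = {}) {
  const exempt = new Set(strictlyNecessary); // keys allowed before consent (Art. 5(3) exemption)
  const state = { consented: false, violations: [] };

  function record(kind, key) {
    if (!state.consented && !exempt.has(key)) state.violations.push({ kind, key });
  }

  // Shadow the document.cookie accessor on the instance; reads pass through unchanged.
  const doc = win.document;
  const cookieDesc = findAccessor(doc, 'cookie');
  Object.defineProperty(doc, 'cookie', {
    configurable: true,
    get() { return cookieDesc.get.call(doc); },
    set(value) {
      const name = String(value).split('=')[0].trim();
      record('cookie', name);
      cookieDesc.set.call(doc, value);
    },
  });

  // Wrap Storage.prototype.setItem so localStorage and sessionStorage are both covered.
  const storageProto = Object.getPrototypeOf(win.localStorage);
  const originalSetItem = storageProto.setItem;
  storageProto.setItem = function (key, value) {
    record(this === win.sessionStorage ? 'sessionStorage' : 'localStorage', String(key));
    return originalSetItem.call(this, key, value);
  };

  return {
    grantConsent() { state.consented = true; },
    violations() { return state.violations.slice(); },
  };
}

// --- Constructed stand-in for a browser window so the audit runs under Node ---
class FakeStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(String(key), String(value)); }
  getItem(key) { return this.items.has(String(key)) ? this.items.get(String(key)) : null; }
}

function makeFakeWindow() {
  const jar = []; // "name=value" pairs, mimicking what document.cookie returns
  const document = {};
  Object.defineProperty(document, 'cookie', {
    configurable: true,
    get() { return jar.join('; '); },
    set(value) { jar.push(String(value).split(';')[0].trim()); },
  });
  return { document, localStorage: new FakeStorage(), sessionStorage: new FakeStorage() };
}

// Simulates a page where analytics tags fire before the banner is answered.
function runAudit() {
  const win = makeFakeWindow();
  const audit = instrumentTerminalAccess(win, { strictlyNecessary: ['session_id'] });

  win.document.cookie = 'session_id=abc123; path=/';   // exempt: needed for the requested service
  win.document.cookie = '_ga=GA1.2.5550123; path=/';    // premature analytics cookie
  win.localStorage.setItem('amp_device_id', 'dev-42');  // premature analytics storage
  audit.grantConsent();                                  // visitor now clicks "accept"
  win.document.cookie = '_fbp=fb.1.1; path=/';          // after consent: not a violation

  return audit.violations(); // [{cookie _ga}, {localStorage amp_device_id}]
}
```

Running the real page with this instrumentation and a banner left unanswered gives a list of exactly which keys a CMP or tag wrote prematurely; anything not on the strictly-necessary allowlist is the evidence the regulator would ask for. Reads (`document.cookie` getter, `getItem`) are deliberately left unwrapped here to keep the block short, but the same shadowing technique applies to them.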

Why Premature Script Loading is Non-Compliant

  • Even when consent banners are displayed, many websites still allow scripts for analytics, tracking, or marketing to execute before a user provides consent. This practice violates both the ePrivacy Directive and, in some cases, GDPR when consent is the sole legal basis for such processing.
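The fix for premature loading is structural rather than a matter of banner timing: non-essential tags must not exist as live scripts until the purpose they serve has been granted. The block below is an added example written for this article, not code from the original post or from AesirX, showing one way to gate tags by purpose. It assumes the tags are declared as inert `<script type="text/plain" data-consent="…" data-src="…">` elements and that the visitor's choice is a comma-separated list of purposes such as `necessary,analytics`; the purpose names, vendor URLs and the recording `activate` callback are constructed for the demo.

```javascript
// Added example (not from the original post or AesirX): keep every non-essential
// tag inert until the purpose it serves has been consented to. Tags are declared
// as data, not as live <script> elements, so nothing reaches the terminal before
// the choice is made. `activate` is where a real <script> would be created in a
// browser; the demo injects a recorder instead so the file runs under Node.

const STRICTLY_NECESSARY = 'necessary'; // exempt under Art. 5(3); never needs consent

// Parse the first-party consent record, e.g. "necessary,analytics".
// A missing or empty record means nothing beyond the exemption is granted.
function parseConsentRecord(value) {
  const granted = new Set([STRICTLY_NECESSARY]);
  for (const p of String(value || '').split(',')) {
    const purpose = p.trim();
    if (purpose) granted.add(purpose);
  }
  return granted;
}

function createConsentGate(activate) {
  const declared = [];          // tags waiting for consent
  const released = new Set();   // ids already activated (a script cannot be un-run)
  let granted = new Set([STRICTLY_NECESSARY]);

  function release() {
    for (const tag of declared) {
      if (!released.has(tag.id) && granted.has(tag.purpose)) {
        released.add(tag.id);
        activate(tag);
      }
    }
  }

  return {
    declare(tag) { declared.push(tag); release(); }, // necessary tags run at once
    applyConsent(record) { granted = parseConsentRecord(record); release(); },
    // Revocation stops anything not yet loaded. What already ran must be dealt
    // with by deleting the cookies/storage it wrote; the gate cannot undo it.
    revoke() { granted = new Set([STRICTLY_NECESSARY]); },
    pending() { return declared.filter(t => !released.has(t.id)).map(t => t.id); },
  };
}

// Browser wiring (assumed markup, not from the post):
//   <script type="text/plain" data-consent="analytics" data-src="https://vendor.example/tag.js"></script>
// type="text/plain" stops the browser executing the element; activate() then
// creates a live script for it once its purpose is granted.
function browserActivate(tag) {
  const s = document.createElement('script');
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

function collectDeclaredTags(doc) {
  return Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el, i) => ({ id: el.id || `tag-${i}`, purpose: el.dataset.consent, src: el.dataset.src }));
}

// Demo under Node with a recording activate() in place of browserActivate.
function runGateDemo() {
  const loaded = [];
  const gate = createConsentGate(tag => loaded.push(tag.id));

  gate.declare({ id: 'session', purpose: 'necessary', src: '/session.js' });
  gate.declare({ id: 'ga', purpose: 'analytics', src: 'https://vendor.example/ga.js' });
  gate.declare({ id: 'pixel', purpose: 'marketing', src: 'https://vendor.example/px.js' });

  const beforeConsent = loaded.slice();   // only the necessary tag has run
  gate.applyConsent('analytics');         // visitor accepts analytics only
  const afterAnalytics = loaded.slice();  // session + ga
  gate.revoke();                          // visitor later withdraws consent
  gate.declare({ id: 'late-pixel', purpose: 'marketing', src: 'https://vendor.example/late.js' });

  return { beforeConsent, afterAnalytics, pending: gate.pending() };
}
```

In a browser the last lines would read `const gate = createConsentGate(browserActivate); collectDeclaredTags(document).forEach(t => gate.declare(t));` followed by `gate.applyConsent(...)` from the banner's accept handler. The important property is the negative one: with no record, `pending()` still lists every analytics and marketing tag and none of them has touched the device.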

Impact on Business Operations

  • When customers discover that websites are improperly accessing their devices through third-party trackers, it creates a trust deficit. The harm to brand reputation and customer loyalty is often far greater than regulatory penalties.


Beyond JavaScript: Server-Side Tagging, Pixel Trackers, Beacons, SDKs, and APIs

While JavaScript often takes center stage in discussions about “terminal access,” it is crucial to understand that other technologies, such as server-side tagging, pixel trackers, beacons, SDKs, and APIs, also fall under the same regulatory scope.

Server-Side Tagging and Tracking

  • Server-side tagging moves tag execution from the client (browser) to a server controlled by the business or a third party, typically a first-party collection endpoint such as a Google Tag Manager (GTM) server container. The browser still sends the hit, but only to that endpoint; the calls to analytics and advertising vendors are then made from the server and never appear in the browser’s network panel, which makes the tracking far less apparent to users.
  • While server-side tagging can enhance performance and provide more control over data flows, it still involves the processing of user data, such as unique identifiers, behavioral metrics, and IP addresses, often without explicit user awareness.

Compliance Challenges

Server-side tagging setups, including those using Google Tag Manager, frequently pass data to third-party endpoints without obtaining clear user consent. This can include:

  • Unique Identifiers: Data such as IP addresses, user IDs or cookies routed through the server to third-party services like analytics or advertising platforms.
  • User Behavior Data: Clicks, session durations, and other interactions collected and shared without prior approval.

Such practices fall under Article 5(3) of the ePrivacy Directive: the hit that feeds the server container is itself information accessed on, and sent from, the user’s device, so it requires prior consent unless strictly necessary for the service the user requested. The onward processing of the resulting personal data is then governed by the GDPR.

The Transparency Gap

  • Server-side tagging compounds the transparency challenge by hiding data flows from the user’s browser. Unlike traditional client-side tracking, where scripts and cookies are visible in browser developer tools, server-side tagging operates in the backend, making it harder for users, and even website operators, to fully understand where data is being sent or how it is being used.

When tools like Google Tag Manager are employed for server-side tagging, businesses must ensure that:

  • Data Minimization Principles are upheld, collecting only the data strictly required for the specified purpose.
  • Consent Mechanisms are robust, ensuring no data is processed until explicit user consent is obtained.
  • Clear Disclosures are provided to users about the role of server-side processing, the types of data collected, and the third parties involved.
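The three requirements above translate into a concrete rule for the collection endpoint: the consent record must travel with the hit, the server must refuse to forward anything to a vendor whose purpose is not covered, and what it does forward must be cut down to what that purpose needs. The block below is an added example written for this article; it is not code from the original post, from AesirX, or from Google Tag Manager's server container. It assumes a first-party `consent` cookie holding a comma-separated purpose list, two hypothetical vendors with made-up endpoints, and IPv4 client addresses; the sample hits are constructed for the demo.

```javascript
// Added example (not from the original post, AesirX, or GTM): a minimal
// server-side tag router. It forwards a hit to a vendor only when the consent
// record sent with the hit covers that vendor's purpose, and it strips the
// fields the purpose does not need before forwarding.

// Hypothetical vendors; purposes, endpoints and field lists are assumptions.
const VENDORS = {
  analytics: { endpoint: 'https://analytics.example/collect', fields: ['event', 'page', 'client_id'] },
  marketing: { endpoint: 'https://ads.example/conv', fields: ['event', 'page', 'client_id', 'campaign'] },
};

function parseCookies(header) {
  const out = {};
  for (const part of String(header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// The consent record is a first-party cookie, e.g. "consent=analytics,marketing".
// No cookie means no purpose is granted; strictly necessary work never reaches
// a vendor, so it does not appear here at all.
function grantedPurposes(cookieHeader) {
  const rec = parseCookies(cookieHeader).consent || '';
  return new Set(rec.split(',').map(s => s.trim()).filter(Boolean));
}

// Keep only the fields the vendor's purpose needs and never pass the raw IP on.
// IPv4 is truncated to its /24 so the vendor gets coarse location, not an identifier.
function minimize(hit, fields, clientIp) {
  const out = {};
  for (const f of fields) if (hit[f] !== undefined) out[f] = hit[f];
  out.ip = clientIp.replace(/\.\d+$/, '.0'); // IPv4 only in this demo
  return out;
}

// Returns the outbound requests the container should make for one incoming hit.
// No consent for a purpose => no request to that vendor, not a reduced one.
function routeHit(req) {
  const granted = grantedPurposes(req.headers.cookie);
  const outbound = [];
  for (const [purpose, vendor] of Object.entries(VENDORS)) {
    if (!granted.has(purpose)) continue;
    outbound.push({ vendor: purpose, url: vendor.endpoint, body: minimize(req.body, vendor.fields, req.ip) });
  }
  return outbound;
}

// Constructed sample hits: the same event under three consent states.
function runRouterDemo() {
  const hit = { event: 'purchase', page: '/checkout', client_id: 'c-9f1', campaign: 'spring', user_agent: 'Mozilla/5.0' };
  const ip = '203.0.113.77';
  const noConsent = routeHit({ headers: { cookie: 'session_id=abc' }, ip, body: hit });
  const analyticsOnly = routeHit({ headers: { cookie: 'session_id=abc; consent=analytics' }, ip, body: hit });
  const both = routeHit({ headers: { cookie: 'consent=analytics,marketing' }, ip, body: hit });
  return { noConsent, analyticsOnly, both };
}
```

`routeHit` is deliberately a pure function over `{ headers, ip, body }` so it can be dropped into an `http.createServer` handler after the JSON body has been parsed, and unit-tested without a network. The two cases worth checking in any real container are the ones shown: an absent record yields zero outbound requests, and a partial record yields a body without the fields (here `campaign` and `user_agent`) the granted purpose does not require.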

Server-side tagging, while powerful, introduces complexities that businesses must address to remain compliant and transparent. Failure to do so not only risks regulatory fines but also damages user trust in a privacy-conscious digital landscape.

Pixel Trackers

  • What They Are: Pixels are small, invisible images embedded in a webpage or email to track user interactions, such as page visits, clicks, or conversions.
  • Legal Implications: Loading a pixel makes the browser fetch it from the tracker’s server, sending along the request headers (IP address, user agent and any cookies already set for that domain) and letting the response set new cookies. The EDPB’s Guidelines 2/2023 treat this kind of instructed transmission as “gaining access” to information on the terminal equipment, so a pixel must not be loaded until consent has been given unless it is strictly necessary for the requested service.

Beacons

  • Purpose: Like pixels, beacons send data from the user’s browser to third-party servers. In practice they are fired by JavaScript, often through the navigator.sendBeacon API, which queues the request so that it survives the page being closed. They are used for real-time data collection, such as location tracking or user behavior analytics.
  • Regulatory Considerations: As with pixels, the use of beacons for any purpose beyond strictly necessary site functionality (e.g., marketing or analytics) triggers the requirement for prior, explicit consent.

Software Development Kits (SDKs)

  • Scope: SDKs are bundles of tools and libraries that allow developers to embed functionalities like analytics or advertising into mobile apps. They often come pre-configured to share data with third-party providers.
  • Compliance Risks: SDKs typically operate in the background, collecting device data, geolocation, and behavioral insights. If these operations are conducted without informed user consent, they violate both GDPR and ePrivacy Directive requirements.

Application Programming Interfaces (APIs)

  • Functionality: APIs facilitate data exchange between systems. For example, a marketing API might enable a website to send user data to a CRM or ad platform.
  • Compliance Oversight: Many APIs are used to pass user data, like email addresses or behavioral metrics, to third parties. Unless users explicitly consent to this data processing, businesses may find themselves in breach of privacy regulations.


The Reputational and Financial Cost of Non-Compliance

While fines for non-compliance are a significant deterrent, the ripple effects of privacy violations extend far beyond monetary penalties. The damage to brand reputation, customer trust, and operational stability can have lasting consequences, amplified by recent legal developments that underscore the personal accountability of businesses.

Erosion of Customer Trust

When customers discover that their data has been shared with third parties or BigTech without proper consent, it fosters a deep sense of betrayal. This breach of trust can result in:

  • Negative Perception: Users are more likely to disengage with brands they perceive as exploitative or careless with their data.
  • Reduced Loyalty: A loss of trust translates directly into lower customer retention and diminished lifetime value.
  • Market Vulnerability: Competitors with robust, privacy-first practices become more appealing, further eroding market share.

As privacy awareness grows, customers are increasingly prioritizing brands that demonstrate ethical and transparent data practices. Non-compliance risks alienating this privacy-conscious audience, often irreparably.

Loss of Competitive Edge

In today’s privacy-driven landscape, compliance is no longer just a legal necessity but a competitive advantage. Companies that invest in first-party, privacy-centric solutions are not only meeting regulatory requirements but are also capitalizing on consumer demand for ethical data handling.

  • Non-compliant businesses risk falling behind competitors that emphasize trust and transparency.
  • Losing consumer confidence can cascade into weakened relationships with partners, advertisers, and stakeholders who value privacy-aligned practices.

Financial Penalties and the Rising Risk of Immaterial Damages

The financial stakes of non-compliance are higher than ever. Regulators are enforcing privacy laws with unprecedented vigor, and recent legal precedents have expanded the scope of liability to include immaterial damages:

Regulatory Fines:

  • GDPR fines can reach up to €20 million or 4% of annual global turnover, whichever is higher. For many businesses, these penalties are not just fines but existential threats.
  • Companies like Amazon (€746 million, Luxembourg, 2021) and Meta (€1.2 billion, Ireland, 2023) exemplify the scale of enforcement, sending a clear message that non-compliance is not an option.

Immaterial Damages:

  • In January 2025 the General Court of the EU (Bindl v Commission, T-354/22) awarded €400 in immaterial damages to a visitor of a European Commission website, underscoring that privacy violations carry a personal cost and not just a regulatory one.
  • The site offered a “Sign in with Facebook” option; using it caused the visitor’s IP address to be transmitted to Meta in the United States at a time (March 2022) when no adequacy decision covered such transfers, and the Commission could not show appropriate safeguards. The case was decided under Regulation (EU) 2018/1725, the GDPR’s counterpart for EU institutions, but the lesson carries over: a convenience feature like social login can result in financial liability and reputational harm.
  • Beyond direct costs, rulings like these set a precedent that could lead to an increase in individual claims for privacy violations, further amplifying the risk.

Negative Publicity

Scrutiny from media, privacy advocacy groups, and regulators compounds the reputational cost of non-compliance. Publicized cases of privacy breaches or violations often result in:

  • Consumer Backlash: Negative press can discourage customers from engaging with the brand, further reducing trust and revenue.
  • Partner Alienation: Partners and advertisers may distance themselves from businesses involved in publicized non-compliance, fearing association with unethical practices.
  • Litigation Risks: Public awareness of non-compliance increases the likelihood of class-action lawsuits or individual claims, amplifying financial and reputational damages.

The Cost of Non-Compliance

Businesses must recognize that the cost of non-compliance is multifaceted, affecting not just their bottom line but their long-term viability. To avoid these risks:

  • Prioritize privacy-first frameworks that align with GDPR and ePrivacy Directive requirements.
  • Transition to first-party consent mechanisms to ensure greater transparency and control.
  • Regularly audit privacy practices to mitigate the risk of fines, immaterial damages, and reputational harm.

By addressing compliance proactively, businesses can not only avoid costly pitfalls but also position themselves as trusted leaders in a privacy-conscious market.


The Case for First-Party Consent Management

Adopting a first-party consent management approach is not just a regulatory necessity, it is a strategic imperative for businesses that value compliance, user trust, and long-term growth. Unlike third-party solutions, first-party CMPs operate directly within a business’s digital infrastructure, offering unparalleled control over data flows and ensuring strict adherence to privacy regulations.

Direct Ownership of Data

First-party solutions put businesses in complete control of their data ecosystem:

  • Eliminating Third-Party Risks: By managing consent directly, businesses avoid unauthorized data sharing with third parties, minimizing the risk of regulatory violations and privacy breaches.
  • Data Sovereignty: Retaining ownership of user data ensures it is used responsibly, securely, and transparently, building confidence with regulators and users alike.

Privacy by Design

Embedding compliance into the core of digital operations is the foundation of first-party consent management:

  • Regulatory Alignment: First-party CMPs ensure compliance with GDPR and ePrivacy Directive requirements by preventing any data collection or tracking technology from activating until explicit, informed consent is obtained.
  • Seamless Integration: Designed to prioritize user privacy from the outset, these solutions eliminate the need for retroactive compliance fixes, reducing both risk and cost.

Data Minimization

First-party solutions inherently support the principle of data minimization, ensuring that only necessary data is collected:

  • Purpose Limitation: By gathering only the data required for the specific, consented purpose, businesses reduce their data footprint and associated privacy risks.
  • Enhanced Security: A smaller, well-defined dataset is easier to secure, reducing the potential impact of data breaches.
  • User-Centric Design: Collecting minimal data demonstrates respect for user privacy and fosters trust, aligning with the expectations of modern, privacy-conscious consumers.

Building Trust and Loyalty

First-party consent management is a cornerstone for cultivating lasting relationships with users:

  • Enhanced Transparency: Clear, privacy-first practices empower users to understand and control how their data is handled, fostering trust.
  • Strengthened Customer Relationships: Users are more likely to engage with businesses that prioritize ethical data practices, leading to higher loyalty and customer retention.
  • Competitive Advantage: In an era of heightened privacy awareness, businesses that adopt first-party solutions are positioned as leaders in transparency, setting themselves apart in the market.

By transitioning to first-party consent management, businesses can align with legal requirements while embracing the values of transparency, data minimization, and user empowerment. This approach not only mitigates compliance risks but also reinforces a brand’s reputation as a trusted steward of user data.


Key Takeaways

Article 5(3) of the ePrivacy Directive

  • Requires explicit, informed user consent for any storage or access of information on a user’s device unless it is strictly necessary for a service the user explicitly requested.
  • Applies broadly to cookies, local storage, server-side tagging, pixel trackers, and any other mechanisms that read or write data on the terminal equipment.

Third-Party CMPs: A Compliance Risk

  • “Consent as a Service” solutions often load trackers or cookies before obtaining valid user consent, violating both GDPR and ePrivacy Directive requirements.
  • The lack of direct oversight and transparency around how third parties process or share data undermines user trust.

Terminal Access is More Than Just Cookies

  • Any interaction that reads, writes, or modifies data on the user’s device, such as JavaScript injections, pixel placements, or API calls, constitutes “terminal access” under Article 5(3).
  • Premature script loading, even for analytics or marketing, is non-compliant if performed without prior consent.

Server-Side Tagging & Other Hidden Trackers

  • Tools like Google Tag Manager can move data processing to the server side, making it less transparent for users.
  • Even if hidden from the browser, these processes still require explicit consent if they’re not strictly necessary for the service requested.

Non-Compliance: Reputational & Financial Repercussions

  • Regulatory penalties can include steep fines under GDPR and potential immaterial damages claims, as illustrated by recent CJEU rulings.
  • Customer trust and brand reputation suffer when users discover data is shared without proper consent, undermining loyalty and competitive advantage.

First-Party Consent as a Strategic Imperative

  • Operating a consent management system in-house gives businesses direct control of data flows, ensuring data minimization and compliance with privacy by design.
  • Aligning consent practices with user expectations fosters trust, cleaner datasets, and actionable insights, turning compliance into a market differentiator.

Moving Forward

Businesses must take a hard look at their consent strategies. While third-party solutions may offer convenience, they come with significant risks, compromising regulatory compliance, eroding customer trust, and exposing businesses to financial and reputational harm.

The path forward lies in adopting first-party, privacy-first consent frameworks. These solutions not only ensure strict adherence to regulations like the GDPR and ePrivacy Directive but also position businesses as leaders in transparency and trust. By prioritizing data minimization, user empowerment, and privacy by design, organizations can turn compliance into a strategic advantage that builds long-term customer loyalty.

Beyond Compliance: Better Data, Better Insights

  • Implementing trusted consent frameworks enables businesses to collect data that is more accurate, reliable, and meaningful.
  • Users who provide informed consent are more likely to engage with the brand authentically, resulting in cleaner datasets and actionable insights.
  • This privacy-aligned approach fosters a stronger foundation for data-driven decision-making, enhancing both operational efficiency and customer satisfaction.

While transitioning to first-party consent management may require an upfront investment in resources and technology, the long-term benefits far outweigh the risks of non-compliance and the potential damage to your brand.

Concerned about your website’s compliance? 

Take control of your website's compliance today. Use the AesirX Privacy Scanner to identify potential GDPR and ePrivacy Directive violations and proactively protect your brand and user trust.

Ronni K. Gothard Christiansen
Creator, AesirX.io


References & Additional Resources

  1. Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive
  2. New EDPB Guidelines on ePrivacy Directive: Sharper, Clearer, and More Comprehensive After Public Consultation
  3. UK ICO on PECR
  4. Norway’s Ekomloven
  5. Court of Justice of the European Union (CJEU): Why the EU Commission Was Fined and Its Broader Implications for Data Transfers
  6. Analysis of "Google Tag Manager: Privacy Leaks and Potential Legal Violations"
  7. The Cookie Consent Confusion: Why Technically Required Cookies Never Needed Consent
  8. Your Legitimate Interest Is Not Your Suppliers’
  9. Building Trust in Code: Why Privacy Compliance is the Next Big Metric
  10. Guide til virksomheder: Dataetik i anvendelsen af tredjepartstjenester [DK]

Remember: The ePrivacy Directive has been transposed into national law by every EU member state. In the UK, PECR is its equivalent, while Norway's new Ekomloven unifies GDPR and the ePrivacy Directive into a single comprehensive law.
