The Law Says "Information" - Not "Cookies"
Most website owners associate consent requirements with cookies. The actual legal text is broader than that. Article 5(3) of the ePrivacy Directive refers to "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." There is no mention of cookies specifically.
This means any technology that writes data to or reads data from a visitor's device falls within scope. HTTP cookies are the most common example, but they are far from the only one. Local storage, session storage, and IndexedDB all meet this definition. So do less common mechanisms such as the Cache API and browser fingerprinting techniques that rely on stored information.
The European Data Protection Board confirmed this interpretation in October 2024 when it adopted Guidelines 2/2023 on the Technical Scope of Article 5(3). These guidelines make clear that the provision is technology-neutral and applies to any operation that stores or accesses information on a user's terminal equipment.
What Are Local Storage, Session Storage, and IndexedDB?
Before examining the legal treatment, a brief technical overview is useful. These three browser APIs serve different purposes, but they all store data on the client side.
Local Storage
Local storage (part of the Web Storage API) allows websites to store key-value pairs in the browser with no expiry date. Data persists until explicitly deleted by JavaScript or by the user clearing browser data. A typical storage limit is 5-10 MB per origin. Common uses include saving user preferences, theme settings, and authentication tokens.
Session Storage
Session storage works identically to local storage except that data is cleared when the browser tab closes. It is scoped to the tab, meaning two tabs on the same site have separate session storage. Typical uses include storing form progress, temporary UI state, and shopping cart data during a session.
IndexedDB
IndexedDB is a full client-side database. It supports structured data, indexes, and transactions. Storage limits are much higher - often hundreds of megabytes. Progressive web apps, offline-capable sites, and applications that cache large datasets use IndexedDB extensively.
How Each Technology Compares to Cookies
| Feature | HTTP Cookies | Local Storage | Session Storage | IndexedDB |
|---|---|---|---|---|
| Storage limit | ~4 KB per cookie | 5-10 MB | 5-10 MB | Hundreds of MB |
| Persistence | Set by expiry date | Until deleted | Tab session only | Until deleted |
| Sent with HTTP requests | Yes (automatic) | No | No | No |
| Accessible by JavaScript | Unless HttpOnly | Yes | Yes | Yes |
| Structured data | No (string only) | No (string only) | No (string only) | Yes |
| Covered by ePrivacy Art. 5(3) | Yes | Yes | Yes | Yes |
The final row is the one that matters most. All four technologies are covered by the same legal provision. The size of the data, whether it is sent to a server automatically, and whether it persists beyond a session are technical details. They do not change the legal classification.
When Do These Technologies Require Consent?
Article 5(3) provides two lawful grounds for storing information on a user's device: consent, or strict necessity to provide a service explicitly requested by the user. The same test that applies to non-essential cookies applies to local storage, session storage, and IndexedDB.
If your site stores a user's language preference in localStorage so the interface renders in their chosen language, that is arguably strictly necessary - the user requested that functionality. The same logic applies to sessionStorage holding items in a shopping cart during checkout.
Tracking, analytics, and advertising uses are a different matter. Storing a user identifier in localStorage to track behaviour across visits requires prior consent, just as setting an analytics cookie like _ga does. An IndexedDB database caching ad targeting profiles also requires consent.
The ICO's guidance on storage and access technologies explicitly includes local storage within the scope of PECR Regulation 6. The CNIL similarly applies its cookie guidance to "local shared objects" and HTML5 local storage.
Common Scenarios and Their Legal Position
Authentication tokens in local storage
Storing a JSON Web Token (JWT) in localStorage after a user logs in is typically classified as strictly necessary. The user explicitly requested access to a protected area, and the token enables that service. Consent is not required for this specific use.
Analytics identifiers in local storage
Some analytics tools store unique identifiers in localStorage instead of cookies to avoid third-party cookie restrictions. This does not change the legal analysis. The purpose is tracking, which requires consent under Article 5(3) and, where personal data is involved, under the GDPR as well.
Offline data in IndexedDB
A progressive web app that caches content in IndexedDB so users can read articles offline is providing a service the user requested. This storage is likely strictly necessary. An IndexedDB database that logs every page view for analytics purposes is not.
Session storage for form data
Saving form input in sessionStorage so users do not lose data if they accidentally navigate away is a usability feature the user benefits from directly. Most regulators would consider this strictly necessary. Storing marketing attribution data in sessionStorage is a different use case that requires consent.
Why Cookie Scanners Often Miss These Technologies
Traditional cookie scanning tools crawl a website, load pages, and record the HTTP cookies that are set. Many do not inspect localStorage, sessionStorage, or IndexedDB entries. This creates a false sense of compliance.
A site might pass a cookie audit with flying colours while silently writing tracking identifiers to local storage. Regulators are aware of this gap. The EDPB's 2024 guidelines were partly motivated by the growing use of non-cookie storage mechanisms to circumvent consent requirements.
A thorough cookie audit should include all client-side storage. Use your browser's developer tools - the Application panel in Chrome DevTools shows local storage, session storage, and IndexedDB alongside cookies. Kukie.io's scanner checks for these storage mechanisms as part of its detection process.
What Regulators Have Said
Enforcement specifically targeting local storage or IndexedDB is still relatively rare compared to cookie-related fines. That does not mean these technologies are safe from scrutiny.
The ICO's updated guidance on storage and access technologies, revised following the UK Data (Use and Access) Act in 2025, explicitly names local storage as a technology within scope of PECR. The CNIL's guidelines on "cookies and other tracking devices" have covered local storage since 2020. Germany's data protection authorities treat all client-side storage identically under their interpretation of the ePrivacy Directive transposition (TTDSG/TDDDG).
The trend is clear. As browsers restrict third-party cookies and developers shift to alternative storage, regulators are ensuring the legal framework follows.
Practical Steps for Compliance
Getting this right does not require a complete overhaul. A few targeted steps will close the gap.
- Audit all client-side storage, not just cookies. Check localStorage, sessionStorage, and IndexedDB in your browser's Application panel.
- Classify each storage entry by purpose. Apply the same category framework you use for cookies: strictly necessary, functional, analytics, or marketing.
- Block non-essential storage before consent. If a script writes tracking data to localStorage, that script must be conditionally loaded after consent, just like a tracking cookie.
- Update your cookie policy to mention these technologies. Listing only HTTP cookies when your site also uses local storage is incomplete and potentially misleading.
- Include local storage and IndexedDB entries in your consent records. If a regulator asks what data you store on user devices, your answer should cover all storage mechanisms.
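The audit, classify and block steps above, which also address the scanner gap described earlier, can be sketched for Web Storage as follows. This is an added example, not code from the original article or from Kukie.io; the key patterns, category names and the `memoryStorage` stand-in are assumptions, and IndexedDB is left out because enumerating it is asynchronous.

```javascript
// Purpose registry. Key patterns and categories are constructed for this example.
const PURPOSES = [
  { pattern: /^(auth_token|ui_lang)$/, category: "strictly_necessary" },
  { pattern: /^analytics_/, category: "analytics" },
  { pattern: /^ad_/, category: "marketing" },
];

// Map a storage key to its purpose; unknown keys stay "unclassified" (fail closed).
function classify(key) {
  const hit = PURPOSES.find((p) => p.pattern.test(key));
  return hit ? hit.category : "unclassified";
}
function isAllowed(category, consented) {
  return category === "strictly_necessary" || consented.has(category);
}

// Inventory every entry in the given Storage-like objects and flag those without consent.
function auditStorage(stores, consented) {
  const findings = [];
  for (const [store, s] of Object.entries(stores)) {
    for (let i = 0; i < s.length; i++) {
      const key = s.key(i);
      const category = classify(key);
      findings.push({ store, key, category, allowed: isAllowed(category, consented) });
    }
  }
  return findings;
}

// Wrap a Storage object so first-party code cannot write non-consented entries.
function gateStorage(s, consented) {
  return {
    setItem(key, value) {
      if (!isAllowed(classify(key), consented)) return false; // write dropped
      s.setItem(key, value);
      return true;
    },
    getItem: (key) => s.getItem(key),
  };
}

// In-memory stand-in for the Web Storage interface so this runs outside a browser.
function memoryStorage(initial = {}) {
  const m = new Map(Object.entries(initial));
  return {
    get length() { return m.size; },
    key: (i) => [...m.keys()][i] ?? null,
    getItem: (k) => m.get(k) ?? null,
    setItem: (k, v) => void m.set(k, String(v)),
  };
}
```

In a browser, pass `{ localStorage, sessionStorage }` and the visitor's consented categories to `auditStorage`. The gate only constrains code that calls it, so third-party scripts that write to storage directly still have to be loaded conditionally.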
Frequently Asked Questions
Does local storage count as a cookie under GDPR?
Local storage is not a cookie in the technical sense, but it falls under the same legal rules. Article 5(3) of the ePrivacy Directive covers all information stored on a user's device. The GDPR applies separately if the stored data constitutes personal data.
Do I need consent to use session storage?
It depends on the purpose. Session storage used for strictly necessary functions - like keeping items in a shopping cart - does not require consent. Session storage used for analytics or tracking does require prior consent under Article 5(3).
Is IndexedDB covered by the ePrivacy Directive?
Yes. The ePrivacy Directive's Article 5(3) applies to any technology that stores or accesses information on a user's device. IndexedDB stores data locally in the browser, so it is within scope. The EDPB confirmed this technology-neutral interpretation in its 2024 Guidelines 2/2023.
Can I use local storage to avoid cookie consent requirements?
No. Switching from cookies to local storage does not remove the obligation to obtain consent. The legal requirement is based on the act of storing information on a device, not on the specific technology used. Regulators have explicitly addressed this.
Do cookie scanners detect local storage and IndexedDB?
Many basic cookie scanners only detect HTTP cookies. A proper compliance audit should also check local storage, session storage, and IndexedDB entries. Use your browser's Application panel in DevTools or a scanner that covers all client-side storage.
What happens if I store a JWT token in local storage without consent?
A JWT token stored for authentication purposes after a user logs in is typically classified as strictly necessary. Consent is not required for this use. The exemption applies because the user explicitly requested access to a protected service.
Take Control of Your Cookie Compliance
If you are not sure which cookies and storage mechanisms your site uses, start with a free scan. Kukie.io detects cookies, local storage entries, and other client-side storage - so your visitors get a clear choice, and you stay on the right side of the law.