22 November 2023

New Guidelines published by the European Data Protection Board aim to clarify which tracking technologies require the consent of the user in accordance with Article 5(3) of the ePrivacy Directive. Spoiler alert – it’s most of them. Emma Ritchie, Head of Data Protection and Privacy, explains.

The ePrivacy Directive mandates that certain tracking technologies can only be used with the user’s prior informed consent. This is provided for by Article 5(3) of the Directive and is most commonly associated with the use of cookies.

However, Article 5(3) applies to more than just cookies, and last week the European Data Protection Board published draft Guidelines aimed at clarifying which tracking technologies (in addition to cookies) fall under this Article of the Directive.

The ePrivacy Directive ambiguity

Article 5(3) of the Directive states that in order to store information, or to gain access to information stored, on a user’s device, consent must be obtained from that user unless there is a necessity for such access or storage for a purpose set out by law.

It’s clear that the Article was intended to cover more than just cookies, and includes ‘similar technologies’, but there is no comprehensive list of which technical operations are covered by Article 5(3).

This is where the draft Guidelines come in, with a particular focus on the emergence of new tracking methods to both replace existing tracking tools and create new business models. In the executive summary, the EDPB states: “While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to remove ambiguities related to the application of the said provision to emerging tracking tools.”

The Draft Guidelines

The Guidelines present an analysis of the scope of what is covered under Article 5(3) by the phrase ‘to store information or to gain access to information stored in the terminal equipment of a subscriber or user’.

The draft Guidelines are relevant to any organisation or website owner that tracks an internet user’s behaviours for purposes which require the consent of the internet user. For organizations engaged in:

these Guidelines are particularly relevant.

The four key criteria

There are four key criteria to consider when determining whether a specific tracking technique will fall within the scope of the ePrivacy Directive:

  1. The operations carried out relate to ‘information’:
    • According to the EDPB, ‘information’ refers to both non-personal and personal data.
  2. The operations carried out involve a ‘terminal equipment’ of a subscriber or user:
    • If a device only conveys information without modifying it, it will not fall within the scope of the ePrivacy Directive.
    • Any device connected to a public network to send, process, or receive information will be considered ‘terminal equipment’ (e.g., smartphones, laptops, connected cars, or connected TVs).
    • The protection applies not only to natural persons but also to legal persons.
  3. The operations carried out are made in the context of the “provision of publicly available electronic communications services in public communications networks”:
    • In the Guidelines, the EDPB sets the limits of the context in which Article 5(3) applies. The EDPB has clarified that the network would be considered public even when it is only available to a certain number of people, for example in the case of subscribers.
  4. The operations carried out indeed constitute a ‘gaining of access’ or ‘storage’:
    • The Guidelines analyse these concepts separately, as both actions do not need to occur within the same communication or be carried out by the same entity:
      • Gaining Access: the entity must take active steps to gain access to the information stored in the electronic equipment (e.g., an entity that installs software on the terminal equipment that calls an API endpoint over the network).
      • Storage: storage of information refers to placing information on a physical electronic storage medium that is part of the user or subscriber’s terminal equipment. This would typically occur by instructing software on the terminal equipment to generate specific information. The EDPB specifies in the use cases that “The ePD does not place any upper or lower limit on the length of time that information must persist on a storage medium to be counted as stored, nor is there an upper or lower limit on the amount of information to be stored”. This aspect implies that as long as something is kept on the terminal equipment, it will be considered “storage”.

The Guidelines provide helpful use cases which make it clear that tracking technologies using URLs and pixels, making information available on a server, tracking using IP addresses, IoT reporting, and the use of ‘unique identifiers’ and ‘persistent identifiers’ are potentially within the scope of Article 5(3), depending on the particular processing activity.

What does my organisation need to do and how can KPMG help?

Our team can help you understand whether the Guidelines apply to your organization and what tracking devices will fall within the scope of Article 5(3) once the EDPB publishes the final version. We can also review your existing privacy policies, consents, and data capture forms to ensure compliance with the law.

Further, the Guidelines are open to public consultation until 28 December 2023. If you would be interested in sending comments to the EDPB during the consultation period, we can help you prepare the response and act as intermediaries and signatories if you would like for your identity to remain confidential.

Contact the team

Emma Ritchie

Head of Data Protection & Privacy