Beyond cookies

The ePrivacy Directive ambiguity

Article 5(3) of the Directive states that in order to store or gain access on a user’s device, consent must be obtained from that user unless there is a necessity for such access or storage for a purpose set out by law.

It’s clear that the Article was intended to cover more than just cookies, and includes ‘similar technologies’, but there is no comprehensive list of what such technical operations are covered by Article 5(3).

This is where the draft Guidelines come in, with a particular focus on the emergence of new tracking methods to both replace existing tracking tools and create new business models. In the executive summary, the EDPB states: “While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to remove ambiguities related to the application of the said provision to emerging tracking tools.”

The four key criteria

There are four key criteria to consider when determining whether a specific tracking technique will fall within the scope of the ePrivacy Directive:

1. The operations carried out relate to ‘information’:
   • According to the EDPB, ‘information’ refers to both non-personal and personal data.
2. The operations carried out involve a ‘terminal equipment’ of a subscriber or user:
   • If a device only conveys information without modifying it, it will not fall within the scope of the ePrivacy Directive.
   • Any device connected to a public network to send, process, or receive information will be considered ‘terminal equipment’ (e.g., smartphones, laptops, connected cars, or connected TVs).
   • The protection applies not only to natural persons but also to legal persons.
3. The operations carried out are made in the context of the “provision of publicly available electronic communications services in public communications networks”:
   • In the Guidelines, the EDPB sets the limits of the context in which Article 5(3) applies. The EDPB has clarified the network would be considered public even when it is only available to a certain number of people, for example in the case of subscribers.
4. The operations carried out indeed constitute a ‘gaining of access’ or ‘storage’:
   • The Guidelines analyse these concepts separately, as both actions do not need to occur within the same communication or be carried out by the same entity:
     • Gaining Access: the entity must take active steps to gain access to the information stored in the electronic equipment (e.g., an entity that installs software on the terminal equipment that calls an API endpoint over the network).
     • Storage: storage of information refers to placing information on a physical electronic storage medium that is part of the user or subscriber’s terminal equipment. This would typically occur by instructing software on the terminal equipment to generate specific information. The EDPB specifies in the use cases that “The ePD does not place any upper or lower limit on the length of time that information must persist on a storage medium to be counted as stored, nor is there an upper or lower limit on the amount of information to be stored”. This aspect implies that as long as something is kept on the terminal equipment, it will be considered “storage”.

The Guidelines provide helpful use cases which make it clear that tracking technologies using URLs and pixels, making information available on a server, tracking using IP addresses, IoT reporting, and the use of ‘unique identifiers’ and ‘persistent identifiers’ are potentially within the scope of Article 5(3), depending on the particular processing activity.