22 November 2023
New Guidelines published by the European Data Protection Board aim to clarify which tracking technologies require the consent of the user in accordance with Article 5(3) of the ePrivacy Directive. Spoiler alert – it’s most of them. Emma Ritchie, Head of Data Protection and Privacy, explains.
The ePrivacy Directive mandates that certain tracking technologies can only be used with the user’s prior informed consent. This is provided for by Article 5(3) of the Directive and is most commonly associated with the use of cookies.
However, Article 5(3) applies to more than just cookies, and last week the European Data Protection Board published draft Guidelines aimed at clarifying which tracking technologies (in addition to cookies) fall under this Article of the Directive.
Article 5(3) of the Directive states that in order to store or gain access on a user’s device, consent must be obtained from that user unless there is a necessity for such access or storage for a purpose set out by law.
It’s clear that the Article was intended to cover more than just cookies, and includes ‘similar technologies’, but there is no comprehensive list of what such technical operations are covered by Article 5(3).
This is where the draft Guidelines come in, with a particular focus on the emergence of new tracking methods to both replace existing tracking tools and create new business models. In the executive summary, the EDPB states: “While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to remove ambiguities related to the application of the said provision to emerging tracking tools.”
The Guidelines present an analysis on the scope of what is covered under Article 5(3) by the phrase ‘to store information or to gain access to information stored in the terminal equipment of a subscriber or user’.
The draft Guidelines are relevant to any organisation or website owner that tracks an internet user’s behaviours for purposes which require the consent of the internet user. For organizations engaged in:
these Guidelines are particularly relevant.
There are four key criteria to consider when determining whether a specific tracking technique will fall within the scope of the ePrivacy Directive:
The Guidelines provide helpful use cases which make it clear that tracking technologies using URLs and pixels, making information available on a server, tracking using IP addresses, IoT reporting, and the use of ‘unique identifiers’ and ‘persistent identifiers’ are potentially within the scope of Article 5(3), depending on the particular processing activity.
Our team can help you understand whether the Guidelines apply to your organization and to understand what tracking devices will fall within the scope of Article 5(3) once the EDPB publishes the final version. We can also review your existing privacy policies, consents, and data capture forms to ensure compliance with the law.
Further, the Guidelines are open to public consultation until 28 December 2023. If you would be interested in sending comments to the EDPB during the consultation period, we can help you prepare the response and act as intermediaries and signatories if you would like for your identity to remain confidential.