The European Data Protection Board (EDPB) recently released the 2024 version of its guidelines on the technical scope of Article 5(3) of the ePrivacy Directive, addressing the evolving nature of tracking technologies and their implications for user privacy. The updated guidelines aim to clarify how this specific article of the ePrivacy Directive applies to various tracking techniques, including cookies, device fingerprinting, and emerging technologies used to monitor user behavior online.
The guidelines expand upon previous opinions, specifically the 2014 Article 29 Working Party’s analysis on device fingerprinting. They underscore the importance of ensuring that tracking technologies respect users’ privacy by clarifying the conditions under which data storage and access on users’ terminal equipment (such as smartphones, computers, or IoT devices) are permissible. Central to the guidelines is the requirement for companies to obtain user consent before engaging in these practices, unless certain exemptions apply.
The EDPB emphasizes that the goal of Article 5(3) of the ePrivacy Directive is to protect users’ terminal equipment as part of their private sphere. This extends beyond personal data to include any form of information that could be stored or accessed on a user’s device, even if it is not personally identifiable. As such, the protection offered under this directive covers a wide array of technologies, including those that have emerged since the original drafting of the directive, such as new tracking mechanisms designed to replace cookies.
The guidelines identify three key elements for determining the applicability of Article 5(3):
- Information: Refers to any data that is stored or accessed on the user’s device, including both personal and non-personal information.
- Terminal Equipment: The guidelines clarify that terminal equipment can include smartphones, laptops, IoT devices, and any other hardware that can connect to a public communications network. This protection applies regardless of whether the user is aware that their equipment is being accessed.
- Storage and Access: The act of storing or accessing information on a user’s device, regardless of the method used, falls under the purview of Article 5(3). This includes storing cookies or accessing stored information via APIs.
One of the notable updates in the 2024 guidelines is the inclusion of a wider range of tracking technologies and use cases. The EDPB recognizes that the digital ecosystem has evolved, and the tools used for tracking users are no longer limited to traditional cookies.
The guidelines cover several specific scenarios:
- URL and Pixel Tracking: The use of tracking pixels embedded in emails or websites to monitor user behavior is explicitly addressed. These pixels function by triggering a communication from the user’s device to the server hosting the pixel, thereby collecting information about user actions.
- Local Processing: Some technologies involve processing information locally on a user’s device, such as through web browsers or mobile apps. If this locally processed information is later accessed by a third party, it would still fall under the protections of Article 5(3).
- Tracking Based on IP Only: The guidelines highlight that tracking based solely on IP addresses can also be subject to Article 5(3), particularly when the IP address originates from the user’s terminal equipment.
- IoT Devices: The guidelines account for the growing prevalence of IoT devices, which may continuously produce and transmit data. In cases where these devices relay information through a public communications network, the protections of Article 5(3) apply.
- Unique Identifiers: The use of unique or persistent identifiers to track users across multiple domains or services is also addressed. Even when identifiers are derived from non-personal data, such as hashed email addresses, they are still subject to the directive’s consent requirements.
For businesses that engage in digital marketing, analytics, or any activity that involves tracking users across the web, the EDPB’s updated guidelines serve as a reminder of the need to prioritize transparency and user consent. Companies must ensure that any technology used to store or access information on users’ devices complies with the consent requirements outlined in the ePrivacy Directive.
This includes implementing clear mechanisms for users to provide or withdraw consent and ensuring that tracking technologies are not deployed without the user’s knowledge. For example, companies employing tracking pixels or unique identifiers must ensure that these tools do not infringe upon users’ privacy without their explicit consent.