The European Data Protection Board (EDPB) recently released the 2024 version of its guidelines on the technical scope of Article 5(3) of the ePrivacy Directive, addressing the evolving nature of tracking technologies and their implications for user privacy. The updated guidelines aim to clarify how this specific article of the ePrivacy Directive applies to various tracking techniques, including cookies, device fingerprinting, and emerging technologies used to monitor user behavior online.

Clarifying the Scope of Article 5(3)

The updated guidelines build on earlier opinions, including the Article 29 Working Party’s 2014 analysis of device fingerprinting. The EDPB now expands that work to cover a wider range of technologies. The Board explains that Article 5(3) protects the user’s terminal equipment—not just personal data—by setting rules for when companies may store or access information on a user’s device. Under these rules, companies must obtain clear, informed consent before storing or accessing data unless a specific exemption applies.

Three Key Elements of Applicability

The guidelines identify three key elements for determining the applicability of Article 5(3):

1. Information: Refers to any data that is stored or accessed on the user’s device, including both personal and non-personal information.

2. Terminal Equipment: The guidelines clarify that terminal equipment can include smartphones, laptops, IoT devices, and any other hardware that can connect to a public communications network. This protection applies regardless of whether the user is aware that their equipment is being accessed.

3. Storage and Access: The act of storing or accessing information on a user’s device, regardless of the method used, falls under the purview of Article 5(3). This includes storing cookies or accessing stored information via APIs.

Expanded Coverage for Emerging Tracking Technologies

The 2024 guidelines recognize that modern tracking methods go far beyond traditional cookies. As a result, the EDPB outlines how Article 5(3) applies across several key scenarios.

• URL and Pixel Tracking: Tracking pixels in emails or websites trigger communication from the user’s device. Because this process accesses stored information, it falls within Article 5(3).

• Local Processing and Later Access: Some systems process data locally before transmitting it to a third party. If a company later accesses that information, the activity still requires user consent.

• Tracking Based on IP Only: Even tracking that relies only on an IP address can fall under Article 5(3) when the address comes from the user’s device.

• IoT Devices: Many IoT products transmit large amounts of data. When these devices send information through a public network, Article 5(3) protections apply.

• Unique Identifiers: Persistent identifiers—such as hashed email addresses—can track behavior across multiple sites or services. These identifiers also require prior consent.
  

What the Guidelines Mean for Businesses

The EDPB’s updates serve as a direct reminder that companies must place transparency and user control at the center of their digital practices. Any technology that stores or retrieves information on a user’s device must follow strict consent requirements.

That includes:

• Clear consent collection mechanisms

• Easy withdrawal options

• Honest disclosures about tracking tools such as pixels, cookies, or device identifiers

The guidelines also warn against deploying tracking tools without user knowledge, which would violate the ePrivacy Directive.

Need Help?

If you have questions or concerns about the EU’s AI guidelines, or any global guidelines, regulations and laws, don’t hesitate to reach out to BABL AI. Their Audit Experts can offer valuable insight, and ensure you’re informed and compliant.