The EDPB has released new Guidance for public consultation (available here) on the Technical Scope of Art 5(3) of the ePrivacy Directive. This Directive is otherwise known as the 'cookie law', but the EDPB makes clear that the scope of the Directive is much wider than cookies. The Guidance seeks to address the applicability of the ePrivacy Directive to different tracking tools.
Much of the Guidance is unsurprising; however, it does contain a very wide reading of what is meant by "storage", "information" and "access" (which may have unintended consequences). It is already causing ripples in the privacy / tech community and there will be much for the EDPB to consider as it takes in consultation comments.
The Guidance is available for comment until 28th December 2023.
First, a recap:
Art 5(3) of the ePrivacy Directive:
‘….the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information…’
There are then two exemptions to this consent requirement: where the sole purpose of the storage or access is the transmission of a communication, or where it is strictly necessary to provide a digital service explicitly requested by the subscriber or user.
The Guidance doesn't touch the exemptions – those are covered by separate guidance from 2012 issued by the EDPB's predecessor, the Article 29 Working Party (WP29 Opinion 4/2012 on Cookie Consent Exemption, WP 194).
So, what does the new Guidance tell us?
Some things are unsurprising:
- There are four key elements for application of Art 5(3):
  - ‘information’;
  - ‘terminal equipment’ of a subscriber or user;
  - in the context of the ‘provision of publicly available electronic communications services in public communications networks’; and
  - ‘gaining access’ or ‘storage’.
- Art 5(3) does not just apply to traditional cookies. The storage of any information, or the access of information already stored, on a user device is sufficient.
- 'Information' is broadly defined and does not need to be "personal data".
- Any information "accessed" need not actually originate on the device – it could have been stored there by another entity.
The new Guidance analyses the four key criteria in greater detail, applies them to new technologies and reflects on areas of uncertainty.
- What constitutes "terminal equipment" of a subscriber is not just a laptop/PC/smartphone, but any connected device (IoT etc).
- Art 5(3) only applies in the context of a public network – so not ad hoc networks within a house/workplace. It is broad enough to cover any type of infrastructure. It includes networks managed or not by an operator, networks co-managed by a group of operators, or even ad hoc networks.
- An IP address may be information in scope depending on how it is collected. For example, some IP addresses are generated by the ISP (not on the device). Where the IP address originates from the terminal equipment and "gaining of access" takes place, Art 5(3) applies.
- In relation to using an App:
  - Use of an API (application programming interface) in an App to collect data would amount to access from the device; a browser is not needed.
  - Mere access through (and use within) an App is not enough; the information does need to leave the device.
- Information generated by an App or website on a device and then sent back to a server is within scope (say the EDPB). The fact that the information is "locally generated" – just before being sent back – does not preclude Art 5(3). As a broader example of this, unique IDs generated by an adtech company on a device will also be in scope.
Somewhat surprisingly, there are two points which open a very wide reading of the law.
- On the notion of storage, it is sufficient for information to be in random access memory (RAM) – or in the central processing unit (CPU) of the device – even though it persists only for as long as the device is switched on. The EDPB are motivated to take this reading as they want to impose a consent obligation on many common tracking technologies which do not use long-term storage on the device; for example, tracking pixels, which may only work while an email is actually being read on the device, or a webpage is actually being viewed.
- Tracking links are similarly within scope. A link arriving, say, in an email may contain the email address of the addressee (or some other ID). When the email is opened, then that link will "transmit" the email address or the ID back to the server. Is this really information accessed that was stored on the device? Again, motivated by a desire to require consent for tracking operations, the EDPB say it is. It makes no difference that the ID within the link may never be stored other than "dynamically".
The problem with this wide reading is that – taking this approach – almost anything that appears within a browser or on an App will be "information" that is "stored" – ePD Article 5(3) doesn't require both storage and access – storage alone is enough.
If these types of technologies are in scope, with dynamic storage being enough, then why wouldn't any unwanted/unrequested content also be in scope (subject, of course, to possible exemptions)? For example, any banner advert on a website visited, or in the body of an email, will be information "stored".
As for the exemptions, it is not easy to see how any "unwanted" content (whether used for tracking or not) is ever going to be within any of the exemptions within Art 5(3) (necessary for a communication or specifically requested by the individual).
The only distinction appears to be that the tracking pixels and links are used for, of course, "tracking". But that is not a requirement within Art 5(3).
As such, a broad reading of this Guidance could lead to some unintended results, or at least leave uncertainty.
As an aside, a criticism could also be made that the EDPB is overstepping its jurisdiction by issuing this type of guidance, on grounds such as the fact that the ePD is not enforced by a data protection regulator in all member states (and you have the curious situation that privacy regulators are telling, say, telco regulators how to interpret laws that the latter safeguard). Moreover, Art 5(3) applies not only to "personal data".
What should businesses do?
Although the Guidelines – for most tracking uses – do not radically change the landscape, they serve as a useful reminder of how the law seeks to protect users in an evolving world. And, as a consequence of clarifying the scope of application, the EDPB potentially paves the way for future enforcement – at least against tracking using pixels and similar.
As for the UK, it remains to be seen whether the ICO will join in with this wide reading – although they have always said that tracking pixels are in scope. Formally, of course, the ICO is not bound by this. As an aside, the ICO has recently announced that it has written to some of the UK's top websites giving them 30 days to make changes to their cookie compliance.
The draft Guidelines are open for consultation until 28th December 2023.