On November 16, 2023, the European Data Protection Board (“EDPB”) issued draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (“Guidelines”). Article 5(3) is the provision that requires consent before storing or accessing information on an end user’s device. Over the years it has become known as the “cookie rule,” but it is technology-agnostic. The Guidelines expand upon guidance issued by the Article 29 Working Group in 2014, and are intended to clarify when the requirement applies to new tracking methods. The Guidelines are open to public consultation through December 28, 2023.
The Guidelines identify and explain the four key elements that trigger the obligation to obtain opt-in consent under Article 5(3) of the ePrivacy Directive (“ePD”). The Guidelines set forth an extremely broad interpretation of what constitutes “storing” and “accessing” information on a user’s device that arguably goes beyond the plain meaning of these terms. This interpretation is likely to be relevant for companies considering how to approach the discontinuation of third-party cookies on many browsers.
The Guidelines note that Article 5(3) of the ePD applies to “the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user”, which the EDPB breaks down into the following four elements, providing commentary on each:
- “Information” – The EDPB underscores that the rule applies to any information stored or accessed on an end-user device, whether the information is of a personal or non-personal nature.
- “Terminal equipment” – The EDPB clarifies that whenever a device is only relaying information without modifying it, it would not be considered “terminal equipment” under the ePD, and would therefore be out of scope of Article 5(3).
- “Electronic communications network” – The EDPB confirms that the broad definition of this term means that Article 5(3) applies—in effect—to any network system that allows transmission of electronic signals between nodes.
- “Gaining of access or storage” – The EDPB clarifies that the consent requirement applies where a company either stores information or gains access. It is not necessary to do both. The EDPB also states that the consent requirement applies:
- Where a company deploys software on the terminal equipment to generate specific information that will be stored. Further, the EDPB emphasizes that Article 5(3) ePD does not put any upper or lower limits on the length of time information must remain on a storage medium to be considered “stored,” nor on how much information is stored. This implies that even very short-term storage (e.g., caching) could be captured.
- Where a company wishes to access any information at all on the device, irrespective of the origin of the information (i.e., regardless of whether the information is generated by the device itself or, for example, by cookies or other trackers deployed on the device), and takes steps to obtain that access. The EDPB goes on to state that when a company sends specific instructions to terminal equipment, in order to receive information in the future, for example, when website cookies instruct an internet browser to send information in each subsequent HTTP call, consent is required.
On the other hand, the EDPB concedes that Article 5(3) will not apply if applications on terminal equipment process information entirely on the device (e.g., access to a camera, microphone, GPS sensor, or accelerator on a smartphone), and no information leaves the device.
The EDPB goes on to provide several examples of specific technologies to which Article 5(3) ePD applies. Many of these are well-known, for example pixel tracking, the collection of locally-generated information through an API, or the collection of identifiers that were hashed on-device. Others, however, represent an expansive interpretation of the law, and may be more controversial. In particular, the EDPB states that URL tracking is subject to Article 5(3) because URL tags (i.e., strings of numbers and letters that are appended to URLs to identify, for example, a click on an ad) are stored on a user’s terminal equipment, “at the very least through the caching mechanism of the client-side software”.
Organizations interested in submitting comments to the EDPB regarding the draft Guidelines should consult the EDPB’s web page dedicated to this topic for more information.
* * *
Covington’s Data Privacy and Cybersecurity Team regularly advises clients on the laws governing the use of cookies, trackers, and similar technologies. If you have any questions about the draft Guidelines or need support to submit comments for the public consultation, please do not hesitate to reach out.