On November 16, 2023, the European Data Protection Board (“EDPB”) issued draft Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (“Guidelines”). Article 5(3) is the provision that requires consent before storing or accessing information on an end user’s device. Over the years it has become known as the “cookie rule,” but it is technology-agnostic. The Guidelines expand upon guidance issued by the Article 29 Working Group in 2014, and are intended to clarify when the requirement applies to new tracking methods. The Guidelines are open to public consultation through December 28, 2023.
The Guidelines identify and explain the four key elements that trigger the obligation to obtain opt-in consent under Article 5(3) of the ePrivacy Directive (“ePD”). The Guidelines set forth an extremely broad interpretation of what constitutes “storing” and “accessing” information on a user’s device that arguably goes beyond the plain meaning of these terms. This interpretation is likely to be relevant for companies considering how to approach the discontinuation of third-party cookies on many browsers.