Privacy & Information Security Law Blog

On November 16, 2023, the European Data Protection Board (“EDPB”) published its Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive (the “Guidelines”).

Article 5(3) of the ePrivacy Directive is most commonly known for establishing the cookie notice and cookie consent requirements in the EU. That said, Article 5(3) of the ePrivacy Directive applies to more than just cookies.  Article 5(3) provides that: “[…]the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.”

With the Guidelines, the EDPB aims to clarify what type of tracking technologies (in addition to cookies) fall within the technical scope of the above mentioned notice and consent requirements. To achieve this purpose, the EDPB carries out an analysis of the various components of Article 5(3) of the ePrivacy Directive, namely: (1) information; (2) terminal equipment; (3) electronic communications network; (4) gaining access; and (5) stored information and storage.

On the first component, the EDPB indicates that “the notion of information includes both non-personal data and personal data, regardless of how this data was stored and by whom.” This confirms that Article 5(3) applies regardless of whether the use of cookies or similar technologies storing or accessing information on someone’s terminal equipment involves the processing of personal data (in the context of the EU General Data Protection Regulation).

Regarding what should be considered as a terminal equipment, the EDPB argues that the ePrivacy Directive may be applicable to devices used by multiple users and that a terminal equipment may be comprised of any number of individual pieces of hardware, which together form the terminal equipment. Examples of devices that may be considered as a terminal equipment under the ePrivacy Directive include smartphones, laptops, connected cars, connected TVs and smart glasses.

The EDPB also states that the notion of “gaining access” is independent from the notion of “storing information”, and that both storage and access do not need to be present for Article 5(3) to be applicable.

Lastly, the EDPB clarifies that Article 5(3) is not only applicable to the use of cookies, but also to tracking pixels and tracking links, other device fingerprinting techniques, certain types of local processing where information is transferred outside of the user’s device, IoT reporting and certain instances of IP tracking.  

The Guidelines are open for public consultation until December 28, 2023. Read the Guidelines and the press release.