Stay Ahead of ePrivacy: Essential Guidelines for Adapting to Emerging Tracking Technologies

As new tracking technologies emerge – such as cookies and device fingerprinting – ensuring compliance with data protection laws can be challenging. To promote a unified understanding and clarify the legal requirements, the European Data Protection Board (EDPB) issues guidelines, recommendations, and best practices. These guidelines provide clear insights into the application of EU data protection laws, including the GDPR and the Law Enforcement Directive.

In particular, the EDPB’s recent Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive focus on Article 5(3) of the ePrivacy Directive, which governs how companies can store or access information on users’ devices. While the directive is well-established for technologies like cookies, its application to newer tracking methods, such as device fingerprinting or IoT tracking, has raised concerns. These guidelines address key technical operations, clarifying how Article 5(3) applies to various tracking methods and emphasizing the importance of user consent and transparency.

This blog post will explore the key elements of the EDPB guidelines and the implications of Article 5(3) of the ePrivacy Directive (ePD) for businesses, particularly those that store or access data on users’ devices through cookies, tracking pixels, or mobile apps. It also offers practical advice to help companies ensure compliance, protect user privacy, and navigate the complexities of emerging tracking technologies.

Key Implications for Companies

Increased Responsibility for Data Access and Storage:

• Companies must be aware that any storage or access to data on user devices—whether it’s done directly or through third parties—falls under the scope of Article 5(3) ePD.

• Even if the data is not directly stored by the company (e.g., through SDKs or third-party integrations like tracking pixels), the company is responsible for ensuring compliance with privacy laws.

Broader Definition of “Stored Information”:

• Information stored on a device can include a wide range of data types, from cookies and cached data to more obscure forms of storage like CPU cache or data created by APIs and sensors.

• This broad definition means that many technical operations previously overlooked, such as device fingerprinting, can now fall under the regulations.

Consent Requirements:

• Consent is required before storing or accessing data on users’ devices unless a specific exemption applies (e.g., strictly necessary cookies for website functionality).

• Companies must obtain explicit, informed consent from users before placing cookies or tracking pixels, or before using similar technologies that gather information from their devices.

Accountability for Third-Party Data Collection:

• Even if the company doesn’t directly collect data but facilitates third-party access (e.g., through tracking links, third-party scripts, or embedded content), it is responsible for ensuring that the third parties comply with ePD.

• This extends to affiliate marketing, behavioral tracking, and advertising solutions, where companies must ensure transparency about who collects user data and how it’s used.

Device-Specific Information:

• The directive covers all forms of data stored on or accessed from a user’s device, such as IP addresses, unique device identifiers, or information generated locally (e.g., via APIs or local processing on smartphones).

• IoT devices (e.g., smart home devices) that store or transmit user data also fall under the scope of Article 5(3), meaning manufacturers and service providers need to comply.

Key Actions Companies Should Take

Conduct a Full Data Mapping and Audit:

• Companies should perform a comprehensive audit of all data collected, stored, or accessed on users’ devices. This includes identifying cookies, tracking pixels, SDKs, IoT data streams, and any software that stores or accesses information on users’ terminal equipment.

• Be sure to review third-party tools and partners that may access user data through your systems.

Implement Robust Consent Mechanisms:

• Ensure that users provide informed, explicit consent before any data storage or access happens on their devices. Cookie banners and consent management platforms (CMPs) should provide clear information about the data being collected, who collects it, and for what purpose.

• Ensure users can easily withdraw consent at any time.

Review and Update Privacy Policies:

• Privacy policies must clearly explain how the company stores and accesses user data, including detailed information about third-party involvement, tracking technologies, and any local processing on users’ devices.

• Be transparent about your use of cookies, tracking pixels, and the like, ensuring that users understand what is being collected and why.

Implement Technical Safeguards:

• Ensure that data access complies with the principle of data minimization. Only collect data necessary for the service and minimize the duration of data storage on users’ devices.

• Ensure that third-party scripts or tools embedded in your website comply with ePrivacy Directive regulations, and regularly audit these integrations for compliance.
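As an added illustration of the consent mechanism and third-party script controls described above (example code, not from the EDPB guidelines or this post), the following consent gate only loads a tag once consent exists for the purpose it declares, treats only the "strictly_necessary" purpose as exempt, and unloads tags when consent is withdrawn. The purpose names, tag inventory and script URLs are constructed placeholders.

```javascript
// Consent gate for third-party tags. Every tag declares the purpose for which it
// stores or accesses data on the device; only "strictly_necessary" is treated as
// exempt from prior consent, everything else is blocked until granted and unloaded
// again on withdrawal. Purposes, vendors and URLs below are constructed.

const EXEMPT_PURPOSES = new Set(['strictly_necessary']);

class ConsentStore {
  constructor() { this.granted = new Map(); } // purpose -> ISO timestamp of the consent
  grant(purpose) { this.granted.set(purpose, new Date().toISOString()); }
  withdraw(purpose) { this.granted.delete(purpose); }
  isAllowed(purpose) { return EXEMPT_PURPOSES.has(purpose) || this.granted.has(purpose); }
  record() { return Object.fromEntries(this.granted); } // audit trail: what was consented, when
}

// Constructed tag inventory, in the shape a data-mapping audit would produce.
const TAG_INVENTORY = [
  { id: 'session-cookie', purpose: 'strictly_necessary', vendor: 'first-party', src: null },
  { id: 'analytics-sdk', purpose: 'analytics', vendor: 'placeholder-analytics', src: 'https://example.invalid/a.js' },
  { id: 'ad-pixel', purpose: 'advertising', vendor: 'placeholder-adtech', src: 'https://example.invalid/p.js' },
];

// Decide which tags may run. loader/unloader are injected so the decision logic
// has no DOM dependency and can be exercised outside a browser.
function applyConsent(inventory, consent, loader, unloader) {
  const loaded = [], blocked = [];
  for (const tag of inventory) {
    if (consent.isAllowed(tag.purpose)) { loader(tag); loaded.push(tag.id); }
    else { unloader(tag); blocked.push(tag.id); }
  }
  return { loaded, blocked };
}

// Browser loader: inserts the vendor script only once consent exists for its purpose.
function domLoader(tag) {
  if (typeof document === 'undefined' || !tag.src) return;
  if (document.getElementById(tag.id)) return; // already loaded
  const s = document.createElement('script');
  s.id = tag.id; s.src = tag.src; s.async = true;
  document.head.appendChild(s);
}

// Browser unloader: removes the script element. Cookies or local storage the vendor
// already wrote are not undone by this; clearing them is vendor-specific and belongs here too.
function domUnloader(tag) {
  if (typeof document === 'undefined') return;
  const s = document.getElementById(tag.id);
  if (s) s.remove();
}
```

In a page, `applyConsent(TAG_INVENTORY, store, domLoader, domUnloader)` is called on load and again after every grant or withdrawal from the CMP.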

Check for Exemptions:

• Determine whether any of the use cases qualify for consent exemptions under Article 5(3). For instance, essential cookies that are necessary for providing an explicitly requested service (e.g., online shopping cart functionality) might be exempt from consent.

• Ensure that you still inform users of the exemptions where appropriate.

Monitor and Adapt to Changes in Legislation:

• The ePrivacy Regulation (ePR), which is expected to replace the ePD, will likely bring further changes to these rules. Companies should stay informed about developments and adapt their practices accordingly.

• Maintain compliance with other data protection laws like the GDPR, which may overlap with or complement the ePD.

Key Takeaways for Companies

• Storage or Access is Broad: Any act of storing or accessing data on a user’s device, no matter how indirect, may fall under Article 5(3).

• Consent is Central: Unless exemptions apply, companies need explicit, informed consent before storing or accessing any information on a user’s device.

• Transparency: Users should be made fully aware of what data is being collected, who is collecting it, and why. This is essential for both user trust and legal compliance.

• Third-Party Accountability: Companies need to manage not only their own data practices but also the practices of any third parties accessing user data through their systems.

By taking these steps, companies can align themselves with the ePrivacy Directive, protect user privacy, and avoid potential legal penalties.

Disclaimer: This blog post is intended solely for informational purposes. It does not offer legal advice or opinions. This article is not a guide for resolving legal issues or managing litigation on your own. It should not be considered a replacement for professional legal counsel and does not provide legal advice for any specific situation or employer.