The European Data Protection Board (EDPB) has released updated guidelines on the technical scope of Article 5(3) of the ePrivacy Directive.
These guidelines, adopted on 7 October 2024, aim to clarify the application of Article 5(3) to various technical solutions, particularly in light of new tracking methods and technologies.
What does Article 5(3) say?
The position in Article 5(3) of the ePrivacy Directive is that an organisation cannot use cookies (or similar technologies) unless the subscriber or user (i) is given clear and comprehensive information about the purpose of the cookie; and (ii) has given his or her consent to the use of the cookie.
Key points from the guidelines:
- Scope of Article 5(3) ePrivacy Directive:
  - Article 5(3) applies to the storing of information or gaining access to information already stored in the terminal equipment of a subscriber or user.
  - This provision is not limited to cookies and includes similar technologies that can store or access information on a user’s device.
- Technical analysis:
  - The guidelines provide a detailed analysis of what constitutes "information", "terminal equipment", "public communications network", and "gaining access". The EDPB makes it clear that the term "information" is broader than "personal data" and includes any data stored on the user’s terminal equipment.
  - The EDPB emphasises that the protection of users’ terminal equipment is crucial for safeguarding their private sphere and ensuring the confidentiality of their communications.
- Use cases:
  - URL and pixel tracking: Tracking pixels and links embedded in content to collect user data fall under Article 5(3) as they involve storing and accessing information on the user’s device.
  - Local processing: Information processed locally on a device and then accessed remotely is also covered by Article 5(3).
  - Tracking based on IP only: Collecting IP addresses for tracking purposes can trigger Article 5(3) if the IP address originates from the user’s terminal equipment.
  - Intermittent and mediated IoT reporting: IoT devices that store and intermittently report data are subject to Article 5(3).
  - Unique identifiers: The use of unique identifiers derived from personal data for tracking across different datasets is covered by Article 5(3).
- Implications for organisations:
  - Organisations must ensure they obtain user consent or meet the necessary exemptions under Article 5(3) when storing or accessing information on users’ devices.
  - Transparency is a key aspect of compliance, as users must be informed about the data being collected and the purposes for which it is used before consent can be obtained.
Organisations should review their data collection practices to ensure they align with these updated guidelines and maintain user trust and compliance.