Insights EU ePrivacy Directive: European Data Protection Board (“EDPB”) seeks feedback on “cookie” guidance


Article 5(3) of the ePrivacy Directive (2002/58/EC) provides that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information, including about the purposes of the processing, and is offered the right to refuse such processing. This does not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary to provide an information society service explicitly requested by the subscriber or user.

The EDPB, an independent body tasked with ensuring consistent application and enforcement of data protection law across the EEA, has published draft guidance on article 5(3), specifically to clarify what is covered by “to store information or to gain access to information stored in the terminal equipment of a subscriber or user”. It does not consider the circumstances under which such processing may fall within the exemptions from the consent requirement (set out above). The guidance analyses the meaning of each of the elements of the law in turn – “information”, “terminal equipment”, “electronic communications networks”, “to store” and to “gain access” –  followed by a number of case studies.

For example, the guidance reiterates the position that “information” is not limited to cookies; nor is it limited to personal data. It can include several other technologies and even a virus. In one of the proposed case studies, the guidance analyses tracking pixels, a hyperlink to a resource embedded into a piece of content such as a website or email. In the case of an email, the sender may wish to detect when the receiver reads the email or, in the case of a website, the tracking pixel may link to an entity aggregating information to track the website users’ behaviour. Including tracking pixels in content sent to a user constitutes an instruction to the terminal equipment to send back the targeted information and, if distributed over an electronic communications network, could constitute gaining of access within the meaning of Art 5(3).

For more information and to respond to the call for feedback, which closes on 28 December 2023, click here.