Making sense of the EDPB guidelines on the scope of the ePrivacy Directive
- Thomas Ghys
In an attempt to cover “emerging tracking tools” under the ePrivacy Directive (ePD), EDPB Guidelines 2/2023[1] do more harm than good for data protection online. The broad interpretation of the ePD’s scope does not provide additional safeguards against tracking. Instead, the adopted guidelines create legal uncertainty for widely accepted use cases and strongly discourage the adoption of privacy-friendly tracking alternatives.
Before explaining why, I want to acknowledge that many organizations shared extensive and well-substantiated feedback during the consultation process for these guidelines. I recommend reading the submissions referenced in this post.
Article 5(3) of the ePD aims to protect the confidentiality of communications and of the user’s terminal equipment[2] through a consent requirement. “The use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed” on the basis of consent, or under one of two specific exemptions from consent.
The wording of Article 5(3) suggests that ‘storage’ and ‘access’ have boundaries. The reference to information “already stored” implies the deliberate retrieval of information. Caching, for example, as short-lived storage for responsiveness, has not been considered within the scope of the ePD until now. “Gain access” implies an active step to obtain information; reading cookies or device identifiers are the first examples that come to mind. Merely receiving an IP address within an HTTP request, however, does not appear to meet this threshold.
The EDPB essentially removes these boundaries. Under the new guidelines, any storage of, or access to, information on terminal equipment falls within the scope of the ePD. Storage now includes caching and the use of RAM, while access encompasses the passive receipt of an IP address, user agent string, and other components transmitted automatically by the HTTP protocol.
During the consultation, many respondents argued that this approach results in absurd consent requirements for uncontested use cases, including caching[3], RAM[4], CSS[5], tracking links[6], and tag management[7]. I will briefly highlight three further examples.
The first category at risk is anonymous analytics providers. The most privacy-friendly form of analytical tracking distinguishes visitors based on the URL, the user agent, a hashed IP address, and the referrer URL. The domain owner (a) receives this information whenever a user requests a page, (b) stores nothing on the user’s device, and (c) immediately aggregates the information. While France, the Netherlands, and Spain, among others, allow privacy-friendly analytics, including with cookies, without consent, the EDPB guidelines push towards consent.
Second, affiliate marketing links may require consent[8] despite pushback during the consultation. In its discussion of URL tracking, the EDPB omits that (a) users actively click on these links and (b) the identifiers in the URL primarily refer to the originating content rather than to the user.
Third, and perhaps most controversially, contextual targeting may now require consent. Contextual advertisements require device information to select an appropriate advertising format. Since this information is neither strictly necessary for the transmission nor explicitly requested by the user, consent may be required merely because the server passively receives the user agent in the HTTP request[9].
Without revisiting its longstanding opinion on the two consent exemptions, the EDPB introduces significant legal uncertainty. The exemptions call for a modern interpretation of necessity that extends beyond strictly technical arguments, as illustrated by the security example[10]. Contextual advertisements and the components commercially essential for advertising performance, such as fraud prevention, frequency capping and impression-level measurement, should be considered integral to financing a user-requested service[11]. The WP29 similarly recommended a more flexible stance on first-party analytics[12] back in 2012.
The cost of this legal uncertainty is not offset by improved data protection against more intrusive or novel forms of tracking. The GDPR already covers device fingerprinting[13] and identity-based tracking[14]. Cohort-based profiling, such as the Topics API and the Protected Audience API, falls under an active interpretation of storage and access. Precise geolocation for tracking already requires consent under the ePD, along with a device permission.
How to make sense of it all? An active interpretation of ‘storage’ and ‘access’ remains defensible. Neither the ePD itself nor the earlier opinions of the WP29 suggest an all-encompassing interpretation. The German Data Protection Conference[15] argued that “access requires a targeted transmission of browser information that is not initiated by the end user”. The CJEU does not consider the passive receipt of an IP address to fall within the scope of the ePD[16].
I encourage online service providers to apply first principles when analyzing the legal basis of tracking use cases. First, does the tracking single out individual users or their terminal equipment? If yes, the GDPR applies. Second, does the tracking involve active storage on, or access to, the terminal equipment? If so, does one of the consent exemptions under the ePD apply? If not, argue why the use case is not covered by Article 5(3). Where the GDPR and the ePD both apply, consent can be a good option if the original consent covers all processing activities. However, do not dismiss legitimate interest as a legal basis under the GDPR just because the ePD requires consent for access to personal data on terminal equipment.
Footnotes
1. EDPB, Guidelines 2/2023, adopted on 7 October 2024
2. ePrivacy Directive, recital 24
3. Submission 2/2023-0037 by Keller & Heckman
4. Submission 2/2023-0026 by IAB Europe
5. Idem
6. Submission 2/2023-0031 by Traficom
7. Submission 2/2023-0014 by European Publishers Council
8. EDPB, Guidelines 2/2023, section 3.1
9. This view would in fact conflict with the EDPB’s view on the ‘Free Alternative Without Behavioral Ads’, which I have covered here.
10. EDPB, Guidelines 2/2023, section 3.3
11. Relevant in this context is this interview with Peter Craddock on Masters of Privacy.
12. EDPB, Guidelines 2/2023, section 4.3
13. See WP29 Opinion 9/2014 on the application of the ePrivacy Directive to device fingerprinting.
14. Submission 2/2023-0056 by Eetu Ahonen covers this argument in depth.
15. Konferenz der unabhängigen Datenschutzaufsichtsbehörden des Bundes und der Länder, 20 December 2021
16. See submission 2/2023-0031 by Traficom.