Version 2.0 - Adopted on 7 October 2024

Executive summary

In these Guidelines, the EDPB addresses the applicability of Article 5(3) of the ePrivacy Directive to different technical solutions. These Guidelines expand upon the Opinion 9/2014 of the Article 29 Working Party on the application of ePrivacy Directive to device fingerprinting and aim to provide a clear understanding of the technical operations covered by Article 5(3) of the ePrivacy Directive.

The emergence of new tracking methods to both replace existing tracking tools (for example, cookies, due to discontinued support for third-party cookies by some browser vendors) and create new business models has become a critical data protection concern. While the applicability of Article 5(3) of the ePrivacy Directive is well established and implemented for some tracking technologies such as cookies, there is a need to address ambiguities related to the application of the said provision to emerging tracking tools.

The Guidelines identify three key elements for the applicability of Article 5(3) of the ePrivacy Directive (section 2.1), namely ‘information’, ‘terminal equipment of a subscriber or user’ and ‘gaining access and ‘storage of information and stored information’. The Guidelines further provide a detailed analysis of each element (section 2.2-2.6).

In section 3, that analysis is applied to a non-exhaustive list of use cases representing common techniques, namely:

• URL and pixel tracking
• Local processing
• Tracking based on IP only
• Intermittent and mediated Internet of Things (IoT) reporting
• Unique Identifier

The European Data Protection Board

Having regard to Article 70 (1)(e) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, (hereinafter, ‘GDPR’),

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018,

Having regard to Article 15(3) of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended by Directive 2009/136/EC (hereinafter, ‘ePrivacy Directive’ or ‘ePD’),

Having regard to Article 12 and Article 22 of its Rules of Procedure,

HAS ADOPTED THE FOLLOWING GUIDELINES:

1. INTRODUCTION

1. According to Article 5(3) ePD, ‘the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user’ is only allowed on the basis of consent or necessity for specific purposes set out in that As reminded in Recital 24 of the ePD, the goal of that provision is to protect the users’ terminal equipment, as they are part of the private sphere of the users. It results from the wording of the Article, that Article 5(3) ePD does not exclusively apply to cookies, but also to ‘similar technologies’. However, there is currently no comprehensive list of the technical operations covered by Article 5(3) ePD.
2. Article 29 Working Party (hereinafter, ‘WP29’) Opinion 9/2014 on the application of ePrivacy Directive to device fingerprinting (hereinafter, ‘WP29 Opinion 9/2014’) has already clarified that fingerprinting falls within the technical scope of Article 5(3) ePD, but due to the new advances in technologies further guidance is needed with respect to the tracking techniques currently observed. The technical landscape has been evolving during the last decade, with the increasing use of identifiers embedded in operating systems, as well as the creation of new tools allowing the storage of information in terminal equipment.