The EDPB released guidance last month to help companies understand their obligations when using newer tracking tools. These include pixels, URL tracking, IP-tracking, and the like. First, some background: an EU law that predates GDPR (Directive 2002/58/EC or the Cookie Directive), impacted how companies could interact with users on their computers. That directive was updated in 2009 (Directive 2009/136/EC or the ePrivacy Directive). Under the ePrivacy Directive, among other things, companies cannot “store” or “access” someone’s “terminal equipment” without consent. (There are some exceptions to the consent requirement.) In this recent guidance, the EDPB provided direction on when and whether passive tracking technologies were storing or accessing information on a users’ computer (or other device) such that the ePrivacy Directive requirements would apply.
In the guide, the EDPB reminded companies that the ePrivacy Directive requirements apply when the technology collects any information (not just personal information). Additionally, that in-scope equipment can be that owned or simply used by an individual. The equipment may also not be a computer, but could be a connected (IoT) device. And, that “access” can occur through technologies that place software on someone’s computer (APIs, JavaScript) or instructing protocols (SDKs, tracking pixels). Finally, that “storage” might be temporary, but will still be in scope for the ePrivacy Directive.
With these in mind, the EDPB outlined what it viewed as newer technologies that are in-scope for the ePrivacy Directive. This updates the list from the 2014 Working Party guidance (which included digital fingerprinting). The list provided in this new guidance included tracking pixels, when they are sent to the user’s computer and then return to the sender with specific information. It also included IP-only tracking, if the IP address “originates from the” user’s computer. The list the EDPB provided was not exhaustive, it stressed.
Putting It Into Practice: This guide is a reminder that new technologies can be viewed as in-scope for older laws. While this guidance is helpful, it does not outline the times when there might be an exception to the consent requirement. Something that the EDPB specifically called out. Privacy practitioners reviewing proposed tracking tools may find helpful the way that the EDPB analyzed these tools to determine whether or not the ePrivacy Directive would be viewed as applying.