It’s been nearly two decades since the European Union’s ePrivacy Directive (2002/58/EC) was adopted. Following its amendment in 2009, it has required website operators to obtain consent for the use of non-essential cookies and other similar technologies (the so-called ‘cookie’ consent requirement).
Despite the passage of time, questions have persisted about the precise scope of the cookie consent requirement (exactly what technologies are caught), but recently the European Data Protection Board (EDPB) announced for consultation some new Guidelines that are intended to resolve any ambiguity.
Whilst the EDPB guidance is not directly applicable to UK-based website operators, the Guidelines will of course be of interest to those with pan-European operations, and they are also a useful indication as to how the UK Information Commissioner’s Office (ICO) may interpret the UK’s implementation of the ePrivacy Directive (that law being the Privacy and Electronic Communications Regulations 2003, or ‘PECR’, which lives on post-Brexit).
A quick recap – the ‘cookie law’
The black-letter law that the new Guidelines address (Article 5(3) of the ePrivacy Directive) is technology agnostic - it doesn’t mention the word ‘cookie’ (nor any other technology). The law says:
…the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent.
Therefore, the consent requirement applies whenever a person stores information, or accesses information that is stored, on a subscriber’s terminal equipment (e.g. the mobile phone that they use to access a website).
Cookies are traditionally the primary technology through which website operators (and others) might do that, hence this law is colloquially known as the ‘cookie law’. However, it has always been clear (and is now even clearer) that the law covers other technologies (as well as cookies).
About the new Guidelines
The Guidelines are intended to clarify exactly what is covered by the phrase ‘to store information or to gain access to information stored in the terminal equipment of a subscriber or user’, i.e. when the cookie consent requirement is triggered.
The Guidelines do not address thorny issues in relation to the cookie consent requirement (for example, the standard of consent that is required, or the possible exemptions to the consent requirement).
When are the consent requirements triggered?
The EDPB’s Guidelines clarify that the consent requirements are triggered if the operations:
- relate to ‘information’
- involve a ‘terminal equipment’
- are made in the ‘provision of publicly available electronic communications services in public communications networks’
- constitute a ‘gaining of access’ or ‘storage’.
Whilst the first three requirements are certainly not to be overlooked, the Guidelines are not particularly ground-breaking in relation to these elements, although there is useful clarity that the consent requirements:
- Aim to protect both non-personal data and personal data.
- Cover any device that is an endpoint of a communication, including devices that are rented or are used by multiple users or subscribers.
- Apply only where the communications service is publicly available – but it’s important to bear in mind that the fact that a network is made available to a limited subset of the public does not make such a network private (N.B. the ICO’s guidance refers to intranets as an example of a service that is unlikely to be a public communications service).
The commentary in relation to the fourth requirement, however, is especially interesting as, in a nutshell, it highlights that the consent requirements are likely to apply to many technologies which (until now) may have been thought (or argued) to be out of scope. In particular, the EDPB:
- Stresses that the Directive is aimed at protecting the confidentiality of communications and the integrity of devices, that any access may seriously intrude upon privacy, and that ‘gaining access’ must therefore be interpreted in a way that safeguards the user’s right to privacy.
- Confirms that ‘storage’ and ‘access’ are independent notions: both need not be present, nor be carried out by the same person, and if either one is present the consent requirements are triggered.
- Treats access as taking place wherever a technology “instructs” the terminal equipment to send information. That is the case where cookies are used, and it applies equally to other technologies, e.g. software that proactively calls an API (application programming interface) endpoint over a network, or JavaScript code that instructs the browser to send requests carrying content.
- Notes that access may be carried out by more than one person: one person may instruct the device to send information, and another entity may be the recipient.
- Describes ‘storage’ as typically taking place by instructing software on the device to generate specific information.
- Sets no lower limit on the length of time that information must persist on a storage medium to be considered ‘stored’, and makes storage independent of the type of medium on which the information is held on the terminal equipment. Information held in RAM, or even in a CPU cache, is therefore not excluded. Storage can even result from sensors integrated into the device, or from processes and programs executed on the terminal equipment.
If you’re thinking this all sounds rather technical and that this type of evaluation is the remit of an engineer rather than a lawyer or privacy specialist – you are correct!
However, the key takeaway is that the EDPB has signalled that ‘access’ and ‘storage’ are concepts that will be interpreted extremely broadly. If you think the technology you’re assessing might involve access or storage – it probably does.
To tie this all together and illustrate the breadth, the EDPB concludes by discussing various examples of technologies that are likely to trigger the consent requirements, including:
- URL and pixel tracking (i.e. technologies that are embedded in a piece of content like a website or an email, and which reference a remote resource, such as a 1x1 image, that the device fetches when the content is rendered). The EDPB says that it is “clear” that these technologies constitute a storage, at the very least through caching (temporary storage) mechanisms. Where content is sent to a user, these technologies also constitute an instruction to the terminal equipment to send back information.
- IP address tracking. Perhaps surprisingly for some, if tracking takes place by solely gaining access to a user’s IP address, this may also trigger the consent requirement. This will only be the case where the IP address “originates from the terminal equipment” of a user (i.e. a device that is an endpoint of a communication, rather than other equipment such as a corporate proxy, VPN gateway or carrier NAT whose address the server actually sees). Again, that’s a technical question, but what to do if you’re not sure? In that case, the EDPB says that the entity gaining access to the IP address must comply with the consent requirements.
- Use of ‘unique identifiers’. The EDPB specifically calls out the ad-tech industry’s use of unique or persistent identifiers that are derived from personal data (such as an email address) that is hashed on a user’s device, collected and then shared amongst various ad-tech participants to identify individuals. This information is input by the user (for example during a newsletter sign-up), and then temporarily stored on the terminal equipment of the user before being collected – and therefore the ‘storage’ requirement is met. In addition, the entity that collects the information instructs the browser to send it – and therefore the ‘access’ requirement is also met. This will be of concern to vendors and advertisers that are looking to embrace these technologies following the deprecation of third-party cookies.
Next steps
It remains to be seen whether the EDPB will adopt the Guidelines in their current form following their consultation but, if the current version is anything to go by, the Guidelines signal that we can expect further momentum from (some, if not all) European regulators in their enforcement of cookie consent requirements.
We do not anticipate that the ICO will update its guidance in this area. However, because PECR mirrors the Directive’s wording, the same reasoning could in principle be applied in the UK: the ICO’s existing guidance does not go as far as these draft Guidelines, but nothing in it favours a narrower interpretation. Whether the ICO will have the appetite to take such a stance is another question. We anticipate that it will not in the near future, at least while it is focusing its attention on other aspects of the consent requirements, including making it easier for users to reject tracking technologies.