New EDPB Guidelines on ePrivacy Directive: Sharper, Clearer, and More Comprehensive After Public Consultation
Ronni K. Gothard Christiansen
Creator @ AesirX | Empowering Digital Privacy with First-Party Analytics & Consent Management Solutions | 25+ Years Open Source Advocate | Privacy Champion
The European Data Protection Board (EDPB) has officially adopted the updated Guidelines 02/2024 on the technical scope of Article 5(3) of the ePrivacy Directive on October 7, 2024.?
These new guidelines follow the initial draft, Guidelines 02/2023, which was released for public consultation on November 14, 2023. After receiving valuable feedback during the consultation process, the final guidelines are now sharper, clearer, and more comprehensive, addressing new technologies and providing more precise interpretations of data tracking and consent.
These guidelines have always been binding for national Data Protection Authorities (DPAs), guiding them on the enforcement of Article 5(3), which regulates how consent is obtained when accessing information stored on users' devices. However, after the public hearing, the guidelines are not only better but also more technically aligned with the latest developments in tracking technologies, making them highly practical for businesses adapting to today's fast-changing digital world.
In this article, I will break down the key updates from the Guidelines 02/2024 , compare them with the previous version, and explain how they sharpen the application of Article 5(3). This is critical for businesses and digital platforms that handle data through cookies, device fingerprinting, and various tracking technologies.
Key Updates in the 2024 Guidelines
After the public consultation, the 02/2024 Guidelines include several refinements to better address modern tracking technologies and enable robust compliance with the ePrivacy Directive.
1. Broader Scope of "Information" Definition
One of the most important refinements is the expanded definition of "information". While the 2023 version already made it clear that Article 5(3) covers more than just personal data, the 2024 guidelines go further by confirming that non-personal data (e.g., MAC addresses, IP addresses) also requires user consent. This reinforces the idea that any stored information on a user's device, even if not tied to identifiable personal data, falls under the ePrivacy Directive's protection.
For example, this means that hidden identifiers or device-generated data, such as network interface identifiers or device sensors, must now explicitly require consent before being accessed.
2. Enhanced Clarity on "Gaining Access" and "Storage"
The final guidelines provide more technical depth in defining the terms "gaining access" and "storage". Both actions — storing information on a device and gaining access to it — must meet the requirements of Article 5(3), even if carried out by different entities. This update clears up any ambiguity by emphasizing that both actions trigger the need for consent, and they can happen independently.
Additionally, whether information is locally processed on the device or stored by the user or third party, if accessed by another entity, it constitutes "gaining access," thus requiring prior consent.
3. Revised Analysis of Technical Use Cases
The final guidelines maintain the use cases introduced in the 2023 version but expand the technical depth for each, providing clearer examples of how Article 5(3) applies in specific scenarios.
领英推荐
4. Strengthened Guidelines for Local Data Processing
The 02/2024 guidelines clarify that local processing on devices (such as browsers or smartphones) falls within the scope of Article 5(3) when the processed data is later accessed by a third party via client-side APIs. This means that businesses using local data processing technologies, like JavaScript-based processing, must obtain consent before accessing any locally processed information.
What the Updated Guidelines Mean for Businesses
The updated Guidelines 02/2024 mark a significant improvement in both the clarity and application of Article 5(3) of the ePrivacy Directive. For businesses, this means two things:
The 02/2024 guidelines are not just an incremental update; they represent a significant shift towards greater accountability for businesses involved in data processing and tracking technologies.
The Guidelines 02/2024 reflect the increasing complexity of the digital ecosystem, addressing new forms of tracking and clarifying what constitutes "gaining access" to information. For businesses, this means a clearer framework for compliance with Article 5(3) of the ePrivacy Directive, but also a reminder that compliance is not optional — it is a requirement that demands constant attention.
Moving forward, companies that proactively align with these updated guidelines will not only avoid regulatory scrutiny but also build trust and transparency with their users, gaining a competitive advantage in an increasingly privacy-conscious market.
Conclusion
The adoption of the Guidelines 02/2024 sets a new bar for data protection and privacy compliance across Europe. While compliance is a legal necessity, it also represents an opportunity for businesses to build stronger, more transparent relationships with their users. The updated guidelines provide clear rules for handling tracking technologies and data access, so that businesses can operate effectively while respecting user privacy.
For anyone managing data, from marketers to compliance officers, understanding and implementing these guidelines will be crucial to managing data privacy in the years ahead.
Ronni K. Gothard Christiansen // VikingTechGuy ?
Creator, AesirX.io
AesirX Privacy Scanner for WordPress: Check your WordPress site complies with the ePrivacy Directive and GDPR by using AesirX Privacy Scanner , which detects non-compliant elements like cookies and trackers.
Int. Sales Manager @Volla | 27214751 | [email protected]
1 个月Great news, great work! Now comes the phase where we need to make sure that hardware and software makes possible following laws and respecting rights, regulations and guidelines such as these. It's still much work to do in this respect.
Creator @ AesirX | Empowering Digital Privacy with First-Party Analytics & Consent Management Solutions | 25+ Years Open Source Advocate | Privacy Champion
1 个月European Data Protection Board New summary out on the latest Guidelines on ePrivacy Directive, thanks for making it crystal clear for tech organisations so that we can continue to build compliant solutions.