EDPB Guidelines 2/2023 on the on Technical Scope of Art. 5(3) of ePrivacy Directive

This Directive, and in particular Article 5(3), lays down requirements for the processing of information contained in users’ terminal equipment, establishing consent as the legal basis. In other words, it gives special protection to the terminal equipment of these users, as it is considered part of their private sphere.

The Guidelines propose a list of tracking technologies that should meet these requirements and and clarify the application of such requirements to well-known cookies but also other similar tracking technologies.

The approach taken by the EDPB was to define three criteria for the applicability of Art. 5(3) above:

• The operations carried out relate to any information (e.g. a broader definition than personal data);
• The operations carried out involve a ‘terminal equipment’ of a subscriber or user, which imply the need to assess the notion of a ‘public communications network’, terms that have been defined along the document;
• The operations constitute storage or gaining access. Although this do not need to occur within the same communication and do not need to be performed by the same party

Finally, the text provides for a list of use cases including URL and pixel tracking, unique identifiers, local processing, among others.