ARTICLE
7 November 2024

EDPB Provides Insight For Use Of Tracking Tools

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
The EDPB released guidance last month to help companies understand their obligations when using newer tracking tools. These include pixels, URL tracking, IP-tracking, and the like.
European Union Privacy

The EDPB released guidance last month to help companies understand their obligations when using newer tracking tools. These include pixels, URL tracking, IP-tracking, and the like. First, some background: an EU law that predates GDPR (Directive 2002/58/EC or the Cookie Directive), impacted how companies could interact with users on their computers. That directive was updated in 2009 (Directive 2009/136/EC or the ePrivacy Directive). Under the ePrivacy Directive, among other things, companies cannot "store" or "access" someone's "terminal equipment" without consent. (There are some exceptions to the consent requirement.) In this recent guidance, the EDPB provided direction on when and whether passive tracking technologies were storing or accessing information on a users' computer (or other device) such that the ePrivacy Directive requirements would apply.

In the guide, the EDPB reminded companies that the ePrivacy Directive requirements apply when the technology collects any information (not just personal information). Additionally, that in-scope equipment can be that owned or simply used by an individual. The equipment may also not be a computer, but could be a connected (IoT) device. And, that "access" can occur through technologies that place software on someone's computer (APIs, JavaScript) or instructing protocols (SDKs, tracking pixels). Finally, that "storage" might be temporary, but will still be in scope for the ePrivacy Directive.

With these in mind, the EDPB outlined what it viewed as newer technologies that are in-scope for the ePrivacy Directive. This updates the list from the 2014 Working Party guidance (which included digital fingerprinting). The list provided in this new guidance included tracking pixels, when they are sent to the user's computer and then return to the sender with specific information. It also included IP-only tracking, if the IP address "originates from the" user's computer. The list the EDPB provided was not exhaustive, it stressed.

Putting It Into Practice: This guide is a reminder that new technologies can be viewed as in-scope for older laws. While this guidance is helpful, it does not outline the times when there might be an exception to the consent requirement. Something that the EDPB specifically called out. Privacy practitioners reviewing proposed tracking tools may find helpful the way that the EDPB analyzed these tools to determine whether or not the ePrivacy Directive would be viewed as applying.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More