The European Data Protection Board (EDPB) has officially adopted the updated Guidelines 02/2024 on the technical scope of Article 5(3) of the ePrivacy Directive on October 7, 2024.
These new guidelines follow the initial draft, Guidelines 02/2023, which was released for public consultation on November 14, 2023. After receiving valuable feedback during the consultation process, the final guidelines are now sharper, clearer, and more comprehensive, addressing new technologies and providing more precise interpretations of data tracking and consent.
These guidelines have always been binding for national Data Protection Authorities (DPAs), guiding them on the enforcement of Article 5(3), which regulates how consent is obtained when accessing information stored on users' devices. However, after the public hearing, the guidelines are not only better but also more technically aligned with the latest developments in tracking technologies, making them highly practical for businesses adapting to today's fast-changing digital world.
In this article, I will break down the key updates from the Guidelines 02/2024, compare them with the previous version, and explain how they sharpen the application of Article 5(3). This is critical for businesses and digital platforms that handle data through cookies, device fingerprinting, and various tracking technologies.
Key Updates in the 2024 Guidelines
After the public consultation, the 02/2024 Guidelines include several refinements to better address modern tracking technologies and enable robust compliance with the ePrivacy Directive.
1. Broader Scope of "Information" Definition
One of the most important refinements is the expanded definition of "information". While the 2023 version already made it clear that Article 5(3) covers more than just personal data, the 2024 guidelines go further by confirming that non-personal data (e.g., MAC addresses, IP addresses) also requires user consent. This reinforces the idea that any stored information on a user's device, even if not tied to identifiable personal data, falls under the ePrivacy Directive's protection.
For example, this means that hidden identifiers or device-generated data, such as network interface identifiers or device sensors, must now explicitly require consent before being accessed.
2. Enhanced Clarity on "Gaining Access" and "Storage"
The final guidelines provide more technical depth in defining the terms "gaining access" and "storage". Both actions — storing information on a device and gaining access to it — must meet the requirements of Article 5(3), even if carried out by different entities. This update clears up any ambiguity by emphasizing that both actions trigger the need for consent, and they can happen independently.
Additionally, whether information is locally processed on the device or stored by the user or third party, if accessed by another entity, it constitutes "gaining access," thus requiring prior consent.
3. Revised Analysis of Technical Use Cases
The final guidelines maintain the use cases introduced in the 2023 version but expand the technical depth for each, providing clearer examples of how Article 5(3) applies in specific scenarios.
- Pixel and URL Tracking: The 02/2024 guidelines give more detailed treatment to tracking pixels and URL tracking, confirming that both require explicit consent. This is critical for businesses using email marketing or website analytics tools, where tracking pixels are used to monitor user interactions.
- IP-based Tracking: The guidelines now clearly state that even tracking technologies based solely on IP addresses are subject to Article 5(3). This is particularly important for businesses using geolocation services or IP-based marketing, as they must ensure compliance when tracking users' IPs.
- Intermittent IoT Reporting: A key refinement in the 02/2024 guidelines is the expanded treatment of IoT (Internet of Things) devices. These guidelines clarify that when data from IoT devices is stored locally and later transmitted to a server, consent is required under Article 5(3). This was not as clearly outlined in the previous version, making it crucial for industries that rely on connected devices.
4. Strengthened Guidelines for Local Data Processing
The 02/2024 guidelines clarify that local processing on devices (such as browsers or smartphones) falls within the scope of Article 5(3) when the processed data is later accessed by a third party via client-side APIs. This means that businesses using local data processing technologies, like JavaScript-based processing, must obtain consent before accessing any locally processed information.
What the Updated Guidelines Mean for Businesses
The updated Guidelines 02/2024 mark a significant improvement in both the clarity and application of Article 5(3) of the ePrivacy Directive. For businesses, this means two things:
- Greater responsibility in how tracking technologies are implemented: From IP tracking to IoT devices and pixel-based tracking, all mechanisms that store or access information on user devices must now follow even stricter consent requirements.
- Compliance requires ongoing vigilance: As new tracking technologies emerge, businesses need to continuously assess their compliance with Article 5(3). The guidelines now provide a strong foundation, but the digital landscape is always evolving, and staying compliant requires forward planning and flexibility.
The 02/2024 guidelines are not just an incremental update; they represent a significant shift towards greater accountability for businesses involved in data processing and tracking technologies.
The Guidelines 02/2024 reflect the increasing complexity of the digital ecosystem, addressing new forms of tracking and clarifying what constitutes "gaining access" to information. For businesses, this means a clearer framework for compliance with Article 5(3) of the ePrivacy Directive, but also a reminder that compliance is not optional — it is a requirement that demands constant attention.
Moving forward, companies that proactively align with these updated guidelines will not only avoid regulatory scrutiny but also build trust and transparency with their users, gaining a competitive advantage in an increasingly privacy-conscious market.
Conclusion
The adoption of the Guidelines 02/2024 sets a new bar for data protection and privacy compliance across Europe. While compliance is a legal necessity, it also represents an opportunity for businesses to build stronger, more transparent relationships with their users. The updated guidelines provide clear rules for handling tracking technologies and data access, so that businesses can operate effectively while respecting user privacy.
For anyone managing data, from marketers to compliance officers, understanding and implementing these guidelines will be crucial to managing data privacy in the years ahead.
Ronni K. Gothard Christiansen // VikingTechGuy
Creator, AesirX.io
AesirX Privacy Scanner for WordPress: Check your WordPress site complies with the ePrivacy Directive and GDPR by using AesirX Privacy Scanner, which detects non-compliant elements like cookies and trackers.