EDPB Guidelines on Cookies. The European Data Protection Board (EDPB) is seeking public feedback on draft guidelines regarding the technical scope of Article 5(3) of the Privacy and Electronic Communications Directive (ePrivacy Directive). The draft guidelines aim to extend the ePrivacy Directive to new tracking methods beyond cookies. They also aim to enhance legal clarity for data controllers and users by adapting the directive for modern digital technologies.
The draft guidelines focus on the key elements of the “Cookie” rules found in the ePrivacy Directive, comprising of the terms “information,” “terminal equipment of a subscriber or user,” “gaining access,” and “stored information and storage.” Notably, “information” in this context extends beyond “personal data” to protect the private sphere of users, including scenarios not involving personal data.
“Terminal Equipment” is defined broadly as equipment connected to a public telecommunications network. The “Electronic Communications Network” is described as any system enabling the transmission of electronic signals, regardless of infrastructure or management, thus encompassing a wide range of communication methods.
The concept of “gaining access” is interpreted to safeguard privacy rights against violations by third parties. This includes scenarios where storage and access might not occur within the same communication or be performed by the same entity.
The guidelines also address use cases including URL and Pixel Tracking, IP Address Tracking and Unique Identifiers, and data collection through interconnected devices.
EU-Wide Ban on Meta. In response to a request from the Norwegian Data Protection Authority, the EDPB issued an urgent decision instructing the Irish Data Protection Authority to impose a Europe-wide ban on Meta Ireland Limited’s processing of personal data for behavioral advertising on Facebook, without proper user consent. This step followed the Norwegian regulator’s imposition of daily fines on Meta and a temporary restraining order issued in August, enjoining Meta from continuing to collect data for targeted advertising. The Norwegian regulator asked the EDPB to extend these steps across the whole EU. In response, the EDPB instructed the Irish regulator to ban Meta from processing data for targeted advertising without user consent, particularly in light of Meta’s history of non-compliance.
Cookie Enforcement Campaign in the UK. The UK Information Commissioner’s Office (ICO) has alerted top websites to comply with data protection laws on cookies within 30 days. These regulations require user-friendly mechanisms to decline cookies for targeted advertising, ensuring that opting out is as straightforward as opting in. The enforcement campaign appears to focus on non-consensual targeted ads, particularly those affecting vulnerable individuals when users choose to decline the use of cookies for targeted ads. In January, the ICO plans to release an update on the compliance status of these websites, naming non-compliant companies.
Click here to read the Guidelines on Technical Scope of Art. 5(3) of the ePrivacy Directive.
Click here to read about the EDPB Urgent Binding Decision on the processing of personal data for behavioral advertising by Meta.
Click here to read more about the Commissioner’s warning to the UK’s top websites.