Data Privacy Hub

The ePrivacy Directive has always required companies to receive user consent before storing or accessing information on a user's device via cookies or similar methods. In the European Data Protection Board's draft guidelines, they delve deeper into the technical scope of the regulation, which could cause a major shakeup to the adtech industry.

The guidelines clarify that:

• Cookie compliance obligations apply to personal AND non-personal data stored or accessed on any user device
• Only devices that are able to store information, like phones and computers, fall into the scope of the law. Devices like internet modems are not considered terminal equipment
• If someone attempts to access data stored in terminal equipment, the cookie rules apply. The draft guidelines makes the distinction that 'gaining access' (through methods like tracking cookies) is independent from 'storing information' (like when a browser stores cookies). However, both situations need to comply with the cookie requirements.

The EDPB's draft also specifies that cookie (and other tracking methods) obligations also apply across a wide range of use cases, notably including the use of URL and pixel tracking, local processing, IP-tracking, IoT reporting and other unique user identifiers.

In short, no matter what way you are attempting to track user data, you likely need to comply with the cookie rules to respect user privacy.