So… is the information “stored” and “accessed” through use of a CAPTCHA strictly necessary to the provision of the service explicitly requested by a user, namely the service of being able to submit a form? From the perspective of common interpretations of data protection authorities also in charge of ePrivacy enforcement, you would expect “no”, given their strict position on service improvement and similar topics when looking at the “contract” legal ground under the GDPR.
Yet on the EDPB’s webform for contributing to their public consultation on their ePrivacy Guidelines, a CAPTCHA is used to prevent spam. This clearly works on the basis of information that is “stored” ephemerally on a device and that is “accessed”, based on the EDPB’s interpretation – which would require consent unless a consent exemption (e.g. the “service” one) applies.
Here, the EDPB does not request consent to that end (and its cookie consent banner does not cover that either). Does the EDPB then implicitly consider that anti-fraud and anti-spam is strictly necessary?
[Humour, for those still wondering]
Back on topic: I strongly recommend reading this submission once it’s available (perhaps more on this later today) – and also the IAB Europe one.
Edit: here’s the IAB Europe one: https://lnkd.in/ediZ4Cxq
And one we prepared for clients wishing to contribute without drawing attention to their identity: https://lnkd.in/e67zSX3a
Edit 2: For those who aren’t yet aware, this has to do with the EDPB’s new guidelines, which change the scope of Art. 5(3) of the ePrivacy Directive (often called the “cookie” rule) to cover pretty much any interaction (active /passive, initiated/automatic) with a computer or other user device. Here are some in-depth comments on the guidelines I published two months ago:
– Part I: By what authority? https://lnkd.in/ekdviZ_K
– Part II: Overbroad notions and regulator activism? https://lnkd.in/eDV4NSRX
All submissions to the public consultation will also be published shortly.
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗