What should you urgently do during the first two weeks of 2024? Respond to the European Data Protection Board’s public consultation on ePrivacy. Why?
Every single interaction with information on a computer or information sent over the Internet will require a justification or consent, following the EDPB’s proposed guidelines on the technical scope of Art. 5(3) of the ePrivacy Directive (the so-called “cookie” rule).
The EDPB’s position is that this “cookie” rule applies not only to actual storage on a device and real access to (= active retrieval of) information from a device (like cookies, HTML5 storage etc.), but also to notably:
(i) the reading of URL parameters and other information transmitted automatically by your browser or operating system when you access a website or app and
(ii) the ephemeral existence of information on your device (e.g. the contents of a form you are about to send to a website, the parts of computer memory that are used to run software on your device, etc.).
It is unclear whether this is an oversight on the part of the EDPB, but in practice *everything* happening over the Internet or on a computer is covered, based on the EDPB’s stretched definitions of “storage” and “access”.
Yet pursuant to the ePrivacy Directive such “storage” or “access” must based on (i) consent, (ii) a justification that it is strictly necessary for a digital service *explicitly* requested by the user (or company subscriber) or (iii) a justification that it is done for the sole purpose of transmission of an electronic communication. [Reuse of that information beyond the communication or scope of the service then requires consent.]
The practical consequence of the EDPB’s stretching of the notions of “access” and “storage”? Banners explaining not only which types of cookies and the like are used but also every interaction with a computer and all information sent automatically as a result of how computers and the Internet work.
Cookieless doesn’t change a thing from that perspective.
As ? Chris van der Heijden?? put it, “Ready for cookie banners to be replaced with everything_on_the_internet banners?”.
So if you have some kinds of digital or connected activities, whatever you are – an adtech company, a publisher of digital content, a company using InternetOfThings / IoT devices to measure industrial equipment usage, a software development company, an app developer, a telecom company, an entertainment company, … – you really should react.
New deadline: 18 January 2024 (= in just 4 weeks).
[We are helping clients in various sectors to respond, some in their name, others through our intermediary – reach out if you need advice or some help.]
Links to some of my analyses:
– Short(er) article:�https://lnkd.in/eUrrHbwx
– In-depth two-parter “EDPB seeks to redefine ePrivacy”:
— Part I: By what authority?�https://lnkd.in/ekdviZ_K
— Part II: Overbroad notions and regulator activism?�https://lnkd.in/eDV4NSRX
gdpr data protection privacy
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗