EDPB Guidelines on the Implementation of „Cookie“ Rules

On November 16, 2023, the European Data Protection Board released guidelines concerning the scope of the application of Article 5(3) of the ePrivacy Directive. It should be noted that the Directive itself was first adopted by the European Union’s legislative bodies in 2002, but it was amended in 2009, primarily to regulate the consent necessary for the use of “cookies.” Cookies themselves are small text files stored on the device of the user by websites he visited, which help to make browsing more personalized by remembering preferences, login information, and activity. While their primary goal is to enhance the browsing experience, it is also important to know that they may be used to track browsing behavior across sites.

In an ever-changing world, which also includes the continuous change of the digital landscape, it is of essential importance to keep track of who is tracking our data. The goal of the adopted guidelines is to further regulate the use of cookies and similar tracking tools in order to provide the necessary level of protection for the users.

The adopted guidelines have been put very broadly in order to provide the users with the highest possible level of protection while simultaneously keeping the existing free-flowing browsing experience. Ambiguous definitions of terms such as “information“ and “terminal equipment of a subscriber or a user“ have intentionally been given in order to increase the level of transparency of tools that are accessing the personal data of users.

The Guidelines are primarily focused on cookies, but it is important to note that they also address what other types of tracking technologies fall within the „notice and consent“ requirements. These include, but are not limited exclusively to, URL and pixel tracking, local processing, as well as IoT reporting.

While the Guidelines provide a clear step forward in terms of protecting the privacy of end-users, it is important to recognize that these measures must continually evolve to address new tracking technologies and potential risks, supporting both user privacy and regulatory compliance in an ever-advancing digital environment.