A cookie is not just a cookie, according to the European Data Protection Board. The term also covers similar technologies, access, and the Internet of Things (IoT).
Here are some key takeaways you need to know from the EDPB’s draft guidelines clarifying the applicability of Art 5(3) of the ePrivacy Directive.
The operations carried out relate to ‘information’
This includes both non-personal data and personal data, regardless of how this data was stored and by whom, i.e. whether by an external entity (also including other entities than the one having access), by the user, by a manufacturer, or any other scenario.
The operations carried out involve a ‘terminal equipment’ of a subscriber or user.
- NOT a device that solely acts as a communication relay.
- May be comprised of any number of individual pieces of hardware, which together form the terminal equipment. This may or may not take the form of a physically enclosed device hosting all the display, processing, storage and peripheral hardware (for example, smartphones, laptops, connected cars, connected TVs, smart glasses)
- Terminal equipment that allows for personal correspondence and the legitimate interests of the legal persons to be carried out is protected. The user or subscriber may own or rent or otherwise be provided with the terminal equipment.
- Multiple users or subscribers may share the same terminal equipment in multiple communications (for example, in the case of a connected car) and a single communication may involve more than one terminal equipment. Protection is not dependent on whether the electronic communication was initiated by the user or even on whether the user is aware of the said communication.
The operations carried out are made in the context of the ‘provision of publicly available electronic communications services in public communications networks’
- Broad enough to cover any type of infrastructure. It includes networks managed or not by an operator, networks co-managed by a group of operators, or even ad-hoc networks in which terminal equipment may dynamically join or leave a mesh of other terminal equipment using short range transmission protocols.
- There is no limitation with regards to the number of terminal equipment present in the network at any time.
- The public availability of the communication service over the communication network is necessary for the applicability of Article 5(3) ePD.
- The fact that the network is made available to a limited subset of the public (for example, subscribers, whether paying or not, subject to eligibility conditions) does not make such a network private.
The operations carried out indeed constitute a ‘gaining of access’ or ‘storage’
- Storage and access do not need to occur within the same communication and do not need to be performed by the same party.
- Applies where the accessing entity instructs the terminal equipment to proactively send information on each subsequent HTTP (Hypertext Transfer Protocol) call (cookies).
- Applies where the accessing entity distributes software on the terminal of the user that will then proactively call an API (application programming interface) endpoint over the network.
- Applies when the entity instructing the terminal to send back the targeted data and the entity receiving information are not the same.
- As long as the networked storage medium constitutes a functional equivalent of a local storage medium (including the fact that its only purpose is for the user of the terminal equipment to store information that will be processed on the terminal equipment itself), that storage medium will be considered part of the terminal equipment.
- MAC or IP address of the terminal equipment
- Session identifiers (SSRC, Websocket identifier)
- Authentication tokens
- HTTP headers (including the “accept” field or user agent)
- Caching mechanisms (such as ETag or HSTS)
- Other functionalities (cookies being one of them)
Use of information by an application would not be subject to Article 5(3) ePD as long as the information does not leave the device, but when this information or any derivation of this information is accessed through the communication network, Article 5(3) ePD may apply.
Crypto mining: the sole fact that the software instructing the nefarious processing has been distributed over a network would imply the application of Article 5(3) ePD.
Tracking pixels and URLs: Provided that the pixel or tracked URL has been distributed over a public communication network, it is clear that it constitutes storage on the communication network user’s terminal equipment, at the very least through the caching mechanism of the client-side software. As such, Article 5(3) ePD is applicable. It can also constitute access.
IP address: Unless the entity can ensure that the IP address does not originate from the terminal equipment of a user or subscriber, it has to take all the steps pursuant to Article 5(3) ePD (e.g. IPv6).
- Devices have a direct connection to a public communication network, for example through the use of Wi-Fi or a cellular SIM card. In the first case, the IoT device, where it is connected to a public communications network, would itself be considered a terminal
- Other IoT devices do not have a direct connection to a public communication network and might be instructed to relay the information to another device through a point-to-point connection (for example, through Bluetooth).
- In both situations, Article 5(3) ePD would apply as it is. Through the instruction of the IoT device to send the dynamically stored data to the remote server, there is “gaining of access.”
- In the case of IoT devices connected to the network via a relay device (a smartphone, a dedicated hub, etc.) with a purely point-to-point connection between the IoT device and the relay device, the transmission of data to the relay could fall outside Article 5(3) ePD, as the communication does not take place on a public communication network. However, the information received by the relay device would be considered stored by a terminal, and Article 5(3) ePD would apply as soon as this relay is instructed to send that information to a remote server.
In the context of “unique identifier” collection on websites or mobile applications, the collecting entity is instructing the browser (through the distribution of client-side code) to send that information. As such, a “gaining of access” is taking place and Article 5(3) ePD applies.