Consent for everything? EDPB guidelines on URL, pixel, IP tracking
I discuss this topic and potential legal problems for subscription and ad-funded business models (especially Meta’s) in a recent Mobile Dev Memo podcast with Eric Seufert.
You may know that the culprit behind cookie consent banners is not the GDPR but the older ePrivacy Directive, specifically its Article 5(3). The EDPB, a representative body of EU national data protection authorities, has just issued new Guidelines on this provision. Setting aside that they arguably didn't have the authority to issue the Guidelines, this new interpretation is very expansive. They would expect consent for e-mail pixel tracking, URL tracking, and IP tracking. In general, in their view, consent would be required for all Internet communication unless very limited exceptions apply (and those exceptions are narrower than the ones available under the GDPR).
Technically, the EDPB is accepting comments on this text until tomorrow, but its previous practice doesn't suggest that much will change. Hence, it is worth considering what this interpretation could mean for online advertising and, more generally, for web analytics.
First, a simple observation. When my browser connects to any website, it actively sends a great deal of information about itself to the server, mainly in the headers of each HTTP request (User-Agent, Accept-Language, and so on). You can play with the Am I Unique service to see what kind of information this is and how it allows your device to be distinguished from others. The server also necessarily learns my IP address, because TCP/IP cannot deliver a response without it.
The EDPB says that using this information on the server side, "for example in the context of fingerprinting or the tracking of resource identifiers," constitutes "abuse of those mechanisms." Consequently, they believe it requires prior user consent (just like cookies). This will likely mean consent before "gaining access" to user data, i.e., before user data reaches the server. My first thought is that situations where you can realistically ask for prior consent are not situations where you would need to rely on HTTP requests or IP data for analytics.
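To make the point concrete, here is an added illustration (not code from the original post) of what a server can derive from a single request without placing anything on the device. It parses a constructed HTTP/1.1 request, reads the passively sent headers and the TCP peer address, and hashes them into a stable identifier. The `utm_source` parameter in the URL stands in for URL tracking and the header-plus-IP hash stands in for fingerprinting; all header values and the IP address are invented for the example.

```python
"""Added illustration: what a server passively receives from a browser.

A minimal HTTP/1.1 request parser plus a server-side identifier built
only from request headers and the TCP peer address. The sample request
and IP address below are constructed for this example.
"""
import hashlib
from typing import Dict, Tuple

# Headers a browser sends on every request, without any script running.
PASSIVE_HEADERS = ("user-agent", "accept", "accept-language", "accept-encoding")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, target, headers) from a raw HTTP/1.1 request head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        # Header names are case-insensitive; a later duplicate wins here.
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def passive_fingerprint(client_ip: str, headers: Dict[str, str]) -> str:
    """Hash of attributes the server learns without storing anything on the device.

    The request target (URL) is deliberately left out so the same browser
    yields the same value across pages; a real tracker might add it.
    The \\x1f separator keeps adjacent fields from running into each other.
    """
    parts = [client_ip] + [headers.get(h, "") for h in PASSIVE_HEADERS]
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()[:16]


# Constructed sample: a typical first request to a page, with no cookies at all.
SAMPLE_REQUEST = (
    b"GET /article?utm_source=newsletter HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Accept-Language: pl-PL,pl;q=0.9,en;q=0.8\r\n"
    b"Accept-Encoding: gzip, deflate, br\r\n"
    b"\r\n"
)
SAMPLE_CLIENT_IP = "203.0.113.7"  # constructed; documentation (TEST-NET-3) range


def describe(raw: bytes, client_ip: str) -> Dict[str, str]:
    """Everything the server can log from one request: IP, URL, headers, derived ID."""
    method, target, headers = parse_request(raw)
    info = {"client_ip": client_ip, "method": method, "target": target}
    info.update({h: headers.get(h, "") for h in PASSIVE_HEADERS})
    info["fingerprint"] = passive_fingerprint(client_ip, headers)
    return info


if __name__ == "__main__":
    for key, value in describe(SAMPLE_REQUEST, SAMPLE_CLIENT_IP).items():
        print(f"{key:16} {value}")
```

Nothing here asks the browser for anything it did not already send, which is precisely why the Guidelines treat server-side use of this data as "gaining access" to information on the terminal equipment.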
As Peter Craddock noted (for a more detailed legal analysis, I recommend Peter’s ongoing commentary on LinkedIn):
The new guidelines appear to centre around one key idea: the ePrivacy Directive’s “cookie” rule should apply to everything that is in any manner the reflection of an interaction – past or present, active or passive, direct or indirect – with a user’s “terminal equipment”.
Overall, the EDPB effectively says that processing any information from a user device, or sending any information to a user device, requires consent unless one of two exceptions applies.
How narrow?
There are two exceptions:
(1) “the sole purpose of carrying out the transmission of a communication over an electronic communications network” and
(2) “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
Regarding traffic analytics and advertising, I’d argue that the second exception could apply. After all, what is necessary for funding a service or for a better understanding of customers may be strictly necessary to provide a service with the level of quality demanded by users. But this would require a broader understanding of “necessity” than European privacy authorities tend to adopt under the GDPR. I wrote about that in Facebook, Instagram, “pay or consent” and necessity to fund a service. As I explained there, one of the key aspects of the narrow interpretation of “necessity” under the GDPR is that it only covers “technical necessities for service provision, excluding economic or business necessities such as the need to generate revenue.” I don’t think it’s likely that EU privacy authorities will adopt a different interpretation of “necessity” here (under the ePrivacy Directive) than under the GDPR.
Given that only those two alternatives to consent exist here, there is no "legitimate interest" option like the one under the GDPR. Notably, there isn't even a "legal obligation" alternative, which at least raises doubts about situations in which data processing is required by some other law (especially national law rather than EU law): would that separately require user consent?
How significant is this going to be in practice? This is hard to predict. I'm sure that if you ask the public officials responsible for the new Guidelines, they will say not to worry and that the new interpretation will only be enforced against real "abuses." Of course, what they see as abuse (their examples: e-mail pixel tracking, URL tracking, IP tracking) may also be standard business practice. Hence, my short-term bet is that we'll see some high-profile enforcement action against a large technology company, which the rest of the industry will perceive as an isolated problem of that company.