A technology-neutral law that has been misinterpreted
Under the EU’s ePrivacy Directive, adopted in 2002 and last amended in 2009, a service provider (e.g. a website operator) may by default store information on a user’s device, or access information already stored there, only if the user has given consent. To add to the complexity, that consent must meet the standard of the EU General Data Protection Regulation: it must be freely given, specific, informed and unambiguous. A disclaimer such as “by using this website you consent to tracking” or a pre-ticked consent box won’t do.
The only situations where consent is not required are where the information is stored or accessed for the sole purpose of carrying out the transmission of a communication, or where the storage or access is strictly necessary to provide the service explicitly requested by the user. In practice, this covers for instance mandatory cookies or other tools used to ensure a website’s technical functioning and security.
The law, which was last updated 15 years ago, quite understandably devotes most of its attention to the tracking tools of that time: cookies. Although cookies are described only as an example and the Directive applies equally to all “similar technologies”, many have interpreted the law only to regulate cookies and some other types of file-based tracking technologies. As a result, consent forms for cookies – so-called cookie banners – are now quite common, while for other tracking technologies the user’s consent is rarely asked.
Fresh, clear rules of the game
In its Guidelines, the EDPB now looks at the different circumstances in which consent should be obtained when tracking tools (also other than cookies) are used. In summary, the Board’s position is that any form of non-necessary tracking that uses any information on or provided by a user’s device (like the IP address or device identifier of the device) or that stores any information on the user’s device requires consent.
In principle, consent is required from every user, including where the user being tracked is a company or other legal person. Nor does the question depend on whether personal data are processed in the same context: consent is also required for anonymous tracking if it involves storing information on, or reading information from, the user’s device.
To clarify its position, the EDPB assesses some of today’s tracking technologies and how they fit within the law’s scope. The Board underlines that the technologies assessed are only examples and by no means a complete list of tools that may require user consent. We’ll now look at a few situations that arise in most companies’ day-to-day activities.
Hidden tracking on websites and in newsletters usually requires consent
First, the EDPB looks at two popular modern technologies: analytics pixels and tracking URLs. Analytics pixels are tiny (usually a single pixel, as the name implies) and therefore practically invisible images that can be embedded in web pages, email messages or any other electronic environment.
The idea is that when a user opens a message or navigates to a page, the user’s browser or email client fetches the pixel from the sender’s server, and that request tells the website provider or email sender that the content was displayed, together with the time of the request, the requesting IP address and the user agent. If the pixel’s address contains a per-recipient identifier, the open can be attributed to an individual recipient. This information is used to deduce that the user has taken a certain action.
Analytics pixels are a popular technique for measuring audience engagement. All well-known email delivery services offer pixel-based tools to measure message opens, reads, reactions and conversions. On websites, analytics pixels can be used to see things like what content users are browsing, how much time they spend on it, and where the “hot spots” receiving clicks are.
A tracking URL, on the other hand, is a web address with identifiers embedded in it (typically as query parameters) that single out a specific user or a specific user session. This is common practice especially in e-commerce, but it is also used in advertising and marketing links to track clicks and conversions.
Using the “cid” identifier requires the customer’s consent if it’s for instance used to measure the effectiveness of the campaign.
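To see what the pixel and tracking-URL mechanisms described above look like from the sender’s side, here is an added example (my own illustration, not code from the original article, from the EDPB or from any of the vendors mentioned) that scans an HTML newsletter or web page for the two tracking mechanisms: remote images that are hidden or 1×1 in size, and links whose query strings carry campaign or recipient identifiers such as “cid”. The list of parameter names and the sample newsletter are constructed for illustration and are assumptions, not a definitive list; the example.com addresses are placeholders.

```python
"""Audit an HTML newsletter or page for likely tracking pixels and tracking URLs."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query-string keys often used to single out a campaign, session or recipient.
# This list is an assumption for illustration; real tooling would extend it.
TRACKING_PARAMS = {
    "cid", "uid", "sid", "email",
    "utm_source", "utm_medium", "utm_campaign", "utm_content", "utm_term",
    "gclid", "fbclid",
}


class TrackerScanner(HTMLParser):
    """Collects hidden remote images (pixels) and links carrying identifiers."""

    def __init__(self):
        super().__init__()
        self.pixels = []           # src of images that look like tracking pixels
        self.tracking_links = []   # (href, [identifier keys]) for tracking URLs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            # A pixel must be fetched from a remote server to report the open;
            # inline data: URIs cannot report anything, so they are ignored.
            if src.startswith(("http://", "https://")) and self._looks_hidden(a):
                self.pixels.append(src)
        elif tag == "a":
            href = a.get("href") or ""
            ids = self._identifiers(href)
            if ids:
                self.tracking_links.append((href, ids))

    @staticmethod
    def _looks_hidden(a):
        """1x1 (or 0x0) dimensions or CSS hiding are the usual pixel tells."""
        width = (a.get("width") or "").strip().rstrip("px")
        height = (a.get("height") or "").strip().rstrip("px")
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = width in ("0", "1") and height in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style

    @staticmethod
    def _identifiers(url):
        """Return the query keys of a URL that match the tracking-parameter list."""
        query = parse_qs(urlparse(url).query)
        return sorted(k for k in query if k.lower() in TRACKING_PARAMS)


def scan_html(html):
    """Parse HTML and return the pixels and tracking links found in it."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    return {"pixels": scanner.pixels, "tracking_links": scanner.tracking_links}


# Constructed sample newsletter: one campaign link with identifiers, one plain link,
# one 1x1 open-tracking pixel, one ordinary logo image and one CSS-hidden pixel.
SAMPLE_NEWSLETTER = """
<html><body>
<p>Hello! Read our <a href="https://example.com/blog/post?cid=spring2024&amp;uid=42">latest post</a>.</p>
<p>Or visit the <a href="https://example.com/about">about page</a>.</p>
<img src="https://mail.example.com/o/abc123.gif" width="1" height="1" alt="">
<img src="https://example.com/logo.png" width="200" height="80" alt="Logo">
<img src="https://t.example.com/px" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_NEWSLETTER)
    for src in report["pixels"]:
        print("likely tracking pixel:", src)
    for href, ids in report["tracking_links"]:
        print("tracking URL:", href, "identifiers:", ", ".join(ids))
```

Run against an outgoing campaign before sending it: any hit means the message carries tracking that, on the Board’s reading, needs the recipient’s separate consent, unless you can show the identifier is strictly necessary for the service the recipient asked for.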
Although some other tracking tools, such as measuring user activity through mouse movements or mobile-app heatmaps, are not specifically mentioned in the Guidelines, it’s safe to assume that any tracking technology is covered if it stores information on the user’s device or makes use of information received from the device (such as cursor positions reported by the user’s browser or tap locations reported by the user’s phone).
Based on our reading of the Guidelines, user consent is always required if tracking tools are used for the purposes of targeting advertising, analysing customer and user flows, tracking conversions, analysing user activity or any other tracking that is not strictly necessary for providing the service or functionality that the customer is looking to receive.
In the context of websites, tracking without consent has to serve a function related to the technical functionality or security of the website the customer is browsing. It is permissible to add a unique identifier to a web address if it is necessary, for instance, to secure a customer portal login. However, a user ID appended to an address for Google Analytics is probably not technically necessary for providing the website to the customer; it serves the vendor’s marketing purposes instead. Consent is required even if the same identifier serves a technically necessary purpose on the one hand but also other purposes on the other.
All kinds of web analytics may now require consent
An important clarification in the new Guidelines concerns analytics and other types of tracking on websites. As mentioned, many have until now assumed that the ePrivacy Directive only requires consent if cookies or similar files are stored on users’ devices. As a result, many have wrongly assumed that the law imposes no restrictions on so-called cookie-free analytics, which is based on collecting IP addresses, device identifiers and the like and which stores nothing on the user’s device.
Matomo Analytics, an open-source platform that among other things respects user privacy, has long offered a cookie-free option for collecting website usage data. This is largely why public authorities and privacy-minded companies (Varoen included) prefer it over Google Analytics.
However, the Board’s guidance makes it clear that the requirement for user consent does not only apply to the use of cookies and other such files, but that consent is also required when any data on the user’s device or provided by the device (e.g. at the request of a website) is used for analytics. In other words, tracking based on device-specific IP addresses or other device identifiers (and, of course, cookies and other files already on the device) also requires consent, as it makes use of information on or provided by the user’s device. It should be kept in mind that consent is needed even if the information used in the tracking is not personal data.
Since its inception, Varoen has always asked its website users for their consent for anonymous and cookie-free analytics.
Again, even in the case of web analytics, consent is not needed if the tracking is strictly necessary for the provision of the website or other service. For instance, singling out and analysing website users is perfectly acceptable without consent if it is done only for load balancing or for detecting and preventing DDoS attacks.
Sending newsletters requires special attention
Based on the EDPB’s Guidelines, it is clear that if your company uses analytics pixels, tracking links or other tracking technologies in its newsletters and promotional messages, you need the recipient’s consent. If you use platforms such as Mailchimp and HubSpot to send newsletters, this deserves particular attention: most of these mainstream options have pixel-based tracking turned on by default, and it is your responsibility to turn it off where it is unlawful.
For tracking to be allowed the company has to get a consent from its email recipients. It doesn’t matter if the tracking technologies collect personal data or if they are used for non-personal statistics such as “open rate” or “click rate”. Consent is also required for anonymous tracking.
Even if consent is obtained for the actual sending of newsletters (a so-called marketing consent), it is not enough: the law requires separate consent specifically for the use of tracking technologies. Some services allow you to edit the consent forms. If the service you are using allows this, you should see to it that the form clearly states the type of tracking you are using and asks for the legally required consent for analytics.
The guidance does not change the law, only clarifies it
There’s nothing completely new in the EDPB’s new Guidelines. The use of tracking pixels was first discussed in an opinion issued by the Board’s predecessor (the Article 29 Working Party, “WP29”) as early as 2006. In 2014 the Working Party published another set of guidelines to try to correct the persistent misunderstanding that consent would only be required for cookies and not for other “similar technologies”.
In some EU countries, such as France, it has been a national policy for years that the use of tracking pixels requires the consent of users.
The EDPB’s 2024 guidance basically just confirms that the law has not changed, and the use of tracking pixels and tracking URLs on websites and in email communications still requires the consent of the recipient.
What is new is that it is now being discussed in the light of current legislation, bringing the issue back to the centre of the debate. It also clarifies the scope of the law, and any ambiguities and novel “loopholes” are now explicitly excluded. This may well mean that EU supervisory authorities will start to pay more attention to the use of tracking technologies in electronic environments. In addition, people will inevitably become increasingly aware of their rights, and complaints about hidden tracking may start to rise.
How to make sure you're compliant
While the EDPB guidance offers nothing entirely new to data protection professionals, as of now few companies are fully compliant with the ePrivacy Directive. In a great many cases analytics pixels and other tracking technologies are used unlawfully, especially in newsletters but also on websites, where the requisite consent is normally asked for cookies but not for other types of tracking.
Remarkably, the Board’s guidance seems to have caught a number of newsletter and web-analytics service providers off guard; until now they have offered analytics and tracking features that are unlawful in their default configuration. Time will tell whether these providers bring their tools into line with the law.
Pending a remedy, we recommend that if your company sends email newsletters or uses analytics tools on its website, you ensure that the services you use are able to comply with the law.
In web analytics, Matomo Analytics for example offers the possibility to block its tools until the user has consented to cookies and other tracking. When asking for consent, it is important to make clear that if the user permits the use of cookies and other tools, the website will collect analytics data about their visit.
For newsletters, obtaining consent for tracking can be more difficult. When using HubSpot, Mailchimp or other newsletter services, “email tracking” should be turned off until it is certain that the service allows you to obtain the legally required consent for tracking technologies. The tracking is often on by default, so it is worth taking a look at the service settings.
Ethical and legal risks from non-compliance
The above recommendations are first and foremost directed at Varoen’s customers: companies that want to operate sustainably and respect the rights and freedoms of their own customers and other stakeholders. Failing to adhere to the European Data Protection Board’s Guidelines already poses significant short-term ethical risks for any company that conducts responsible business.
In the longer term, the EDPB’s guidance should not be ignored also from the legal point of view. Apart from the fact that the Board is composed of the data protection supervisors of EU Member States and its position corresponds to that of those authorities, both domestic and other European authorities and courts generally follow the Board’s Guidelines as such when investigating data protection infringements and issuing penalties for non-compliance.
In Finland, the use of cookies and other such technologies is monitored by the Finnish Transport and Communications Agency (Traficom), which cannot issue penalties under the EU’s General Data Protection Regulation, so direct financial risks from non-compliance may be low. However, if tracking tools are used to process any personal data (such as IP addresses and device identifiers), the matter may fall within the jurisdiction of the Finnish Data Protection Ombudsman, which can escalate the risks very quickly. In other EU countries such as France, the use of cookies and similar technologies is monitored directly by the national Data Protection Authority, which may significantly raise the risk of penalties for unlawful cookie policies and similar mishaps compared with the Finnish approach.
In the end it’s important to remember that it is your company’s responsibility to ensure that all your data protection activities fulfil the ethical expectations of stakeholders and legal requirements. Even if Google, Mailchimp or another large service provider enables unlawful processing of personal and device data, it does not make it ethically acceptable or legally compliant.
If you want help with making sure your data protection activities are in order, we’re here for you! Book a no-risk meeting free of charge, and let’s see what’s happening.
Follow us on LinkedIn. We’ll post updates on this and other topics that are useful for your business.