Ah? Rule of Thumb?
You may have noticed that we’ve rebranded ourselves a bit (if you haven't, skip this part and dive right in).
We’ve rebranded this newsletter to the “Rule of Thumb”. Why?
Well, for one, you may not have heard, but it’s now become the rule of thumb to read our newsletter. Obviously. And also because, like (y)our favorite digit that helps us grasp things, our goal is to help you grasp and stay on top of never-ending digital governance issues. And so, we’re broadening our scope to cover topics that affect the tech world.
But that’s not all – from now on, we’ll serve these updates in bite-sized compliance nuggets that are easily digestible and quick to grasp. And because of that, you can indulge in them weekly every Wednesday. Why Wednesday, you ask? Well, who doesn’t like a midweek kick of a compliance roundup that keeps you in the know?
So, without further ado, let's welcome our bite-sized compliance updates that will take you no more than 2 minutes to read! (Unless you’re a bit slow, but hey, no judgment here).
🍪 Cookie Monster's Nightmare
🎯 Why it matters:
Your toaster might need consent to spy on you now - and it's not just about cookies anymore.
🔑 Key points:
Article 5(3) of the ePrivacy Directive gets a tech-savvy makeover:
Applies to ANY information, not just personal data
Covers both direct and indirect network connections
Even temporary storage counts
Location of data storage doesn't matter
"Information" isn't just personal data - it's everything on your device:
Files you create
System information
Sensor data
Device identifiers
Even viruses (yes, really)
Your smart fridge is now "terminal equipment" if it:
Can connect to public networks (even indirectly)
Processes or sends information
Has network interfaces (even if not currently connected)
Is part of a home IoT setup
"Gaining access" includes when:
Your device sends data proactively
Third parties request data
Software on your device calls home
SDKs collect and transmit data
Tracking pixels phone home
Tracking techniques now explicitly covered:
Pixels in emails and websites
URL parameters
IP address tracking (with caveats)
Local processing that sends data externally
IoT device reporting
Unique identifiers (even if user-provided)
🔍 The bigger picture:
As tech evolves, so do privacy laws. This guidance aims to keep your gadgets from gossiping about you behind your back, whether they're cookies, smart devices, or sneaky tracking pixels.
📍 Bottom line:
The EDPB is playing whack-a-mole with sneaky tracking techniques. They're casting a wide net to catch everything from traditional cookies to your chatty IoT devices. The message is clear: if you're storing or accessing info on user devices, you'd better have a good reason (or consent).
👀 What’s next:
More consent popups (because we totally needed more of those)
IoT devices might become a bit less chatty
Marketers and ad-tech firms scrambling to adapt
Possible increase in local processing to avoid triggering Article 5(3)
❓ Questions you should be asking:
Do your devices store ANY information, even temporarily?
Does your code make devices send data anywhere?
Are you using any unique identifiers, even hashed ones?
Do your IoT devices report data, even intermittently?
Are you collecting IP addresses from user devices?
Go Deeper: European Data Protection Board Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive (October 16th, 2024)