UK and EU – Cookie rules to become the “law of everything”?
Helen Dixon, the former Irish Data Protection Commissioner, famously described the GDPR as the “law of everything”. The broad scope of the concepts of “processing” and “personal data” means almost everything any business does is subject to the GDPR.
Recent developments risk a similarly expansive application of the cookie rules. The UK’s Data (Use and Access) Bill will extend these rules to information automatically emitted by terminal equipment. The European Data Protection Board’s cookie guidelines take a similarly broad-brush approach.
This expansion is problematic. The analogue principles in the GDPR apply flexibly according to the sensitivity of the personal data; but the cookie rules take a blunt and binary approach. Either the use case falls within a narrowly defined exception, or GDPR-standard consent is needed.
The main target for these changes is “cookie-like” technologies, such as tracking pixels and browser fingerprinting, but there is a risk these changes are applied in an unexpected and unprincipled manner. We dive into the tangled legal and technical issues and consider the problems ahead.
What are the cookie rules?
The cookie rules originate from the EU ePrivacy Directive. This is lex specialis in relation to the GDPR and contains specific rules on privacy in the electronic communications sector.
Arguably, the impact of the ePrivacy Directive has been just as great as the GDPR given it is the progenitor of the endless and annoying cookie banners. The cookie rules are, at least, very shortly stated in a single sub-paragraph, Art 5(3):
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information… inter alia, about the purposes of the processing.
This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
There are a number of important points about the cookie rules:
- Scope: The crux of these rules is their scope – i.e. is there “storing of information, or the gaining of access to information already stored, in the terminal equipment” of a subscriber or user? The exact meaning of these words is not clear but, as we discuss below, may be expanded dramatically.
- Consent: Where the rules apply, they do so in a blunt and binary manner. Consent is required unless one of the narrow exemptions applies. That consent must meet the GDPR standard, which is burdensome and requires an informed and active choice.
- One-stop-shop: The one-stop-shop in the GDPR does not apply to the ePrivacy Directive and, in some cases, it is not even enforced by the national data protection authority. This has sometimes been used by national regulators to reformulate an alleged breach of the GDPR as an ePrivacy issue to side-step the constraints of the one-stop-shop and take direct action against a business with a main establishment in another Member State.
The Art. 5(3) cookie rules clearly apply to HTTP cookies, as the website provider first stores the cookie on the user’s browser and then accesses it on subsequent visits. They also apply to spyware programmes designed to access information on an individual’s computer without their consent.
The rules’ application in other situations – such as browser fingerprinting and tracking pixels – has been controversial given these activities can involve the unilateral transmission of information from the individual’s computer, without there necessarily being previous contact with the recipient website.
Expansion in the UK – All automatically emitted information caught
The UK intends to address this uncertainty by greatly expanding the scope of the “gaining access” concept in the cookie rules. Section 111 of the Data (Use and Access) Bill states that:
“a reference (however expressed) to storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user includes a reference to instigating the storage or access, and
except as otherwise provided, a reference (however expressed) to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment”
The second limb of this amendment is most important. This might be intended to apply narrowly to Wi-Fi MAC tracking and similar activities, albeit this is arguably now unnecessary as many phones now randomise MACs. However, it is drafted in extraordinarily wide terms to cover any information that comes out of a computer, phone, smart TV or IoT connected device; to the extent that it is produced “automatically” and “collected” or “monitored”.
The Data (Use and Access) Bill also expands the exceptions to the cookie rules. There will be no need for consent in the following situations:
- Strictly necessary: The list of situations in which processing is strictly necessary will expressly include security, fraud detection, detecting faults, authentication and maintaining details of the selections made.
- Analytics: The use of analytics cookies will be permitted without consent.
- Website appearance: The use of cookies will be permitted where needed to customise the appearance or functions of the service.
- Emergency assistance: There is an exception for geolocation to provide emergency assistance.
This expansion appears helpful. However, the exceptions need a detailed and case-by-case review, and some are subject to strict limitations (for example, only applying where the “sole use” of the information is for the identified exemption). The effect of crystallising these exceptions might even narrow them in some cases.
The exceptions also only apply to providers of “information society services”. They therefore might not apply to a broadcast streaming service (if the service is not at the individual request of the recipient), IoT manufacturers and similar.
Expansion by the EDPB – All online tracking requires consent?
The EDPB Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive take a similarly expansive approach to the scope of the cookie rules. However, the Guidelines are not always easy to follow and are an unfortunate mixture of very detailed technology analysis, and loose and inconsistent application of the law. It is also not clear the EDPB has competence to issue guidance on the ePrivacy Directive.
In any event, the guidelines take a broad approach to the concepts of “terminal equipment” and “electronic communications networks”. The guidelines also address the key requirement that there is the “storing of information, or the gaining of access to information already stored”. In relation to this:
- Passive v active “gaining access”: The guidelines make it clear that it is not necessary for both “storage” and “access” to take place, such that merely “gaining access” to information falls under the cookie rules. The question is whether that applies to “passive” behaviour (e.g. where the recipient website does nothing to instigate the access) or just where there have been “active” steps? Section 2 suggests this must be active in that “an entity takes steps towards gaining access” to information. However, the examples in section 3 include cases where “passive” behaviour is sufficient, such as simply receiving IP addresses.
- Storage and access can be by separate people: The person who stored information on the device and the person to whom the information is sent can be different people. For example, the fact party A sends the individual the code for a tracking pixel which then leads to a connection to the website of party B, does not take the activity outside the scope of these laws.
- Storage is broad: Similarly, the concept of storage is broad and includes placing any information on the relevant terminal equipment, including instructing the terminal equipment to generate and store information. There is no upper or lower time limit on storage so this would include transitory processing in RAM.
Reading between the lines, it appears the EDPB wants all online tracking to be subject to consent. However, that is not what the law says, even in light of the loose application of technical concepts in the ePrivacy Directive by the CJEU (see StWL C-102).
The EU intended to replace these rules entirely through the proposed EU ePrivacy Regulation. That included significant new detail about the operation of the cookie rules, but the proposed Regulation has made slow progress and may now be shelved.
Conceptual problems and examples
The expansion of the cookie rules raises a number of difficult conceptual problems. The main concern is that mere “passive” receipt of information from a terminal device seems to be sufficient to engage these rules. The UK amendments appear to expressly capture “passive” receipt and the EDPB guidelines provide mixed messages (see above). Even if there must be “active” steps to gain access, what does that mean in practice? For example, does the mere fact party B has a website that accepts HTTP connections count as “taking steps”?
This is important as where the information is used for mixed purposes, all of those purposes must fall within an exemption to avoid the need for consent. (“While it is possible to use a cookie for several purposes, such a cookie may only be exempted from consent if all the distinct purposes for which the cookie is used are individually exempted from consent” WP194).
It is worth considering what this could mean in practice. For example, this could mean standard IP address logging by a website will fall under the cookie rules – the website would need to identify all the use cases for those IP addresses, confirm if they are exempt and, if not, obtain consent. This might capture all sorts of other online interactions. For example, there is no reason why it would not capture other ‘business as usual’ interactions with websites, such as user input into a website search function.
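As an added illustration (not part of the article), the following Python helper labels the elements of a single HTTP exchange using the article's three concepts (information stored on the device, information read back from it, and information the device emits automatically) and then applies the WP194 test that every purpose must be individually exempt. The exemption list, purpose labels and sample exchange are constructed for this example and are not a statement of the law.

```python
from dataclasses import dataclass

STORAGE, ACCESS, EMITTED = "storage", "access", "emitted"

# Assumed exempt purposes, loosely following the exception categories the article lists
# for the Data (Use and Access) Bill; an illustrative list, not a legal one.
EXEMPT = {"transmission", "strictly-necessary", "security", "fraud-detection",
          "fault-detection", "authentication", "analytics", "appearance"}

@dataclass(frozen=True)
class Element:
    category: str  # STORAGE, ACCESS or EMITTED
    name: str      # cookie name, header name or "client-ip"
    value: str

def classify(client_ip, request_headers, response_headers):
    """Label the elements of one exchange. Headers are {name: value} dicts."""
    found = []
    for name, val in response_headers.items():
        if name.lower() == "set-cookie":  # site writes information onto the device
            found.append(Element(STORAGE, val.split("=", 1)[0], val))
    for name, val in request_headers.items():
        low = name.lower()
        if low == "cookie":  # site reads back what was stored earlier
            for pair in val.split(";"):
                cname, _, cval = pair.strip().partition("=")
                found.append(Element(ACCESS, cname, cval))
        elif low in ("user-agent", "accept-language", "referer"):
            found.append(Element(EMITTED, low, val))  # sent with no prior storage step
    found.append(Element(EMITTED, "client-ip", client_ip))  # emitted by TCP/IP itself
    return found

def needs_consent(elements, purposes):
    """Names whose declared purposes are not all exempt (WP194 test); an element
    with no declared purpose is flagged because its use is unaccounted for."""
    flagged = {el.name for el in elements
               if not purposes.get(el.name) or not purposes[el.name] <= EXEMPT}
    return sorted(flagged)

# Constructed sample: one page load with a session cookie already set on a prior visit.
SAMPLE = classify(
    "203.0.113.7",
    {"Cookie": "sid=abc123; lang=en", "User-Agent": "ExampleBrowser/1.0",
     "Accept-Language": "en-GB"},
    {"Set-Cookie": "sid=abc123; Path=/; HttpOnly"},
)
SAMPLE_PURPOSES = {"sid": {"authentication"}, "lang": {"appearance"},
                   "user-agent": {"fault-detection"}, "accept-language": {"appearance"},
                   "client-ip": {"security", "advertising"}}  # mixed: one purpose not exempt

def audit():
    return needs_consent(SAMPLE, SAMPLE_PURPOSES)  # returns ['client-ip']
```

Only the client IP is flagged: its security use is exempt, but the advertising use is not, so under the WP194 reading the whole element needs consent.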
In the real world
In practice, it is unlikely that regulators will start using the ePrivacy Directive to fine websites for logging IP addresses or offering search functionality. Enforcement will be targeted at existing areas of concern, such as tracking pixels and browser fingerprinting.
However, it is not beyond the realms of possibility that inventive claimant law firms will use the recast cookie rules to construct new and unexpected class actions. Or that some EU regulators exploit the changes to side-step the one-stop-shop provisions in the GDPR.
The messy legal and technical analysis above also highlights how difficult it will be to get to grips with this extension to the cookie rules and how many different situations are potentially affected. The cookie rules, in theory, create a new “law of everything” regulating almost all internet interaction.
It would be better if the scope of the cookie rules was clearer and more principled. In the UK at least, the Government should either remove section 111(2) from the Data (Use and Access) Bill or limit it to clearly defined “cookie-like” use cases that raise meaningful privacy concerns.
A longer version of this article containing a more detailed analysis of the implications of the new cookie rules for IP addresses and ‘business as usual’ user interactions will appear in the January edition of Privacy Laws & Business: UK Report.