2024 might finally be the year we forget about cookies. Or rather, look beyond cookies to all other technologies that perform similar functions but under a less catchy moniker.
With the ePrivacy Regulation still missing in action, cookies and other tracking technologies continue to be regulated primarily by Article 5(3) of the ePrivacy Directive. Article 5(3) concerns storing information on a user’s device and accessing any information already stored. In November last year, the EDPB released draft guidance on the technical scope of Article 5(3), causing shockwaves throughout the online ecosystem.
It has long been accepted that Article 5(3) applies much more broadly than just to cookies, encompassing similar technologies that perform reading or writing operations on a user’s device. The EDPB, however, has decided it includes pretty much any operation on a device concerned with connectivity. Activities within the sights of the EDPB include ephemeral storage such as caching and RAM, sending an IP address, and even the ‘storage’ that takes place when a user completes a form prior to submission. Unless these activities are “strictly necessary” to provide the service “explicitly requested” by the user, they need GDPR-standard consent.
The draft guidance prompted a very significant furore, with 58 formal responses to the consultation. People have argued that the EDPB’s interpretation will break the internet, disincentivise Privacy Enhancing Technologies, and make even contextual advertising subject to consent. There is also a parallel debate on whether the EDPB is overreaching by releasing guidance on ePrivacy at all and should stick to the GDPR.
As a general rule, EDPB guidance doesn’t tend to change much as a result of the consultation phase. Given the strength of feeling on this one, however, hopefully, it will prove the exception, and the EDPB will have a bit of a rethink.
Meanwhile, on a similar theme, the ad tech industry continues to prepare for a world beyond third-party cookies as more browsers end support for them. Safari and Firefox now block third-party cookies by default. In January, Chrome began phasing out third-party cookies, starting at 1% (although in April, Google announced a delay until Q1 2025, and it is still subject to addressing competition concerns). Not one to be left out, Microsoft Edge announced in March this year that it would begin experimenting with deprecating third-party cookies, continuing throughout 2024 (but with no firm timeline given).
All of this has prompted the ads ecosystem to think very hard about alternatives. Chrome has its Privacy Sandbox, and Microsoft has announced the Ad Selection API. More broadly, though, we’re seeing a greater emphasis on first-party identifiers such as encouraging account sign-ins, federated identity solutions and online and offline data matching. Recent privacy-enhancing technologies such as ‘trusted execution environments’ have also created opportunities for parties to match and share information about users without necessarily disclosing personal data. Even if third-party cookies become a thing of the past, behavioural advertising seems here to stay.
This article is part of our Data Protection Top 10 2024 publication.