Guidelines 2/2023 on the Technical Scope of Art. 5(3) ePrivacy Directive
The EDPB's adopted interpretation of exactly which technologies the ePrivacy "storage or access" rule catches — tracking pixels, tracked links, device fingerprinting, IP-based tracking, local processing and IoT reporting, not just cookies. The reference for deciding whether an audit finding engages the consent rule at all.
- Published by
- European Data Protection Board (EDPB)
- Type
- Guidelines — adopted (Version 2.0, 16 October 2024, following public consultation)
- Jurisdiction
- EU / EEA — ePrivacy Directive Art. 5(3); persuasive (not binding) for UK PECR regulation 6 analysis
- Primary audience
- DPOs, privacy counsel and adtech/martech owners interpreting what a website audit found
- Topic tags
- cookies & tracking · ePrivacy · pixels & fingerprinting · consent · audit interpretation
- Availability
- Free PDF, English, edpb.europa.eu. Expands on Art. 29 WP Opinion 9/2014 on device fingerprinting.
Why it matters
An audit tool tells you what your site sets and sends; it does not tell you which of those findings engage the consent rule. These Guidelines do. The EDPB works through the three conditions — "information", "terminal equipment of a subscriber or user", and "storage or gaining access" — and then applies them to the borderline cases that fill real audit output: tracking pixels and tracked URLs, device fingerprinting, ephemeral local processing, IoT telemetry and IP-only tracking. The practical consequence is uncomfortable and worth knowing: much tracking that involves no cookie at all still falls within Article 5(3), so a "cookieless" architecture is not a consent-free architecture. For a UK reader the Guidelines are not binding, but they are the most systematic regulator treatment of the technical-scope question available and a defensible reference when classifying WEC or EDPB audit-tool findings that are not cookies. Read alongside the ICO's 2026 storage-and-access guidance for the binding UK position.
