
Reach measurement with or without consent?

The less invasive measurement of reach on websites through the processing of visitors’ IP addresses has not previously required consent.

However, the European Data Protection Board (EDPB) has now made statements in its guidelines interpreting Article 5(3) of the ePrivacy Directive that challenge this basic principle. According to an updated guidance document for providers of digital services issued by the German Data Protection Conference (DSK), though, everything still seems to remain unchanged.

EDPB guidelines require consent for reach measurement

On 7 October 2024, the EDPB published the final version of the Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive (PDF). The first draft had already been published for public discussion at the end of 2023. Nearly 60 stakeholders from academia and industry submitted comments on it.

The EDPB’s approach to contributing to a uniform understanding and thereby facilitating easier application was generally welcomed.

However, the EDPB’s very broad understanding of “access to information” (gaining access) caused major surprise and considerable criticism. Instead of limiting the scope, as before, to active access, the EDPB now seems to also want to include passive methods. Chapter 3.3, specifically paragraph 54 and the associated footnote 28, state that consent may be necessary if no exception within the meaning of Art. 5 (3) of the ePrivacy Directive applies. Moreover, it is explicitly emphasised that it should make no difference whether the transmission of the IP address was triggered by the provider as the recipient.

This understanding would have significant consequences, particularly in the area of so-called reach measurement of online content, as it would extend the scope of Article 5(3) of the ePrivacy Directive to passive use of IP addresses or other information that flows automatically and by design during internet communication.

The mere collection of IP addresses, which are sent from a device over the internet, would thus be considered as access. As a result, all information that is exchanged as part of the intended communication between an end device and a server via network protocols would fall under this scope and could only be used

  • on the one hand, if this is technically necessary so that these two devices can communicate with each other,
  • or, on the other hand, insofar as this is absolutely necessary to provide the service requested by the user.

Anything else would only be permitted with consent.

In other words, consent-free reach measurement would be at an end.

DSK guidance contradicts EDPB interpretation on reach measurement

In its recently updated guidance, however, the DSK takes a different view. In para. 24, it explicitly states that it is also considered access if properties are actively read out, e.g. via a script. The server-side passive reading of information that is delivered by default with IP packets would therefore not be covered.

Accordingly, it seems that nothing has changed: reach measurement via IP collection generally does not require consent.

Collecting IP addresses is one of the most common methods for analysing how visitors interact with and use an online service. The IP address is transmitted automatically and without any action by the user whenever they visit a provider’s web server. The provider does not need to do anything to trigger the transmission. Nor does the provider access information stored on the user’s device; instead, it merely reads what is already and purposefully transmitted.

Therefore, the integrity of the protected device (the website visitor’s device) remains untouched. It is neither manipulated nor is any information stored on it.

Under this interpretation, which is likely correct, such server-side reach measurement does not fall under the requirement for prior consent, as incorporated into German law in Section 25 (1) TDDDG.

In this context, though slightly differently phrased, the updated DSK guidance now also states that access requires that properties of the end device are “actively” read out.

Conclusion

There is a contradiction, or at least a lack of clarity, between the EDPB Guidelines on the understanding of Art. 5 (3) of the ePrivacy Directive and the DSK Guidance. This is surprising, given that the latter explicitly states in Section 8 of its introduction that it is intended as a supplement to the EDPB guidelines. It would have been helpful to receive a clear answer to the issues raised. Whether such clarification will follow remains to be seen.

For controllers subject to the supervision of German data protection authorities, there currently appears to be no need for action. The previous rules can likely continue to be applied. As long as the transmission of properties of the end device is not actively initiated, § 25 TDDDG does not apply, and processing can be carried out solely under general data protection law if personal data is involved.

Finally, a clear note: What the EDPB states is neither law nor a binding court ruling. It is an opinion of the executive branch and therefore primarily serves as an indication of the expected practice of supervisory authorities. In Germany, however, this practice now appears unlikely to change.

Furthermore, any action taken by supervisory authorities would still have to withstand judicial review, which is far from certain in this case. Whether companies are willing to risk legal proceedings is, however, a different matter. According to the updated guidance, there currently appears to be little risk in this regard.
