ePrivacy, cookies and consent for data
Much valuable data (web behaviour, app usage, device location) originates from tracking that the ePrivacy rules govern. This guide explains how ePrivacy and consent shape what can lawfully be sourced from these signals.
What the ePrivacy rules cover
The ePrivacy Directive and its national implementations govern the confidentiality of communications and access to information stored on devices, and so form the legal basis for cookies and similar tracking. They operate alongside the GDPR, and a future ePrivacy Regulation is anticipated.
Why it matters for data sourcing
Data derived from cookies, device identifiers, app SDKs or network signals exists only because of tracking that requires a lawful basis, usually consent. If that basis is weak or absent at source, downstream data carries legal risk.
Consent as the usual basis
For most non-essential tracking, valid consent (freely given, specific, informed and unambiguous) is required. Sourcing data that depends on tracking means understanding whether proper consent underpins it.
Web and app-derived data
Web-behaviour, app-usage and panel data raise questions about how they were collected and whether terms of service and consent were respected. Provenance here is not optional.
Location and device data
Location signals are especially sensitive. Lawful use generally requires consent at source and robust aggregation or anonymisation before reuse.
What it means for sourcing
Assess the collection basis behind tracking-derived data, prefer aggregated and anonymised forms, and document the chain. A managed partner can vet these foundations and keep suppliers confidential.
What valid consent requires
For most non-essential tracking, the ePrivacy rules require consent that is freely given, specific, informed and unambiguous: a real choice, not a pre-ticked box or a cookie wall. Data derived from such tracking is only as lawful as the consent behind it. When sourcing web, app or device-derived data, the key question is whether proper consent underpins the collection, because a defect at source flows downstream to you.
The post-identifier shift
As third-party identifiers are deprecated, the lawful and durable approaches are first-party and consented data, aggregation, contextual signals, and privacy-preserving techniques such as clean rooms. Sourcing strategies built on these are more robust than those reliant on cross-site tracking, both legally and operationally, and they are where the market is moving.
- ePrivacy rules govern cookies, device access and tracking, alongside the GDPR.
- Tracking-derived data usually depends on valid consent at source.
- Web, app and location data need provenance on how they were collected.
- Prefer aggregated, anonymised forms and document the chain.
Sources & further reading
- EUR-Lex: ePrivacy Directive 2002/58/EC and national implementations.
- European Data Protection Board: guidance on consent and tracking.
- EUR-Lex: Regulation (EU) 2016/679 (GDPR).
- Proposed ePrivacy Regulation materials.