EU Article 29: Working Party publishes Opinion on Online Behavioural Advertising

In the context of OBA, network providers often use cookies to recognise a former visitor who returns to that web site or visits any other website that is a partner of the advertising network. Such repeated visits enable that network provider to build a profile of the visitor which can then be used to deliver personalised advertising. In most cases, internet browser settings do allow users the option to ‘block’ third party cookies. However, in general, average internet users may not be aware of the tracking of their online behaviour or, even if they are, may not be fully informed as to the purposes of the tracking, or as to how to use browser settings to reject cookies.

As such, the EU Article 29 Data Protection Working Party has expressed the view that the use of such cookies is incompatible with current data protection legislation, as governed by EU E-Privacy Directive (2002/58/EC) (the “E-Privacy Directive”) and Directive 95/46/EC. The E-Privacy Directive has recently been amended (such amendments to come into force on 25 May 2011) to the effect that the use of cookies is only allowed on the condition that “the user concerned has given his or her consent having been provided with clear and comprehensive information…about the purposes of the processing”. In the Working Party’s published Opinion, the Working Party has made a number of recommendations which it considers should be followed by advertisers and network providers, in order to achieve compliance with the provisions of the E-Privacy Directive. A brief summary of those recommendations is set out below.

Informed Consent

Informed consent should be obtained from users before setting the cookie and retrieving information from it; opt-out mechanisms in general do not constitute an adequate mechanism for these purposes. Therefore, network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and the subsequent monitoring of their surfing behaviour for the purposes of sending tailored advertising.

Where browser settings are predetermined to accept all cookies, such consent would not comply with the E-Privacy Directive because it would neither be specific, nor prior to the data processing. Further, any consent given by a user must be revocable.

Repeated requests

The Working Party has noted that there would be significant practical issues in requiring network providers to obtain consent from individual users every time a cookie is read. It therefore recommends that a user’s acceptance to receive a cookie could also constitute his or her acceptance for subsequent readings of the cookie, and hence for the monitoring of his or her internet browsing. However, to ensure that data subjects remain aware of the monitoring over time, and to prevent a user’s acceptance being unlimited in duration, advertising network providers should:

i) limit in time the scope of the consent;

ii) offer the possibility for users easily to revoke their consent to being monitored for the purposes of serving behavioural advertising; and

iii) create a symbol or other tools which should be visible in all the web sites where the monitoring takes place (the website partners of the advertising network provider).

Purpose of information

Network providers/ publishers must provide information to users in compliance with Article 10 of Directive 95/46/EC. In practical terms, they should ensure that individuals are told, at a minimum, who (i.e. which entity) is responsible for serving the cookie and collecting the related information. In addition, they should be informed in simple ways that:

(a) the cookie will be used to create profiles;

(b) what type of information will be collected to build such profiles;

(c) the fact that the profiles will be used to deliver targeted advertising; and

(d) the fact that the cookie will enable the user's identification across multiple web sites.

Network providers/ publishers should provide the above information directly on the screen, interactively, through layered notices. In any event, the information should be easily accessible and highly visible.

Comment

The Working Party’s strict interpretation of the amended E-Privacy Directive, resulting in the need to require users to opt-in to using cookies, will come as a disappointment to many online advertisers who had originally opposed the amendments to the E-Privacy Directive, on the basis that it may threaten the use of OBA going forward. Further, UK website operators who claimed that website functionality may be affected by the implementation of an opt-in policy, may also be dissatisfied with the Working Party’s approach in this regard.

The Opinion does not provide specific detail as to what technological measures need to be implemented by website operators in order to achieve compatibility with data protection legislation. However, the Working Party has invited the industry to engage in a process of constructive dialogue in order to best achieve these goals, and has also invited input from interested stakeholders, who are encouraged to send their contributions to the Secretariat of the Article 29 Working Party.

The amended E-Privacy Directive must be implemented in EU member states’ national law by 25 May 2011. It remains to be seen how each country will implement the new provisions, and to what extent they will follow the Working Party’s interpretation.