EU privacy watchdog still displeased with online behavioural advertising

By EDRi · September 7, 2011

This article is also available in:
Deutsch: [Verhaltensorientierte Online-Werbung: EU-Datenschützer weiterhin unzufrieden | http://www.unwatched.org/EDRigram_9.17_Verhaltensorientierte_Online_Werbung_EU-Datenschuetzer_unzufrieden?pk_campaign=edri&pk_kwd=20110907]

In a letter sent to IAB Europe and European Advertising Standards Alliance
(EASA), Article 29 Working Party (WP) made some observations regarding the
self-regulatory framework for online behavioural advertising.

The WP considers that the companies having signed the self-regulatory code
may still be in breach of the EU laws in the use of cookies to track users’
online behaviour for targeted advertising.

The self-regulatory code, established in April 2011 by IAB Europe and EASA,
imposes the display of an icon on the companies’ websites that tells users
that the adverts track their online activity. By using the icon, users may
manage information preferences or stop receiving behavioural advertising.

The code also says that operators must give users access to an easy method
to turn off cookies and must inform users that they collect data on them for
behavioural advertising and give details on the advertisers they provide the
respective data. They also have to publish details of how they collect and
use the data, including whether personal or sensitive personal data is
involved.

However, Article 29 WP has shown in its letter that it did not consider
these measures enough to comply with the EU’s e-Privacy Directive which
provides in its new form that storing and accessing information on users’
computers is only lawful “on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and
comprehensive information about the purposes of the processing”.

The Directive establishes an exception where the cookie is “strictly
necessary” for the provision of a service “explicitly requested” by the
user.

“The mechanisms proposed by the EASA/IAB Code enable people to object to
being tracked for the purposes of serving behavioural advertising. However,
tracking and serving ads takes place unless people exercise the objection,”
said Jacob Kohnstamm, chairman of the Working Party, in the letter.
The WP believes the advertising icon used by companies that signed up to the
online behavioural advertising code did not actually provide users with “the
legally required information allowing them to make informed choices about
cookie tracking.”

In Article 29 WP’s opinion, the text of the code is rather confusing and
insufficiently clear which could lead to some users thinking “tracking has
no privacy implications for them”. Kohnstamm says in the letter that the
information made available through clicking the icon should be more
accessible and be directly visible.

Ad network providers should “provide the necessary information before the
cookie is sent and rely on users’ actions … to signify their agreement to
receive the cookie and to be tracked”. Valid consent can be received by
the provider by asking users to click a box to “accept” cookie tracking.
Each advertising network must also obtain consent from users even when
websites work with multiple ad network providers.

By obtaining prior, informed consent from the users, the ad provider no
longer needs to ask the user for subsequent access and transmissions of
cookies for the same purpose. However, the “opt out” ability should still be
available.

Kohnstamm also says that browser settings will not be enough to meet the
cookie consent requirements until they automatically reject third-party
cookies as default and allow users to take “affirmative action to accept
cookies from specific websites for a specific purpose.” Browsers must also
advise users that the cookies tracking their data are being used by ad
network providers, in addition to informing them of what network providers
do with the cookies.

In June 2011, EU Commissioner Neelie Kroes told EU companies that they had a
year to find methods that achieve the legal standard for gaining consent, as
failure to do so would result in the Commission’s action toward
non-compliant businesses.

Letter from the Article 29 Working Party addressed to Online Behavioural
Advertising (OBA) Industry regarding the self-regulatory Framework
(23.08.2011)
http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2011/20110803_letter_to_oba_annexes.pdf

Advertising code not cookie law compliant, data protection watchdogs say
(29.08.2011)
http://www.out-law.com/en/articles/2011/august/advertising-code-not-cookie-law-compliant-data-protection-watchdogs-say/

EDRi-gram: Article 29 WP issues opinion on cookies in the new ePrivacy
Directive (30.06.2010)
http://www.edri.org/edrigram/number8.13/article-29-cookie-eprivacy