Article 29 WP issues opinion on cookies in the new ePrivacy Directive

By EDRi · June 30, 2010

This article is also available in:
Deutsch: [Artikel 29 Datenschutzgruppe zu Cookies in der neuen ePrivacy-Richtlinie | http://www.unwatched.org/node/2035]

The Article 29 Data Protection Working Party (WP) representing the European
data protection authorities published on 24 June an opinion clarifying the
application of the data protection rules in online behavioural advertising,
with a focus on the new text of the ePrivacy Directive.

Article 29 Working Party believes that while online behavioural advertising
may be beneficial for businesses and users alike, it still raises personal
data protection and privacy issues. The opinion states that the advertising
providers using tracking cookies are bound, through the revised ePrivacy
Directive, to obtain the informed consent of their users before the
installation of tracking devices such as cookies. According to the
Directive, storing and accessing information on users’ computers is lawful
only “on condition that the subscriber or user concerned has given his or
her consent, having been provided with clear and comprehensive information
about the purposes of the processing”. The only except is in the case a
cookie is absolutely necessary for the provision of a certain service
required explicitly by a user.

In its Opinion, the Working Party asks for simple and effective mechanisms
by means of which users can give their consent for online behavioural
advertising but also simple and effective mechanisms by means of which they
can withdraw their consent. Presently, allowing cookies is a default setting
with three out of the four major used browsers and Article 29 WP believes
that the users not changing a default setting does not necessarily means
consent. The users should be clearly informed, in an understandable manner,
on the purposes of tracking and given the choice of having their behaviour
browsed or not.

“Average data subjects are not aware of the tracking of their online
behaviour, the purposes of the tracking, etc. They are not always aware of
how to use browser settings to reject cookies, even if this is included in
privacy policies,” says the opinion.

However, the Working Party considered the consent may be given to an
advertising network and not to every single website. “….the consent
obtained to place the cookie and use the information to send targeting
advertising would cover subsequent ‘readings’ of the cookie that take place
every time the user visits a website partner of the ad network provider
which initially placed the cookie.” Article 29 WP also said that this
consent should expire after a year, and that each advertising network should
request consent again after that period. It also said that the consent could
be withdrawn at any time.

The Internet Advertising Bureau Europe, the European Publishers Council and
other advertising and publishers’ trade bodies reacted to this opinion by
issuing a statement saying: “The industry believes this is a gross
misinterpretation of the intention of the Directive and a misrepresentation
of the type of data typically collected and processed for the purposes of
serving interest-based advertising to consumers on our websites.”

The Article 29 WG’s opinion is based on the opinion presented on 23 June
2010 during EP Privacy Platform Meeting by Belgian Data Protection
Supervisor Mr. Debeuckelaere which focused on “Transparency, Information,
Consent”. During the meeting, aspects of behavioural advertising were
discussed by more than 100 representatives from industry, privacy activists,
EU institutions, governments and European data protection supervisors.

The representatives of Privacy International and the Electronic Frontier
Foundation argued that the user control tools do not allow for the complete
erasure of profiles, and some data collection, for example by flash cookies,
remains invisible and outside the control of the user.

During the meeting, Mrs Sophia In ‘t Veld, rapporteur for competition issues
in the Economic Affairs committee, suggested that besides consent and
transparency, a key word should be “choice”. “Often internet users are more
or less obliged to give their consent, as there is no alternative. Users
must have a real choice, otherwise it is just token consent”, said In ‘t
Veld who also pointed out the necessity of having a single set of data
protection rules that would apply to the private as well as the public
sectors. “We must regulate the use of personal data for commercial purposes,
but the same standards of data protection should apply to the use of those
same data by public authorities for law enforcement purposes. We often do
not realise how government agencies are using data collected by companies
for commercial purposes. But different rules apply to the private and public
sectors. That must be corrected”.

Article 29 Data Protection Working Party Opt-out is not sufficient
(24.06.2010)
http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_26_06_10_en.pdf

Opt-out is not sufficient – European Data Protection Authorities clarify EU
rules on online behavioural Advertising (22.06.2010)
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf

Cookie consent can’t be implied from browser settings, say privacy watchdogs
(25.06.2010)
http://www.out-law.com//default.aspx?page=11176

Transparency, Choice and Consent key words for cookies (24.06.2010)
http://www.d66.nl/europa/nieuws/20100624/transparency_choice_and_consent