The latest Opinion adopted by the Article 29 Working Party focuses on online behavioural advertising. The Working Party’s views on cookies and consent to their use has been keenlt awaited.
The Opinion stresses that online behavioural advertising providers, when they use cookies, are bound by the new EU rules on electronic privacy. The revised ePrivacy Directive introduces the obligation for informed consent of users before tracking devices such as cookies are installed on users’ computers.
Addressing online behavioural advertising networks and browser vendors, the European Data Protection Authorities call for simple and effective mechanisms for users to affirmatively give their consent for online behavioural advertising. Equally simple and effective mechanisms should be established for users to withdraw their consent.
Currently, three out of the four most widely used browsers have as default setting to accept all cookies. Not changing a default setting cannot be considered, in most cases, as meaningful consent. Advertising networks and publishers should provide information about the purposes of tracking in a clear and understandable manner to enable users to make informed choices about whether they want their browsing behaviour to be monitored.
Taking into account the vulnerability of children, the Opinion takes the view that online behavioural advertising networks should not serve behavioural advertising to children.
The Opinion contains its own executive summary and this is set out below. The Opinion can be read in full here.
Executive Summary
Behavioural advertising entails the tracking of users when they surf the Internet and the building of profiles over time, which are later used to provide them with advertising matching their interests. While the Article 29 Working Party does not question the economic benefits that behavioural advertising may bring for stakeholders, it firmly believes that such practice must not be carried out at the expense of individuals’ rights to privacy and data protection. The EU data protection regulatory framework setting forth specific safeguards must be respected. To facilitate and encourage compliance, the present Opinion clarifies the legal framework applicable to those engaged in behavioural advertising.
In particular, the Opinion notes that advertising network providers are bound by Article 5(3) of the ePrivacy Directive pursuant to which placing cookies or similar devices on users’ terminal equipment or obtaining information through such devices is only allowed with the informed consent of the users. The Opinion notes that settings of currently available browsers and opt-out mechanisms only deliver consent in very limited circumstances. The Opinion asks advertising network providers to create prior opt-in mechanisms requiring an affirmative action by the data subjects indicating their willingness to receive cookies or similar devices and the subsequent monitoring of their surfing behaviour for the purposes of serving tailored advertising. The Opinion considers that users’ single acceptance to receive a cookie may also entail their acceptance for the subsequent readings of the cookie, and hence for the monitoring of their internet browsing. Thus, to meet the requirements of Article 5(3) it would not be necessary to request consent for each reading of the cookie. However, to keep data subjects aware of the monitoring, ad network providers should: i) limit in time the scope of the consent; ii) offer the possibility to revoke it easily and iii), create visible tools to be displayed where the monitoring takes place. This approach would address the problem of burdening users with numerous notices while ensuring that the sending of cookies and the subsequent monitoring of Internet surfing behaviour for the purposes of serving tailored advertising only takes place with data subjects’ informed consent.
Because behavioural advertising is based on the use of identifiers that enable the creation of very detailed user profiles which, in most cases, will be deemed personal data, Directive 95/46/EC is also applicable. The Opinion comments on how advertising network providers should comply with the obligations that arise from this Directive, notably, with respect to rights of access, rectification, erasure, retention, etc. Taking into account that publishers may share certain responsibility for the data processing that takes place in the context of behavioural advertising, the Opinion calls upon publishers to share with ad network providers the responsibility for providing information to individuals and encourages creativity and innovation in this area. Given the nature of the practice of behavioural advertising, transparency requirements are a key condition for individuals to be able to consent to the collection and processing of their personal data and exercise effective choice. The Opinion sets out the information obligations of advertising network providers/publishers vis-à-vis data subjects, referring in particular to the ePrivacy Directive, which requires that users be provided with “clear and comprehensive information”.
The Opinion analyses and clarifies the obligations set forth by the applicable legal framework. However, it does not prescribe how, from a technology point of view, such obligations must be complied with. Instead, in different areas, the Opinion invites industry to undertake a dialogue with the Article 29 Working Party with the view to put forward technical and other means to comply with the framework as described in the Opinion as soon as possible. Towards this end, the Article 29 Working Party will contact stakeholders to request their input. Entities that are not explicitly consulted are welcomed to send their contributions to the Secretariat of the Article 29 Working Party.