This article is also available in:
Deutsch: Verhaltensorientierte Online-Werbung: EU-Datenschützer weiterhin unzu...
In a letter sent to IAB Europe and European Advertising Standards Alliance (EASA), Article 29 Working Party (WP) made some observations regarding the self-regulatory framework for online behavioural advertising.
The WP considers that the companies having signed the self-regulatory code may still be in breach of the EU laws in the use of cookies to track users' online behaviour for targeted advertising.
The self-regulatory code, established in April 2011 by IAB Europe and EASA, imposes the display of an icon on the companies' websites that tells users that the adverts track their online activity. By using the icon, users may manage information preferences or stop receiving behavioural advertising.
The code also says that operators must give users access to an easy method to turn off cookies and must inform users that they collect data on them for behavioural advertising and give details on the advertisers they provide the respective data. They also have to publish details of how they collect and use the data, including whether personal or sensitive personal data is involved.
However, Article 29 WP has shown in its letter that it did not consider these measures enough to comply with the EU's e-Privacy Directive which provides in its new form that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information about the purposes of the processing".
The Directive establishes an exception where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user.
"The mechanisms proposed by the EASA/IAB Code enable people to object to being tracked for the purposes of serving behavioural advertising. However, tracking and serving ads takes place unless people exercise the objection," said Jacob Kohnstamm, chairman of the Working Party, in the letter. The WP believes the advertising icon used by companies that signed up to the online behavioural advertising code did not actually provide users with "the legally required information allowing them to make informed choices about cookie tracking."
In Article 29 WP's opinion, the text of the code is rather confusing and insufficiently clear which could lead to some users thinking "tracking has no privacy implications for them". Kohnstamm says in the letter that the information made available through clicking the icon should be more accessible and be directly visible.
Ad network providers should "provide the necessary information before the cookie is sent and rely on users' actions ... to signify their agreement to receive the cookie and to be tracked". Valid consent can be received by the provider by asking users to click a box to "accept" cookie tracking. Each advertising network must also obtain consent from users even when websites work with multiple ad network providers.
By obtaining prior, informed consent from the users, the ad provider no longer needs to ask the user for subsequent access and transmissions of cookies for the same purpose. However, the "opt out" ability should still be available.
Kohnstamm also says that browser settings will not be enough to meet the cookie consent requirements until they automatically reject third-party cookies as default and allow users to take "affirmative action to accept cookies from specific websites for a specific purpose." Browsers must also advise users that the cookies tracking their data are being used by ad network providers, in addition to informing them of what network providers do with the cookies.
In June 2011, EU Commissioner Neelie Kroes told EU companies that they had a year to find methods that achieve the legal standard for gaining consent, as failure to do so would result in the Commission's action toward non-compliant businesses.
Letter from the Article 29 Working Party addressed to Online Behavioural
Advertising (OBA) Industry regarding the self-regulatory Framework
(23.08.2011)
http://ec.europa.eu/justice/data-protection/article-29/documentation/o...
Advertising code not cookie law compliant, data protection watchdogs say
(29.08.2011)
http://www.out-law.com/en/articles/2011/august/advertising-code-not-co...
EDRi-gram: Article 29 WP issues opinion on cookies in the new ePrivacy
Directive (30.06.2010)
http://www.edri.org/edrigram/number8.13/article-29-cookie-eprivacy