The joint European privacy authorities, united in the Article 29 Working Party, concluded in a letter from 3 August 2011 (pdf), once again, that within the context of online behavioural advertising (OBA) tracking cookies are only permitted after consent has been received from the computer user. 

Online behavioural advertising

Online behavioural advertising (OBA) continues to be a hot topic in privacy law. That is due to the fact that OBA differs fundamentally from classic advertising in one respect: the advertisements are geared to the online behaviour of the computer user. Instead of opening up the newspaper and reading the same advertisements as all other subscribers, with OBA individual users see advertisements on a website that are tailored to the search and click behaviour each of them demonstrates and/or to the profile of each of them that has been compiled. Since advertisements on a website are often provided for by an external advertising firm that also does the same for other websites, it is easily conceivable that in the process this advertising firm has compiled a profile based on each user’s online behaviour on several hundreds if not thousands of websites and that the advertisements are displayed based on this (rather) large profile. Identifying an individual user as the same person that visits various sites often takes place via cookies.

Advertisers arguing for opt-out regime

The European advertising agencies, united in the Internet Advertising Bureau Europe and the European Advertising Standards Alliance have recently presented a recommendation concerning online behavioural advertising. This recommendation states, among other things, that for the use of online behavioural advertising (OBA) an information icon must be used to alert the user thereto (Principle I), so that the user can then use that icon, for instance, to easily make an objection to the relevant compilation of personal data (Principle II):

Principle II – User choice over Online Behavioural Advertising A. Each Third Party that participates in the delivery of OBA should make available a userfriendly mechanism, in the form of an icon linking to the OBA User Choice Site, for web users to exercise their choice with respect to the collection and use of data for OBA purposes. This mechanism should be linked to the enhanced notice detailed in Principle I. Where a web user exercises his/her choice and objects to OBA data collection, OBA processes should no longer be used by that entity to facilitate the delivery of targeted online advertising to that user’s browser. This principle provides that all web users who receive OBA, either via a computer, or other device, should enjoy choice over OBA activity through the OBA User Choice Site.D

Consequently, the advertising agencies are proposing an opt-out regime. That is to say: compiling personal data (to gear the advertising thereto) is permitted according to the advertisers until the computer user objects thereto. This is an understandable position from the perspective of the advertising agencies. Every other position would, after all, mean the de facto end of OBA. The website where the opt-out right can be exercised has, for that matter, quickly become known as the “don’t follow me” register.

Article 29 Working Party demands opt-in regime

The Article 29 Working Party, of course, disagrees with this position.
The Working Party points out that in accordance with the new regulations consent must be requested for the placement of cookies:

ad network providers must provide the necessary information before the cookie is sent and rely on users’ actions (e.g. clicking a box stating “I accept”) to signify their agreement to receive the cookie and to be tracked for the purposes of serving behavioral ads 

Browser settings cannot be relied on

Consent may, according to the Working Party, not be assumed if the browser settings are by chance set to accept third-party cookies. That is incidentally completely in line with their previous position thereon. 

Requesting consent for each advertising network

Further, the Working Party points out that if various ad networks are operating on a website, each of those networks will have to request consent from the computer user.

Thus, the legal provisions apply to each ad network provider. Furthermore, the Working Party considers that users should not be deprived of their statutory right to decide to receive cookies (or not) simply because the website operator has contracts with multiple ad network providers.

The Working Party agrees, however, that an ad network need not request consent yet again from the end user for every access to a cookie, for instance for every advertisement thereafter. That said, a condition should be that the purpose for which the cookies are consulted/modified is not different in respect of the purpose as that is made known to the end user at the moment consent is given. 

Correctly, fully and actively informing end users

Valid consent can only exist, according to the Article 29 Working Party, if the relevant computer user is informed properly in advance and knows and understands for which purpose his/her consent is being requested (see in that context their recent opinion on consent as well). That means, among other things, that the information must be clear. An icon for information purposes is insufficient, because this will, according to the Working Party, not be understood as such. On the contrary, the relevant information must be actively presented to the end user:

It must be given in a way that average Internet users will understand it. (…) However, nowadays an icon will mean very little to users. (…) Information must be given directly to individuals, it is not enough for information to be available somewhere

Conclusion: repetition of moves, no practical solution

Is the letter new? No, definitely not. All of the foregoing has actually been stated many times before by the Article 29 Working Party. Practice shows, however, that the Working Party’s position on this point is barely being complied with. Online behavioural advertising is taking place on a (very) large scale. According to my estimates, the interests (for both providers and customers) have by now become so significant that it will turn out to be very difficult, if not impossible, to enforce compliance with the Working Party’s position.

A salient detail in all this is also the fact that the Working Party itself fails to come up with concrete solutions. Instead of presenting the sector with a (feasible?) alternative, the Working Party has to date issued only negative assessments of existing initiatives. Every time the industry is then urged to make another effort:

The Working Party encourages all industry-stakeholders to work together towards finding workable solutions

Another striking point is that such opinions only touch on the use of tracking cookies, while there are many other ways to follow internet users online. In a previous column in the Dutch-language publication Informatie Professional, I have already written that I expect that the fight against cookies will only result in an increase in the popularity of alternative following techniques. Some of those techniques can be used entirely invisibly (stealth). Isn’t theprivacy of the end user off much worse when stealth techniques are used than when (visible) cookies are used?

Mark Jansen