No Consent, No Cookie: New Rules for Online Advertising
On 22 June the Article 29 Data Protection Working Party (the
"Working Party"), the consultative body of the European
privacy protection authorities, published an
opinion that gives substance to the
amended rules for "online behavioral advertising".
Prior consent is required for the placing of cookies, and the
information requirements are also tightened.
Online Behavioral Advertising?
Online advertising is one of the main forms of internet
marketing. In this advertising model website holders offer
advertising space on their websites, so that advertisers can
recommend their products and services there. The possibilities to
show these advertisements to specific internet users are still
growing rapidly. This article discusses the rules for
behavioral targeting: a form of online advertising in
which the advertisements that are shown to an internet user are
specifically targeted, based on his internet behavior. For this
purpose the advertiser usually makes use of a third party, a
provider of advertising networks. These providers monitor the
behavior of internet users on a (large) number of different
websites and can thus create profiles on the basis of, for
instance, lifestyle features of various groups of internet users.
When user X visits, for instance, sports websites, an online store
for men's sportswear and a number of stock exchange websites,
the advertising network can deduce from this that this user is very
probably (i) a man and (ii) very interested in sports. This
information can then be combined with other data such as the IP
address of user X, so as to create an even clearer profile of
him.
The information on the behavior of user X is obtained by placing
a third-party cookie. Every computer that visits websites on
the network of the provider (the 'third party') is
allocated a unique number. This number, the cookie, is stored on
the PC of the internet user, after which all search requests and
website visits of user X will be retained.
Rules for Online Behavioral Advertising
On the basis of the current rules, user X does not have to give
consent for the placing of these cookies. By default, browsers
allow the placing of cookies. It should become an obligation,
however, to provide an opt-out mechanism. Section 5(3) of the new
e-Privacy Directive changes this. This
Directive seems to oblige the providers of advertising networks
to request prior consent for the placing of cookies. The text of
Article 5(3) and recital 66 of the Directive had already
given rise to discussion: it was not entirely clear-cut
that prior consent would indeed have
to be obtained, since obtaining consent via the
browser settings still seemed possible. A
recent opinion of the European Data
Protection Supervisor already stated that no consent could be
given via browser settings. The Working Group now endorses
this position in this opinion. Merely including a possibility to
opt out in the browser settings is therefore most certainly not
sufficient anymore. Only when browsers are set in such a way
that they refuse all cookies by default and user
X subsequently actively chooses to change these settings in specific cases
is the requirement of consent met. In addition, in that case
users must also be provided with prior clear and comprehensive
information about, inter alia, the purposes for which
the cookie is placed. Therefore, it does not suffice to mention
only in a privacy statement that cookies are being placed and
how they can be disabled.
One-time Consent Will Do
As a result, obtaining consent by means of browser
settings seems to become very hard, but not impossible according
to the Working Group, which calls on providers of advertising
networks in its opinion to collaborate with browser manufacturers
so that browser settings can be adjusted. The Working Group
furthermore makes it clear that it strongly prefers cookies to be
placed with prior consent. In that case, further consent does not
have to be requested every time for reading out and using the
cookie. In principle, the consent given applies to all further use
of the cookie, provided that the consent can be easily withdrawn
and it is clearly visible for the user that cookies are used. In
addition, the consent is not a perpetual one: according to the
Working Group, consent must be asked again periodically, for
instance once a year. This can be done by limiting the lifetime of
the cookie to one year, after which the cookie automatically lapses
or deletes itself.
In short, prior consent must be obtained from users, whether or
not via the browser, before a cookie is placed on the computer of
an internet user. In this respect the Working Group also observes
that the requirement of consent of Article 5(3) of the e-Privacy
Directive also applies when no personal data are collected via the
cookie: the basis for the operation is formed by the fact that data
are left on the computer, and thus in the 'private life' of
the user.
Other Special Changes
The obligation to obtain the consent of users and to comply with
the duty to provide information may lie with the providers of the
advertising networks as well as the website holders. It is
important that the user is informed by the party that places or
reads out the cookie. The advertisers themselves keep out of
harm's way in this respect: the Working Group states that their
responsibility remains limited to the processing of data that they
perform after the users have clicked through to the websites of the
advertisers. Therefore, the new rules will particularly apply to
the providers and the website holders. According to the Working
Group, it is not decisive in this regard whether they
should be regarded as the data controller or the processor within
the meaning of the Personal Data Protection Act (Wet
bescherming persoonsgegevens (Wbp)): the fact that
a provider acts as a processor for the website holder will therefore not
release him from the obligation to obtain the consent of users, to
inform them and to meet other obligations in the field of the
protection of personal data. The Working Group is of the view that
the agreements between the website holders and providers of
advertising networks must lay down which party is
responsible, and when, for obtaining the consent and informing internet
users.
If Anyone Knows, Speak Up!
The question is how providers of advertising networks can give
substance to the new requirements of consent and information in
practice in an effective manner; the opinion does not discuss
possible technical solutions to comply with the new rules. The
Working Group itself welcomes creative solutions: stakeholders are
invited to send their input to the secretariat of the Working
Group. So: if anyone knows, speak up! The matter is also rather
urgent: the new e-Privacy Directive must be implemented into Dutch
legislation in May 2011, after which Dutch providers, website
holders and, to a lesser degree, advertisers will have to comply
with the new rules.