Article 29 Working Party Clarifies Online Ad Rules and Tracking

Many of you know I just returned from a month-long visit to the European Union. On that trip I attended MAAWG in Spain, visited Eloqua's office in the UK, and visited many additional cities (Berlin, Brussels, and Paris), where I was a U.S. IAPP privacy delegate and where we met with many EU privacy advocates, experts, and many of the countries' privacy commissioners.

During the last half of my trip, I attended a Digital Europe breakfast meeting and a Privacy Platform meeting in the European Parliament (Brussels).



The Privacy Platform brings together different stakeholders on privacy related topics. During our visit, over 100 representatives from industry, privacy activists, EU institutions, governments, and European data protection supervisors discussed the privacy aspects of behavioral advertising. Behavioral advertising is the tracking of consumers on the internet, mainly with the use of cookies. The data are used for advertising targeted to the individual consumer's specific interests, based on his profile.


While in Parliament, we were a bit surprised, but glad, when Mrs. Sophie In 't Veld, Member of European Parliament and chair of the Privacy Platform, and Belgian Data Protection Supervisor Mr. Willem Debeuckelaere presented their official opinion at our meeting, expressing the Article 29 Working Party's concern about the implications for privacy and data protection of the widespread practice of behavioral targeting. Mr. Debeuckelaere commented "that what is at stake is that many consumers are not aware that their surfing behavior is being monitored and data are being stored for advertising purposes".

Additionally, in their release, the European Data Protection Authorities stated that when online behavioral advertising providers use cookies to build profiles on individuals and to serve up targeted ads based on those profiles, they are bound by the new EU ePrivacy Directive, which "introduces the obligation for informed consent of users before tracking devices such as cookies are installed on users' computers." The release goes on to state that the data protection authorities call for "simple and effective mechanisms for users to affirmatively give and withdraw their consent for online behavioral advertising".

The opinion states that although online behavioural advertising may bring advantages to online business and users alike, its implications for personal data protection and privacy are significant.

Also in their opinion, they clarified whether browser settings can serve as a method of consent when it comes to accepting cookies. When we originally blogged about this in "Me want cookie!, Me eat cookie!, Om Nom nom nom", Recital 66 of the amended ePrivacy Directive indicated that the user's consent may be expressed by using the appropriate settings of a browser or other application. This opinion takes the view that, for the following reasons, browser settings do not deliver that consent.

  1. "Based on the definition and requirements for valid consent, generally speaking data subjects cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information. Average data subjects are not aware of the tracking of their online behaviour, the purposes of the tracking, etc. They are not always aware of how to use browser settings to reject cookies, even if this is included in privacy policies."
  2. "For browsers settings to be able to deliver informed consent, it should not be possible to "bypass" the choice made by the user in setting the browser. However, in practice deleted cookies may be easily "respawned" by so-called flash cookies, enabling the ad network provider to continue monitoring the user. The availability and increasing use of such technology challenges the ability of browser settings to deliver informed, valid and effective consent."
  3. "Consent by browser setting to receive cookies in bulk implies that users will accept future processing, possibly without any knowledge of the purposes or uses of the cookie. Consent in bulk for any future processing without knowing the circumstances surrounding the processing cannot be valid consent."

Currently, of the four major browsers, only one blocks third-party cookies by default from the moment the browser is installed. The other three major browsers allow all cookies as their default setting. In these cases, cookies are being sent and information is collected prior to obtaining consent, thus clashing with the need for prior consent.

In order for browsers or any other application to be able to 'deliver' valid consent, they must overcome the above problems.

So, what this means is that in the EU you will STILL need to get informed consent from a visitor to place a tracking cookie on their systems and begin to provide valid and easy ways for them to withdraw that consent and tracking when they want.

On how long consent lasts: you should re-obtain consent for a tracking cookie rather than setting the cookie's expiry date to "forever". In this published opinion, the Article 29 Working Party feels that most individuals who agree to be tracked using a cookie that would last forever could forget that they agreed to tracking a year ago, when in the future they may not want to be tracked anymore. Consent to be monitored should not be 'forever'; it should be valid for a limited period of time, for example, one year.
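The sketch below is an added example, not code from the opinion or from Eloqua, showing the two requirements above together: no tracking cookie without prior consent, and a cookie lifetime that can never outlive a one-year consent. The names `ConsentStore`, `buildTrackingCookie` and the cookie name `ba_id` are hypothetical, and the dates in any usage are constructed.

```javascript
// Consent-gated tracking cookie (added illustration; all names are hypothetical).
// The one-year validity is the example period the opinion mentions.
const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;
const CLEAR_COOKIE = "ba_id=; Max-Age=0; Path=/; Secure; SameSite=Lax";

class ConsentStore {
  constructor() {
    this.records = new Map(); // visitorId -> { grantedAt: epoch ms }
  }
  // Called only after the visitor has affirmatively opted in.
  grant(visitorId, now) {
    this.records.set(visitorId, { grantedAt: now });
  }
  // Withdrawal must be as easy as granting: one call removes the record.
  withdraw(visitorId) {
    this.records.delete(visitorId);
  }
  // Milliseconds of consent left; 0 if never given, withdrawn, or expired.
  remaining(visitorId, now) {
    const rec = this.records.get(visitorId);
    if (!rec) return 0;
    return Math.max(0, rec.grantedAt + ONE_YEAR_MS - now);
  }
}

// Returns the Set-Cookie header value to send for this visitor.
// Without valid consent it returns a header that deletes the cookie,
// so tracking stops as soon as consent lapses or is withdrawn.
function buildTrackingCookie(store, visitorId, trackingId, now) {
  const leftMs = store.remaining(visitorId, now);
  if (leftMs === 0) return CLEAR_COOKIE;
  // Cap the cookie lifetime at the remaining consent, never "forever".
  const maxAge = Math.floor(leftMs / 1000);
  return `ba_id=${encodeURIComponent(trackingId)}; Max-Age=${maxAge}; ` +
         "Path=/; Secure; SameSite=Lax";
}
```

Because the cookie's `Max-Age` shrinks as the consent ages, the cookie expires on its own at the one-year mark and the visitor has to be asked again before a new one is set.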

In their conclusion they state this:

  • Behavioral advertising techniques enable advertisers, mainly ad providers, to track individuals when they surf the internet, to build profiles and to use them to serve tailored advertising. In most cases, individuals are simply unaware that this is happening.
  • The Article 29 Working Party is deeply concerned about the privacy and data protection implications of this increasingly widespread practice. Whilst data protection legislation requires, among other things, obtaining informed consent from individuals to engage in this practice, in reality it is very doubtful whether average individuals are aware of, much less that they consent to, being monitored to receive tailored advertising.
  • So far, the ways in which the industry has provided information and facilitated individuals to control whether they want to be monitored have failed. Notices provided in general terms and conditions and/or privacy policies, often drafted in rather obscure ways fall short of the requirements of data protection legislation. In some Member States industry has made some efforts to complement existing law with self-regulation. Such efforts are welcome as they specify the general principles contained in the regulatory framework. However, the Article 29 Working Party considers that there is a long way to go. Industry should step up efforts to comply with the reinvigorated applicable laws.

If you're feeling up to it, you can see videos of each speaker during the Privacy Platform by visiting here, and you can read all the LONG details of this opinion by visiting here: Download WP 171 Opinion 2:2010 on online behavioural advertising

Hope this gives you some insight into what you will need to comply with by the middle part of 2011 in the EU. Feel free to post questions, concerns, and opinions to us here. Would love to hear from you on this.

-Dennis (glad to be home) Dayman
Eloqua


Responses to “Article 29 Working Party Clarifies Online Ad Rules and Tracking”

  1. Brian Chetwynd
    July 2, 2010 at 3:36 am #

    Great article. Do you know how this will affect Google Analytics? As GA data is supposed to be anonymous, does this apply? Thanks B

  2. Dennis Dayman
    July 2, 2010 at 12:40 pm #

    It seems to only target cookies used for ad targeting and audience segmentation. GA doesn't perform any of those.

  3. Mark LeVell
    August 7, 2010 at 10:24 am #

    Great article Dennis, and it was great to see you in Colorado at the Eloqua Tour.

    Do you think that US companies can safely ignore these 2011 EU legal requirements IF they comply with US safe-harbor laws? I'm fully aware that US safe-harbor is being extremely poorly deployed by MOST US companies… but also that the EU does not yet appear to be revoking it. So assuming the US company executes US safe harbor properly, can they ignore these 2011 EU requirements?
    Mark LeVell http://www.4ThoughtMarketing.com

  4. Dennis Dayman
    August 9, 2010 at 8:28 am #

    I would say that they can NOT safely ignore these new 2011 requirements and rely on Safe Harbour. Remember, Safe Harbour only deals with transferring data from a country with adequate data protection (EU) to one that does NOT have adequate data protection (US).

    http://www.export.gov/safeharbor/

    You will still need to abide by the new rules if you're doing business there and targeting individuals in those countries.
