European Directive 2009/136/EC, which revises the e-Privacy Directive (2002/58/EC), was adopted in November 2009. One of the major changes to this Directive was that the processing of information via terminal equipment, such as cookies, can no longer be based on an “opt-out” regime (where the user can reset the default settings of his/her computer in order ensure that no cookies will remain on his/her computer), but rather an informed consent of the user should be obtained.  

Since the online behavioural advertising companies rely heavily on the use of cookies, the members of the European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IAB) have adopted a self-regulatory Best Practice Recommendation on online behavioural advertising, the EASA/IAB Code. Furthermore, the website: www.youronlinechoices.eu (“the Website”) has been set up in which users can participate.  

The Article 29 Working Party has voiced a number of concerns with regard to data protection compliance as laid down in the Code. EASA and IAB have stated that the Code is intended to create a level playing field and was not aimed to achieve compliance with the revised e-Privacy Directive. Consequently, the Article 29 Working Party has decided to adopt an opinion containing a specific analysis of the extent to which the Code complies with the e-Privacy Directive.  

The Working Party’s main concern is that data subjects are given the wrong impression that it will be possible to choose not to be tracked when visiting websites. Furthermore, an information icon referring to information on the Website is used when cookies are placed on a website. Both the icon and the Website do not provide accurate and easily understandable information about the different advertising networks that are involved in the processing of the personal data, nor the purposes for the data processing.

More importantly, the fact that a user of a website needs to go to the Website in order to choose that he will not be tracked boils down to an opt-out regime, whereas the e-Privacy Directive requires the user’s informed consent. At the same time, the “opt-out” cookie used on the Website does not make it possible to delete previously installed cookies and, at the same time, the “opt-out” choice is being tracked by the website itself. Finally, the Article 29 Working Party comments in its opinion on the use of sensitive data, the lack of provisions regarding the retention periods of the personal data of the users as well as the compliance procedures mentioned in the opinion.  

The Opinion also clarifies the relationship between the use of different cookies and the need to seek consent. Consent for the use of cookies is not always necessary. For instance, where secure login session cookies or shopping basket cookies are concerned, these cookies are necessary to carry out the transmission over an electronic communications network, or these can be seen as strictly necessary in order to provide a service which is explicitly requested by the user. Furthermore, the Working Party explains that a pop-up window is not the only way to obtain a user’s consent. Consent can also be obtained via, e.g., default settings in a browser or a static information banner on top of a website in which consent is asked for certain cookies to be used, and a hyperlink to a privacy statement containing more information is also made available. Therefore, it is not always necessary for a user to click through multiple pop-up windows.  

The Working Party concludes that it does not question the economic benefits of behavioural advertising, but that the user’s rights to privacy and data protection must be respected. The Code, in combination with the Website, do not result in compliance with the current e-Privacy Directive. (FVDJ)