On December 8, 2011, the European Union’s Article 29 Working Party issued Working Paper 188 entitled “Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising” (“WP 188”). WP 188 addresses the online behavioral advertising guidance (the “EASA/IAB Code” or the “Code”) issued by the European Advertising Standards Alliance (“EASA”) and the Internet Advertising Bureau Europe (“IAB”), which was adopted by those organizations in April 2011. WP 188 details the Article 29 Working Party’s concerns with the EASA/IAB Code, including the fact that compliance with the Code does not achieve compliance with the 2009 Directive 2009/136/EC which revised the 2002 e-Privacy Directive (“Revised e-Privacy Directive”).
The European Union follows seven principles for privacy protection, namely: notice, purpose, consent, security, disclosure, access, and accountability. WP 188 principally addresses the Code’s approach to the principles of notice and consent. First, as to notice, WP 188 remarks that the Code’s recommendation is to place an icon on a website which indicates where the user can go to opt-out of tracking. WP 188 states that the icon is insufficient because: users do not recognize the icon’s purpose, the icons are not clearly marked to convey the purpose of the icon, and the icon does not provide complete information regarding tracking. For these reasons, the Code’s icon approach is not sufficient to give the user notice of tracking under the Revised e-Privacy Directive. Second, as to choice, WP 188 notes that the standard for tracking is informed consent, and the Code’s requirement to opt-out of tracking is not consistent with the Revised e-Privacy Directive. WP 188 notes that an opt-in option would be more consistent with the requirements of the Revised e-Privacy Directive.
Aside from these two major complaints about the Code, WP 188 also notes that: the 12 year-old threshold for processing of children’s data is appropriate but not based in a legal standard, the Code must recognize that it is national regulators who are responsible for assessing legal compliance with the privacy requirements, and that the Code must specify the amount of data collected by the tracking and the specific purposes of the tracking. Last, WP 188 seeks to clarify that, while the information obtained in tracking qualifies as personal data, consent is not required for every type of cookie. WP 188 recognizes that a site need not obtain informed consent to track a user if the tracking is necessary to carry out a transmission or if the tracking is strictly necessary in order to provide a service. For those sites that do require informed consent, WP 188 recommends various ways to collect the consent aside from placing a pop up screen on the site.
Although the specific approaches to online behavioral advertising vary between the European Union and the United States, both share the view that, although tracking is an important online tool for behavioral advertisers, protecting the privacy of users is the top priority.