The Article 29 Working Party has met with Internet Advertising Bureau (IAB) Europe and European Advertising Standards Alliance (EASA) representatives to tell them in no uncertain terms that their otherwise well-received Best Practice Recommendation (BPR) and Framework on Online Behavioural Advertising (OBA) do not comply with the revised e-Privacy Directive provisions on cookies.
On 14 April 2011, the IAB Europe launched a pan-European self-regulatory Framework for online behavioural advertising, setting out good practice principles for behavioural advertisers. The Framework’s stated aim is to provide consumers with greater awareness and control over OBA, which is facilitated by “cookies”, small text files that store information about a user’s browsing preferences and history. In particular, the Framework introduces an icon that will appear in and around behavioural adverts and will provide a one-click option for consumers to access further information, as well as manage preferences and, most importantly, opt out of receiving OBA via a new pan-European website, www.youronlinechoices.eu. Since the Framework obligations are only binding on signatory companies, the Framework is made part of, and complemented by, a new BPR from the EASA, also published on 14 April. The IAB’s Framework is therefore supported by the EASA and its network of self-regulatory organisations (SROs), which include the Advertising Standards Authority for the United Kingdom.
Neelie Kroes, the European Commission Vice-President for the Digital Agenda, in a speech at the On-line Tracking Protection & Browsers Workshop in Brussels on 22 June 2011 welcomed the adoption by the EASA and IAB Europe of the BPRs and Framework. This, however, elicited an adverse response from the European Data Protection Supervisor who called upon the Commission to “avoid ambiguity” in light of the clear protections in the revised e-Privacy Directive against the “highly intrusive practice” of tracking and tracing consumer behaviour online and in light of the Commission’s insufficiently qualified approval of the IAB/EASA Framework and other initiatives such as the US “do-not-track” initiative, that “fall short of the e-Privacy Directive requirements”.
In his 3 August 2011 open letter to the OBA industry, the Chairman of the Article 29 Working Party says that, whilst the mechanisms proposed by the joint practice adopted by the IAB and the EASA enable people to object to being tracked for the purposes of serving behavioural advertising, they do not meet the requirement to obtain actual informed consent, as the tracking and serving of adverts takes place unless people object. Under the revised e-Privacy Directive, for consent to be valid it must be “freely given, specific and informed”.
The mechanism employed should therefore leave no doubt about the user’s wishes. As the Chairman states, “It cannot be concluded that users who have not objected to being tracked for the purposes of serving behavioural advertising have exercised a real choice”. In other words, an absence of action cannot indicate consent.
As for browser settings, the letter states that, to meet the requirements of the e-Privacy Directive, people cannot be deemed to have consented to cookie-use simply because they acquired or used a browser or other application that by default enables the collection and processing of their information. The Working Party considers that, in order for browsers to deliver valid consent, they must by default reject third-party cookies and require the data subject to engage in an affirmative action to accept cookies from specific websites for a specific purpose.
Further, people must be given clear and comprehensive information about cookie-use before being asked to consent. Such information must be given in a way that average internet users will understand.
Finally, it is not enough for information to be available somewhere; it must be given to users directly. Under the EASA/IAB Code, once the user clicks on the icon, he/she will need to click at least two further times to obtain the additional information and be able to opt out. This does not comply with the provisions of the revised e-Privacy Directive.
At the subsequent meeting on 16 September, the representatives of the OBA industry stated that their code was intended primarily to create a level playing field and conceded that the current version in itself does not intend to provide compliance with the European and national legal requirements. Chairman Kohnstamm nevertheless warned that companies must not be misled into thinking that the code offers a “safe haven”. European data protection authorities have been tasked with ensuring compliance and will, where necessary, enforce it on the basis of the law.
The Chairman invited the representatives to address the concerns raised in his letter of 3 August and said that the Working Party will take these answers into account in order to prepare an informed opinion on the self-regulatory code by the end of the year.
There are already a number of responsible sites out there that feature a cookie notice on every page and feature a tick box requesting opt-in consent, but few if any will block access to other parts of the site that serve cookies when the user doesn’t actually tick the box. Informed consent doesn’t strictly mean explicit consent, but having a tick box that you don’t have to tick is nonsense. And in any event, as the Working Party will tell you, “only statements or actions, not mere silence or inaction, constitute valid consent”.