On June 22, 2010, the influential Article 29 Working Party ("Working Party"), consisting of all the European Union's national data privacy regulators, adopted Opinion 2/2010 on online behavioural advertising (the "Opinion").
In what is being widely viewed as a significant challenge to the future of digital advertising, the Working Party has made it clear that national implementation of amended Directive 2002/58/EC (the "ePrivacy Directive") will require a complete overhaul of existing technology and practice, including currently available browsers and opt-out mechanisms, to achieve the level of informed consent from users that they say the law requires.
The Legal Framework
Article 5(3) of the ePrivacy Directive was amended last year to provide as follows:
...the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information...
Member States are required to implement the provisions of the ePrivacy Directive in national law by May 2011 at the latest, so the clock is ticking while a technical and practical solution is sought.
In addition to the ePrivacy Directive, the European Data Protection Directive 95/46/EC (the "Data Protection Directive") also applies to the processing of personal data. As most online behavioural advertising will result in the creation of detailed user profiles, it is almost inevitable that the vast majority of uses will require compliance with the host of obligations and principles arising from the Data Protection Directive.
Who is affected by the ePrivacy Directive?
The Working Party identifies three main players in behavioural advertising activity that will be affected:
- Advertising/Ad network providers – those such as digital advertising agencies who connect publishers with advertisers
- Advertisers looking to promote a product or service to a specific audience
- Publishers who are looking to sell space for advertisements on their websites
In practice, there will be a significant degree of overlap with these roles, and many clients could well be affected by the new legal framework because they fall within more than one category.
What Activity is Within the Scope of the ePrivacy Directive?
The focus of the Working Party's concern is, broadly, "tracking and advertising technologies used to deliver behavioural advertising" – activity that is mainly done by using "tracking cookies" of various types. Whilst acknowledging the key role and importance of online advertising in terms of the growth and expansion of the Internet economy, the Opinion advocates significant restrictions on such activity and technology in the future.
In the view of the Working Party, the current practice of those engaged in behavioural advertising – the placement of cookies upon accessing a website that is part of the ad network unless the user's browser is set to reject cookies, combined with the provision of information about cookies used for behavioural advertising in general terms and conditions and/or privacy policies – does not meet the requirements of Article 5(3), which emphasises the need to provide information and obtain consent before the start of any processing.
What Consent is Required?
The level of consent necessary to be valid under both Directives is the same. It is based on the requirements of the Data Protection Directive. Consent to placing cookies or similar tracking technologies on users' computers or other devices must be:
- Freely given
- A clear and positive indication of the user's wishes, i.e., opt-in rather than opt-out
- Obtained before any personal data are collected
- Capable of being revoked
The Opinion makes it clear that in the view of the Working Party, "browser settings may only deliver consent in very limited circumstances." In effect, these would be where:
- The browser's default settings were to reject all cookies
- The user has then changed those settings to affirmatively accept cookies
- Such acceptance is based on the user having been provided with all the information required for that choice to be an informed one
Unfortunately, these circumstances bear little or no relation to reality for the vast majority of users.
How Can Such Consent be Achieved?
On the face of it, the Opinion presents significant obstacles to, and disruption of, the user experience of the Internet if the law requires users to opt in to every cookie put on to their computer. One of the few concessions to practicality that does appear to be acknowledged by the Working Party is the recognition of a need for some kind of single acceptance of cookies and what they do. This could amount to user consent both to receive a cookie in the first place, and also for that cookie then to be used subsequently to monitor the user's Internet browsing.
However, the Opinion does not go so far as to accept that such "one for all" consent is acceptable as a one-off, or "all for one," solution. The Working Party goes on to recommend the need for additional safeguards, such as:
- A time-limit on such "one for all" consent
- The need for additional transparency for users about the perceived privacy-invasive risks of behavioural advertising
- A way of making sure users can easily revoke their consent if and when they want
Delivering a solution that meets these safeguards without impeding the online interaction between advertisers and users presents further practical compliance challenges to the industry. These challenges require the input of those responsible for designing and developing browser technology to come up with "privacy by design" solutions to address the problem.
Challenges for the Industry
The Opinion challenges the digital advertising industry to provide "a simple explanation on the uses of the cookie to create profiles in order to serve targeted advertising," which has to be "clear and comprehensive" and provided in a way that is "as user friendly as possible."
The Working Party is not prescriptive about how this is achieved, and appears to be open to proposals from the industry and other key players as to possible solutions, encouraging providers, advertisers and publishers to "spare no effort...to...ensure the maximum level of awareness among internet users as to how behavioural advertising works." To this end, the Working Party has called upon industry "to put forward technical and other means to comply with the framework...and to exchange views with [them] regarding such means."
Directive 95/46/EC and Wider Compliance Obligations
Aside from the very specific challenges presented by the ePrivacy Directive, the Opinion makes it clear that all the obligations of the Data Protection Directive are likely to require consideration when publishers, advertisers and providers engage in behavioural advertising and related personal data-processing in any EU Member State. The range of additional considerations includes:
- Compliance with data quality principles, including those relating to purpose limitation and data minimization
- Specific and effective data retention policies
- Enabling the exercise of users' rights of access, correction and objection
- Submission of any requisite registration filings with national data protection authorities
- Compliance with the specific provisions of the Data Protection Directive regulating transfers of personal data to servers located outside the EU, and in a country that does not provide an adequate level of protection
If the Working Party's Opinion holds sway with the Commission and national law-makers responsible for implementing the ePrivacy Directive, then the digital advertising industry will be required to review and completely overhaul existing technology and practice in the area of behavioural advertising in order to achieve the level of informed consent from users that the Working Party says the law requires.
We await more details of how the ePrivacy Directive, and Article 5(3) in particular, is going to be implemented at the national level. We also note that the approach of the European Commission to implementation of the ePrivacy Directive may accommodate more of a role for self-regulation. In the meantime, those operating in the industry and affected by the proposed new law are encouraged to make their views known both to the Working Party and the Commission.