Privacy & Information Security Law Blog

On December 8, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Advertising Standards Alliance (“EASA”) and IAB Europe best practice recommendations for the online behavioral advertising (“OBA”) industry to comply with Article 5.3 of the revised e-Privacy Directive 2002/58/EC (the “cookie clause”). The cookie clause requires a user’s informed consent for the use of cookies and similar technologies that store and access information in the user’s terminal device. Finding practical ways of complying with the cookie clause has proven challenging for the OBA industry, which relies heavily on these kinds of tracking mechanisms.

In an attempt to clarify the new rules, the Working Party stated in its Opinion 2/2010 that it favors prior opt-in mechanisms to comply with the new cookie clause. The Working Party confirmed this statement in its Opinion 15/2011. Meanwhile, the OBA industry (represented by both EASA and IAB Europe) adopted a self-regulatory code of conduct for online behavioral advertising (the “Code”). The Code includes a commitment to place on each targeted ad a small and easily-recognizable icon that links to www.youronlinechoices.eu, a site that provides information about OBA and the option to object to targeted advertising.

According to the Working Party, the Code “is not adequate to ensure compliance with the current applicable European data protection legal framework.” In August 2011, the Working Party had already sent an open letter to EASA and IAB Europe to outline its data protection concerns with respect to the Code. The December 8 Opinion offers more specific analysis regarding why the Code fails to comply with the relevant legal provisions. In particular, the Working Party found that the proposed icon and linked website provide inaccurate and confusing information about the different controllers (advertising networks) and their purposes for the processing. The Opinion also stresses that the proposed mechanism for opting out of receiving targeted advertising is inconsistent with the cookie clause.

Importantly, the Opinion clarifies which kind of cookies may be exempted from the consent requirement. According to the cookie clause, placing a cookie may not require informed consent if the cookie is necessary to carry out “the transmission of an electronic communications network” or if “it is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user to provide that service.” The Working Party gives the following examples of cookies that would not require informed consent:

• A secure login session cookie, which identifies a user from the moment he/she has logged-into his/her session
• A shopping basket cookie, which remembers the items the user has selected to purchase throughout his/her session
• Security cookies, which are essential to comply with security requirements

The Working Party also provides the following practical examples (that are more user-friendly than pop-up screens) of how to legally obtain consent where required:

• A static information banner at the top of a website requesting the user’s consent to set some cookies, with a hyperlink to a more detailed privacy statement (as is currently employed by the UK data protection authority)
• A splash screen on entering the website explaining what cookies will be set by what parties if the user consents
• A default setting that prevents data from being transferred to external parties unless a user clicks a button to indicate consent for tracking purposes
• A default setting in browsers that would require the user to engage in an affirmative action to accept both the placement of cookies and the continued transmission of information contained in cookies by specific websites

Finally, the Opinion clarifies that “if a third party ad network on a website receives consent for an OBA cookie, this consent will not only be valid on other pages of the same website, but also for other websites that share the same OBA network. Consequently, for an average user, the number of consent requests will decrease as he/she navigates and expresses his/her choices.”