Out-Law News

Advertising code not cookie law compliant, data protection watchdogs say


Companies signed up to a self-regulatory code on online behavioural advertising may still not be compliant with EU laws on cookies, EU privacy watchdogs have said.

Cookies are small text files that record internet users' online activity and which websites store on users' machines. Publishers and advertising networks use cookies to track user behaviour on websites in order to show certain adverts to individuals based on that behaviour.

In April the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) established a new self-regulatory code on online behavioural advertising.

Companies that adopt the code have to display an icon telling users that the adverts track their online activity. Through the use of the icon web users will be able to manage information preferences or stop receiving behavioural advertising via a new pan-European website, www.youronlinechoices.eu. A user can click on the icon to see the relevant information. The initiative is supported by many leading content providers, including the BBC, Financial Times and Telegraph Media Group, as well as AOL, Microsoft and Yahoo!

Operators must also give users access to an easy method for turning off cookie tracking on their site, and must make it known to users that they collect data on them for behavioural advertising, the new regulations stipulate.

Websites adhering to the regulations also have to publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.

The European committee of national data protection regulators, the Article 29 Working Party, said that the code's requirements were not sufficient to ensure websites complied with EU cookie laws.

The EU's Privacy and Electronic Communications Directive provides that storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

The Directive takes its definition of 'consent' from EU data protection laws, which state that consent must be "freely given, specific and informed". The new laws were implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain "informed consent" to tracking users through cookies.

"The mechanisms proposed by the EASA/IAB Code enable people to object to being tracked for the purposes of serving behavioural advertising. However, tracking and serving ads takes place unless people exercise the objection," Jacob Kohnstamm, chairman of the Working Party, said in a letter (9-page / 642KB PDF) to the advertising bodies.

"While this mechanism is welcome and constitutes an improvement to the current situation, it does not meet the requirement to obtain the aforementioned informed consent. For such mechanism to be a valid form of consent, it should leave no doubt about the users' wishes. It cannot be concluded that users who have not objected to being tracked for purposes of serving behavioural advertising have exercised a real choice," Kohnstamm said.

"The Working Party 29 considers that the proposed mechanisms would lead to consent of many internet users being wrongly assumed. Online behavioural advertising will therefore rely on consent that is, in fact, illusory," Kohnstamm said.

Kohnstamm sent the letter to the IABE and EASA ahead of a September meeting with the bodies' representatives. He said that the advertising icon used by companies signed up to the online behavioural advertising code did not currently carry enough meaning to provide users with "the legally required information" that would enable them to make informed choices about cookie tracking.

"In the future, it is possible that the icon might eventually be recognised by average internet users who, depending on how it is provided, may be able to understand its underlying meaning. However, nowadays a[n] icon will mean very little to users," he said.

Kohnstamm said information on the youronlinechoices site "seems ambiguous" because it does not clearly inform users that they are being tracked across websites, and the site also "appears to lack detailed information on the procedure of [user] profiling," he said.

Confusing and insufficiently clear wording of the code means users could not be properly informed about cookie tracking and the purpose of the behaviour and could also lead some to believe that "tracking has no privacy implications for them", Kohnstamm said.

Information made available through clicking the icon should be more accessible and "be directly visible", Kohnstamm said.

Kohnstamm said that "ad network providers must provide the necessary information before the cookie is sent and rely on users' actions ... to signify their agreement to receive the cookie and to be tracked". Providers could obtain "valid" consent by asking users to click a box to 'accept' cookie tracking, Kohnstamm said.

Kohnstamm said each advertising network must obtain consent from users even when websites work with "multiple ad network providers".

"The Working Party notes that as each ad network provider is a different entity which sends a cookie to the user terminal equipment, each provider engages separately in profiling and the subsequent sending of targeted ads. Thus, the legal provisions apply to each ad network provider," Kohnstamm said.

"Furthermore, the Working Party considers that users should not be deprived of their statutory right to decide to receive cookies (or not) simply because the website operator has contracts with multiple ad network providers," he said.

Advertising industry representatives have previously expressed concern about methods that could "heavily disrupt users' online experience, reduce consumer trust in the digital marketplace, and create considerable uncertainty for businesses". Kohnstamm said that internet users will experience fewer cookie consent "pop ups" the more they "navigate" the internet.

"Once the user has agreed to let a specific ad network transmit and access specific cookies on his terminal, this ad provider does not need to ask the user again for subsequent access and transmissions of cookies serving the same purpose (though the ability to 'opt out' should be available)," Kohnstamm said.

"When the user arrives on a new website, it is thus possible that he will already have expressed his wishes regarding some (or even all) of the cookies distributed by ad networks present on that website. Consequently, the potential number of pop-ups will naturally decline as the user navigates on the Net," he said.

Kohnstamm said that it "should be feasible" to set up a centralised system for obtaining single consent to all advertising networks' cookie tracking and that the Working Party "encourages all industry-stakeholders to work together towards finding workable solutions".

Browser settings will not be sufficient to meet the cookie consent requirements until they automatically reject third-party cookies as default and allow users to take "affirmative action to accept cookies from specific websites for a specific purpose," Kohnstamm said. Browsers would also have to provide users with information telling them that the cookies are being used by ad network providers and what the network providers themselves do with the cookies, he said.

"The Article 29 Working Party's view that the so-called 'advertising option' icon is not compliant with the new laws comes as no surprise", says Claire McCracken, technology law specialist with Pinsent Masons, the law firm behind OUT-LAW.COM. "Since 2010 their view has been that users' consent must be obtained prior to the cookie being set. Whilst the icon does give greater transparency in the use of cookies for behavioural advertising, it doesn't comply with the new requirements. It also doesn't make it abundantly clear that users are being tracked for the purposes of targeted advertising, which is one of the major privacy concerns".

In the UK the Government has said it is working with browser manufacturers, including Mozilla, Microsoft and Google to find a technical solution that complies with the cookie laws. EU Commissioner Neelie Kroes told EU companies in June that they had a year to find methods that achieve the legal standard for gaining consent, and said failure to do so would result in Commission action against businesses that do not comply.

"It is now over three months since the new laws took effect in the UK and most organisations are no further forward with how to deal with the prior consent issue. Various bodies are keen enough to point out non-compliance and to stress that prior consent is required, but as yet we are still waiting for definitive guidance on how to ensure websites are compliant", McCracken said.
