Under the Privacy and Electronic Communications Directive storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing". Consent must be "freely given, specific and informed".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.
The Article 29 Working Party recently met with the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) to discuss the industry bodies' self-regulatory code. Prior to the meeting, the European committee of national data protection regulators sent the bodies a letter detailing why it thinks the code's requirements are not sufficient to ensure websites comply with EU cookie laws.
The Working Party said that it would consider the points raised by the representatives of the IABE and EASA when forming its opinion later in the year.
"The Chairman [of the Working Party] invited the representatives to address the concerns raised in his letter to the OBA industry of 3 August 2011," a Working Party statement (1-page / 48KB PDF) said.
"The Working Party will take these answers into account in order to prepare an informed opinion on the self-regulatory code by the end of the year," the statement said.
In April the IABE and EASA established a new self-regulatory code on online behavioural advertising.
Website operators must give users access to an easy method for turning off cookie tracking on their site, and must make it known to users that they collect data on them for behavioural advertising, the code said.
Operators must also publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.
Companies that adopt the code will also have to display an icon telling users that the adverts track their online activity. Through the use of the icon web users will be able to manage information preferences or stop receiving behavioural advertising via a new pan-European website, www.youronlinechoices.eu. A user can click on the icon to see the relevant information. The initiative is supported by many leading content providers, including the BBC, Financial Times and Telegraph Media Group, as well as AOL, Microsoft and Yahoo!
The Working Party said that the advertising code does not guarantee that website operators will comply with cookie laws.
"Consent can only be deemed valid if given after the user has been provided with clear and comprehensive information," the Working Party said.
"The proposal of EASA and IAB Europe provides for a possibility to object against having data being used for personalised online advertising purposes. This means that in most cases the industry legitimizes processing on the basis of inaction or silence of the user. However, as the Working Party already stressed in its recent opinion, only statements or actions, not mere silence or inaction, constitute valid consent," the watchdogs said in the statement.
Representatives of the advertising bodies that met with the Working Party said that the OBA code provides "pragmatic privacy control" and should be viewed as only one of a number of measures for implementing the cookie-law requirements.
"Information is provided contextually where relevant and is instantly available," Stephan Noller, chair of IABE's Policy Committee, said in a statement.
"We use the dynamism and interactivity of the internet to provide pragmatic privacy control for OBA”, Noller said.
"Our self-regulatory initiative should be viewed as part of an overall set of several measures to implement [the cookie consent requirements under] the revised ePrivacy Directive," Angela Mills Wade, vice chairman of EASA, said in the statement.
"Some of these measures will be statutory and others self-regulatory which together will ensure an overall package of compliance," she said.
Nick Stringer, director of regulatory affairs at the IAB UK, told Out-Law.com, when the Working Party previously criticised the self-regulatory code, that it "pre-dates" the EU Directive on ePrivacy and was therefore "not intended to specifically address compliance" with those laws.
"The self regulatory EU Framework for online behavioural advertising intends to provide consumers across Europe with information, enhanced notice and greater transparency about behavioural advertising," Stringer said.
"Through the icon and information provided, users’ knowledge and ability to control customised advertising will be enhanced. This has been welcomed by the UK Government as a part of its package for compliance with the revised ePrivacy directive. It should be noted, however, that the work on the EU Framework pre-dates the legislation and is not intended to specifically address compliance with [the EU laws on cookie consent]. We will continue to work with the European Commission, the Government and regulators on this," Stringer said.
The IABE and EASA representatives re-emphasised this point during their meeting with the Working Party and the watchdogs "noted that this statement differs from the expectations voiced by [European Commission] Vice-President Kroes with regard to the aim of the code", the Working Party's statement said.
In June Neelie Kroes said that the OBA industry had "understood that the ... [Privacy and Electronic Communications] Directive is addressed to them and requires action".
Companies should not view the OBA code as a "safe haven" and should avoid investing in "abiding by a code that does not fully comply with European and national legal requirements," Jacob Kohnstamm, chairman of the Working Party, said, according to the watchdogs' statement.
"European data protection authorities have the task to ensure compliance and will, where necessary, enforce on the basis of the law," the Working Party said in its statement.
The amended EU Directive was implemented into UK law in May. The Privacy and Electronic Communications Regulations state that website owners must obtain "informed consent" to tracking users through cookies.
The Information Commissioner's Office has the power to impose penalties of up to £500,000 on websites that breach the new regulations.