In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.
What Went Wrong
Much of the opinion is dedicated to describing what elements of self-regulatory proposal, in the opinion of the Working Party, violate EU law, particularly in the areas of notice, choice, and data retention. Though some of these criticisms are not new, the Working Party crystallized its viewpoints on the issue, including the following.
(1) An icon accompanying targeted ads that is linked to the information website www.youronlinechoices.eu does not provide adequate notice.
The Working Party also took the opportunity to reiterate its position from its 2010 OBA opinion that at minimum, notice for OBA should include:
- what entity is responsible for serving the cookie and collecting the related information;
- that the cookie will be used to create profiles;
- what type of information will be collected to build such profiles;
- the fact that the profiles will be used to deliver targeted advertising; and
- the fact that the cookie will enable the user’s identification across multiple websites.
(2) The use of an opt-out cookie is not sufficient to provide consent.
The industry proposal would permit consumers who visit the www.youronlinechoices.eu website to download an opt-out cookie to record their refusal to participate in OBA. In addition to criticizing the proposal for not following an opt-in approach, the Working Party noted other aspects of the opt-out system that it believed violated EU law, including that:
- “it has been demonstrated that” ad networks continue to collect information from users’ computers even after the opt-out cookie is downloaded;
- the approach does not offer the possibility of managing and deleting previously installed tracking cookies; and
(3) The notice to users lacks necessary provisions on the scope of data collection and data retention.
The Working Party took the position that notice to users about OBA must disclose how much data is collected by the different advertising networks, how long it is stored, and for what purposes it is processed. At minimum, the notice should address the period during which consent can be considered valid, and after which data must then be deleted.
What Went Right
The Working Party did commend the industry proposal in a couple areas. It noted the proposal’s “interesting approaches” on how to make consent mechanisms more effective, such as industry’s commitment to engaging in educational initiatives to inform individuals and businesses about OBA. The opinion also, unsurprisingly, welcomed the proposal’s principle that a user’s explicit consent is required prior to creating or targeting OBA segments that make use of sensitive data (i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life).
Suggestions for Consent
One of the most frequent complaints about the Working Party’s position on OBA has been that by requiring opt-in consent for targeted advertisements, users will be subjected to countless pop-up requests whenever a website wishes to place a cookie. The Working Party opinion attempted to dispel this notion by proposing a number of alternatives to or ways to mitigate the annoyance of pop-ups, including:
- An opt-in cookie approach: Under such an approach, the first time a user visits a website served by an ad network, the ad network can display a message on the page prompting the user for consent to participate in OBA (the Working Party suggests that this message can be where the ad normally would appear). If the user then opts in, he or she can receive targeted advertising on all websites associated with that ad network without having to be prompted again for consent. If the user declines, the ad network should place an opt-out cookie.
- A splash screen upon entering a website: Users would be presented with the option to consent before entering the website, such as when breweries require users to confirm they are of age before they enter the site.
- Click-to-consent: The Working Party singled out the method used by the German e-zine Heise that defaults a button associated with cookies to light grey. Only once the user clicks on and “activates” the button will the cookie be placed and the third party be able to send and receive user data. This process, however, would need to be transparent to users.
- Browser plug-ins: Though the Working party repeatedly has said that browser settings permitting users to opt out of cookies are not sufficient to provide informed consent, it would support default opt-out browser settings accompanied by ad network plug-ins and extensions through which users would indicate their wish to opt in to online tracking. Interestingly, this is the polar opposite of the opt-out browser plug-ins available today, which assume tracking as the default and permit users to opt out of OBA.
- Where a website uses several ad providers, group together all necessary consent requests in one presentation: This would the need for users to confront multiple, serial pop-ups. As an example, the Working Party cited the interface on www.youronlinechoices.eu, which provides a single interface to permit users to opt out of multiple ad networks.
The Working Party also noted that EU law does not require informed consent for certain cookies necessary to facilitate the user’s requested services, such as session cookies, shopping basket cookies, and security cookies (though notice is required before placing these cookies). Therefore, no additional consent mechanisms are required to place these cookies.