Feeds

Ad slingers - obeying EU snoop code is NOT GOOD ENOUGH

Industry rules at odds with cookie laws, say watchdogs

New hybrid storage solutions

Website operators that track internet users' online activity in order to serve targeted adverts do not automatically comply with EU privacy laws by following the industry code. This is according to a committee of all of the EU's national data protection regulators.

The Article 29 Working Party said that solely adhering to rules set out in the self-regulatory Online Behavioural Advertising (OBA) code [PDF] would not in itself be enough to comply with the EU's Privacy and Electronic Communications (e-Privacy) Directive, because the code does not demand that operators obtain clear enough user permission to track online activity.

Publishers and advertising networks use cookies – small text files that record internet users' activity on websites – to track user behaviour in order to target adverts to individuals based on that behaviour.

Last year the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) set out rules on OBA in a new code which many leading content providers, including Microsoft and the BBC, have committed to.

The IABE/EASA code requires operators to give users access to any easy method for turning off cookie tracking on their site and make it known that they collect data on them for behavioural advertising. Operators must also display an interactive icon, telling users that the adverts track their online activity and enable them to manage information preferences or stop receiving behavioural advertising by clicking the icon to visit a pan-European website, youronlinechoices.eu.

However, the Article 29 Working Party – which is a committee made up of representatives from each of the EU national data protection regulators – said that following the code was not enough for operators to be said to be complying with the law.

"In the present context and taking into account the current lack of knowledge and awareness of the web users with regard to behavioural advertising, the above-mentioned icon approach is not sufficient in itself to properly inform the users about the use of cookies," the Working Party said in its opinion [12-page / 85KB PDF].

Under the e-Privacy Directive, storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing". Consent must be "freely given, specific and informed".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

'Icon' not clear enough

The icon does not contain sufficient "additional language" to explain to the average internet user what its "underlying meaning" is and does not enable consent to be given until after tracking has begun, the Working Party said.

"In order for information to be provided in an understandable way, it is necessary to use clear language, allowing users to immediately understand that their activities are being tracked when they browse the web and they may ultimately receive targeted ads. The mere use of the word 'advertising' alongside the icon is not enough to inform the user that the ad uses cookies for the purpose of behavioural advertising. The wording should as a minimum include the element of 'personalised advertising'," the watchdogs' opinion said.

"The icon can serve as additional information and as a reminder notice after the subscriber or user has provided his/her consent for the processing of his/her data for the purpose of behavioural advertising," it said. "Thus, the proposed icon approach cannot be used for the provision of prior information, as required under the current legal framework (unless it is combined with a way to obtain the user's consent).

"Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the code and the website do not meet the requirement set out at the revised e-Privacy Directive," it said.

Providing a secure and efficient Helpdesk

More from The Register

next story
Net neutrality protestors slam the brakes on their OWN websites
Sites link up to protest slow lanes by bogging down pages
Italy's High Court orders HP to refund punter for putting Windows on PC
Top beaks slam bundled OS as 'commercial policy of forced distribution'
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Uber alles-holes, claims lawsuit: Taxi biz sued by blind passengers
Sueball claims blind passengers ditched, guide dogs abused
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
Heavy VPN users are probably pirates, says BBC
And ISPs should nab 'em on our behalf
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.