Feeds

Ad slingers - obeying EU snoop code is NOT GOOD ENOUGH

Industry rules at odds with cookie laws, say watchdogs

Beginner's guide to SSL certificates

Website operators that track internet users' online activity in order to serve targeted adverts do not automatically comply with EU privacy laws by following the industry code. This is according to a committee of all of the EU's national data protection regulators.

The Article 29 Working Party said that solely adhering to rules set out in the self-regulatory Online Behavioural Advertising (OBA) code [PDF] would not in itself be enough to comply with the EU's Privacy and Electronic Communications (e-Privacy) Directive, because the code does not demand that operators obtain clear enough user permission to track online activity.

Publishers and advertising networks use cookies – small text files that record internet users' activity on websites – to track user behaviour in order to target adverts to individuals based on that behaviour.

Last year the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) set out rules on OBA in a new code which many leading content providers, including Microsoft and the BBC, have committed to.

The IABE/EASA code requires operators to give users access to any easy method for turning off cookie tracking on their site and make it known that they collect data on them for behavioural advertising. Operators must also display an interactive icon, telling users that the adverts track their online activity and enable them to manage information preferences or stop receiving behavioural advertising by clicking the icon to visit a pan-European website, youronlinechoices.eu.

However, the Article 29 Working Party – which is a committee made up of representatives from each of the EU national data protection regulators – said that following the code was not enough for operators to be said to be complying with the law.

"In the present context and taking into account the current lack of knowledge and awareness of the web users with regard to behavioural advertising, the above-mentioned icon approach is not sufficient in itself to properly inform the users about the use of cookies," the Working Party said in its opinion [12-page / 85KB PDF].

Under the e-Privacy Directive, storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing". Consent must be "freely given, specific and informed".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

'Icon' not clear enough

The icon does not contain sufficient "additional language" to explain to the average internet user what its "underlying meaning" is and does not enable consent to be given until after tracking has begun, the Working Party said.

"In order for information to be provided in an understandable way, it is necessary to use clear language, allowing users to immediately understand that their activities are being tracked when they browse the web and they may ultimately receive targeted ads. The mere use of the word 'advertising' alongside the icon is not enough to inform the user that the ad uses cookies for the purpose of behavioural advertising. The wording should as a minimum include the element of 'personalised advertising'," the watchdogs' opinion said.

"The icon can serve as additional information and as a reminder notice after the subscriber or user has provided his/her consent for the processing of his/her data for the purpose of behavioural advertising," it said. "Thus, the proposed icon approach cannot be used for the provision of prior information, as required under the current legal framework (unless it is combined with a way to obtain the user's consent).

"Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the code and the website do not meet the requirement set out at the revised e-Privacy Directive," it said.

Internet Security Threat Report 2014

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.