Feeds

Ad slingers - obeying EU snoop code is NOT GOOD ENOUGH

Industry rules at odds with cookie laws, say watchdogs

Internet Security Threat Report 2014

Website operators that track internet users' online activity in order to serve targeted adverts do not automatically comply with EU privacy laws by following the industry code. This is according to a committee of all of the EU's national data protection regulators.

The Article 29 Working Party said that solely adhering to rules set out in the self-regulatory Online Behavioural Advertising (OBA) code [PDF] would not in itself be enough to comply with the EU's Privacy and Electronic Communications (e-Privacy) Directive, because the code does not demand that operators obtain clear enough user permission to track online activity.

Publishers and advertising networks use cookies – small text files that record internet users' activity on websites – to track user behaviour in order to target adverts to individuals based on that behaviour.

Last year the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) set out rules on OBA in a new code which many leading content providers, including Microsoft and the BBC, have committed to.

The IABE/EASA code requires operators to give users access to any easy method for turning off cookie tracking on their site and make it known that they collect data on them for behavioural advertising. Operators must also display an interactive icon, telling users that the adverts track their online activity and enable them to manage information preferences or stop receiving behavioural advertising by clicking the icon to visit a pan-European website, youronlinechoices.eu.

However, the Article 29 Working Party – which is a committee made up of representatives from each of the EU national data protection regulators – said that following the code was not enough for operators to be said to be complying with the law.

"In the present context and taking into account the current lack of knowledge and awareness of the web users with regard to behavioural advertising, the above-mentioned icon approach is not sufficient in itself to properly inform the users about the use of cookies," the Working Party said in its opinion [12-page / 85KB PDF].

Under the e-Privacy Directive, storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing". Consent must be "freely given, specific and informed".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

'Icon' not clear enough

The icon does not contain sufficient "additional language" to explain to the average internet user what its "underlying meaning" is and does not enable consent to be given until after tracking has begun, the Working Party said.

"In order for information to be provided in an understandable way, it is necessary to use clear language, allowing users to immediately understand that their activities are being tracked when they browse the web and they may ultimately receive targeted ads. The mere use of the word 'advertising' alongside the icon is not enough to inform the user that the ad uses cookies for the purpose of behavioural advertising. The wording should as a minimum include the element of 'personalised advertising'," the watchdogs' opinion said.

"The icon can serve as additional information and as a reminder notice after the subscriber or user has provided his/her consent for the processing of his/her data for the purpose of behavioural advertising," it said. "Thus, the proposed icon approach cannot be used for the provision of prior information, as required under the current legal framework (unless it is combined with a way to obtain the user's consent).

"Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the code and the website do not meet the requirement set out at the revised e-Privacy Directive," it said.

Secure remote control for conventional and virtual desktops

More from The Register

next story
MI6 oversight report on Lee Rigby murder: US web giants offer 'safe haven for TERRORISM'
PM urged to 'prioritise issue' after Facebook hindsight find
Assange™ slumps back on Ecuador's sofa after detention appeal binned
Swedish court rules there's 'great risk' WikiLeaker will dodge prosecution
NSA mass spying reform KILLED by US Senators
Democrats needed just TWO more votes to keep alive bill reining in some surveillance
'Internet Freedom Panel' to keep web overlord ICANN out of Russian hands – new proposal
Come back with our internet! cries Republican drawing up bill
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.