Feeds

Ad slingers - obeying EU snoop code is NOT GOOD ENOUGH

Industry rules at odds with cookie laws, say watchdogs

Next gen security for virtualised datacentres

Website operators that track internet users' online activity in order to serve targeted adverts do not automatically comply with EU privacy laws by following the industry code. This is according to a committee of all of the EU's national data protection regulators.

The Article 29 Working Party said that solely adhering to rules set out in the self-regulatory Online Behavioural Advertising (OBA) code [PDF] would not in itself be enough to comply with the EU's Privacy and Electronic Communications (e-Privacy) Directive, because the code does not demand that operators obtain clear enough user permission to track online activity.

Publishers and advertising networks use cookies – small text files that record internet users' activity on websites – to track user behaviour in order to target adverts to individuals based on that behaviour.

Last year the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) set out rules on OBA in a new code which many leading content providers, including Microsoft and the BBC, have committed to.

The IABE/EASA code requires operators to give users access to any easy method for turning off cookie tracking on their site and make it known that they collect data on them for behavioural advertising. Operators must also display an interactive icon, telling users that the adverts track their online activity and enable them to manage information preferences or stop receiving behavioural advertising by clicking the icon to visit a pan-European website, youronlinechoices.eu.

However, the Article 29 Working Party – which is a committee made up of representatives from each of the EU national data protection regulators – said that following the code was not enough for operators to be said to be complying with the law.

"In the present context and taking into account the current lack of knowledge and awareness of the web users with regard to behavioural advertising, the above-mentioned icon approach is not sufficient in itself to properly inform the users about the use of cookies," the Working Party said in its opinion [12-page / 85KB PDF].

Under the e-Privacy Directive, storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing". Consent must be "freely given, specific and informed".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

'Icon' not clear enough

The icon does not contain sufficient "additional language" to explain to the average internet user what its "underlying meaning" is and does not enable consent to be given until after tracking has begun, the Working Party said.

"In order for information to be provided in an understandable way, it is necessary to use clear language, allowing users to immediately understand that their activities are being tracked when they browse the web and they may ultimately receive targeted ads. The mere use of the word 'advertising' alongside the icon is not enough to inform the user that the ad uses cookies for the purpose of behavioural advertising. The wording should as a minimum include the element of 'personalised advertising'," the watchdogs' opinion said.

"The icon can serve as additional information and as a reminder notice after the subscriber or user has provided his/her consent for the processing of his/her data for the purpose of behavioural advertising," it said. "Thus, the proposed icon approach cannot be used for the provision of prior information, as required under the current legal framework (unless it is combined with a way to obtain the user's consent).

"Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the code and the website do not meet the requirement set out at the revised e-Privacy Directive," it said.

Next gen security for virtualised datacentres

More from The Register

next story
Britain's housing crisis: What are we going to do about it?
Rent control: Better than bombs at destroying housing
Top beak: UK privacy law may be reconsidered because of social media
Rise of Twitter etc creates 'enormous challenges'
Ex US cybersecurity czar guilty in child sex abuse website case
Health and Human Services IT security chief headed online to share vile images
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
GCHQ protesters stick it to British spooks ... by drinking urine
Activists told NOT to snap pics of staff at the concrete doughnut
What do you mean, I have to POST a PHYSICAL CHEQUE to get my gun licence?
Stop bitching about firearms fees - we need computerisation
Oz biz regulator discovers shared servers in EPIC FACEPALM
'Not aware' that one IP can hold more than one Website
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?