Feeds

Ad slingers - obeying EU snoop code is NOT GOOD ENOUGH

Industry rules at odds with cookie laws, say watchdogs

Secure remote control for conventional and virtual desktops

Website operators that track internet users' online activity in order to serve targeted adverts do not automatically comply with EU privacy laws by following the industry code. This is according to a committee of all of the EU's national data protection regulators.

The Article 29 Working Party said that solely adhering to rules set out in the self-regulatory Online Behavioural Advertising (OBA) code [PDF] would not in itself be enough to comply with the EU's Privacy and Electronic Communications (e-Privacy) Directive, because the code does not demand that operators obtain clear enough user permission to track online activity.

Publishers and advertising networks use cookies – small text files that record internet users' activity on websites – to track user behaviour in order to target adverts to individuals based on that behaviour.

Last year the Internet Advertising Bureau Europe (IABE) and European Advertising Standards Alliance (EASA) set out rules on OBA in a new code which many leading content providers, including Microsoft and the BBC, have committed to.

The IABE/EASA code requires operators to give users access to any easy method for turning off cookie tracking on their site and make it known that they collect data on them for behavioural advertising. Operators must also display an interactive icon, telling users that the adverts track their online activity and enable them to manage information preferences or stop receiving behavioural advertising by clicking the icon to visit a pan-European website, youronlinechoices.eu.

However, the Article 29 Working Party – which is a committee made up of representatives from each of the EU national data protection regulators – said that following the code was not enough for operators to be said to be complying with the law.

"In the present context and taking into account the current lack of knowledge and awareness of the web users with regard to behavioural advertising, the above-mentioned icon approach is not sufficient in itself to properly inform the users about the use of cookies," the Working Party said in its opinion [12-page / 85KB PDF].

Under the e-Privacy Directive, storing and accessing information on users' computers is only lawful "on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information ... about the purposes of the processing". Consent must be "freely given, specific and informed".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

'Icon' not clear enough

The icon does not contain sufficient "additional language" to explain to the average internet user what its "underlying meaning" is and does not enable consent to be given until after tracking has begun, the Working Party said.

"In order for information to be provided in an understandable way, it is necessary to use clear language, allowing users to immediately understand that their activities are being tracked when they browse the web and they may ultimately receive targeted ads. The mere use of the word 'advertising' alongside the icon is not enough to inform the user that the ad uses cookies for the purpose of behavioural advertising. The wording should as a minimum include the element of 'personalised advertising'," the watchdogs' opinion said.

"The icon can serve as additional information and as a reminder notice after the subscriber or user has provided his/her consent for the processing of his/her data for the purpose of behavioural advertising," it said. "Thus, the proposed icon approach cannot be used for the provision of prior information, as required under the current legal framework (unless it is combined with a way to obtain the user's consent).

"Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the code and the website do not meet the requirement set out at the revised e-Privacy Directive," it said.

Beginner's guide to SSL certificates

More from The Register

next story
Facebook pays INFINITELY MORE UK corp tax than in 2012
Thanks for the £3k, Zuck. Doh! you're IN CREDIT. Guess not
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...
Opportunity doesn't knock; it costs us instead
Sysadmin with EBOLA? Gartner's issued advice to debug your biz
Start hoarding cleaning supplies, analyst firm says, and assume your team will scatter
YARR! Pirates walk the plank: DMCA magnets sink in Google results
Spaffing copyrighted stuff over the web? No search ranking for you
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.