Not opt out not opt in, but something in between

This article was first published in Data Protection Law & Policy in July 2010

A fascinating subject, a well thought out and constructed story line, some surprises and an intriguing open ending - if this was a movie, we would be heading for a Hollywood blockbuster. As it happens, it is just an Article 29 Working Party Opinion, but possibly a critical one for the development of the Internet. On 22 June, the Working Party adopted its second official Opinion of the year - a much awaited analysis and interpretation of the revised article 5(3) of the e-privacy directive, which affects the use of cookies and similar devices by those subject to EU data protection law. 

The Working Party’s Opinion starts by recognising that online advertising is an important factor in the growth and expansion of the Internet economy, but it then moves on quickly to flag up its concern: information gathered on the ‘surfing behaviour’ of individuals being analysed in order to build extensive profiles about those individuals’ interests. The depth of this concern is not explored any further but the Working Party suggests that such practices must not be carried out at the expense of individuals’ rights to privacy and data protection. Here is where the new article 5(3) fits in. 

Whilst the original EU regime affecting the use of cookies adopted in 2002 established two easily addressable obligations: notice and choice (the latter understood as the right to opt out of cookies being placed or read), the new framework uses a rather drained word: consent. So the language in the black letter of the law provides that in addition to the provision of information about the use of cookies, the consent of the user of the equipment in which the cookie is placed will also be required. This is the cornerstone of the Working Party’s Opinion and the focus of much debate in the months to come. 

In a clear departure from the current approach in the online advertising industry, the Working Party states straightaway that under article 5(3), it is irrelevant whether the entity placing or reading a cookie is a “data controller” or a “data processor”. In the context of behavioural advertising, the obligation to obtain informed consent falls on ad network providers. This adds a complication to an already complex web of relationships between advertisers, ad network providers and publishers. This is further aggravated by the unqualified statement that ad network providers have complete control over the purposes and means of the processing, which seems to contradict some of the careful reasoning in the other Working Party’s Opinion of 2010 on controllers and processors. Publishers do not come away unscathed either. The Working Party curiously argues that publishers also contribute to the serving of tailored advertising by redirecting users to the ad network provider and therefore, publishers will have some responsibilities as data controllers for these actions.

Irrespective of who is responsible for what, the main message that the Working Party is seeking to get across is that the amended article 5(3) clarifies and reinforces the need for the users’ informed prior consent. In other words, according to the Working Party, an ad network provider that wishes to store or gain access to cookies must first provide clear and comprehensive information about the purposes of that activity, and then obtain the user’s consent - which under EU law means a freely given and specific indication of that user’s wishes. Easier said than done.

Providing information about the use of cookies is no big deal. Not least because that has been a legal obligation across the EU since the original 2002 e-privacy directive came into force. The Working Party seems happy with a simple explanation about the use of cookies to create profiles aimed at serving targeted advertising and welcomes creativity in this area. The issue is who should be providing this information. Although the obligation primarily lies with the entity that sends and reads the cookie, namely the ad network provider, the Working Party points out that from a user’s perspective, it is more intuitive if they receive the notice from the publisher’s website. In the end, ad network providers and publishers are called to cooperate and decide who will provide notice and how.

But what about the really crunchy issue? What’s the Working Party’s advice on how to obtain consent? First of all, if you were thinking of simply relying on the browser settings, forget it. Given that browsers do not normally block cookies by default, Internet users cannot be deemed to have consented by using a browser that allows cookies. Reverting to an opt-out approach seems out of the question because not opting out is not the same as positively consenting. So the logical conclusion reached by the Working Party is that an opt in mechanism requiring an affirmative action to indicate the individual's consent before a cookie is placed or accessed (although not necessarily every time this happens) is the way to go.

Is this it then? Do providers of online behavioural advertising have to slap in an opt in pop up box every time a new cookie is set? Not quite. The Working Party still leaves a tiny bit of room for discussion on this matter. It is not obvious how much room for manoeuvre there is, but the Working Party urges ad network providers and publishers to be creative in this area and come forward with technical and other means to comply with this framework. Right now the ball is in the industry’s court and the Working Party seems prepared to listen to practical suggestions – as long as they are not just opt out.

For more information, please contact Eduardo Ustaran.