Opt Out Rejected by the EU Data Protection Authorities for Online Behavioral Advertising

In an opinion issued on June 22, 2010, the EU Data Protection Authorities (Article 29 Working Party) clarified the legal framework applicable to online behavioral advertising – an activity that is becoming a hot topic for discussion as its popularity grows. Online behavioral advertising is, at its most basic level, the practice of gathering data, generally via cookies, about computer users for the purposes of serving tailored advertising. Some argue that such information gathering constitutes an invasion of people’s privacy. Most of the time, data subjects are not even aware that their personal data are being collected and used to create detailed user profiles and provide them with tailored advertising.

In order to remedy this lack of notice, it is becoming a common practice for advertising network providers to offer “opt-out” mechanisms so that users may, if they so wish, decline to receive targeted advertising.

Until now, the legality of such mechanisms under the EU Directive was questionable. That is no longer the case.

In its June 22 opinion, the Article 29 Working Party (the group responsible for overseeing the EU data protection regime) stated that, even if opt-out mechanisms were welcomed and should be encouraged, such mechanisms could not be regarded as complying with the EU Directive’s requirements regarding the necessity to deliver prior sufficient and effective notice to users and obtain the data subjects’ express consent before processing their personal data.

The Article 29 Working Party clearly took the position that it is incumbent upon advertising network providers to “create prior opt-in mechanisms requiring an affirmative action by the users indicating their willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.”

According to Article 5(3) of the ePrivacy Directive, advertising network providers must obtain the informed consent of users to lawfully store information or to gain access to information stored in a user’s computer. According to the Article 29 Working Party, this means that prior to placing cookies or similar devices, advertising network providers must obtain the informed consent of the users.

Informed consent requires that users be informed about the identity of the advertising network provider, the purpose of the processing and the fact that the cookie will allow the advertiser to collect information about visits to other websites. Such information can be provided directly on the screen and it is recommended that it not be hidden in general terms and conditions or privacy statements. (See also our discussion of the Sears case here.)

However, the EU Data Protection Authorities are conscious that in practice it could be burdensome to obtain consent every time a cookie is read for the purposes of delivering targeted advertising. As such, they recommend:

  • limiting the time and the scope of the consent
  • offering the possibility to revoke it easily
  • creating visible tools to be displayed where the monitoring takes place.

Furthermore, when placing cookies or similar devices, advertising network providers must also abide by the principles of the EU Directive of 1995 relating to the processing and free movement of personal data if the data being collected are considered personal.

Consequently, advertising network providers may be considered data controllers and thus need to:

  • inform users beforehand of the purposes of the processing
  • guarantee to data subjects their rights of access, rectification, erasure, limitation of retention, confidentiality, and security
  • inform the appropriate Data Protection Agency of the processing to the extent necessary

The Opinion invites industry to suggest technical and other means to comply with the aforesaid legal obligations.

As far as France is concerned, it should be noted that in 2009 the French Data Protection Agency (CNIL) reminded everyone that:

  • online behavioral advertising systems were subject to the data protection regulations given that they enable collection of personal data;
  • the analysis of behaviors on the Internet was possible only if the Internet user had been duly informed of such a practice and could easily and quickly oppose it;
  • professionals of that sector were highly encouraged to issue codes of conduct.

Update: Deep Discussion of DPI

On July 17, 2008, the House Telecommunications and Internet Subcommittee examined the practice of deep packet inspection (DPI), a method for networks and third parties to determine what information users (identified by IP addresses or random ID numbers) are searching for and accessing on the Internet in order to tailor more relevant advertising based on an individual’s interests. DPI is often cookie-based and does not link personally identifiable information with users’ surfing behavior.

The House Subcommittee’s hearing focused on whether the online advertising industry should be required to use opt-in systems, or whether current opt-out systems adequately protect consumers’ privacy. The July 17 hearing is the latest in a series of efforts by regulators and legislators to better understand behavioral targeting.

As discussed here in our posts, in December 2007, the Federal Trade Commission issued for public comment proposed online behavioral advertising principles designed to guide the industry in self-regulation. The proposed principles state that websites should provide clear notice when they collect an individual’s information and that data collectors should obtain affirmative, express consent before using certain categories of sensitive data for marketing purposes. The FTC is in the process of reviewing and evaluating dozens of comments filed in response to the proposed principles.

On July 9, 2008, the Senate Committee on Commerce, Science, and Transportation held a hearing to consider the current state of the online advertising industry and the potential impact on user privacy. Industry representatives and consumer advocates, including Microsoft Corp., NebuAd Inc., the Center for Democracy and Technology, Google Inc., the Competitive Enterprise Institute, and Facebook Inc., testified. As noted in the FTC’s press release of July 9, according to the testimony of Lydia Parnes, Director of the FTC's Bureau of Consumer Protection, “behavioral advertising may provide a variety of benefits to consumers, including free content, personalization of ads, and a potential reduction in unwanted advertising. Consumer research has shown that consumers value online ads that are more personalized. These ads may facilitate shopping for specific products. Further, behavioral advertising may help subsidize and support a diverse range of free online content and services that might otherwise not be available or that consumers would have to pay for, for example, blogging, search engines, and instant access to news and other information.”

This is certainly not the end of the discussion – the industry awaits the FTC’s completion of its review regarding the proposed self-regulatory principles, and Congressional leaders have stated their intent to further explore behavioral targeting.

The author thanks Proskauer summer associate Julie Shah for her substantial contribution to this post.