In an opinion issued on June 22, 2010, the EU Data Protection Authorities (Article 29 Working Party) clarified the legal framework applicable to online behavioral advertising – an activity that is becoming a hot topic for discussion as its popularity grows. Online behavioral advertising is, at its most basic level, the practice of gathering data, generally via cookies, about computer users for the purposes of serving tailored advertising. Some argue that such information gathering constitutes an invasion of people’s privacy. Most of the time, data subjects are not even aware that their personal data are being collected and used to create detailed user profiles and provide them with tailored advertising.

In order to remedy this lack of notice, it is becoming a common practice for advertising network providers to offer “opt-out” mechanisms so that users may, if they so wish, decline to receive targeted advertising.

Until now, the legality of such mechanisms under the EU Directive was questionable. That is no longer the case.

In its June 22 opinion, the Article 29 Working Party (the group responsible for overseeing the EU data protection regime) stated that, even if opt-out mechanisms were welcomed and should be encouraged, such mechanisms could not be regarded as complying with the EU Directive’s requirements regarding the necessity to deliver prior sufficient and effective notice to users and obtain the data subjects’ express consent before processing their personal data.

The Article 29 Working Party clearly took the position that it is incumbent upon advertising network providers to “create prior opt-in mechanisms requiring an affirmative action by the users indicating their willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.”

According to Article 5(3) of the ePrivacy Directive, advertising network providers must obtain the informed consent of users to lawfully store information or to gain access to information stored in a user’s computer. According to the Article 29 Working Party, this means that prior to placing cookies or similar devices, advertising network providers must obtain the informed consent of the users.

Informed consent requires that users be informed about the identity of the advertising network provider, the purpose of the processing and the fact that the cookie will allow the advertiser to collect information about visits to other websites. Such information can be provided directly on the screen and it is recommended that it not be hidden in general terms and conditions or privacy statements. (see also our discussion of the Sears case here.)

However, the EU Data Protection Authorities are conscious that in practice it could be burdensome to obtain consent every time a cookie is read for the purposes of delivering targeted advertising. As such, they recommend:

  • limiting the time and the scope of the consent
  • offering the possibility to revoke it easily
  • creating visible tools to be displayed where the monitoring takes place.

Furthermore, when placing cookies or similar devices, advertising network providers must also abide by the principles of the EU Directive of 1995 relating to the processing and free movement of personal data if the data being collected are considered personal.

Consequently, advertising network providers may be considered data controllers and thus need to:

  • inform users beforehand of the purposes of the processing
  • guarantee to data subjects their rights of access, rectification, erasure, limitation of retention, confidentiality, and security
  • inform the appropriate Data Protection Agency of the processing to the extent necessary

The Opinion invites industry to suggest technical and other means to comply with the aforesaid legal obligations.

As far as France is concerned, it should be noted that in 2009 the French Data Protection Agency (CNIL) reminded everyone that:

  • online behavioral advertising systems were subject to the data protection regulations given that they enable collection of personal data;
  • the analysis of behaviors on the Internet was possible only if the Internet user had been duly informed of such a practice and could easily and quickly oppose it;
  • professionals of that sector were highly encouraged to issue codes of conduct