The warning from the privacy supervisors, who meet regularly in an EU-level group called the Article 29 Working Party, comes as member states are transposing the revised directive on e-privacy.
The opinion by the European privacy watchdog group establishes that users should give their prior consent to advertisers before cookies are downloaded on their computers.
Once downloaded, cookies are able to track users' navigation on the Web, allowing advertisers to prepare advertising tailored to their interests, also called behavioural ads.
“Member states shall ensure that the storing of information in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information,” reads the new directive adopted at the end of 2009.
The online advertising industry has applied this provision by adopting a code and setting up a website in different languages which offers internet users the possibility to opt-out from receiving cookies from specific companies.
However, privacy watchdogs argue that this approach “is not consistent with the requirement for prior informed consent,” which should be given every time a cookie is placed on the user’s computer. It was an opt-in rather than an opt-out approach that was chosen by EU policy-makers, they argue.
“If we ask for consent each time, internet navigation will become a very user-unfriendly experience,” replied Kimon Zorbas, vice president of the European branch of the Interactive Advertising Bureau (IAB).
This controversy over online ads has erupted because of the ambiguities of the e-privacy directive, which leaves room for different interpretations. Some countries, like Germany, are not even changing their existing laws considering that the directive is not bringing any new elements to their legal framework.
Other states, like the Netherlands, have opted for stricter approaches, saying that cookies are personal information, although this is not mentioned in the directive.
Moreover, six months after the expiration of the transposition deadline (May 2011), almost half of EU member states have not incorporated the directive into national law.
Asked by EurActiv, Neelie Kroes, the EU Commissioner in charge of the dossier, avoided addressing this issue. “There will be a stakeholder meeting on 18 January,” her spokesperson Ryan Heath said.
The data protection trump card
While Kroes seems unwilling to react on the privacy watchdogs’ pressure, the European Commission could take action via its Commissioner in charge of fundamental rights, Viviane Reding.
By the end of January, Reding is set to launch a comprehensive overhaul of the EU data protection directive which has remained unchanged since 1995 despite the internet boom.
Behavioural ads are not strictly under Reding's remit, but they do fall under a wider review of data protection rules which she is in charge of.
Reding knows the subject well, as it was part of her portfolio in the previous Commission when she was in charge of information society. Known for her propensity to launch controversial initiatives, Reding is likely to push for radical solutions in a bid to make data protection a subject of wider attention.
Indeed, early drafts of the document on which Reding is still working suggest making explicit consent the general rule in all dealings with personal data. Even the concept of what constitutes personal information could be widened under the new definition.
As happened with the telephone roaming regulation, Reding is likely to get the backing of consumer groups but will also likely attract harsh criticism from the industry, notably the online advertising sector.
“We should be more pragmatic,” an industry expert told EurActiv. “Explicit consent is useful as a warning. If we multiply its usage, users will end up giving their consent without even reading the conditions.”
