EU privacy watchdogs urge stricter rules on ‘cookies’

Internet screen.JPG

This article is part of our special report Data protection.

A group of European privacy watchdogs has called for a stricter interpretation of rules on behavioural advertising, condemning the industry's self-regulation code as giving users a “wrong presumption” of how their online browsing habits are being tracked by advertisers using web 'cookies'.

The warning from the privacy supervisors, who meet regularly in an EU-level group called the Article 29 Working Party, comes as member states are transposing the revised directive on e-privacy.

The opinion by the European privacy watchdog group establishes that users should give their prior consent to advertisers before cookies are downloaded on their computers.

Once downloaded, cookies are able to track users' navigation on the Web, allowing advertisers to prepare advertising tailored to their interests, also called behavioural ads.

“Member states shall ensure that the storing of information in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information,” reads the new directive adopted at the end of 2009.

The online advertising industry has applied this provision by adopting a code and setting up a website in different languages which offers internet users the possibility to opt-out from receiving cookies from specific companies.

However, privacy watchdogs argue that this approach “is not consistent with the requirement for prior informed consent,” which should be given every time a cookie is placed on the user’s computer. It was an opt-in rather than an opt-out approach that was chosen by EU policy-makers, they argue.

“If we ask for consent each time, internet navigation will become a very user-unfriendly experience,” replied Kimon Zorbas, vice president of the European branch of the Interactive Advertising Bureau (IAB).

This controversy over online ads has erupted because of the ambiguities of the e-privacy directive, which leaves room for different interpretations. Some countries, like Germany, are not even changing their existing laws considering that the directive is not bringing any new elements to their legal framework.

Other states, like the Netherlands, have opted for stricter approaches, saying that cookies are personal information, although this is not mentioned in the directive.

Moreover, six months after the expiration of the transposition deadline (May 2011), almost half of EU member states have not incorporated the directive into national law.

Asked by EURACTIV, Neelie Kroes, the EU Commissioner in charge of the dossier, avoided addressing this issue. “There will be a stakeholder meeting on 18 January,” her spokesperson Ryan Heath said.

The data protection trump card

While Kroes seems unwilling to react on the privacy watchdogs’ pressure, the European Commission could take action via its Commissioner in charge of fundamental rights, Viviane Reding.

By the end of January, Reding is set to launch a comprehensive overhaul of the EU data protection directive which has remained unchanged since 1995 despite the internet boom.

Behavioural ads are not strictly under Reding's remit, but they do fall under a wider review of data protection rules which she is in charge of.

Reding knows the subject well, as it was part of her portfolio in the previous Commission when she was in charge of information society. Known for her propensity to launch controversial initiatives, Reding is likely to push for radical solutions in a bid to make data protection a subject of wider attention.

Indeed, early drafts of the document on which Reding is still working suggest making explicit consent the general rule in all dealings with personal data. Even the concept of what constitutes personal information could be widened under the new definition.

As happened with the telephone roaming regulation, Reding is likely to get the backing of consumer groups but will also likely attract harsh criticism from the industry, notably the online advertising sector.

“We should be more pragmatic,” an industry expert told EURACTIV. “Explicit consent is useful as a warning. If we multiply its usage, users will end up giving their consent without even reading the conditions.”

“Adherence to the EASA/IAB Code on online behavioural advertising and participation in the website does not result in compliance with the current e-Privacy Directive. Moreover, the code and the website create the wrong presumption that it is possible to choose not be tracked while surfing the Web. This wrong presumption can be damaging to users but also to the industry if they believe that by applying the Code they meet the requirements of the Directive,” read the conclusions of the Article 29 Working Party opinion drafted by its Dutch chairman Jacob Kohnstamm.

Monique Goyens, director general of the European Consumers’ Organisation (BEUC) commented: “It’s a question of information and control. The collecting, buying and selling of personal information cannot be some kind of secret, off-screen marketplace not subject to essential rules and standards.”

“Data protection authorities have outright rejected this poor self-regulatory code on Online Behavioural Advertisement. It fails to hit acceptable standards and achieves the opposite of what it was supposed to do. It creates a false impression by making consumers think they can prevent being tracked online,” she added in a note.

Kimon Zorbas, IAB vice president, considered the website and the code a part “of a bigger exercise to provide transparency which should be judged as a whole, and not on the basis of specific elements.” He added that the industry has provided a joint standard which is more than necessary to give a bit of legal certainty in an environment made partially inconsistent by “an ambiguously-drafted directive which has made difficult for member states to implement it.”

Behavioural advertising is based on information stored on users’ computers, better known as cookies. Cookies track users in their online navigation and send back information to advertisers, which are therefore informed about the online behaviour of potential customers, who the industry claim remain anonymous.

The advertising industry also argue that cookies are instrumental in their business models and that the European Commission should avoid introducing burdensome consent or privacy notices that could hamper their business practice.

Privacy watchdogs warn instead of dangers of tracking users online.

The review of the e-privacy directive in 2009 addressed these issues and imposed informed consent as a precondition to place cookies on users’ computers, and therefore applying behavioural ads.

  • 18 Jan. 2012: EU stakeholder meeting on behavioural ads.
  • End of Jan. 2012 : Commission to propose overhaul of data protection directive.

Subscribe to our newsletters