A stricter regime for profiling07 June 2016
EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection
On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.
Behavioral Advertising is Regulated in the EU by Two Primary Sources
The Working Party explained that behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive) that requires that organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states law by June 2011.
The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.
Opt-In Consent Requirement and Opt-Out Deficiencies Explained
The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained by an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.
Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.
The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes.
Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.
Room for Innovation
While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”
The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:
- Ad networks should not create or use "interest categories" intended to track the Internet habits of children.
- Ad networks should not offer or use interest categories that could reveal “sensitive data” about an individual (as defined in the EU ) without explicit opt-in consent.
- Information must be deleted if no longer needed for the purpose for which it was collected, meaning that ad networks must implement policies to ensure that information collected each time a cookie is read is immediately deleted or anonymized once the necessity for retaining it expires.
- Individuals must be allowed to exercise their rights of access, rectification, erasure, and to object under the Data Protection Directive.
- Data controllers and processors must also keep in mind data security, data transfer, and database registration obligations.
Who is Responsible?
Though it laid out specific obligations, the Working Party was not prescriptive when it came to determining what participants in the behavioral advertising ecosystem would be responsible for complying with the obligations. For example, it stated that while ad networks, as ultimate controllers of the targeting data, are obligated to obtain informed consent, in some instances publishers of targeted advertisements have “some responsibility” in obtaining consent as well because they transfer user IP addresses to ad networks to facilitate advertising transactions. And the Working Party noted that advertisers too can be considered independent data controllers if they capture certain information when their ads are clicked (for example, demographic profiles such as “young mothers” or interest categories such as “extreme sports fans” for whom specific ads are selected) and combine it with an individual’s web browsing behavior or registration data.
The guidelines released by the Working Party represent a major change to the current behavioral advertising regulatory landscape. Nevertheless, the Working Party held out a lifeline for proponents of industry self-regulation and innovation, conceding that industry progress in the provision of notice to Internet users about behavioral advertising could lead the Working Party to accept innovations that may be less restrictive than the opt-in regime it announced. In that way, the opinion may serve a similar purpose to the Federal Trade Commission’s 2009 report on behavioral advertising that set forth its expectations for industry along with the not-so-subtle undertone that if industry did not comply with its “suggestions,” the Commission would formally regulate in the area. While companies have made progress on this front in the U.S., and consequently have succeeded in staving off formal FTC regulation or enforcement so far, those engaging in behavioral advertising in the EU should implement the guidelines set forth in the Working Party opinion immediately and stay tuned for developments regarding the EU's enforcement strategy.
The Regulation aims to strengthen the rights of individuals. It does so by retaining rights that already exist under the Data Protection Directive and introducing the new rights of data...06 June 2016
Grounds for processing03 June 2016