On 26 August, 2011, the Article 29 Working Party, a group of European data protection authorities, published a letter to the Online Behavioural Advertising Industry regarding the proposed industry self-regulatory framework, known as the Best Practice Recommendation on Online Behavioural Advertising (the “Code”). The letter sets out the main data privacy concerns identified by the Working Party arising from the Code. The Working Party takes a strict view regarding the application of the European Data Protection and ePrivacy Directives to the use of cookies for purposes of tracking consumer behaviour online. The main issues discussed in the letter are set out below:
1. Clear Consent. The Working Party emphasizes that European data privacy laws require users’ freely given, specific and informed consent to be obtained before cookies can be placed on their terminal equipment to track their online behaviour. The suggestion in the Code that such consent could be inferred from the inaction of the user is rejected – in the Working Party’s view, not objecting to being tracked for purposes of receiving behavioural advertising is not the same as exercising a real choice. Similarly, the Working Party considers that only browser settings that reject third party cookies by default and require some positive action from users to accept cookies for specific purposes meet the current legal requirements.
2. Streamlined Procedures for Multiple Ad Network Providers. While the Working Party accepts that a large number of ad network providers on a website may result in multiple pop-ups, users should nevertheless be entitled to choose whether to receive or reject specific cookies. Website operators and ad network providers could, for example, consider setting up streamlined procedures whereby users could accept or decline cookies for the various ad network providers in a centralized way.
3. Clear and Comprehensive Information.The Working Party is not convinced that, as suggested in the Code, an icon could act as a notice of behavioural advertising – such an icon is unlikely to convey enough information to most Internet users. Rather, it states that clear and comprehensive language should be used making clear to users that their activities are being tracked and they are being profiled for advertising purposes.
4. Targeted Information. The Working Party also states that information about online behavioural advertising must be given directly to individuals – it is not enough to simply make the information available somewhere online. Therefore, the mechanism suggested in the Code, which requires users to click several times on an icon before receiving additional information about behavioural advertising and being able to opt-out, is considered inadequate by the Working Party.
Annexed to the Working Party letter is a communication from the Federal Trade Commission (“FTC”) to the Working Party, setting out the FTC’s position on online behavioural advertising. The FTC, while not commenting on the Code itself, agrees with the Working Party that consumers should receive clear information about how their data is collected and used and be provided meaningful means to control these behavioural advertising practices.