behavioral advertising

On January 9, 2022, the cookie guidelines (“guidelines”) published by the Italian Supervisory Authority (“Garante”) on July 9, 2021 entered into force.  This means that all companies that have not yet conformed to the guidelines’ provisions should do so promptly to avoid incurring future sanctions.  The guidelines include precise indications on, e.g., the categorization of cookies and other tracking technologies (“cookies”), the recommended design of cookie banners, the collection, review and renewal of consent, and the information notices.

Continue Reading New Italian Guidelines on the Use of Cookies and Other Tracking Technologies Now in Force

The last two weeks have brought two important decisions in the ongoing litigation over behavioral advertising firm NebuAd’s alleged use of a device to intercept data from ISP networks. Several ISPs allegedly permitted NebuAd to install an “appliance” on their networks in order to collect and analyze subscriber data for ad targeting purposes.  In lawsuits that began to be filed in 2008, plaintiffs have alleged that NebuAd–and the ISPs with which it allegedly partnered–violated Title I of the Electronic Communications Privacy Act (i.e., the Wiretap Act) as well as other federal and state laws.  Plaintiffs have sued the ISPs in separate suits around the country.  Two of these suits–against ISPs Embarq and WideOpen West (“WOW”)–yielded decisions in favor of the ISPs last week.

Continue Reading Two New Decisions on the Wiretap Act and Secondary Liability

The group that develops technical standards and guidelines for the World Wide Web released a set of draft standards on Monday that are intended to allow consumers to limit and control how they are tracked online.

The standards, developed by the World Wide Web Consortium (known as the “W3C”), would allow consumers to set a “Do-Not-Track” preference using their browser or other tools.  The proposal effectively sets up an “opt-out” mechanism for online tracking because no preference is transmitted until the user affirmatively selects a setting.  The standard states that, absent laws, rules or other requirements to the contrary, servers may interpret the lack of an expressed preference “as they find most appropriate for the given user, particularly when considered in light of the user’s privacy expectations and cultural circumstances.”  Once set by the user, the Do-Not-Track preference would be transmitted to any website the user visits; the standard requires website servers that have implemented the standard to send a response signal indicating whether the website respects the tracking preference.  Users would be able to affirmatively allow tracking, block all tracking, or refuse tracking generally but allow tracking on certain sites.

Continue Reading Web-standards group releases draft “Do-Not-Track” mechanism

On October 26, 2011, the French Data Protection Authority, the CNIL, published guidance on the implementation of the new cookie rules arising from the amendments to the EU e-Privacy Directive 2002/58/EC (the “Directive”).  The new cookie rules have been implemented into French national law via the ordinance of August 24, 2011, relating to electronic communications (the “Ordinance”).

Under the old rules, companies offering websites, mobile applications and other online offerings had to inform users that cookies were utilized and to supply them with information as to how to “opt-out” if the users objected to the cookie being created on their devices.  Companies would often incorporate this information into the website’s main privacy statement.

According to the new rules, it is not permitted to deploy cookies (i) without the user’s prior consent (“opt-in”), and (ii) without the user having been provided with clear and comprehensive information about the cookies.  Apart from suggesting in the interpretative language of the Directive that browser settings might be used to obtain a user’s consent, the Directive does not specify how these requirements should be met.  Instead, the interpretation of the rules is left for individual member states.

Continue Reading French Data Protection Authority Releases Guidance on the Use of Cookies

Yesterday, the Digital Advertising Alliance (DAA) announced the release of new “Self-Regulatory Principles for Multi-Site Data,” voluntary self-regulatory standards to govern the collection, use, and sharing of data concerning user activity across non-affiliated websites.  The DAA, an umbrella organization for advertising trade groups, already maintains self-regulatory principles for online behavioral advertising (OBA).  Notably, while the OBA Principles apply only to data collected for behavioral advertising purposes, the new Multi-Site Data Principles encompass all collection, use, and disclosure of multi-site data regardless of purpose.  The DAA expects its new principles will be implemented in 2012.

Continue Reading DAA Releases “Self-Regulatory Principles for Multi-Site Data”

The representatives of IAB Europe and EASA, European advertising and marketing industry associations, met with the Article 29 Working Party, a group of European data protection authorities, on 14 September 2011 to discuss the industry’s self-regulatory code on Online Behavioural Advertising.  As we blogged here, the Article 29 Working Party had previously voiced concerns

By Dan Cooper and Helena Marttila

On 26 August, 2011, the Article 29 Working Party, a group of European data protection authorities, published a letter to the Online Behavioural Advertising Industry regarding the proposed industry self-regulatory framework, known as the Best Practice Recommendation on Online Behavioural Advertising (the “Code”). The letter sets out the main data privacy concerns identified by the Working Party arising from the Code. The Working Party takes a strict view regarding the application of the European Data Protection and ePrivacy Directives to the use of cookies for purposes of tracking consumer behaviour online. The main issues discussed in the letter are set out below:

Continue Reading Article 29 Working Party Voices Concerns Over Behavioural Advertising Code

This week, Stanford Security Lab reported preliminary results from a platform it has been developing, a chief application of which is to detect various forms of third-party tracking in an automated manner.  According to researcher Jonathan Mayer’s release, which emphasizes that these are “preliminary findings from experimental software,” Stanford’s system has detected that over half of the companies tested that belong to the self-regulatory Network Advertising Initiative (“NAI”) group leave tracking cookies on users’ computers even after a user opts out of online behavioral targeting.  Importantly, though, NAI member companies are required by the NAI guidelines only to allow and abide by requests to opt out of behavioral ad targeting, and the guidelines do not contain commitments with respect to tracking.  This distinction between targeting and tracking has been the subject of increasing attention, including from the Federal Trade Commission.

The preliminary study results also reportedly show that at least eight NAI members—including prominent networks such as 24/7 Real Media and Audience Science—commit in their privacy policies to stop tracking users following an opt-out request, but nonetheless leave tracking cookies in place.  Although the media and, increasingly, plaintiffs’ counsel can be quick to latch onto these types of reports, it will be critical to closely examine each company’s privacy policy language in the context of the company’s actual practices.

Continue Reading Preliminary Results Reported From Stanford “Tracking the Trackers” Study