Archive for the ‘Targeted advertising’ Category

Belgian research report claims Facebook tracks the internet use of everyone

Posted on April 1st, 2015 by

A report published by researchers at two Belgian universities claims that Facebook engages in massive tracking of not only its users but also people who have no Facebook account. The report also identifies a number of other violations of EU law.

When Facebook announced, in late 2014, that it would revise its Data Use Policy (DUP) and Terms of Services effective from 30 January 2015, a European Task Force, led by the Data Protection Agencies of the Netherlands, Belgium and Germany, was formed to analyse the new policies and terms.

In Belgium, the State Secretary for Privacy, Bart Tommelein, had urged the Belgian Privacy Commission to start an investigation into Facebook’s privacy policy, which led to the commissioning of the draft report that has now been published. The report concludes that Facebook is acting in violation of applicable European legislation and that “Facebook places too much burden on its users. Users are expected to navigate Facebook’s complex web of settings in search of possible opt-outs”.

The main findings of the report can be summarised as follows:

Tracking through social plug-ins

The researchers found that whenever a user visits a non-Facebook website, Facebook will track that user by default, unless he or she takes steps to opt-out. The report concludes that this default opt-out approach is not in line with the opt-in requirements laid down in the E-privacy Directive.

As far as non-users of Facebook are concerned, the researchers’ findings confirm previous investigations, most notably in Germany, that Facebook places a cookie each time a non-user visits a third-party website which contains a Facebook social plug-in such as the Like-button. Moreover, this cookie is placed regardless of whether the non-user has clicked on that Like button or not. Considering that Facebook does not provide any of this information to such non-users, and that the non-user is not requested to consent to the placing of such cookie, this can also be considered a violation of the E-privacy Directive.

Finally, the report found that both users and non-users who decide to use the opt-out mechanism offered by Facebook receive a cookie during this very opt-out process. This cookie, which has a default duration of two years, enables Facebook to track the user or non-user across all websites that contain its social plug-ins.

Other data protection issues identified

In addition to a number of consumer protection law issues, the report also covers the following topics relating to data protection:

  • Consent: The researchers are of the opinion that Facebook provides only very limited and vague information and that for many data uses, the only choice for users is simply “take it or leave it”. This is considered to be a violation of the principle that, in order for consent to be valid, it should be freely given, specific, informed and unambiguous, as set out in the Article 29 Working Party’s Opinion on consent (WP 187).
  • Privacy settings: The report further states that the current default settings (opt-out mechanism) remain problematic, not in the least because “users cannot exercise meaningful control over the use of their personal information by Facebook or third parties” which gives them “a false sense of control”.
  • Location data: Finally, the researchers consider that Facebook should offer more granular in-app settings for the sharing of location data, and should provide more detailed information about how, when and why it processes location data. It should also ensure it does not store the location data for longer than is strictly necessary.


The findings of this report do not come as a surprise. Indeed, most of the alleged areas of non-compliance have already been the object of discussions in past years and some have already been investigated by other privacy regulators (see e.g. the German investigations around the ‘like’ button).

The real question now surrounds what action the Belgian Privacy Commission will take on the basis of this report.

On the one hand, as of late, data protection enforcement has been put high on the agenda in Belgium. It seems the Belgian Privacy Commission is more determined than ever to show that its enforcement strategy has changed. This can also be situated in the context of recent muscular declarations from the State Secretary of Privacy that companies like Snapchat and Uber must be investigated to ensure they comply with EU data protection law.

Facebook, on the other hand, questions the authority of the Belgian Privacy Commission to conduct such an investigation, stating that only the Irish DPA is competent to discuss their privacy policies. Facebook has also stated that the report contains factual inaccuracies and expressed regret that the organisation was not contacted by the researchers.

It will therefore be interesting to see how the discussions between Facebook and the Belgian Privacy Commission develop. The President of the Belgian Privacy Commission has declared a number of times that it will not hesitate to take legal action against Facebook if the latter refuses to implement the changes for which Privacy Commission is asking.

This could potentially lead to Facebook being prosecuted, although it is more likely that it will be forced to accept a criminal settlement. In 2011, following the Privacy Commission’s investigation into Google Street View, Google agreed to pay 150.000 EUR as part of a criminal settlement with the public prosecutor.

Will no doubt be continued…



Working Party 29 releases results of EU cookies sweep

Posted on February 18th, 2015 by

On February 3, 2015, the Article 29 Working Party (“WP 29”) released a report (the “report”) analysing the results of an EU cookies sweep, which was announced by the CNIL last July.

The sweep was conducted by several EU Data Protection Authorities (“DPAs”) with the aim of informing the WP 29 about the current usage of cookies and the likely state of compliance with Article 5(3) of the ePrivacy Directive across the EU in a range of specific sectors. The cookies sweep did not aim to assess the level of compliance with the cookie rules, but rather to assess the extent of the use of cookies and the level of information provided, and to review the control mechanisms in place on the websites that were visited.

Who conducted the cookies sweep?

The cookies sweep was conducted on 15 – 19 September 2014 by the DPAs and other national regulators who are competent for enforcing Article 5(3) of the ePrivacy Directive under national law in eight EU Member States: Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom.

What was the scope of the cookies sweep?

The cookies sweep focused essentially on three sectors, namely media, e-commerce and the public sector, which are perceived by the WP 29 as presenting the greatest data protection and privacy risks to EU citizens. The target websites were selected among the 250 most frequently visited sites by individuals within each Member State taking part in the sweep.

What are the results of the cookies sweep?

Essentially, the cookies sweep was conducted in two phases:

Phase 1 comprised a statistical review of cookies used by websites and their technical properties. Without going into the full details of the report, the following key points can be highlighted:

– a total of 478 sites were audited in eight Member States;

– a total of 16555 cookies were set on all 478 sites (on average: 34,6 cookies per site);

– 70% of the 16555 cookies recorded were third party cookies and 86,09% were persistent cookies;

– media sites set on average the highest number of cookies (e.g., 83,1% in the UK);

– media sites also contained the highest proportion of third party cookies (78,95%) and persistent cookies (89,61%) as compared with other sectors;

– the average duration of first-party persistent cookies is 14,34 years while the average duration of third party persistent cookies is 1,77 years;

– third party domains are mainly involved in the advertising business.
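The Phase 1 figures above come from classifying every cookie a site sets as first- or third-party and as session or persistent, and measuring the lifetime of the persistent ones. The Python script below is an added example (not the report’s or the DPAs’ own tooling) that performs that classification on a constructed set of Set-Cookie headers from a hypothetical site; it assumes the last two host labels form the site, rather than consulting the Public Suffix List.

```python
"""Classify cookies the way the sweep's Phase 1 statistics do.

Added example: the sample headers and hostnames below are constructed, and
the `.test` domains are reserved names, not real sites.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from statistics import mean
from typing import Optional

# Constructed reference time for turning an Expires date into a lifetime
# (a real audit would use the time each response was received).
OBSERVED_AT = datetime(2014, 9, 15, tzinfo=timezone.utc)

# (site the visitor opened, host that sent the response, raw Set-Cookie header)
SAMPLE = [
    ("www.example-news.test", "www.example-news.test",
     "PHPSESSID=abc123; Path=/; HttpOnly"),                     # session, first party
    ("www.example-news.test", "www.example-news.test",
     "prefs=dark; Max-Age=315360000; Path=/"),                  # 10 years, first party
    ("www.example-news.test", "ads.tracker.test",
     "uid=9f8e7d; Domain=.tracker.test; "
     "Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/"),          # persistent, third party
    ("www.example-news.test", "cdn.example-news.test",
     "geo=BE; Domain=.example-news.test; Max-Age=2592000"),     # 30 days, first party
    ("www.example-news.test", "pixel.adnet.test",
     "sync=1; Path=/"),                                         # session, third party
]


@dataclass
class Cookie:
    name: str
    domain: str
    third_party: bool
    persistent: bool
    lifetime_days: Optional[float]  # None for session cookies


def registrable(host: str) -> str:
    """Reduce a host to its site. Assumption: the last two labels are the
    registrable domain. A real audit must use the Public Suffix List, since
    this shortcut is wrong for names such as example.co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(site: str, setter: str, header: str,
                     now: datetime = OBSERVED_AT) -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # A cookie without a Domain attribute belongs to the host that set it.
    domain = attrs.get("domain", setter)
    lifetime: Optional[timedelta] = None
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    persistent = lifetime is not None
    days = lifetime.total_seconds() / 86400 if persistent else None
    return Cookie(name, domain,
                  third_party=registrable(domain) != registrable(site),
                  persistent=persistent, lifetime_days=days)


def summarise(rows) -> dict:
    """Produce Phase 1 style metrics (shares and average lifetimes) for one site."""
    cookies = [parse_set_cookie(*row) for row in rows]
    total = len(cookies)
    third = [c for c in cookies if c.third_party]
    persistent = [c for c in cookies if c.persistent]
    first_life = [c.lifetime_days for c in persistent if not c.third_party]
    third_life = [c.lifetime_days for c in persistent if c.third_party]

    def years(days):
        return round(mean(days) / 365.25, 2) if days else None

    return {
        "total": total,
        "third_party_pct": round(100 * len(third) / total, 2),
        "persistent_pct": round(100 * len(persistent) / total, 2),
        "avg_first_party_persistent_years": years(first_life),
        "avg_third_party_persistent_years": years(third_life),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```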

Phase 2 comprised a more in-depth manual review of cookie information and consent mechanisms. The report indicates that the most common method used for notifying users is either a cookie banner (59%) or a link in the header or footer (39%), or both.

In 57% of the cases, it was considered that the site provided an appropriate level of information regarding the types of cookies used.

50% of the sites audited requested consent from the user to store cookies, whereas the remaining 50% used broader language such as “we use cookies” or “cookies are being set”.

Finally, in a minority of cases (only 16%), users were offered a granular level of control of the types of cookies they accept or decline. In the majority of cases, the sites simply require the user to review their browser settings to control cookie usage.

What should organizations take away from this report?

From a legal perspective, it is interesting to note that the majority of the websites inform their users about the use of cookies but only half of them obtain consent from their users. Very few websites enable users to access and change their cookie settings via granular controls, while most of the websites simply refer to the user’s Internet browser. This shows there is still room for improvement and creativity both in relation to consent mechanisms and user control of the data.

The report provides interesting facts and figures regarding the use of cookies in Europe, but unfortunately fails to deliver a comprehensive overview of the situation in Europe due to the limited scope of the cookies sweep. Indeed, geographically, the cookies sweep was carried out in a small number of EU Member States, and as a result, some key markets (such as Germany, Poland and Italy) are not mentioned in the report because the DPAs of those countries did not take part in the sweep.

The report also only focuses on three sectors (namely media, e-commerce and the public sector) without assessing the use of cookies in other important economic sectors (such as banking and finance, hotel and leisure or retail) which also rely heavily on the use of cookies to carry out their business.

But perhaps the biggest oversight of the report is its failure to acknowledge the growing technological trends of the market, such as device fingerprinting and cross-device targeting. The report focuses principally on the use of cookies on websites without analysing how cookies are used by mobile apps providers, which is currently the fastest growing market for advertisers. Therefore, while the report does provide a high-level overview of the use of cookies and the notice and consent mechanisms that are put in place by organizations, the report does not address some of the key technological issues or trends that are already re-modelling the advertising market, which inevitably will raise further questions for the EU legislator, businesses and privacy practitioners.

Therefore, although the report seems to indicate that most businesses have done their homework when it comes to the use of cookies on websites, the real challenge for companies in the months to come will be to comply with the law in a technologically diverse environment with ever more sophisticated technologies enabling them to track their users.

You thought consent applies only to cookies?! Then guess again!

Posted on December 13th, 2014 by

Imagine this: you walk into a big department store. You pick up a pair of running shoes and take them to the counter to purchase. The store has thousands of visitors every day, so to the sales assistant, you’re just another nameless face in the crowd.

As you’re buying the shoes, the sales assistant hands you a note. On it is written some kind of seemingly meaningless number “Hteushrbt6123987!”. You ask the sales assistant what this means. “Oh,” he says, “it’s just a way for us to remember that you like sports equipment. This number is unique to you, so we make a note of it and record the fact that you like running shoes. Next time you come in, we’ll ask you for the number and look it up on our systems. That’ll tell us that you like running shoes, so we’ll then show you other sports products we think may interest you.”

Slightly bemused, you pocket the paper, leave the store and return home. But, sometime later, you return to the store. As you enter, another shop assistant asks you if the store has ever given you a piece of paper with a number on it. You root around in your pockets, find the note, and hand it over. The shop assistant examines it, and taps away on a little handheld device he’s carrying. “Ah!” he says, “Number Hteushrbt6123987! You like running shoes, don’t you? Maybe you’d like to see some other running gear we have in stock? We have some new running vests in, you know – let me show you!”

If such a thing existed, this is how cookie-based targeted advertising would work in the offline world. The note handed to you by the shop assistant represents, of course, a cookie: a piece of information stored with you that enables you (and so your shopping preferences) to be recognized next time you visit the shop so that the merchant can show you products it thinks will interest you – all without knowing your real name, address or other directly identifying details.

Depending on your personal preferences, you may think this is great (“They showed me stuff I wanted but without needing to know my personal details!”) or creepy (“They may not know my name, but that number is all they need to track and surveil me!”) That’s a debate that fiercely divides opinion in the privacy community.

Imagining fingerprinting in the offline world

But cookies aren’t the only way to identify someone. Imagine if instead of being handed a note, the sales assistant instead jotted down some of your personal characteristics: your age, height, weight and gender; the color of your hair (and whether you have any hair at all!); whether or not you wear glasses; your nationality and so on. We’re all unique, so if the sales assistant recorded enough of these details, the store wouldn’t need your name or to give you a number – they could recognize you simply from the information they’d collected about you: “Ah, yes, you’re the 6 foot, 36 year old dark-haired British male, weighing 180 pounds and wearing glasses, who likes running shoes. Let me show you our latest sportswear items!”

In privacy terms, we call a uniquely defining aggregation of personal characteristics a ‘fingerprint’. Perhaps you have heard the term ‘device fingerprinting’ discussed as an alternative technology to cookies in the online world? In an online context, websites can collect device characteristics about the desktop or mobile based device visiting them – such as its IP address, browser type, screen resolution, installed font pack and so on. Gather enough of these details and you have a ‘device fingerprint’.
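The aggregation described above can be measured: the more attributes a site collects, the fewer visitors share any given combination. The Python below is an added example (not from the post or from the Working Party’s guidance) that computes, over a constructed population of eight visitor records, how many bits of identifying information each attribute contributes and what fraction of visitors is singled out as attributes are combined; the attribute names and values are invented.

```python
"""Measure how identifying a set of device attributes is.

Added example with a constructed population of eight visitors; attribute
names and values are invented and deliberately few so the numbers can be
checked by hand.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, str]

POPULATION: List[Record] = [
    {"browser": "Firefox", "res": "1920x1080", "tz": "UTC+1", "fonts": "setA"},
    {"browser": "Firefox", "res": "1920x1080", "tz": "UTC+1", "fonts": "setB"},
    {"browser": "Firefox", "res": "1366x768",  "tz": "UTC+1", "fonts": "setA"},
    {"browser": "Chrome",  "res": "1920x1080", "tz": "UTC+1", "fonts": "setA"},
    {"browser": "Chrome",  "res": "1366x768",  "tz": "UTC+0", "fonts": "setA"},
    {"browser": "Chrome",  "res": "1366x768",  "tz": "UTC+0", "fonts": "setB"},
    {"browser": "Safari",  "res": "1440x900",  "tz": "UTC-5", "fonts": "setA"},
    {"browser": "Firefox", "res": "1366x768",  "tz": "UTC+0", "fonts": "setA"},
]


def entropy_bits(values: Iterable) -> float:
    """Shannon entropy of the observed distribution, in bits: how much a
    value narrows down who the visitor is, on average."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def fingerprint(record: Record, attrs: Sequence[str]) -> Tuple[str, ...]:
    """The combination of the chosen attributes is the 'fingerprint'."""
    return tuple(record[a] for a in attrs)


def singled_out_fraction(population: List[Record], attrs: Sequence[str]) -> float:
    """Share of visitors whose attribute combination nobody else shares."""
    sizes = Counter(fingerprint(r, attrs) for r in population)
    alone = sum(1 for r in population if sizes[fingerprint(r, attrs)] == 1)
    return alone / len(population)


def fingerprint_entropy(population: List[Record], attrs: Sequence[str]) -> float:
    return entropy_bits(fingerprint(r, attrs) for r in population)


def report(population: List[Record], attrs: Sequence[str]):
    """Add attributes one at a time and record (attrs, bits, singled-out share),
    showing how identifiability grows with each extra characteristic."""
    rows = []
    for i in range(1, len(attrs) + 1):
        chosen = tuple(attrs[:i])
        rows.append((chosen,
                     round(fingerprint_entropy(population, chosen), 2),
                     round(singled_out_fraction(population, chosen), 3)))
    return rows


if __name__ == "__main__":
    for attr in ("browser", "res", "tz", "fonts"):
        print(f"{attr:8s} alone: {entropy_bits(r[attr] for r in POPULATION):.2f} bits")
    for chosen, bits, alone in report(POPULATION, ["browser", "res", "tz", "fonts"]):
        print(f"{'+'.join(chosen):24s} {bits:.2f} bits, {alone:.0%} singled out")
```

In this population no single attribute singles out more than one visitor, but the four together single out all eight, which is exactly the effect the store analogy describes.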

Fingerprinting and consent

Over the past few years, some businesses have been swinging away from using cookies and towards using other tracking technologies, like device fingerprinting, because of concerns about EU “cookie consent” requirements. The thinking goes that if website cookies require consent, then a ‘cookieless’ technology like device fingerprinting should avoid the need for consent.

For online businesses, the attractions are obvious: no more ugly cookie banners, no cumbersome user consent experiences, no more paying third party cookie compliance vendors. That logic may seem sound; unfortunately, it’s wrong.

This is because “cookie consent” is a misnomer: it isn’t about cookies at all – it’s about online tracking, in whatever form that takes. This is clear both from the wording of Article 5(3) of the e-Privacy Directive (which creates the consent requirement but never uses the term “cookie”, referring instead to “information”) and from recent guidance on device fingerprinting published by the Article 29 Working Party (here). The long and short of it is that when an online service tracks its visitors by any means – cookies, device fingerprinting, LSOs, pixels, scripts or any other technology – consent requirements will apply.

Choosing a consent strategy

What’s less clear is what form that consent needs to take – namely, whether consent needs to be obtained on an opt-in basis (i.e. the assistant asks you if it’s ok to hand you the piece of paper with the number on it) or whether it can be implied if the visitor doesn’t opt-out (i.e. the assistant hands you the note with the number, and tells you to throw it away if you don’t want it). Because of this complexity, we keep a table of these different opt-in and opt-out standards around the EU, which you can see here.

Deciding on the correct consent strategy for your online operations can be tricky, and depends on a number of factors including the necessity of the tracking you do, the context in which you do it, and the countries across which you operate (do you, for example, want a ‘one size fits all’ consent standard across all website operations or a country-by-country approach to consent based on local legal requirements and risk?)

But, whatever you do, don’t do nothing. That would be like having the shop assistant reach over the till to superglue the number to you while your back was turned.

And none of us would want a world where that would be acceptable.

The legal and practical realities of “personal data”

Posted on September 3rd, 2014 by

Are IP addresses personal data?  It’s a question I’m so frequently asked that I thought I’d pause for a moment to reflect on how the scope of “personal data” has changed since the EU Data Protection Directive’s adoption in 1995.

The Directive itself defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

That’s not the beginning and the end of the story though.  Over the years, various regulatory guidance has been published that has further shaped what we understand by the term “personal data”.  This guidance has taken the form of papers published by the Article 29 Working Party (most notably Opinion 4/2007 on the Concept of Personal Data) and by national regulators like the UK’s Information Commissioner’s Office (see here).  Then throw in various case law that has touched on this issue, like the Durant case in the UK and the European Court of Justice rulings in Bodil Lindqvist (Case C-101/01) and the Google Right to Be Forgotten case (C-131/12), and it’s apparent that an awful lot of time has been spent thinking about this issue by an awful lot of very clever people.

The danger, though, is that the debate over what is and isn’t personal data can often get so weighted down in academic posturing, that the practical realities of managing data often get overlooked.  When I’m asked whether or not data is personal, it’s typically a loaded question: the enquirer wants to know whether the data in question can be retained indefinitely, or whether it can be withheld from disclosures made in response to a subject access request, or whether it can be transferred internationally without restriction.  If the data’s not personal, then the answer is: yes, yes and yes.  If it is personal, then the enquirer needs to start thinking about how to put in place appropriate compliance measures for managing that data.

There are, of course, data types that are so obviously personal that it would be churlish to pretend otherwise: no one could claim that a name, address or telephone number isn’t personal.  But what should you do when confronted with something like an IP address, a global user ID, or a cookie string?  Are these data types “personal”?  If you’re a business trying to operationalise a privacy compliance program, an answer of “maybe” just doesn’t cut it.  Nor does an answer of “err on the side of caution and treat it as personal anyway”, as this can lead to substantial engineering and compliance costs in pursuit of a vague – and possibly even unwarranted – benefit.

So what should you do?  Legal purists might start exploring whether these data types “relate” to an “identified or identifiable person”, as per the Directive.  They might note that the Directive mentions “direct or indirect” identification, including by means of an “identification number” (an obvious hook for arguing an IP address is personal data).  They might explore the content, purpose or result of the data processing, as proposed by the Article 29 Working Party, or point out that these data types “enable data subjects to be ‘singled out’, even if their real names are not known.”  Or they might even argue the (by now slightly fatigued) argument that these data types relate to a device, not to a person – an argument that may once have worked in a world where a single computer was shared by a family of four, but that now looks increasingly weak in a world where your average consumer owns multiple devices, each with multiple unique IDs.

There is an alternative, simpler test though: ask yourself why this data is processed in the first place and what the underlying individuals would therefore expect as a consequence.  For example: Is it collected just to prevent online fraud or is it instead being put to use for targeting purposes? Depending on your answer, would individuals therefore expect to receive a bunch of cookie strings in response to a subject access request?  How would they feel about you retaining their IP address indefinitely if it was held separately from other personal identifiers?

The answers to these questions will of course vary depending on the nature of the business you run – it’s difficult to imagine a Not For Profit realistically being expected to disclose IP addresses contained in web server logs in response to a subject access request, but perhaps not a huge stretch, say, for a targeted ad platform. The point is simply that trying to apply black and white boundaries to what is, and isn’t, personal will, in most cases, prove an unhelpful exercise and be wholly devoid of context. That’s why Privacy Impact Assessments are so important as a tool to assess these issues and to propose measured, proportionate responses to them.

The debate over the scope of personal data is far from over, particularly as new technologies come online and regulators and courts continue to publish decisions about what they consider to be personal.  But, faced with practical compliance challenges about how to handle data in a day-to-day context, it’s worth stepping back from legal and regulatory guidance alone.  Of course, I wouldn’t for a second advocate making serious compliance decisions in the absence of legal advice; it’s simply that decisions based on legal merit alone risk not giving due consideration to data subject trust.

And what is data protection about, if not about trust?


EU cookie issues alive and well

Posted on June 16th, 2014 by

It’s hard to believe that it has been a few years since the updated cookie “consent” rules came into effect across Europe. At that time, it was pretty much the hot topic in the data privacy world as we all grappled with the rules’ implications and how to implement appropriate compliance mechanisms. However in recent times, one would be forgiven for almost forgetting those days. The early forecasts of intense DPA cookie enforcement activity didn’t quite happen and we’ve also had the minor issue of the new draft Regulation and the Snowden affair (not to mention the on-going daily challenges presented by data security, data processing contracts, BYOD, cloud computing issues etc) to keep us all occupied.

Therefore, it’s nice to hear that there have been enough recent cookie developments in various EU member states to remind us that it is still an important compliance issue for any organisation that uses cookies and related tracking technologies. Here’s a run-down of what’s been happening in Europe:


The Italian Data Protection Authority (Garante) has published guidance on complying with the cookie requirements in Italy in order to obtain the express consent of the user. The main points are as follows:

  • Website operators are required to implement a web banner on the landing page outlining cookies used, the right to refuse cookies and a link to a separate notice setting out full details of the cookies used and the means by which a user can turn them on or off.
  • Website operators are also required to notify the Garante where profiling cookies and related technologies are used.
  • Penalties under Italian data protection law can range from €6,000 to €120,000 (for example for serving cookies without obtaining the appropriate consent and failing to notify the Garante of such processing activities).
  • Operators shall benefit from a one-year grace period (expiring on 3rd June 2015) to implement the relevant measures.


After Spain became the first EU member state to issue fines for infringement of its cookie rules (see here), the law regulating the use of cookies has been amended. We highlight the following changes. It has been clarified that it is an infringement to serve cookies without the individual’s consent; due to a legislative error this was previously not the case and the Spanish DPA could not undertake enforcement action on this issue. Infringements may be ‘low’ or ‘serious’. The latter category will apply if the organisation infringes the cookie rules on several occasions within a period of three years. The enforcement powers available to the Spanish DPA have also changed so that it is able to issue warnings for failure to comply with the cookie rules, or decide that it will apply the lowest category of fines for serious infringements under certain circumstances. Advertising networks will also now be liable for their failure to comply with the cookie rules.


Following the Dutch DPA’s first investigation into an organisation’s use of cookies, the online advertising agency ‘YD Display Advertising Benelux’ (YD) was found to have infringed the Dutch cookie rules by placing tracking cookies on users’ web browsers in order to provide personalised advertising without the user’s consent. The cookies enabled YD and its network of advertisers to track the behaviour of visitors across multiple websites. The DPA found that the ability of users to opt out of receiving personalised advertising was not sufficient to constitute unambiguous consent, and that the information provided by YD to its users on the use of such cookies did not satisfy the notice requirements.

The Dutch DPA noted that such violations would still exist even if the proposed amendments to the current Dutch cookie rules (currently going through the Dutch Parliament) were applied because such tracking cookies would still require user consent. This investigation follows the Dutch DPA’s earlier announcement that one of its priorities for 2014 is to focus on the profiling, tracking and tracing of internet users.


This year has, and will continue to be, a busy year for the French Data Protection Authority (CNIL) (see here).  A new consumer rights law came into force on 17 March, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections (in addition to the existing on-site inspections). This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the online activities of companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing. One can expect the use of cookies to also fall under this remit.


Finally, the Belgian DPA has recently launched a public consultation on its draft cookie guidance (see our previous blog), stating that implied user consent may be an acceptable model for the use of cookies.

What this means now

Whilst the adoption of the draft Regulation may currently be grabbing all the headlines, regulating the use of cookies has not been completely forgotten by Europe’s national regulators. This presents challenges to organisations operating on an EU-wide basis as they attempt to understand and comply with the various developments and requirements in specific EU member states. Therefore the message is clear for businesses operating in Europe:

  • Audit your cookie use and find out what you’ve got
  • Assess the intrusiveness of those cookies
  • Adopt a notice and consent strategy
  • Implement forward-facing cookie management mechanisms

Belgian DPA launches public consultation on its draft cookie guidance

Posted on May 22nd, 2014 by

When looking at the action undertaken in other European countries, you might argue that cookies have not been a real priority for the Belgian regulators in the past. Not least because it took the European Commission initiating infringement proceedings before the Belgian legislator decided to transpose the EU cookie consent rules, but also because compliance with the cookie consent rules was not high on the agenda of either the Belgian data protection authority or the Telco regulator.

In the absence of any guidance or enforcement action, many website operators did not implement any measures, whereas the more compliance driven ones had to look abroad for inspiration on how to tackle this issue.

It seems this is now about to change. Last month, the Belgian Data Protection Authority published a draft recommendation with regard to the use of cookies and launched a public consultation about it.

Starting off with a short recap of (i) the evolution of cookie use throughout history and (ii) the different types of cookies that exist, the draft recommendation examines in detail the legal framework and the different purposes for which cookies can be used as well as the different actors and their particular role (e.g. the internet user, the owner of a website, the website administrator, etc.).

As for the consent requirement, the draft recommendation repeats the position adopted by the Working Party 29, indicating that a user must give his or her specific, informed, unambiguous and freely given consent before the processing of personal data commences.

One of the questions that is often raised is whether it is possible to rely on implied consent. In the draft recommendation, the Belgian DPA expressly confirms that implied consent may be acceptable provided it is unambiguous. We welcome the fact that the Belgian DPA expressly confirms that an implied consent mechanism may be compliant with the cookie consent rules. However, it should be noted that the Belgian DPA goes on to say that it will be difficult to qualify the total inactivity of the user as implied consent.

It is indeed clear that many websites currently don’t pass the test of unambiguously given implied consent. As we have pointed out in the past, a proper implied consent mechanism should give the user a real choice rather than simply informing him or her that the website uses cookies.

The draft recommendation also contains a helpful list of cookies that are exempt from prior consent (session cookies, cookies with regard to the change of user interface, cookies focused on user security, etc.).

Other points covered in the draft recommendation include the following requirements:

  • that users have the opportunity to accept certain cookies and refuse others and that they should be able to change their choices in a later stage;
  • that the refusal of cookies should not have negative consequences for the user (e.g. completely impossible for the user to access a website);
  • that each website should provide information on the identity of the data controller, details of the different categories of cookies and which information is stored, the retention period, to whom users can address requests to exercise their rights, how to delete cookies, the applicable formalities to withdraw consent, etc.

Finally, the draft recommendation also provides examples of cookie policies.

As mentioned, this is not yet the final position of the Belgian DPA and it has invited all stakeholders to communicate their feedback and suggestions on the text. All opinions, comments or other suggestions should be addressed to the Belgian DPA by mail (Drukpersstraat 35, 1000 Brussel/Rue de la Presse 35, 1000 Bruxelles) or by e-mail (

This public consultation closes on 31 July 2014, after which the Belgian DPA will evaluate all submissions and publish a final recommendation.

Tim Van Canneyt and Aagje De Graeve

Getting cookie consent throughout the EU – latest Working Party guidance

Posted on October 19th, 2013 by

Thinking back to the early days when Europe’s controversial “cookie consent” law first passed, many in the privacy community complained about lack of guidance on obtaining consent.  The law required them to get consent, but didn’t say how.

In response to this, legislators and regulators – at both an EU and a national level – responded that consent solutions should be market-led.  The thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen.

As it transpired, this is precisely what happened.  In the four years since Europe adopted cookie consent, online operators have now evolved and embraced implied consent models across the EU to obtain their visitors’ consent to cookies.  However, this is not where the story ends.

In an opinion last week, the Article 29 Working Party published further guidance on obtaining cookie consent (“Working Document 02/2013 providing guidance on obtaining consent for cookies” – available here).   This supplements several previous opinions that, directly or indirectly, also address cookie consent requirements (see here, and here, and here, and here, for example).

The rationale behind the latest opinion, on the face of it, is to address the question: “what [cookie consent] implementation would be legally compliant for a website that operates across all EU Member States?”  But in answering this question, the guidance veers towards a level of conservatism that all but ensures it will never see widespread – let alone pan-European – adoption.

It doesn’t start off well: in discussing how a user can signify choice over whether or not to receive cookies, the guidance at one point states: “it could include a handwritten signature affixed at the bottom of a paper form“.

It then goes on to say that “consent has to be given before the processing starts … As a result a website should deliver a consent solution in which no cookies are set to user’s device … before that user has signalled their wishes regarding such cookies.”  In other words, the guidance indicates the need for a pop-up or a barrier page for users to click through before cookies can be set, harking back to the worst fears of industry at the time the cookie consent law was originally proposed.

When we’re talking about a fundamental human right, like privacy, the attraction of prior consent is obvious.  Unfortunately, it’s practically and technically very challenging.  However easy it sounds in theory (and it does sound easy, doesn’t it?), the realities are much more problematic.  For example, do you really require website operators to build two versions of their websites: one with cookies, and one without?  What happens to ‘free’ content on the web whose cost is subsidised by targeted advertising currently – who wants to return to a subscription-funded Internet?  If you’re a third party service provider, how do you guarantee prior consent when it is your customer (the website operator) who has the relationship with its visitors?

More importantly, prior consent is not what the e-Privacy Directive requires.  The word ‘prior’ never appears in the revised Article 5(3) of the e-Privacy Directive (the Article that imposes the consent requirement).  In fact, the word ‘prior’ was originally proposed, but was later dropped during the course of legislative passage.  Contrast this with Article 6(3), for example, which deals with processing of communications metadata (think PRISM) and DOES call for ‘prior’ consent.  Article 13 on unsolicited communications also uses the word ‘prior’ next to its requirement for consent.

What conclusions should we draw from this?  That’s a debate that lawyers, like me, have been having for a long time.  But, frankly, it’s all pretty academic.  Let’s deal instead in realities: if we were to be faced with cookie pop-ups or barrier pages on entry to EVERY website on the Internet, how quickly would we become fatigued and simply click away the notices just to get rid of them?  What would that say about the validity of any ‘prior’ consents we provide?

Industry evolved implied consent as a solution that struck a balance between protecting individuals’ rights, addressing legal compliance and enabling online business.  Over time, it has done wonders to improve online tracking transparency and choice – implied consent has now become so widespread in the EU that even companies for whom cookies are their lifeblood, like Google, have implemented cookie consent transparency and choice mechanisms.

Critically, when done right, implied consent models fully satisfy the legal requirement that users’ consent must be “freely given, specific and informed”.  So here’s my suggestion: if you are looking to implement a cookie consent solution across Europe, don’t automatically jump to the most conservative standard that will put you out of alignment with your competitors and that, in most cases, will go further than national legislation requires.

Consider, instead, implied consent – but, if you do, embrace it properly:  a slight revision to your privacy policy and a new link to a cookie policy in the footer of your website won’t suffice.  Your implied consent model needs to provide prominent, meaningful notice and choice to visitors.  And to see how to do that, see our earlier post here.
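To make the mechanics concrete, here is an added example (not code from the original posts or from any of the regulators or companies mentioned) of a consent-gated cookie manager in plain JavaScript. It implements the points that recur above: strictly necessary cookies (session, security, the consent record itself) are set without consent; every other category is held back until the visitor signals a choice, satisfying the Working Party's "no cookies set before the user has signalled their wishes" reading; the choice is granular per category, can be changed later, and refusing a category deletes the cookies already stored under it; and a disclosure table lists category, purpose and retention for the cookie policy. The cookie names, categories and retention periods in the registry are constructed for illustration, and a `Map` stands in for the browser cookie store so the example runs offline.

```javascript
// Added example: a minimal consent-gated cookie manager in plain JavaScript.
// Strictly necessary cookies are exempt; all other categories are blocked
// until the visitor makes a granular choice, which can be changed or withdrawn.
const NECESSARY = "necessary";
const ANALYTICS = "analytics";
const ADVERTISING = "advertising";
const OPTIONAL_CATEGORIES = [ANALYTICS, ADVERTISING];

// Registry of the cookies the site wants to set, with purpose and retention.
// retentionDays 0 means a session cookie. All names here are constructed.
const COOKIE_REGISTRY = Object.freeze({
  sessionid:   { category: NECESSARY,   retentionDays: 0,   purpose: "login session" },
  csrftoken:   { category: NECESSARY,   retentionDays: 0,   purpose: "request forgery protection" },
  consent:     { category: NECESSARY,   retentionDays: 365, purpose: "remembers the cookie choice" },
  _site_stats: { category: ANALYTICS,   retentionDays: 30,  purpose: "aggregate usage statistics" },
  ad_pref:     { category: ADVERTISING, retentionDays: 90,  purpose: "ad targeting profile" },
});

// Serialise a cookie with conservative attributes, in the form it would be
// written to document.cookie or sent in a Set-Cookie header.
function serializeCookie(name, value, entry) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "Secure", "SameSite=Lax"];
  if (entry.retentionDays > 0) attrs.push(`Max-Age=${entry.retentionDays * 86400}`);
  return attrs.join("; ");
}

class ConsentManager {
  // `jar` stands in for the browser cookie store so the example runs offline.
  constructor(jar = new Map()) {
    this.jar = jar;
    this.choices = null;   // null: the visitor has not signalled any wish yet
    this.deferred = [];    // optional cookies queued until a choice exists
  }

  // Gate every write: only strictly necessary cookies are set before a choice
  // has been made; others wait in `deferred` or are refused outright.
  setCookie(name, value) {
    const entry = COOKIE_REGISTRY[name];
    if (!entry) throw new Error(`cookie "${name}" is not in the registry`);
    if (entry.category === NECESSARY) {
      this.jar.set(name, serializeCookie(name, value, entry));
      return true;
    }
    if (this.choices === null) {
      this.deferred.push([name, value]);
      return false;
    }
    if (this.choices[entry.category]) {
      this.jar.set(name, serializeCookie(name, value, entry));
      return true;
    }
    return false;
  }

  // Record a granular choice (accept some categories, refuse others). Calling
  // it again changes the choice; refusing a category also deletes the cookies
  // already stored under it, so withdrawing consent has a real effect.
  recordChoice(accepted) {
    this.choices = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, accepted[c] === true]));
    this.setCookie("consent", JSON.stringify(this.choices));
    for (const [name, entry] of Object.entries(COOKIE_REGISTRY)) {
      if (entry.category !== NECESSARY && !this.choices[entry.category]) this.jar.delete(name);
    }
    const pending = this.deferred;
    this.deferred = [];
    for (const [name, value] of pending) this.setCookie(name, value);
    return this.choices;
  }

  withdrawAll() {
    return this.recordChoice({});
  }

  // Disclosure table for the cookie policy: name, category, purpose, retention.
  disclosure() {
    return Object.entries(COOKIE_REGISTRY).map(([name, e]) => ({
      name,
      category: e.category,
      purpose: e.purpose,
      retention: e.retentionDays === 0 ? "session" : `${e.retentionDays} days`,
    }));
  }
}

// Walk through one visit: before any choice only necessary cookies land,
// after a partial acceptance only the accepted category is flushed, and
// withdrawal purges the optional cookies again.
function demo() {
  const cm = new ConsentManager();
  cm.setCookie("sessionid", "abc123");
  cm.setCookie("_site_stats", "v1");      // deferred until a choice is made
  cm.setCookie("ad_pref", "sports");      // deferred until a choice is made
  const before = [...cm.jar.keys()];
  cm.recordChoice({ analytics: true });   // accept analytics, refuse advertising
  const after = [...cm.jar.keys()];
  cm.withdrawAll();
  const withdrawn = [...cm.jar.keys()];
  return { before, after, withdrawn };
}
```

In a real page the banner's buttons would call `recordChoice` with the categories the visitor ticked, and the same call wired to a "cookie settings" link in the footer gives the later change of mind that the Belgian draft recommendation asks for. Whether continued browsing may itself be treated as a choice is the legal question the posts above debate; the gating logic is the same either way, only the trigger for `recordChoice` differs.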

Implied consent getting ever closer in the Netherlands

Posted on May 25th, 2013 by

On 20 May 2013, Dutch Minister Kamp (Minister for Economic Affairs) presented a bill to amend Article 11.7a of the Dutch Telecommunications Act (‘the cookie law’). Once it passes into law the bill will, among other things, allow website operators to rely on visitors’ implied consent to serve cookies and will also exempt analytics cookies from the consent requirement.

Why these changes are needed

In February this year the Dutch government concluded that the cookie law had overshot its intended objective. The current cookie law requires website owners to obtain visitors’ opt-in consent to virtually all types of cookies, except those which are strictly necessary. This led to widespread adoption of opt-in consent barriers and pop-up screens which, the Government accepts, is undesirable from both a consumer and business standpoint.

The Government believes the problem with the current law is that it applies equally to all cookies, even those with little privacy impact. Because of this, it proposes that the scope of the consent exemptions should expand to include more types of cookies.

New exemptions: analytics cookies, affiliate cookies and a/b-testing cookies

Currently, a website operator does not have to obtain consent if cookies are strictly necessary to provide a visitor-requested service. Once the bill enters into effect, a further category of cookies will be exempted from the consent requirement – those which are “absolutely necessary […] to obtain information about the quality and effectiveness of an information society service provided” – provided that this has no or little consequences for the privacy of the user.

First-party and third-party analytics cookies, affiliate referral cookies and a/b testing cookies all seem likely to fall within the scope of this new exemption.  However, to ensure that these cookies qualify as having “no or little consequences for the privacy of the user”:

  • the data collected by these cookies must not be used to make a profile of the visitor (e.g. for targeting purposes); and
  • if the website operator shares cookie data with a third party (e.g. an analytics service provider), it must conclude an agreement with the third party that either requires the third party not to use the data for its own purposes or, alternatively, only for defined purposes that have no or little effect on visitors’ privacy.

Implied Consent

For other types of cookies (in particular, targeted advertising cookies), the consent requirements of the cookie law apply in full.  However, the explanatory memorandum to the bill discusses the interpretation of ‘consent’ in great detail and advocates the legal validity of implied consent solutions.

In particular, it advocates that implied consent may be legally derived from the behavior of the visitor of a website – for example, in the case where a visitor is presented with a clear notice about the website’s use of cookies and given options to control those cookies but continues to browse the website.  This is at odds with previous regulatory opinions of the ACM (formerly the OPTA, the relevant regulator for these purposes) which said that implied consent would not constitute valid consent.

Although Dutch recognition of implied consent has been anticipated for a while (see here), this is a critical development for online businesses in the Netherlands.  Once the bill enters into force, website operators will be able to replace their current explicit consent barriers and pop-ups with more user-friendly implied consent banners indicating that continued use of the website without changing cookie settings will constitute consent.

All in all, the bill is a major step towards a more pragmatic implementation of the cookie law. With these changes, Dutch law will better balance the privacy interests of website visitors with online businesses’ legitimate data collection activities.

When will the bill enter into force?

The bill is open for public consultation until 1 July 2013, and the Minister must also consult the Council of State and the Dutch Data Protection Authority. On the basis of the consultation responses, the minister may then decide to amend the bill or submit it to Parliament as currently drafted. Parliamentary discussion can be completed within a few months, but may potentially take up to a year. However, given the current momentum behind adopting a more pragmatic cookie regime in the Netherlands, it is anticipated that the overall process will be toward the shorter end of this timescale.

With thanks to our friends Nicole Wolters Ruckert and Maarten Goudsmit, Privacy Attorneys at Kennedy Van der Laan, for this update. 


Cookie consent update – implied consent now widespread

Posted on May 15th, 2013 by

Our latest EU cookie consent tracking table has just been published here.

Latest regional developments:

Our latest table reveals:

* ‘Implied consent’ is currently a valid solution for cookie compliance in nearly three-quarters of EEA Member States.

* Since our last update, cookie consent implementations have been introduced in Norway and Poland.

* Ongoing cookie regulatory developments in Denmark, the Netherlands, Slovenia and Spain.

Other notable developments

Aside from the regional developments shown in our table, other notable developments include:

* Growing recognition that cookie consent is every bit as relevant in mobile platforms as in desktop platforms – see, for example, the Working Party’s latest opinion on mobile apps (here).

* Major online players like Facebook and Google are adopting notice and choice solutions, likely driving wider industry compliance efforts (see here).

* Consumer protection and advertising regulatory bodies like the OFT and ASA are increasingly showing interest in online tracking and notice/choice issues (see here and here).

* Increasing co-operation between global DPAs on online privacy compliance issues (see here).

All in all, online privacy compliance continues to attract ever greater attention, both within data protection circles and from the wider regulatory environment.  As this issue continues to run and run, the picture emerging is that implied consent is the clear compliance front-runner – both from a regulatory and from a market-adoption perspective.

If Google cares about cookie consent, so should you.

Posted on April 16th, 2013 by

Over the weekend, Google made a subtle – but significant – modification to its online search service in the EU: nearly two years after Europe’s deadline for EU Member States to adopt national cookie consent laws, Google rolled out a cookie consent banner on its EU search sites.

If you’re a visitor from the US, you may have missed it: the banner shows only if you visit Google sites from within the EU. However, EU visitors will clearly see Google’s consent banner placed at the bottom of its main search page and at the top of subsequent search results. As well as informing visitors that “By using our services, you agree to our use of cookies“, the banner provides a “Learn more” link that visitors can click on to watch a video about Google’s cookie use and to see disclosures about the cookies it serves.

This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon (another implied consent solution for targeted adverts) on ads served through its FBX exchange, the implications become huge for the following reasons:

* CPOs will find selling cookie consent adoption much easier now. Selling the need to implement cookie consent to the business has always been a challenge. The thinking among marketing, analytics and web operations teams has always been that cookie consent is expensive to implement, time consuming to maintain, and disruptive to the user experience and data collection practices. Other than the occasional penned letter by regulators there’s been no “real” enforcement to date and, with patchy market adoption of cookie consent, many businesses have performed a simple cost / benefit analysis and chosen inaction over compliance. But when two of the Internet’s most heavily scrutinised businesses actively engage with cookie consent, they clearly think it’s an issue worth caring about – and that means it’s an issue YOU need to care about too. The “Google does it” argument is a powerful tool to persuade the business it needs to re-think its strategy and adopt a cookie consent solution.

* Regulatory enforcement just got easier. Rightly or wrongly, a perceived challenge for regulators wanting to enforce non-compliance has been that, before taking measures against the general publisher and advertiser population, they need first to address the behaviours of the major Internet players. While never overtly acknowledged, the underlying concern has been that any business pursued for not adopting a cookie banner would cry “What about them?”, immediately presenting regulators with a challenge: do they continue to pursue that business and risk public criticism for overlooking the bigger fish, or do they pursue the bigger fish and risk getting drawn into expensive, resource-draining legal battles with them? The result to date has been regulatory stalemate, but these developments could unlock this perceived barrier. While it’s not the case that they will result in a sudden flurry of enforcement activity overnight, they are one of many factors that could start to tip the scales towards some form of meaningful enforcement in future.

* Implied consent IS the accepted market standard. When the cookie consent law was first proposed, there were huge concerns that we would be set upon by an avalanche of consent pop-up windows every time we logged online. Whizz forward a few years, and thankfully this hasn’t happened, whatever regulatory preferences may exist for cookie opt-ins. Instead, over time, we’ve seen Member States and – perhaps more importantly – the market grow more and more accepting of implied consent solutions. Adoption by major players like Facebook and Google lends significant credibility to implied consent, and smaller businesses will undoubtedly turn to the approaches used by these major players when seeking their own compliance inspiration. Implied consent has become the de facto market standard and seems set to remain that way for the foreseeable future. Businesses delaying compliance adoption due to concerns about the evolution of consent requirements in the EU now have the certainty they need to act.

This post first appeared in the IAPP’s Privacy Perspectives blog, available here.