On 22 June 2010 the Article 29 Working Party (“Art. 29 WP”) adopted Opinion 2/2010 dealing with the privacy and data protection issues raised by online behavioural advertising. This briefing note summarises the main themes of the Opinion.
1. An overview of behavioural advertising
Opinion 2/2010 focuses on behavioural advertising only. Advertising is ‘behavioural’, as opposed to another form of online targeted advertising, when an advertiser tracks the user’s online movements to build a profile  of that user over time. The eventual profile is used to send advertisements to that user matching their apparent interests.
The Art. 29 WP identifies three key players in online behavioural advertising:
Opinion 2/2010 does not deal with the issues raised by ANPs entering into agreements with ISPs to understand the user’s activities to which the ISP has access as a result of its position as a service provider, e.g. as in Phorm’s service.
There are various ways that an ANP can obtain information about users:
- Tracking cookies, which may track a user’s online movements over time and over different internet domains (generating “predictive profiles”); and/or
- User-generated information that the user provides (e.g.) where they register for an online service (“explicit profiles”).
Typically, the ANP (rather than the publisher) places the cookie on a user’s computer equipment; the cookies therefore belong to the (third party) ANP and may not be anticipated by the user.
The Art. 29 WP expresses particular concern about so-called ‘flash cookies’, which can defy user preference settings, allowing behavioural advertising even if the user indicates that it does not wish to receive targeted advertisements.
2. What are the legal implications of behavioural advertising?
Previous Art. 29 WP Opinions have determined that behavioural advertising can result in the collection of personal data because:
- cookies may be used to attribute unique identifiers to a user’s terminal equipment, which can be used to ‘identify’ particular users even without knowing their name; and
- by its nature this form of advertising has to relate to the user and their online behaviour. Information gathered by ANPs is used to influence the way in which a particular person is treated (e.g. what categories of advertising they will be sent).
The Data Protection Directive will apply to the collection of certain information for behavioural advertising purposes. The Art. 29 WP views the parties’ roles as follows:
Although Member States have until 25 May 2011 to implement the amendments to the ePrivacy Directive, the Art. 29 WP presupposes that the amendments have been implemented into national legislation. This assumes that Member States will implement the amendments uniformly, which has yet to be seen.
Art. 5(3) of the amended ePrivacy Directive will invariably apply to behavioural advertising because it applies to the access to or storage of (whether by the publisher, an ANP or other entity) information stored in a user’s terminal equipment (e.g. cookies).
Note: The ‘information’ does not have to be personal for Art. 5(3) to apply. The ePrivacy Directive therefore works in tandem with the requirements of the Data Protection Directive.
Under the ePrivacy Directive (as amended), the Art. 5(3) obligations apply to the party that stores or accesses cookie information on user terminal equipment. This will usually be the ANP, which is therefore responsible for:
- providing clear and comprehensive information about the use and purpose of the cookie to the user before
- obtaining informed user consent before the use of that cookie on their terminal equipment. This consent must be revocable
If ANPs intend to offer advertising of a sensitive nature, they must obtain the explicit opt in consent of the user, separate to obtaining informed consent to the use or storage of cookies.
If consent is to be informed, Opinion 2/2010 sets out the information that should be provided to users before obtaining their consent:
- the identity of the ANP;
- the purpose(s) of processing; and
- that the cookie will allow the ANP to collect information about that user’s online habits (e.g. what other websites they visit, what advertisements they have been shown, what advertisements they have expressed an interest in).
- the browser rejects third party cookies by default (i.e. the user has to actively amend the browser setting so as to allow cookies);
- it is impossible to bypass user settings (as can be the case with flash cookies); and
- the browser does not allow general acceptance of all cookies, including those which may be used in the future. To the extent that the browser allows future cookies, consent cannot be informed as the user cannot know in advance the purposes and uses of those cookies. Non-specific statements about cookies are not sufficient to make consent ‘informed’.
Subsequent cookies and opting out
Notwithstanding that browsers must not generally allow cookies, the Art. 29. WP accepts that users should not have to consent to cookies every time an ANP accesses a cookie on a user’s terminal equipment, i.e. consent may cover the initial deployment of and any subsequent access to a cookie, subject to a limited life span. Once an ANP has obtained consent, it may use that cookie to track the user’s online behaviour across its network without having to obtain consent each time it accesses that cookie to do so. The Art. 29 WP suggests that consent should be renewed at least annually.
In the Art. 29 WP’s view, the amended ePrivacy Directive clearly requires opt in consent. Opt out cannot of itself constitute appropriate consent under Art. 5(3) (as amended). ANPs are, however, encouraged to provide a mechanism to subsequently allow users to opt out of receiving behavioural advertising at any time to complement the initial opt in. This mechanism should include adequate information about the opt out process.
4. Invitation to participate
The Art. 29 WP uses Opinion 2/2010 to encourage the online advertising industry to come up with inventive means to tackle the privacy and data protection issues of behavioural advertising. If industry players are able to suggest technical or other means of dealing with data protection, they should communicate these measures to the Art. 29 WP, which may take any such proposals into consideration going forward.
5. Impact of the Opinion
It is unfortunate that the Opinion anticipates how Member States will implement the amended Directive, as this pre-empts local variation.
Directive 2002/58/EC (as amended) imposes a consent obligation. However, Opinion 2/2010 exaggerates what needs to be done to satisfactorily obtain consent. For example, the amended Directive does not necessitate the need to renew consent on an annual basis. Further, by downplaying Recital 66, the Art. 29 WP denies industry a potentially workable solution to the consent requirement. These stringent requirements sit at odds with the seemingly ANP- and user-friendly indication that consent needs only be obtained once a year. This may come as a welcome relief when the alternative would require consent every time a cookie is accessed.
For these reasons, it is important to remember that Opinion 2/2010 does not have the force of law; it provides an indication of how data protection authorities may apply the amendments to the ePrivacy Directive. How the new rules will operate in practice remains to be seen; their application is likely to vary by country.
It will be interesting to see if industry accepts the Art. 29 WP’s invitation to engage with it to develop a solution to the perceived problems with behavioural advertising. Given the Art. 29 WP’s stance indicated by the Opinion, industry players may instead (or in addition) choose to direct their efforts and resources at lobbying for industry-friendly implementation at Member State level.
 See also the Council of Europe’s Draft Recommendation on the Protection of Individuals with Regard to Automatic Processing of Personal Data in the Context of Profiling. This recommendation sets out restrictive obligations where profiling takes place