Late last year the European Parliament and
Council set the scene for a potentially dramatic challenge to the way online
advertising is developing, towards targeting of advertising content based on
online activity collected via cookies.
Online behavioural advertising (OBA) uses information
to target the consumer with advertising messages
that match their interests and presumed buying intentions.
Information derived from online activity determines what ad or what
version is served to whom (or not), dramatically improving targeting and
reducing wastage.
OBA is a game changer, improving the
consumer experience, cutting out irrelevant content, and delivering a better
marketing return to brand owners.
Alongside the agreed revision of the EU
Telecoms Package, designed to update the legal framework for the
telecommunications sector, in slipped an e-Privacy Directive that requires
consent prior to the setting of cookies on a web browser. EU member states have
until next May to implement the package.
At the EU-level, MEPs claimed success in
introducing an opt-in regime; industry and some national governments maintain
that the wording implies keeping the opt-out. This leaves it to the national
governments to specify the meaning of “consent” when implementing the
Directive. Plus ça change, and a recipe for wildly differing local
implementations, as we have already seen with the original Data Protection
Directive, where they range from explicit prior consent to implied consent and
soft opt-in for customers.
Against this backdrop the Article 29
Working Party published its opinion in the summer. It appears to
significantly extend the definitions of personal data and comes down heavily in
favour of explicit consent prior to the collection of behavioural online
data via browser cookies.
1. That Article 5.3 of the ePrivacy Directive (the basis for setting and
accessing cookies on a browser) applies irrespective of whether the information
constitutes personal data or not.
2. Where the tracking process involves personal data, the relevant provisions
of the general Data Protection Directive, such as subject access rights, have
to be applied as well.
3. That tracking usually involves personal data, because the cookies contain a
unique identifier, or are linked to an IP address, which either identify a data
subject or relate to them.
4. Any party that stores or accesses a cookie must collect the user’s consent,
regardless of whether this party acts as a data controller or as a data
processor. In the case of 3rd party OBA this obligation falls to the ad network
provider.
5. The opinion stresses that consent, which must be freely given and specific,
needs to be obtained before the cookie is stored. In order for consent to be
valid, highly visible information must be provided. Information about the use
of cookies also needs to be provided prior to the processing. In order to
collect valid, informed consent, the working party recommends that ad network
providers create prior opt-in mechanisms that require an affirmative action by
the data subjects. Once given, it would not be necessary to request consent for
each reading of a cookie.
All this begs the question, how clearly do
legislators really understand the use of anonymous cookies in 3rd
party OBA?
How would subject access requests work in
the situation where a vast number of cookie IDs, containing recent behavioural
data used in raw or aggregated form for advertisers from different sectors,
nonetheless contain no personal data?
Do legislators really think that cookies
are used to spy on consumers? Is there a common (mis)understanding of the
benefits cookies offer in faster navigation and better user experiences,
delivery of more appropriate offers, and data transparency?
The political dimension isn't helped of course when the Wall
Street Journal publishes an ‘exposé’ on how tracking technologies are designed
to share consumers’ secrets.
The WSJ's investigation
found that the nation's 50 top websites on average installed 64 pieces of
tracking technology onto the computers of visitors, usually with no warning. A
dozen sites each installed more than a hundred. The nonprofit Wikipedia
installed none.
Tracking technology is
getting smarter and more intrusive, they concluded.
“Monitoring used to be
limited mainly to cookie files that record websites people visit. But the
Journal found new tools that scan in real time what people are doing on a Web
page, then instantly assess location, income, shopping interests and even
medical conditions. Some tools surreptitiously re-spawn themselves even after
users try to delete them.”
It’s time to address
key concerns of user protection and security, in applying key principles of
Data Protection to these burgeoning, global advertising channels.
a) For example, surely we should be insisting that a broad definition of
sensitive data be used, to ensure that offers such as dietary plans are subject
to explicit consent.
b) Deep Packet Inspection (DPI), in which an ISP uses technology to inspect the
entire clickstream of a browser, has caused deep concerns for years, gaining
Phorm notoriety, and will inevitably end up subject to an explicit consent
regime.
c) Where personal information that identifies a user by name, sex, age,
household composition etc. is combined with online behavioural data, the use of
that ensuing personal profile ought to be notified as a specific and fresh use
requiring consent.
d) Certain uses of non-personally identifiable data collection may need to be
proscribed, such as using tracking to support discriminatory pricing, an issue
of concern to legislators.
e) Lastly, Privacy Enhancing Technologies (PETs), overlooked beyond the basics
such as SSL security over the last decade, may well be about to come of age,
faced with an internet-wide challenge of incomparable commercial scale.
Technologies that
separate data, that anonymise through splitting or masking and destroy personal
data, as well as those that limit use, are urgently needed to demonstrate that
users can be exceptionally well protected at the same time as experiencing the
benefits of OBA.
As the market for
well-executed OBA starts its long road towards maturity, organisations that
aggregate user behaviour data are perfectly placed to apply these technologies
to their platform, and must prepare to play their forthcoming role of
responsible and respected data controllers.
For now the focus is
on cookies. Browser settings do at least currently provide a consumer dashboard
to express preference. In a recital to the e-Privacy Directive, non-binding
guidance suggested that browser settings would indeed serve as a consent
mechanism, which was interpreted as a pointer towards an opt-out regime. Whilst
on the face of it the Working Party’s guidance blows that interpretation out of
the water, no one should conclude that that is the endgame.
This winter looks set
to be one of the most significant in the history of the Internet.
Thanks
to FEDMA for providing access to much of the source material used for this
article, and from which I have borrowed.