Who: European Data Protection Board (EDPB)
Where: European Union
When: 13 December 2023
Law stated as at: 9 February 2024
What happened:
In an opinion letter dated 13 December 2023, the EDPB issued a response to the European Commission’s draft cookie-pledge principles. The principles (which online platforms may adhere to on a voluntary basis) are the backbone of the Commission’s cookie-pledge initiative that aims to address issues related to cookies and targeted advertising. They have been proposed in the context of many online users losing patience with the heavy use of advertising trackers and constantly having to engage with cookie banners.
The EDPB has confirmed that it supports actions that provide users with more control over their own data, through simplifying management of cookies and personalised advertising choices. It did note, however, that these voluntary commitments do not substitute or guarantee compliance with applicable data protection laws.
The EDPB also shared its feedback specific to the Commission’s draft principles. Below we have set out some of the EDPB’s views on the advertising-specific aspects of the initiative, but, by way of summary on a few key issues, the EDPB is of the view that:
- there needs to be greater clarity on the consequences of not accepting cookies or ad-related tracking, which may require a case-by-case analysis;
- providing a service based on contextual advertising as a fall back option is likely to constitute a less privacy-intrusive option to sit alongside any “consent (to personalised ads) or subscribe” model;
- when an “accept all cookies” option is given, a “reject all cookies” option should also be provided; and
- while it is possible to consent to numerous related processing activities and sharing of data with several third parties, where this is carried out for a clearly defined purpose, a consent is less likely to be valid if the purpose involves sharing with a very large number of third parties.
Cookie Pledge draft principles B, C and D
“B. When content is financed at least partially by advertising it will be explained upfront when users access the website/app for the first time.
C. Each business model will be presented in a succinct, clear and easy to choose manner. This will include clear explanations of the consequences of accepting or not-accepting trackers.
D. If tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less privacy intrusive form of advertising.”
The EDPB’s view is that:
- These principles relate to whether consent is freely given and informed and can only be valid if the data subject is able to exercise a real choice.
- As previously ruled by the European Court of Justice, users must be able to refuse to give consent and still be able to use the service, meaning an alternative which does not make use the same data processing techniques should be offered. The EDPB urged that contextual advertising should therefore be included in draft principles C and D, as an example of a less privacy-intrusive form of advertising, to permit users to make a real choice.
- Contextual advertising is also not mentioned in draft principle B as a means for a business to obtain revenue. While contextual advertising involves accessing or storing information in terminal equipment to a lesser extent and in a less intrusive manner than models which track users in order to deliver behavioural or personalised advertising, users should still be informed. The EDPB added, however, that providing information on business models is not a substitute for informing users that information will be accessed from or stored on their terminal equipment, meaning that information about the business model would need to sit alongside the mandatory information about using cookies that the e-Privacy Directive requires.
- The EDPB therefore concluded that these draft principles should be modified to “reflect the need for a case by case analysis of whether consent is freely given and valid, taking into account the different options provided to the user“.
Cookie Pledge draft principle E
“E. Consent to cookies for advertising purposes should not be necessary for every single tracker. For those interested, in a second layer, more information on the types of cookies used for advertising purposes should be given, with a possibility to make a more fine-grained selection.”
The EDPB’s view:
- This principle also relates to what constitutes a valid consent. The EDPB quoted its Guidelines 05/2020, in which it was stated that valid consent must be “freely given” and it must be “specific”.
- The EDPB commented that individuals should therefore be given the chance to “reject” all cookies that are not strictly necessary at the first layer of the cookie banner. At a minimum, if an “accept” button is presented at any point, then a “reject” button should also be given at the same time.
- It is possible to consent to cookies for a specific advertising purpose without necessarily requiring users to consent separately to every tracker or partner first off; however, it is unlikely that this would be proportionate where there is a very large number of partners involved for a specific purpose.
Cookie Pledge Draft Principle F
F. No separate consent for cookies used to manage the advertising model selected by the consumer (e.g. cookies to measure performance of a specific ad or to perform contextual advertising) will be required as the consumers have already expressed their choice to one of the business models.
The EDPB’s view:
- The EDPB reminded the Commission that consent must be requested for a specific, well defined and precise purpose, which should not be combined with any other purposes. For example, rather than the user simply consenting to an advertising model, they should be asked to consent to the use of cookies required for that advertising model.
- It also flagged that consent given for specific advertising purposes would not extend to other processing operations not strictly necessary for that purpose, such as the use of email addresses to send marketing emails.
Why this matters:
The EDPB is committed to assisting the Commission in ensuring that the pledge principles mean users will be empowered to be more in control of their own data by being able to make informed decisions more easily. Its response also brought a useful reminder that voluntary commitments, while they can be useful, should not be used to bypass legal obligations.
The Commission is keen to receive full endorsement from the EDPB and will now take the its comments into account to fine-tune the pledge principles and ensure the aims of the initiative are met. The Commission has said that it is hoping to finalise the principles by April 2024.
