The US FTC says it should be “opt out” with clear disclosure. In the UK, ICO and now the OFT are also firmly in the same camp, but now the “Article 29 Working Party”, a club of EU data protection regulators which includes ICO, has now pronounced for OBA “opt-in.” Stephen Groom throws up his hands.
Topic: On-line advertising
Who: Article 29 Working Party
When: June 2010
Where: Brussels
Law stated as at: 1 July 2010
What happened:
In a bombshell of an "Opinion", the "Article 29 Working party" ("29WP"), a group of EU data protection regulators who really should seek expert advice on a new name, has confirmed the worst fears of commentators on recent amendments to the Privacy and Electronic Communications Directive.
The subject of the Opinion was behavioural advertising. Its focus was behavioural targeting technology. "OBA" relies on attaching a cookie or similar gizmo to your laptop or other terminal device when you visit a particular website or click on a banner ad or respond to an email and thereby tracks future online activity on that terminal, enabling a use profile to be created and used as a basis for targeted advertising.
The Opinion took a clear position in favour of prior opt-in before this technology can be deployed, whereas leading US and UK regulators have up till now nailed their colours firmly to the "clear disclosure and opt out" mast. Included in these ranks are America's FTC, the UK's Office of Fair Trading and the UK's Information Commisisoner's Office, which bizarrely is also a member of the 29WP and has hitherto been a leading light of that body.
Here are some key sound bites from the Opinion:
- On opt-in: "It follows from the literal wording of Article 5.(3) that: i) consent must be obtained before the cookie is placed and/or information stored in the user's terminal equipment is collected, which is usually referred to as prior consent and ii) informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user…The Article 29 Working Party is of the view that prior opt-in mechanisms, which require an affirmative data subject's action to indicate consent before the cookie is sent to the data subject, are more in line with Article 5(3)."
- On browser settings: "…generally speaking data subjects cannot be deemed to have consented simply because they acquired/used a browser or other application which by default enables the collection and processing of their information… consent by browser setting to receive cookies in bulk implies that users will accept future processing, possibly without any knowledge of the purposes or uses of the cookie. Consent in bulk for any future processing without knowing the circumstances surrounding the processing cannot be valid consent."
- On opt-outs: "In light of the above, the Article 29 Working Party considers that cookie-based opt-out mechanisms do not provide average users with the effective means to consent to receive behavioural advertisement. In this regard, they fail to fulfil the requirement of Article 5(3)."
The full Opinion is available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf.
Why this matters:
Opinions from the 29WP are not the word of law. It also has to be said that this is not the first time the 29WP has come out with "opinions" which have struck well informed data privacy commentators as decidedly out of whack with existing orthodoxy and quickly sunk without trace. Another example was the 29WP opinion that even though social media sites were hosted on servers located outside the EEA, the fact that large numbers of EU citizens were using them meant that EU data protection laws must apply.
Having said this, this call for OBA opt-in could if followed through have a profound impact on the online behavioural advertising community and its efforts to self-regulate on an opt-out basis. Revenue generated through targeted advertising is increasingly viewed as vital to funding Internet content, and moving towards opt-in could drive advertising revenues down substantially – with the potential consequence that consumers will end up paying more for the content they want.
How could "opt-in" be achieved in practice?
It is also far from clear how opt-in would be implemented in practice – consumers visiting a website with targeted advertising served by multiple advertisers may find themselves having to click through a barrage of pop-up windows asking for their consent.
The Opinion has already been lambasted in a joint communiqué from leading industry bodies like the Internet Advertising Bureau, the World Federation of Advertisers, the European Association of Communications Agencies and the Federation of European Direct and Interactive Marketing.
Clearly there are legitimate privacy concerns here, but in practice, for this Opinion to be implemented, (probably in 2011 by way of the amended Privacy and Electronic Communications Directive which could be interpreted in a way consistent with this 29WP Opinion) would surely present, without exaggeration, a real threat to the world wide web as we know it. Let us hope that good sense prevails and this Opinion goes the way of numerous previous 29WP pronouncements, but only time will tell, so watch this space!
