Online Behavioral Advertising in the EU – The Need for User ‘Consent’

BY CCIA Staff
September 30, 2011
The advertising industry has drafted a self-regulatory framework this year to meet legal requirements regarding the placement of cookies on Internet users’ machines for the purpose of online behavioral advertising. This framework, drafted in response to legal requirements, is based on an opt-out approach. The approach would enable Internet users to obtain relevant information about the purpose of data collection, and then have the possibility to opt out of behavioral advertising schemes, if requested.

This approach, however, does not satisfy the EU’s Article 29 Working Party, which is composed of national data protection officers and oversees the implementation of data protection laws in the EU. According to the Art. 29 WP, the self-regulatory framework does not meet the requirements of EU law since ‘consent’ to OBA can only be given in an opt-in framework with the Internet user actively agreeing to it. This interpretation of existing law was recently confirmed in a meeting between representatives of the Art. 29 WP and the advertising industry.  Even though the opinions of the Art. 29 WP are not legally binding, they provide guidance in implementing data protection laws across the EU.

It is noteworthy that the restrictive viewpoint of the Art. 29 WP comes at a time in which the EU (as well as the U.S.) is in the midst of rewriting its data protection laws. The EU Commission is expected to publish a new data protection framework, including provisions specifically addressing the online world. The Commissioner responsible, Viviane Reding, initially wanted to publish it in November but it is very likely that it will take the Commission longer to finalize the proposal. Furthermore, the Art. 29 WP is expected to adopt an official opinion on the advertising industry’s self-regulatory scheme by the end of this year.

In the current situation, the legal implications remain uncertain. The implementation and enforcement of the ‘Cookie Directive’ is the responsibility of individual Member States, which increases the risk of regulatory variations across the EU. The difficulties and uncertainties with the implementation of key provisions of the Directive can clearly be seen in the mixed implementation records of Member States. Even though all of them should have implemented the provisions by end of May this year, most of them have not met this deadline.

Against this background, any future rules should pursue three basic goals. First, increase legal certainty by laying down less ambiguous provisions. Second, continue to work with international partners to develop common approaches in order to minimize costs resulting from discrepancies in legal regimes. Third, account should be taken of the importance of a more flexible regulatory approach. It should be remembered that OBA has greatly benefited consumers by enabling applications providers to offer their services at minimal or even no costs. In lowering barriers to entry, OBA greatly contributed to a competitive online environment that not only encourages companies to innovate in various types of products and services, but it also drives them to compete over privacy practices that are closest to customers’ preferences. Rigid, regulatory approaches entail the risk of chocking off these healthy competitive forces.

Related Articles

European Media Freedom Act: Fight Against Disinformation and Illegal Content Requires Balanced Relationship Between Media and Online Platforms

Sep 16, 2022

Brussels, BELGIUM — The European Media Freedom Act presented by the European Commission earlier today seeks to introduce new rules to safeguard the independence and pluralism of Europe’s media. The “must-carry” obligation included in the proposal, however, could be abused to force social media and other online platforms to spread disinformation or illegal content, the…

New EU Cybersecurity Rules Are Well-intended, but Introduce Unnecessary Red Tape

Sep 15, 2022

Brussels, BELGIUM – The European Commission presented today a new Cyber Resilience Act (CRA), seeking to create extensive approval processes that a wide range of digital products and services would have to undergo before they can be sold and used on the EU market. The Computer & Communications Industry Association (CCIA Europe) supports the Commission’s…

EU Rules to Fight Child Sexual Abuse Should Be Future-proof and Respect Fundamental Rights

Sep 12, 2022

Brussels, BELGIUM – Legislation to combat and prevent child sexual abuse (CSA) proposed by the European Commission has an important role to play in protecting children in Europe and beyond. The CSA Regulation puts forward new obligations for online service providers to detect, remove and report child sexual abuse material (CSAM), as well as the…