Online Behavioral Advertising in the EU – The Need for User ‘Consent’

BY CCIA Staff
September 30, 2011
The advertising industry has drafted a self-regulatory framework this year to meet legal requirements regarding the placement of cookies on Internet users’ machines for the purpose of online behavioral advertising. This framework, drafted in response to legal requirements, is based on an opt-out approach. The approach would enable Internet users to obtain relevant information about the purpose of data collection, and then have the possibility to opt out of behavioral advertising schemes, if requested.

This approach, however, does not satisfy the EU’s Article 29 Working Party, which is composed of national data protection officers and oversees the implementation of data protection laws in the EU. According to the Art. 29 WP, the self-regulatory framework does not meet the requirements of EU law since ‘consent’ to OBA can only be given in an opt-in framework with the Internet user actively agreeing to it. This interpretation of existing law was recently confirmed in a meeting between representatives of the Art. 29 WP and the advertising industry.  Even though the opinions of the Art. 29 WP are not legally binding, they provide guidance in implementing data protection laws across the EU.

It is noteworthy that the restrictive viewpoint of the Art. 29 WP comes at a time in which the EU (as well as the U.S.) is in the midst of rewriting its data protection laws. The EU Commission is expected to publish a new data protection framework, including provisions specifically addressing the online world. The Commissioner responsible, Viviane Reding, initially wanted to publish it in November but it is very likely that it will take the Commission longer to finalize the proposal. Furthermore, the Art. 29 WP is expected to adopt an official opinion on the advertising industry’s self-regulatory scheme by the end of this year.

In the current situation, the legal implications remain uncertain. The implementation and enforcement of the ‘Cookie Directive’ is the responsibility of individual Member States, which increases the risk of regulatory variations across the EU. The difficulties and uncertainties with the implementation of key provisions of the Directive can clearly be seen in the mixed implementation records of Member States. Even though all of them should have implemented the provisions by end of May this year, most of them have not met this deadline.

Against this background, any future rules should pursue three basic goals. First, increase legal certainty by laying down less ambiguous provisions. Second, continue to work with international partners to develop common approaches in order to minimize costs resulting from discrepancies in legal regimes. Third, account should be taken of the importance of a more flexible regulatory approach. It should be remembered that OBA has greatly benefited consumers by enabling applications providers to offer their services at minimal or even no costs. In lowering barriers to entry, OBA greatly contributed to a competitive online environment that not only encourages companies to innovate in various types of products and services, but it also drives them to compete over privacy practices that are closest to customers’ preferences. Rigid, regulatory approaches entail the risk of chocking off these healthy competitive forces.

Related Articles

German Legislature Preempts EU Reforms with National Competition Law Amendments Targeting the Digital Economy

Jan 14, 2021

Berlin, GERMANY — Members of the German parliament voted to approve far-reaching regulations for large digital platforms today. Once signed into law, the proposal would make Germany the first jurisdiction in the EU specifically regulating market power in the digital economy. The reform introduces article 19a in the German “Act against Restraints of Competition,” setting…

New EU Cybersecurity Rules Should Promote Security Mitigation, Avoid Compliance Red Tape

Dec 16, 2020

Brussels, BELGIUM — The European Commission published today a legislative proposal to update the 2016 Network and Information Security Directive.  The proposal aims to reduce regulatory inconsistencies across the EU’s internal market and it encourages security information sharing to help companies effectively address future cybersecurity risks. But the proposal also suggests that cloud computing providers,…

CCIA Responses To EU Digital Markets Act and Digital Services Act Proposals

Dec 15, 2020

Brussels, BELGIUM — The European Commission presented its Digital Markets Act (DMA) and its Digital Services Act (DSA) proposals earlier today. The Digital Markets Act seeks to target the core services of so-called digital “gatekeepers” by restructuring their relationships with business users and imposing new terms and obligations. These obligations can be updated, new services…