Online Behavioral Advertising in the EU – The Need for User ‘Consent’

By CCIA Staff
September 30, 2011

The advertising industry has drafted a self-regulatory framework this year to meet legal requirements regarding the placement of cookies on Internet users’ machines for the purpose of online behavioral advertising (OBA). This framework is based on an opt-out approach. It would enable Internet users to obtain relevant information about the purpose of data collection, and then to opt out of behavioral advertising schemes on request.

This approach, however, does not satisfy the EU’s Article 29 Working Party (Art. 29 WP), which is composed of national data protection officers and oversees the implementation of data protection laws in the EU. According to the Art. 29 WP, the self-regulatory framework does not meet the requirements of EU law, since ‘consent’ to OBA can only be given in an opt-in framework in which the Internet user actively agrees to it. This interpretation of existing law was recently confirmed in a meeting between representatives of the Art. 29 WP and the advertising industry. Even though the opinions of the Art. 29 WP are not legally binding, they provide guidance in implementing data protection laws across the EU.

It is noteworthy that the restrictive viewpoint of the Art. 29 WP comes at a time in which the EU (as well as the U.S.) is in the midst of rewriting its data protection laws. The EU Commission is expected to publish a new data protection framework, including provisions specifically addressing the online world. The Commissioner responsible, Viviane Reding, initially wanted to publish it in November but it is very likely that it will take the Commission longer to finalize the proposal. Furthermore, the Art. 29 WP is expected to adopt an official opinion on the advertising industry’s self-regulatory scheme by the end of this year.

In the current situation, the legal implications remain uncertain. The implementation and enforcement of the ‘Cookie Directive’ is the responsibility of individual Member States, which increases the risk of regulatory variations across the EU. The difficulties and uncertainties in implementing key provisions of the Directive can clearly be seen in the mixed implementation records of Member States. Even though all of them should have implemented the provisions by the end of May this year, most of them have not met this deadline.

Against this background, any future rules should pursue three basic goals. First, increase legal certainty by laying down less ambiguous provisions. Second, continue to work with international partners to develop common approaches in order to minimize costs resulting from discrepancies in legal regimes. Third, take account of the importance of a more flexible regulatory approach. It should be remembered that OBA has greatly benefited consumers by enabling application providers to offer their services at minimal or even no cost. In lowering barriers to entry, OBA has greatly contributed to a competitive online environment that not only encourages companies to innovate in various types of products and services, but also drives them to compete over privacy practices that are closest to customers’ preferences. Rigid regulatory approaches entail the risk of choking off these healthy competitive forces.
