Cookies, Tracking & Online Behavioral Advertising

The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that

On 4 May 2020, the European Data Protection Board (EDPB) adopted an updated set of guidelines on consent (Guidelines) under the General Data Protection Regulation (GDPR). These updates were made to the original guidelines published by the Article 29 Working Party on 10 April 2018, which the EDPB endorsed at its first plenary meeting on 25 May 2018.

As a reminder, when a controller relies on consent as its lawful basis for processing personal data, or is required to obtain consent prior to the use of cookies, such consent must be freely given, specific, informed and an unambiguous indication of an individual’s wishes, in order to be valid. Although the original guidelines provided an in-depth analysis of each of these concepts, the EDPB felt that two specific areas required further clarification:

  • The validity of an individual’s consent to the use of cookies when access to a website’s service or functionality is conditioned on that individual giving such consent (i.e., the use of a ‘cookie wall’)
  • The validity of an individual’s consent to the use of cookies when such consent is given by the individual by scrolling through a website

Consequently, the Guidelines now include updates to the sections entitled “Conditionality” and “Unambiguous indication of wishes”, which clarify these areas.

Continue Reading EDPB updates consent guidance to clarify its position on consent to the use of cookies

The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry. The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.
Continue Reading The 7-Step Ad Tech Guide – New guidance issued by industry bodies on programmatic advertising

On February 13, 2020, the German Federal Ministry of Justice and Consumer Protection (BMJV) published a proposal to soften the regulatory requirements for influencers for labeling their posts as advertising (Proposal). Under the Proposal, statements posted on social media about products for which no consideration was given – either in the form of monetary compensation

Companies have been challenged with respect to their cookie policies and their implementation due to the entry into force of the GDPR earlier than the proposed ePrivacy Regulation

 Given the delay in the adoption of an EU-wide regulation on e-privacy, national data protection authorities have taken the initiative in publishing guidelines on cookies requirements. The

With the California Consumer Privacy Act (CCPA) coming into effect on January 1 and the announcement on 14 January from Google that it will be phasing out third party cookies within the next two years, it seems that 2020 will be a significant year for the adtech industry as industry players react with solutions and

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:

Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)).

The ECJ set clear requirements on what cookie consent must look like. However, the requirements for when websites must ask for cookie consent may vary from one EU member state to another as some member states, such as Germany, have not implemented the Cookie Directive and the Judgment, therefore, does not apply directly.

As a rule of thumb, it can be said that, at minimum, websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent.

Background

The case involved a promotional lottery, which was presented with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (Marketing Checkbox)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (Cookie Checkbox)


Continue Reading Compliant use of cookies in the EU is still a secret recipe: ECJ decides on Planet49, but does not provide clarity

In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
Continue Reading Update on ePrivacy Regulation: “Current draft does not guarantee high level of protection and cannot be supported”, German government states

On July 3, 2019 the Information Commissioner’s Office (ICO) published an updated guidance on the use of cookies. Although the guidance confirms requirements of which most data practitioners already comply, it outlines steps for non-compliant companies. Now that the ICO has confirmed its regulatory expectations and detailed immediate enforcement, companies need to take action