Cookies, Tracking & Online Behavioral Advertising

Subscribe to Cookies, Tracking & Online Behavioral Advertising

With the California Consumer Privacy Act (CCPA) coming into effect on January 1 and the announcement on 14 January from Google that it will be phasing out third party cookies within the next two years, it seems that 2020 will be a significant year for the adtech industry as industry players react with solutions and

The Finnish presidency of the Council of the EU (Finnish Presidency) released an updated draft of the Regulation on Privacy and Electronic Communications (ePrivacy Regulation) on October 30, 2019 (available here). The Working Party on Telecommunications and Information Society (WP TELE) will discuss the new draft at its meeting on November 7, 2019.

Amendments put forward by the Finnish Presidency

The amendments that the Finnish Presidency plans to discuss at the November 7, 2019 meeting include:

Continue Reading Updated draft of ePrivacy Regulation – Finnish presidency of the Council of the EU aims for final text by the end of the year

In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)).

The ECJ set clear requirements on what cookie consent must look like. However, the requirements for when websites must ask for cookie consent may vary from one EU member state to another as some member states, such as Germany, have not implemented the Cookie Directive and the Judgment, therefore, does not apply directly.

As a rule of thumb, it can be said that, at minimum, websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent.

Background

The case involved a promotional lottery, which was presented with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (Marketing Checkbox)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (Cookie Checkbox)


Continue Reading Compliant use of cookies in the EU is still a secret recipe: ECJ decides on Planet49, but does not provide clarity

In its response dated 3 July 2019 (Response; file no. 19/11351, available in German here) to an inquiry by members of the German parliament (Inquiry), the German government took stand on the current draft Regulation on Privacy and Electronic Communications (ePrivacy Regulation), and particularly on “tracking”. The German government summarises its assessment of the ePrivacy Regulation:

“Germany has declared its view at a session of the Council of the EU on 7 June 2019 in Luxembourg. The ePrivacy Regulation must guarantee a high level of protection that goes beyond the protection that the GDPR provides. The current draft does not achieve this objective. Germany cannot support the current draft.”

German government’s assessment of the ePrivacy Regulation

The Inquiry sought, among other things, the German government’s responses on (i) whether “tracking” should be regulated more extensively at an EU level and (ii) what specific amendments have to be made to the ePrivacy Regulation.
Continue Reading Update on ePrivacy Regulation: “Current draft does not guarantee high level of protection and cannot be supported”, German government states

On July 3, 2019 the Information Commissioner’s Office (ICO) published an updated guidance on the use of cookies. Although the guidance confirms requirements of which most data practitioners already comply, it outlines steps for non-compliant companies. Now that the ICO has confirmed its regulatory expectations and detailed immediate enforcement, companies need to take action

“The internet’s not written in pencil, it’s written in ink.”

Advocate General (AG) Szpunar commenced his opinion dated 4 June 2019 in Case C-18/18 (Opinion, available here) with the above quote from the movie The Social Network. In the Opinion the AG analysed the substantive scope of injunctions, in particular if social network providers “may be required to delete, with the help of a metaphorical ink eraser, certain content placed online by users of that platform”, as well as its territorial scope.

I. Background
An Austrian politician applied at the Vienna Commercial Court (Austria) for an injunction requiring a social network provider to cease the publication of a – in her view – defamatory comment about her. A user of the social network shared an article from a news website on their personal page on the network, whereupon the social network generated a ‘thumbnail’ of that post, containing the title, a brief summary of the article and a photograph of the politician. The user also published a disparaging comment about the politician alongside the post (Content in Question). Any user of the social network was able to access the Content in Question.

The Vienna Commercial Court issued the requested injunction and ordered the social network provider to delete and to stop disseminating the Content in Question. Subsequently, the social network provider disabled access to the content in Austria, but not for other countries. After the Vienna Higher Regional Court upheld the injunction, the case was brought to the Austrian Supreme Court. The Austrian Supreme Court referred to the Court of Justice of the European Union (CJEU) the questions of whether the injunction can be extended (i) worldwide, and (ii) to statements with identical wording and/or equivalent content. The Austrian Supreme Court ultimately asked the CJEU to interpret the Directive on electronic commerce (eCommerce Directive) in this context.

Continue Reading Advocate General’s opinion on social networks’ obligations on (worldwide) deletion of illegal content

The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements.

The ICO compiled responses from over 2,300 participants in an online survey, and conducted fieldwork with more than a hundred stakeholders (publishers, advertisers, start-ups, adtech firms, lawyers and citizens). The ICO highlighted three key challenges of adtech: (i) transparency, (ii) lawful basis and (iii) security.

Continue Reading ICO investigates adtech awareness through fact finding forum

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (“Marketing Checkbox”)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (“Cookie Checkbox”)

Cookie consent

Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. It is not sufficient to be considered active consent if the user must object (by un-ticking the checkbox) to the use of cookies.

Continue Reading Planet49: Advocate General’s opinion on cookies and consent bundling

On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices.

Why ad-tech?

‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses personal data to compile a personal profile, which is then used to decide whether or not to target an individual with a particular advert. Publishers sell advertising spaces by a process of real-time bidding. Ad-tech practices heavily rely on the use of personal data and artificial intelligence.

The ICO is interested in learning more about ad-tech practices for a number of reasons. Firstly, ad-tech falls within the ICO’s priority areas of ‘online tracking’ and ‘artificial intelligence’, identified in the ICO’s Tech Strategy. Secondly, the ICO recognises that while there are benefits arising from ad-tech, there is also a cause for concern, in particular in relation to real-time bidding. Thirdly, the ICO has received complaints about ad-tech firms’ non-compliance with the General Data Protection Regulation (GDPR).

The ICO acknowledges that there are many diverging views on the overlap between ad-tech practices and GDPR-compliant personal data processing.

Continue Reading UK regulator to focus on ad-tech

The Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools on Safer Internet Day. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic by the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used thirdparty tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurances, banks, media, cars and houses.

The Bavarian DPA emphasised its audit on transparency and consent.

Continue Reading German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant