Cookies, Tracking & Online Behavioral Advertising

“The internet’s not written in pencil, it’s written in ink.”

Advocate General (AG) Szpunar commenced his opinion dated 4 June 2019 in Case C-18/18 (Opinion, available here) with the above quote from the movie The Social Network. In the Opinion the AG analysed the substantive scope of injunctions, in particular whether social network providers “may be required to delete, with the help of a metaphorical ink eraser, certain content placed online by users of that platform”, as well as their territorial scope.

I. Background
An Austrian politician applied at the Vienna Commercial Court (Austria) for an injunction requiring a social network provider to cease the publication of a – in her view – defamatory comment about her. A user of the social network shared an article from a news website on their personal page on the network, whereupon the social network generated a ‘thumbnail’ of that post, containing the title, a brief summary of the article and a photograph of the politician. The user also published a disparaging comment about the politician alongside the post (Content in Question). Any user of the social network was able to access the Content in Question.

The Vienna Commercial Court issued the requested injunction and ordered the social network provider to delete and to stop disseminating the Content in Question. Subsequently, the social network provider disabled access to the content in Austria, but not for other countries. After the Vienna Higher Regional Court upheld the injunction, the case was brought to the Austrian Supreme Court. The Austrian Supreme Court referred to the Court of Justice of the European Union (CJEU) the questions of whether the injunction can be extended (i) worldwide, and (ii) to statements with identical wording and/or equivalent content. The Austrian Supreme Court ultimately asked the CJEU to interpret the Directive on electronic commerce (eCommerce Directive) in this context.

Continue Reading Advocate General’s opinion on social networks’ obligations on (worldwide) deletion of illegal content

The Information Commissioner’s Office (ICO) recently published a summary report of its fact finding forum on data protection issues arising from advertising technology (adtech). Adtech is a term commonly used to refer to all technologies, software and services used for delivering and targeting online advertisements.

The ICO compiled responses from over 2,300 participants in an online survey, and conducted fieldwork with more than a hundred stakeholders (publishers, advertisers, start-ups, adtech firms, lawyers and citizens). The ICO highlighted three key challenges of adtech: (i) transparency, (ii) lawful basis and (iii) security.

Continue Reading ICO investigates adtech awareness through fact finding forum

On 21 March 2019, Advocate General Maciej Szpunar (“AG”) delivered an opinion on cookie consent, information obligations regarding cookies and consent bundling (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.). In the case at issue, users entering into a promotional lottery were confronted with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (“Marketing Checkbox”)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (“Cookie Checkbox”)

Cookie consent

Article 4(11) of the General Data Protection Regulation (“GDPR”) defines consent as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

The AG stated that there was no active consent in this instance because the Cookie Checkbox was pre-ticked. Requiring the user to object (by un-ticking the checkbox) to the use of cookies does not amount to active consent.

Continue Reading Planet49: Advocate General’s opinion on cookies and consent bundling

On 6 March 2019, the Information Commissioner’s Office (ICO) will host a fact-finding forum in central London. The aim of this forum is to facilitate a dialogue between ad-tech stakeholders. The ICO wants to understand the complexities of ad-tech practices.

Why ad-tech?

‘Ad-tech’ is the product of technology’s transformation of the advertising industry. It uses personal data to compile a personal profile, which is then used to decide whether or not to target an individual with a particular advert. Publishers sell advertising spaces by a process of real-time bidding. Ad-tech practices heavily rely on the use of personal data and artificial intelligence.

The ICO is interested in learning more about ad-tech practices for a number of reasons. Firstly, ad-tech falls within the ICO’s priority areas of ‘online tracking’ and ‘artificial intelligence’, identified in the ICO’s Tech Strategy. Secondly, the ICO recognises that while there are benefits arising from ad-tech, there is also a cause for concern, in particular in relation to real-time bidding. Thirdly, the ICO has received complaints about ad-tech firms’ non-compliance with the General Data Protection Regulation (GDPR).

The ICO acknowledges that there are many diverging views on the overlap between ad-tech practices and GDPR-compliant personal data processing.

Continue Reading UK regulator to focus on ad-tech

On Safer Internet Day, the Bavarian Data Protection Authority (‘Bavarian DPA’) audited major Bavarian websites for their use of tracking tools. It calls its findings “desolate”. None of the tracking tools were implemented in a compliant manner.

Audit by the Bavarian DPA

Tracking and the requirements for using cookies have been a highly debated topic among the EU data protection authorities since last spring. The Conference of German Data Protection Authorities released a position paper on 26 April 2018, stating that tracking and profiling cookies require opt-in consent (‘Position Paper’; read more on the Position Paper in our blog here and find more background on cookies under GDPR in the German-language videos here).

The Bavarian DPA audited 40 Bavarian websites. In a summary report (‘Summary Report’, available here), the Bavarian DPA stated that all websites that were reviewed used third-party tracking tools, but none was implemented in compliance with data protection law. The websites tested relate to the following industries: online shops, sports, insurances, banks, media, cars and houses.

The Bavarian DPA focused its audit on transparency and consent.

Continue Reading German supervisory authority audited 40 websites on the use of tracking tools – and none of them was compliant

In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first sanction decision rendered by the CNIL on Monday January 21, 2019, which is to date the most severe sanction ever imposed on a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might be in the eyes of the French regulator.

Background: a wave of awareness among users at the EU level shows a new face of data protection

In a notice dated November 2018,[2] the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.

The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.

As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expeditious procedure (barely 10 weeks), the CNIL shows a clear willingness to implement a far-reaching control over GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at fighting any form of “forum shopping.”

Continue Reading First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun

It has been reported that the Information Commissioner’s Office (ICO) has issued the US-based Washington Post newspaper with a warning about how it obtains consent for cookies from website visitors.

According to a report in The Register, the ICO stated that the Washington Post’s online subscription options do not allow users to opt out of cookies and other trackers free of charge. Such functionality is only possible as part of the newspaper’s premium paid subscription service. The browsing options offered by the Washington Post are:

(i) free access to a limited number of articles dependent on consent to the use of cookies and tracking for personalised advertisements;

(ii) a basic subscription that provides paid access to an unlimited number of articles but which also requires consent to the use of cookies and other tracking; and

(iii) a more expensive premium subscription option that gives users access to an unlimited number of articles, free of advertising and ad tracking.

The ICO views this as a contravention of the EU’s General Data Protection Regulation (GDPR). Article 7(4) GDPR states that “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract”. Because the Washington Post fails to provide a free alternative to accepting cookies, the ICO appears to have determined that consent cannot be freely given by users, and is therefore invalid.

Continue Reading ICO warns that the Washington Post offers invalid cookie consent under the GDPR

Recently, the German media regulators, the State Media Authorities (Landesmedienanstalten), issued a joint guidance paper on marking adverts on social media (Leitfaden der Medienanstalten, Werbekennzeichnung bei Social Media-Angeboten; “Guidance Paper”). The Guidance Paper replaces the State Media Authorities’ earlier FAQs. It is intended to help organisations and individuals to

After another statement by the German Data Protection Authorities (German DPAs) of 5 September 2018 (Statement, available in English here), stating that the operation of a fan page as offered by Facebook was illegal, Facebook reacted “overnight” and released a co-controller agreement, the “Page Insights Controller Addendum” (Insights Addendum, available here). In a press release of 16 November 2018 (Press Release, available in German here), the Berlin Data Protection Authority (Berlin DPA) announced that it has been auditing organisations concerning the use of Facebook fan pages since early November. In this blog, we provide recommendations as to what organisations should do next.

Background

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its judgment (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the fan page. Only a day later, the German DPAs released their first statement on the consequences of the judgment, arguing that organisations do not meet data protection standards when operating a fan page on Facebook, leaving marketers in Germany and Europe with lots of uncertainty (for more background, please review our previous blog How big is the risk to operate Facebook fan pages in Germany?). Three months then passed without Facebook providing any solution to the operators of fan pages.

Continue Reading Update on Facebook fan pages: What should organisations do after the release of Facebook’s co-controller agreement?

On 10 July 2018, the Council of the European Union published a draft of revisions to the proposed ePrivacy Regulation (ePR). The ePR is likely to come into force in 2019.

The ePR will repeal and replace the Privacy and Electronic Communications Directive 2002/58/EC. The ePR will align Europe’s ePrivacy regime more closely with the privacy regime set out in the General Data Protection Regulation (GDPR). The GDPR took effect on 25 May 2018.

Objectives

The ePR focuses on the confidentiality of users’ electronic communications. It will also regulate activities such as:

  • direct marketing,
  • website audience measurement,
  • the transmission of communications across devices and browsers, and
  • cookies set on users’ machines.

According to Recital 2, the ePR intends to “particularise and complement the provisions for personal data laid down by the GDPR” by “translating its principles into specific rules”.

Continue Reading Proposed amendments to the ePrivacy Regulation