Online Ad Code Not in Compliance with European Data Protection Laws: Working Party

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Self-regulatory standards for online behavioral marketing adopted in April 2011 by two major European industry associations are not adequate to ensure compliance with current European data protection laws, according to the Article 29 Data Protection Working Party.

The Working Party—an independent advisory body consisting of representatives from the data protection authorities of European Union member states—has issued an opinion assessing the Best Practice Recommendation on online behavioral advertising adopted by the European Advertising Standards Alliance (EASA) and the Internet Advertising Bureau Europe (IAB).

Notice of Behavioral Advertising

The EASA/IAB’s proposed framework recommends that websites use a particular icon to provide notice of behavioral advertising practices. The icon would be linked to an informational website at www.youronlinechoices.eu. On this site, users would be able to opt out of behavioral advertising by selecting specific company names from a list of advertising networks.

In the Working Party’s view, this approach does not properly inform website visitors about the use of cookies, as required by the e-Privacy Directive. Average web users would not be able to recognize the icon’s meaning without any additional description, the Working Party said. The icon should be accompanied by other forms of notice, which would include information as to what types of information are being collected and by whom.

Consent to Cookies

In addition, the Working Party noted, the e-Privacy Directive requires that consent be obtained before cookies are placed on users’ computers or information stored on the users’ computers is collected. The EASA/IAB framework, instead of seeking prior consent, was said to provide a way for users to exercise “choice”—which amounted to opting out of further data collection. This “choice” did not meet the requirements of the directive, the Working Party said.

The Working Party also expressed concern that the EASA/IAB self-regulatory code did not contain provisions on the amount of data collected and the period of time the data would be retained.

Tracking Web Surfing

Moreover, the EASA/IAB standards and website created an incorrect impression that it was possible to choose not to be tracked while surfing the web, the Working Party said. This misapprehension could be damaging to users, as well as to the advertising industry, if advertisers are led to believe that by applying the code they meet the requirements of the e-Privacy Directive.

Full text of the Working Party’s Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavoural Advertising appears at CCH Privacy Law in Marketing ¶60,710 and here on the European Commission’s website.

FTC Testifies on the State of Online Consumer Privacy to Senate Committee

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Industry stakeholders have made important progress in implementing “Do Not Track,” a mechanism proposed by the Federal Trade Commission last December that would allow consumers to choose not to have their Internet browsing tracked by third parties, the FTC said today in testimony before the Senate Committee on Commerce, Science and Transportation.

The FTC’s testimony discussed its efforts to protect consumer privacy through enforcement actions, consumer education, and policy initiatives like the FTC staff’s recent preliminary privacy report.

That report—titled “Protecting Consumer Privacy in an Era of Rapid Change”—proposed a framework to balance consumer privacy with industry innovation by building privacy protections into everyday business practices (“privacy-by-design”); simplifying privacy choices for consumers; and improving transparency with clearer, shorter privacy notices.

Consumer Choice Mechanisms

“Do Not Track is no longer just a concept, it is becoming a reality,” said FTC Chairman Jon Leibowitz,. “It’s encouraging to see companies responding positively to our call for more consumer choice about their online privacy.”

The testimony noted that two of the major Internet browser vendors—Microsoft and Mozilla—have announced that they are developing choice mechanisms for online behavioral advertising.

In addition, the World Wide Web Consortium has accepted a submission by Microsoft to consider a technical standard for a universal choice mechanism and has announced that it is conducting a workshop in April 2011 on how to incorporate Do Not Track preferences into Internet browsing.

In the FTC’s view, an effective Do Not Track regime would:

• Be implemented universally, so consumers do not have to opt out as they go from site to site;

• Have an opt-out mechanism that is easy to find and easy to use;

• Offer choices to consumers that are persistent and that would not be deleted if, for example, consumers cleared their cookies or updated their browsers;

• Be effective and enforceable; and

• Let consumers opt out of being tracked for reasons other than commonly accepted uses, such as fraud prevention.

Universal Opt-Out

“A robust, effective Do Not Track system would ensure that consumers can opt out once, rather than having to exercise choices on a company-by-company or transaction-by-transaction basis,” the testimony stated. “Such a universal mechanism could be accomplished through legislation or potentially through robust, enforceable self-regulation.”

Consumers may want to opt out of more than targeted ads, the FTC said. For example, they might want to prevent prospective employers or insurers from examining their browsing habits. An effective Do Not Track system would go beyond simply opting consumers out of receiving targeted advertisements; it would opt them out of having their behavior tracked online, the testimony states.

“Commission staff will monitor further industry innovation in this area, which may build upon existing industry initiatives and incorporate elements of the different mechanisms being proposed today,” said the FTC.

Privacy Protection Efforts

The Commission stated that protecting consumers’ privacy had been a priority for 40 years.

“During this time, the Commission has employed a variety of strategies to protect consumer privacy, including law enforcement, regulation, outreach to consumers and businesses, and policy initiatives,” the FTC said.

According to the testimony, in the last 15 years, the FTC has brought more than 300 privacy-related actions, including:

• 32 data security cases,

• 64 cases against companies for improperly calling consumers on the Do Not Call registry,

• 86 cases against companies for violating the Fair Credit Reporting Act (FCRA),

• 97 spam cases,

• 15 spyware (or nuisance adware) cases, and

• 15 cases against companies for violating the Children’s Online Privacy Protection Act (COPPA).

The FTC has obtained $60 million in civil penalties in Do Not Call cases; $21 million in civil penalties under the FCRA; $5.7 million under the CAN-SPAM Act; and $3.2 million under COPPA, the testimony noted.

The Commission vote to approve the testimony was 4-1, with Commissioner William E. Kovacic dissenting. Text of the testimony can be found here on the FTC website.

User Consent Needed for Online Ad Tracking: EU Working Party

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

Online behavioral advertising providers are required to obtain the informed consent of users before installing tracking devices, such as cookies, on their computers, under the terms of the European Union’s online privacy rules, according to the Article 29 Data Protection Working Party.

Use of an “opt out” mechanism would not be sufficient to comply with the requirements of the recently revised ePrivacy Directive, the Working Party said in an opinion released June 24.

Behavioral Advertising

Behavioral advertising is defined as the continuous tracking of individuals across multiple websites. Commonly, tracking cookies are used to collect information about individual surfing behavior and to send users targeted advertisements. In most cases, according to the Working Party, individuals are unaware that this is happening.

Although online behavioral advertising may bring advantages to online businesses and users, the Working Party said, its implications for personal data protection and privacy are significant. Monitoring Internet surfing can give third parties a very detailed picture of a person’s online life. Thus, online advertising networks and browser vendors must employ simple and effective mechanisms for users to affirmatively give their consent for online behavioral advertising.

Equally simple and effective mechanisms should be established for users to withdraw consent, the Working Party added.

Consent

Currently, three of the four most widely used browsers are set by default to accept all cookies, the Working Party noted. Not changing a default setting cannot be considered meaningful consent, in most cases. Advertising networks and publishers should provide information about the purposes of tracking in a clear and understandable manner to enable users to make informed choices about whether they want their browsing behavior to be monitored.

Advertising network providers should work with browser manufacturers and developers to implement privacy by design in browsers, the Working Party recommended.

Ad network providers should enable individuals to exercise their rights to access their personal data stored by the networks and to make corrections and request erasure of such information. Ad networks also should implement retention policies that ensure information is automatically deleted after a reasonable period of time. These policies should apply to alternative tracking technologies, such as “Java cookies.”

Application to Children

In addition, in the Working Party’s view, online advertising networks should not serve behavioral advertising to children at all, because of inherent difficulties in obtaining informed consent and because of the vulnerability of children.

The Working Party is an independent advisory body on data protection and privacy, set up under Article 29 of the EU Data Protection Directive. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor, and the European Commission.

Text of the Working Party’s Opinion 2/2010 on online behavioural advertising appears at CCH Privacy Law in Marketing ¶60,494.