The EU's Article 29 Working Party on Data Protection has reaffirmed the European Commission's view that website cookies for tracking online users' surfing behaviour can only be deployed in a fair and transparent way.
In a letter addressed to the Online Behavioural Advertising Industry, the Working Party argued that users must have an 'active and informed choice' over accepting or rejecting cookies. It rejected the industry's current approach to dealing with behavioural advertising set out in its Code of Conduct.
What is behavioural advertising?
Behavioural targeting or advertising is the use of information linked through cookies to create a profile of an online user. The user is matched with a broad profile and is then sent adverts which are likely to interest them.
However, recent changes in privacy rules now require websites to obtain the user's consent to deploying cookies. Under The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, consent can only be provided if users of web browsers have made an active and informed choice to allow or disallow the tracking. Such a choice could be offered in a manner similar to the browser selection tool in an operating system.
W3C Do Not Track Protocol
Several different mechanisms exist which will allow users to provide meaningful consent for tracking their web surfing behaviour, including the work done by the W3C on the Do Not Track (DNT) protocol. The WP 29 shares with Commissioner Kroes the opinion that this mechanism “can become a very successful standard…empowering the citizen, by putting control in the hands of the user in a way that is fair and transparent”.
A second essential condition for DNT to meet the requirements of European data protection law is that a DNT-setting in a browser means that users should no longer be tracked, instead of just not being shown targeted advertisements. DNT should imply that no user data are collected, retained, processed and shared anymore, with the exception of information strictly necessary to provide the service explicitly requested by the subscriber or user.
It must be clear that data from a user with an active DNT-setting cannot be used for purposes such as "market research" and "product development".
If the DNT-standard meets these two essential conditions, the combination of initial consent in the browser with the current opt-out website could comply with the revised e-privacy directive, as this website and the icons can serve as an additional measure to remind users that they can withdraw their consent.