A revision to EU privacy law could have a crippling effect on the online advertising industry, effectively requiring publishers to gain users’ consent before placing cookies on their machines for common online ad practices such as behavioral targeting, retargeting, and audience segmentation.
A proposed amendment to an EU privacy directive states that national governments should “ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent, having been provided with clear and comprehensive information.”
The EU has repeatedly expressed concerns about the collection of user data for use in online advertising, and often stated that if the industry fails to regulate itself appropriately, it would not be afraid to intervene. Via this revision, it appears to be proposing exactly that.
The wider Telecoms Reform Package — of which the amendment is part — must be approved or rejected by the European Parliament and Council by the end of December, according to Struan Robertson, a technology lawyer and legal director at law firm Pinsent Masons who specializes in areas including data security and online marketing. Robertson said the vote is likely to take place by the end of November, and that he would be “surprised” if the package was not approved.
It’s currently unclear exactly how local governments might choose to implement the directive through local law, but Robertson suggested it will be “extremely difficult to interpret it in a way that allows the delivery of cookies without user consent,” and described the possibility as “a frightening state of affairs” for the advertising industry. “It seems remarkable that we would have a law that will make Web sites so difficult to use, but that’s exactly what the directive states. I wonder if organizations would risk ignoring the law in the hope that it won’t be enforced,” he said.
Some, including Robertson, suggest the IAB should be doing more to stave off formal regulation of this manner. The advertising trade body’s U.K. arm released a set of “good practice principles” earlier this year regarding the collection of user data for ad targeting. Those principles highlight the necessity for companies to allow users to opt-out of being tracked around the Web, but do not enforce the need for user consent.
Robertson said the IAB needs to do more to satisfy regulators, and that the organization is, in effect, under-regulating.
Viviane Reding, EU commissioner for information, society and media, made the EU’s stance very clear while speaking at a lunch debate on the future of the Internet in Brussels last month. “European privacy rules are crystal clear: A person’s information can only be used with their prior consent. Transparency and choice are key words in this debate…. I will not shy away from taking action where an EU country falls short of this duty,” she said. During the talk she also highlighted the Commission’s privacy-related action against the U.K., launched in April as a result of targeting technology trials conducted by Phorm and British Telecom.