The influential Article 29 Data Protection Working Party has expressed serious concerns that the IAB Europe/EASA’s self-regulatory Code of practice on online behavioural advertising 1 is a few biscuits short of a barrel in terms of compliance with EU law on cookies.
Cookie Code crumbles?
The Working Party is not ginger nuts about the Code because it fails to accord with the requirements of the Privacy and Electronic Communications Directive – implemented into UK law in May 2011. The Directive provides that storing and accessing information on a user’s computer is only lawful where the user has given his or her “freely given, specific and informed” consent, “having been provided with clear and comprehensive information... about the purposes of the processing”.
In most cases, the Working Party says that prior informed consent on an opt-in basis is required, regardless of whether this disrupts the user experience. From this standpoint, the Code’s presumption of deemed consent in the absence of user-objection has more holes than a stick of shortbread. The Working Party is also concerned that the Code’s advertising icon is not yet sufficiently recognisable to enable users to make informed choices about cookie-tracking.
Use-by date looms
As previously reported in Newsnotes, the UK’s Information Commissioner has granted a 12 month “grace” period (ending in May 2012) during which it will refrain from enforcement activity. However, over six months into this grace period it is still unclear what website operators should do to get their bourbons in a row.
It is hoped that the Commissioner may still provide some additional iced gems of guidance for website providers, although the chances of opt-out consent being a viable option appear wafer thin.
1 European Advertising Standards Alliance’s Best Practice Recommendation of 14 April 2011, incorporating the Internet Advertising Bureau Europe’s “EU Framework for Online Behavioural Advertising”.