AdTech – Requirements for the admissibility of interest-based advertising and online tracking

Interest-based advertising is a key part of many online business models. Users can be addressed more directly, which increases the effectiveness of advertising and thereby the payouts for website and app operators. A necessary prerequisite for personalised advertising is the tracking of the individual surfing behaviour of the users. This is primarily done by placing cookies. Various major European supervisory authorities have provided guidelines on the privacy requirements to achieve compliance with respect to the placing of cookies and the subsequent data processing.

 

What’s the trouble?

Art. 5 (3) of the ePrivacy Directive (and the respective implementation laws of the EU Member States) states that the storage of information, or access to information already stored, in a user’s terminal device (for example via the dropping of cookies or by receiving access to other user identifiers) is only permitted if the user concerned has given his or her consent. This applies regardless of whether personal data is affected. Where tracking involves the processing of personal data, such processing also needs to comply with GDPR requirements.

Thus, the placing and reading of cookies and other identification mechanisms generally require consent within the EU. In its recent “cookie ruling”, the European Court of Justice specified how a required consent is to be obtained. On this point, it clarified that the use of an already ticked checkbox (“opt-out”) does not fulfil the requirements for effective consent. An effective consent always requires active behaviour on the part of the user (“opt-in”). In practice, however, the preceding question is in which cases and under which conditions consent is actually required. On this question, various European supervisory authorities have published statements.

 

Approach of the German Data Protection Authorities

The German supervisory authorities issued an “orientation guide for telemedia providers” in March 2019.

The German legal situation is characterized by the fact that Germany – in contrast to most other Member States of the European Union – has not implemented the ePrivacy Directive. In the opinion of the German authorities, this means that the requirements for the setting of cookies resulting from the ePrivacy Directive are not applicable in Germany. Nevertheless, the German supervisory authorities have come to the conclusion that, in any case, data processing related to the use of cookies (as well as other identifiers) will often require consent as, according to the authorities, such data processing for tracking purposes cannot be otherwise justified from a GDPR perspective.

With regard to the requirements for the declaration of consent, the supervisory authorities, in line with the requirements set by the European Court of Justice, consider an “opt-out” procedure to be insufficient. Equally inadequate are so-called “cookie walls”, which exist when a website can only be accessed if the use of cookies has been previously consented to. Moreover, data subjects have to be informed about the processing activities, the purposes of the processing and about all third parties involved. In addition, it has to be possible to select or deselect individual processing operations separately. It would therefore not be sufficient to give the user the choice of either agreeing to all processing operations or rejecting them all.

Interestingly, the German authorities do accept that some cookie-related processing activities may be justified without user consent, based on the publisher’s legitimate interests, and provide very detailed “three step guidance” on how to assess whether such legitimate interests are an appropriate legal basis for data processing in an online context.

Step 1: existence of a legitimate interest for the processing of the data

The basic prerequisite is that there is a legitimate interest in the processing by the publisher. The requirements for this are very low. It can be any interest of an economic, ideational or legal nature. Illegal or discriminatory motives cannot establish a legitimate interest.

Step 2: necessity in order to uphold the legitimate interest

Further, the data processing must be necessary to safeguard the relevant legitimate interest. Again, the requirements are not too high. However, no milder, equally effective means should be available. The processing must therefore be limited to the extent necessary.

Step 3: balancing in the specific individual case

The legitimate interests of the controller must be weighed against the interests of the data subjects, in particular the fundamental right to the protection of personal data. The German authorities specify detailed criteria for the weighing, such as predictability of data processing, transparency, and the duration of observation.

 

Approach of the French supervisory authority CNIL

The CNIL has updated its statements on online tracking with the statement 2019-093 of 4 July 2019. It states that only so-called “functional cookies” do not require consent. If consent is required, such consent must be given expressly and voluntarily. A mere possibility to “opt-out” is insufficient, as are “cookie walls”. Like the German authorities, the CNIL also demands that it be possible to consent separately for different purposes. A declaration of consent covering all cookies is accepted, but the user must also be given the opportunity to select and deselect certain cookies.

The declaration of consent must in any case indicate the identity of the controller and the purposes of the data processing or cookie setting as well as the right to revoke the declaration of consent at any time. In addition, all third parties that gained access to data through the tracking mechanisms should be made transparent and covered by the consent. The consent of the user must also be adequately documented.

A particular feature of the French statement lies in the handling of cookies which are used for analytics purposes. Specifically, this concerns cookies used to improve the usability of the website, to segment the website audience in order to assess the effectiveness of editorial decisions or to dynamically adapt the website on a global scale. To a limited extent, the CNIL recognises these as functional cookies, with the consequence that they do not require consent.

 

Approach of the UK ICO

On 3 July 2019, the ICO updated its recommendation for action for the use of cookies and similar technologies. The basic tenor is comparable to the German guideline, but the ICO applies the strictest standards and virtually always requires consent.

According to the ICO, the setting of cookies requires consent pursuant to § 6 (1), (2) PECR (implementation of Art. 5 (3) ePrivacy Directive). Since neither the PECR nor the ePrivacy Directive defines consent in more detail, the requirements for consent under the GDPR should be applied. The ICO argues that, as consent is required anyhow from a PECR perspective, it will be impossible to base the involved data processing under GDPR on any other legal basis than consent, as this could lead to unfair evaluations and confusion among users, for example if a user withdraws his consent and the data processing is subsequently based on legitimate interests.

 

Enforcement of the standards throughout the EU

The supervisory authorities intend to enforce the new self-imposed regulations on online tracking more thoroughly in future. The first enforcement measures, including fine proceedings, have already been initiated, albeit to a moderate extent so far. The Spanish Data Protection Authority (AEPD), which also published its own statement on the use of cookies on 8 November 2019, recently imposed a fine of € 18,000 on an airline for using a “cookie wall” on its website. The Dutch DPA issued a statement on 10 December 2019, according to which it has recently conducted a review of 175 websites and e-commerce platforms to determine whether they met the requirements for the use of cookies. The majority did not and were prompted to adapt.

 

Outlook

The statements of the various EU regulators differ only in nuances. It is expected that the elaborations from Germany, France and the United Kingdom will be the basis for a concentrated approach in Europe and an opinion of the European Data Protection Board.
More legal certainty can possibly be provided by the upcoming ePrivacy Regulation, which is intended to complement the GDPR, inter alia with respect to online tracking. However, its entry into force is more uncertain than ever. After the Committee of Permanent Representatives of the Governments of the Member States to the European Union (COREPER) rejected the draft text in November 2019, EU Commissioner for Digital Affairs Breton proposed a complete reorientation. The further procedure is still unclear, but at any rate the ePrivacy Regulation is not to be expected in the near future.