IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieConsent
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieDerogation
What are the exceptions to the obligation to seek prior consent (to the principle of informed consent)? When can a cookie be exempt from the principle of informed consent?
There are two exceptions concerning the technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network (Exception A), or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service (Exception B).
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieInformation
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieLegalGround
The use of tracking devices should be allowed only for legitimate purposes, with the knowledge of the users concerned (with prior informed consent), unless an exception applies
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookiePublisher
Data controller as per the definition in Directive 95/46/EC (syn. publisher, provider of information society services)
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookiePurpose
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookiePurposeWithDerogation
IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieUser
any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (syn. Subscriber)
IRI: http://ciolaws.com/ontologies/eulr-cookies#FirstPartyCookie
IRI: http://ciolaws.com/ontologies/eulr-cookies#IllegitimateCookiePurpose
Purposes that seriously intrude upon the privacy of the users (non-exhaustive list)
IRI: http://ciolaws.com/ontologies/eulr-cookies#LegitimateCookiePurpose
Purposes that facilitate the provision of information society services (e.g. analysing the effectiveness of website design and advertising, and verifying the identity of users engaged in on-line transactions) (non-exhaustive list)
IRI: http://ciolaws.com/ontologies/eulr-cookies#PermanentCookie
IRI: http://ciolaws.com/ontologies/eulr-cookies#SessionCookie
IRI: http://ciolaws.com/ontologies/eulr-cookies#SettingCookie
The operation consisting of introducing a device capable of storing or accessing information in the terminal equipment of a subscriber or user (syn. planting cookie)
IRI: http://ciolaws.com/ontologies/eulr-cookies#ThirdPartyCookie
IRI: http://ciolaws.com/ontologies/eulr-cookies#ThirdPartyPublisher
An entity is a Third Party to the extent that it engages in Online Behavioural Advertising on a web site or web sites other than a web site or web sites it or an entity under Common Control owns or operates (syn. Ad network provider)
IRI: http://ciolaws.com/ontologies/eulr-cookies#TrackingDevice
To which technologies is Art. 5(3) of the E-Privacy Directive (2002/58/EC) applicable?
Device that can store or access information in the terminal equipment of a subscriber or user (e.g. cookies, JavaScript, device fingerprinting, spyware, viruses, web bugs, hidden identifiers and other similar devices). The requirement applies to all types of information stored or accessed in the user's terminal device, although the majority of discussion has centred on the usage of cookies as understood by the definition in RFC 6265.
The information accessed or stored does not need to be personal data.
The technologies falling within this definition that are described on this page include: cookies, device fingerprinting, HTML5 local storage, client-side scripts, web beacons and web caching mechanisms.
IRI: http://ciolaws.com/ontologies/eulr-cookies#WebSiteOperator
A Web Site Operator is the owner, controller or operator of the web site with which the web user interacts
IRI: http://ciolaws.com/ontologies/eulr-cookies#canGiveConsent
Enabling power: the legal power of the user to surrender his privilege on the data on his device to the service provider (the user gives a "licence" of entrance to the service provider). Access by others is withheld (right) unless some consent is given. Correlative to this legal power is the legal liability (subjection) of the service provider, which is subject, nolens volens, to the change in jural relation involved in the exercise of the user's power to give his consent. Following the representation proposed in (Sartor, 2006), the jural relations above can be formalized as: EnablingPoweru (let use cookies VIA consent) = Subjectionsp (User=u , Service provider=sp)
IRI: http://ciolaws.com/ontologies/eulr-consent#givesConsent
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasJuralRelation
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasLegalDerogation
For what purposes can (or can not) the exemption be applied?
First party session cookies are far more likely to be exempted from consent than third party persistent cookies. However, the purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.
This analysis has shown that the following cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes: 1) User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases. 2) Authentication cookies, used for authenticated services, for the duration of a session. 3) User centric security cookies, used to detect authentication abuses, for a limited persistent duration. 4) Multimedia content player session cookies, such as flash player cookies, for the duration of a session. 5) Load balancing session cookies, for the duration of session. 6) UI customization persistent cookies, for the duration of a session (or slightly more). 7) Third party social plug-in content sharing cookies, for logged in members of a social network.
Having regard to social networks, the working party notes however that the use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites. The working party recalls that third party advertising cookies cannot be exempted from consent, and further clarifies that consent would also be needed for operational purposes related to third party advertising such as frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging. While some operational purposes might certainly distinguish one user from another, in principle these purposes do not justify the use of unique identifiers. This point is of particular relevance in the context of the current discussions regarding the implementation of the Do Not Track standard in Europe. This analysis also shows that first party analytics cookies are not exempt from consent but pose limited privacy risks, provided reasonable safeguards are in place, including adequate information, the ability to opt-out easily and comprehensive anonymisation mechanisms.
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasLegalGround
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasPrivacy
Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms.
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasPublisher
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasPurpose
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasRecipient
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasUserConsent
Can the consent serve for several cookies? Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections.
IRI: http://ciolaws.com/ontologies/eulr-cookies#IntroducesInTerminalEquipment
IRI: http://ciolaws.com/ontologies/eulr-consent#isReceivedBy
IRI: http://ciolaws.com/ontologies/eulr-consent#isSeekedBy
What does the EASA/IAB Code implement to obtain consent?
User choice over Online Behavioural Advertising A. Each Third Party should make available a mechanism for web users to exercise their choice with respect to the collection and use of data for OBA purposes and the transfer of such data to Third Parties for OBA. Such choice should be available from the notice described in I.A.1 and via the OBA User Choice Site.
Under the EASA/IAB Code, an icon will be used as an information notice for behavioural advertising. In the current implementation of the Code, the icon is linked to an information website, www.youronlinechoices.eu.
Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the Code and the website do not meet the requirement set out in the revised e-Privacy Directive.
IRI: http://ciolaws.com/ontologies/eulr-cookies#noAccess
IRI: http://ciolaws.com/ontologies/eulr-consent#provideInformation
IRI: http://ciolaws.com/ontologies/eulr-cookies#providesCookieInformation
Provide clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing
IRI: http://ciolaws.com/ontologies/eulr-cookies#seekPriorInformedConsent
The publisher of the cookie, be it the web site operator or the third party publisher (advertising network provider) has the obligation to seek and obtain the consent from the user.
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasDuration
Cookies are often categorized according to whether they are "session cookies" or "persistent cookies". A "session cookie" is a cookie that is automatically deleted when the user closes his browser, while a "persistent cookie" is a cookie that remains stored in the user's terminal device until it reaches a defined expiration date (which can be minutes, days or several years in the future).
has characteristics: functional
IRI: http://ciolaws.com/ontologies/eulr-cookies#hasOrigin
Cookies are often categorized according to whether they are "third party cookies" or "first party cookies". "Third party cookie" describes a cookie that is set by a data controller that does not operate the website currently visited by the user. Conversely, the term "first party cookie" is used to refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.
has characteristics: functional
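The two classifications above (hasDuration and hasOrigin) are the technical features an auditor can read straight off a Set-Cookie header: a cookie without Max-Age or Expires is a session cookie, one with either is persistent, and the Domain attribute (or, absent that, the setting host) decides whether the cookie belongs to the site the user is visiting or to a third party. The following script is an added example, not part of the ontology or of the WP29 opinions it documents, showing how to classify captured Set-Cookie headers along both axes so that the cookies most likely to need consent (third party, persistent) surface first in a review. The sample responses, host names and the registrable-domain heuristic are constructed assumptions; a real audit should use the Public Suffix List rather than the last-two-labels shortcut used here, and, as the page stresses, the purpose of the cookie, not its technical features, ultimately decides whether an exemption applies.

```python
"""Classify Set-Cookie headers by duration and origin for a consent audit.

Added example; not code from the ontology or from the WP29 opinions.
Assumes the auditor captured, per response, the host that sent the
Set-Cookie header and the host of the page the user was visiting.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Fixed "now" so the Expires arithmetic below is reproducible (assumption).
SAMPLE_NOW = datetime(2026, 10, 20, 7, 28, 0, tzinfo=timezone.utc)


@dataclass
class CookieAssessment:
    name: str
    duration: str             # "session" or "persistent"
    max_age_seconds: Optional[int]
    origin: str               # "first-party" or "third-party"
    effective_domain: str


def _domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-matching: host equals domain or is a subdomain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def _registrable_part(host: str) -> str:
    # Heuristic for the example only: last two labels. Not RFC behaviour;
    # use the Public Suffix List in a real audit (e.g. for co.uk).
    return ".".join(host.lower().split(".")[-2:])


def classify_cookie(set_cookie: str, setting_host: str, page_host: str,
                    now: Optional[datetime] = None) -> CookieAssessment:
    now = now or datetime.now(timezone.utc)
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0].strip()
    max_age: Optional[int] = None
    expires: Optional[datetime] = None
    domain = setting_host                      # host-only cookie by default
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age":
            try:
                max_age = int(val)
            except ValueError:
                pass                           # malformed Max-Age is ignored
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass
        elif key == "domain" and val and _domain_matches(setting_host, val):
            # A Domain the setting host does not match is rejected by
            # browsers (RFC 6265 s5.3 step 6), so the cookie stays host-only.
            domain = val.lstrip(".")
    if max_age is not None:                    # Max-Age wins over Expires
        ttl: Optional[int] = max_age
    elif expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        ttl = int((expires - now).total_seconds())
    else:
        ttl = None
    duration = "session" if ttl is None else "persistent"
    origin = ("first-party"
              if _registrable_part(domain) == _registrable_part(page_host)
              else "third-party")
    return CookieAssessment(name, duration, ttl, origin, domain)


def audit(responses: List[Tuple[str, str]], page_host: str,
          now: Optional[datetime] = None) -> List[CookieAssessment]:
    """Classify every (setting_host, Set-Cookie) pair and order the result so
    that third-party persistent cookies come first and first-party session
    cookies last. Ordering is a review priority, not a legal verdict: the
    purpose of each cookie still decides whether an exemption applies."""
    rank = {("third-party", "persistent"): 0, ("third-party", "session"): 1,
            ("first-party", "persistent"): 2, ("first-party", "session"): 3}
    found = [classify_cookie(sc, host, page_host, now) for host, sc in responses]
    return sorted(found, key=lambda a: rank[(a.origin, a.duration)])


# Constructed sample capture: a shop page, a language preference and an
# advertising identifier set from a third-party host (all hypothetical).
SAMPLE_PAGE_HOST = "shop.example.org"
SAMPLE_RESPONSES = [
    ("shop.example.org", "JSESSIONID=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example.org", "lang=fr; Max-Age=2592000; Domain=.example.org; Path=/"),
    ("cdn.adnet.example.net",
     "uid=12345; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Domain=adnet.example.net; Path=/"),
]


def audit_sample() -> List[CookieAssessment]:
    return audit(SAMPLE_RESPONSES, SAMPLE_PAGE_HOST, now=SAMPLE_NOW)


if __name__ == "__main__":
    for a in audit_sample():
        print(f"{a.name:12} {a.origin:12} {a.duration:10} "
              f"ttl={a.max_age_seconds} domain={a.effective_domain}")
```

Run it to get the three sample cookies in review order: the third-party persistent `uid` first, then the first-party persistent `lang`, then the first-party session `JSESSIONID`. Note that `JSESSIONID` lands last only because it is a session cookie on the visited site; whether it is actually exempt still depends on it being used solely for a purpose the user explicitly requested.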
IRI: http://ciolaws.com/ontologies/eulr-cookies#Cookie
Small pieces of text sent by the web servers the user has visited (via the Set-Cookie response header, as defined in RFC 6265) and stored by the browser on the user's device, to be returned with subsequent requests so that the server can recognise the browser and exchange state with it.
IRI: http://ciolaws.com/ontologies/eulr-cookies#DeviceFingerprinting
Device fingerprinting
IRI: http://ciolaws.com/ontologies/eulr-cookies#directive136rec66
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58art15a
Implementation and enforcement
IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58art2
‘user’ means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; ‘consent’ by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC;
IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58rec24
Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.
IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58rec25
However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.
IRI: http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode
IRI: http://ciolaws.com/ontologies/eulr-cookies#edps071116
IRI: http://ciolaws.com/ontologies/eulr-cookies#ExceptionA
The technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
EXCEPTION A encompasses cookies that fulfil at least one of the following properties for Internet communications: 1) the ability to route the information over the network, notably by identifying the communication endpoints; 2) the ability to exchange data items in their intended order, notably by numbering data packets; 3) the ability to detect transmission errors or data loss.
IRI: http://ciolaws.com/ontologies/eulr-cookies#ExceptionB
The technical storage or access as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service (e.g. cookies necessary for the functioning of a shopping basket, the security of the system, or the storing of language preferences).
A cookie matching EXCEPTION B would need to pass the following tests: 1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available. 2) This functionality has been explicitly requested by the user (or subscriber), as part of an information society service. Comment: “sole purpose” and “strictly necessary” indicate that these two exceptions must be interpreted in a restrictive way
Ultimately: 1) When applying EXCEPTION B, it is important to examine what is strictly necessary from the point of view of the user, not the service provider. 2) If a cookie is used for several purposes, it can only benefit from an exemption to informed consent if each distinct purpose individually benefits from such an exemption. 3) The purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.
IRI: http://ciolaws.com/ontologies/eulr-cookies#HTML5LocalStorage
HTML5 local storage.
IRI: http://ciolaws.com/ontologies/eulr-cookies#OnlineBehaviouralAdvertising
Behavioural advertising techniques enable advertisers, mainly ad providers, to track individuals when they surf the internet, to build profiles and to use them to serve tailored advertising. In most cases, individuals are simply unaware that this is happening.
Online Behavioural Advertising means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours. Online Behavioural Advertising does not include the activities of Web Site Operators, Ad Delivery or Ad Reporting, or contextual advertising (e.g. advertising based on the content of the web page being visited, a consumer’s current visit to a web page, or a search query).
IRI: http://ciolaws.com/ontologies/eulr-cookies#Script
Scripts (e.g. JavaScript code) and components (such as browser plug-ins) to be executed on the client side.
IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012
IRI: http://ciolaws.com/ontologies/eulr-cookies#W3Crec
Tracking Preference Expression (DNT), W3C Candidate Recommendation 20 August 2015 Tracking Compliance and Scope (TCS), W3C Candidate Recommendation 26 April 2016
IRI: http://ciolaws.com/ontologies/eulr-cookies#WebBeacon
Web beacons
IRI: http://ciolaws.com/ontologies/eulr-cookies#WebCachingMechanism
Web caching mechanisms.
IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-15/2011
IV.1. Clarification of the key aspects of the current framework Article 2 (h) of Directive 95/46/EC defines consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". Article 7 of the Directive, which sets forth the legal basis for processing personal data, sets out unambiguous consent as one of the legal grounds. Article 8 requires explicit consent as a legal ground to process sensitive data. Article 26.1 of Directive 95/46/EC and various provisions of the ePrivacy Directive require consent to carry out specific data processing activities within their scope of application. The points developed in this opinion aim at clarifying the various elements of this legal framework in an effort to make it easier to apply by stakeholders in general.
Elements/observations of general nature
Specific elements of the legal framework related to consent
• For consent to be valid, it must be freely given. This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Data processing operations in the employment environment where there is an element of subordination, as well as in the context of government services such as health, may require careful assessment of whether individuals are free to consent.
• Consent must be specific. Blanket consent without determination of the exact purposes does not meet the threshold. Rather than inserting the information in the general conditions of the contract, this calls for the use of specific consent clauses, separated from the general terms and conditions.
• Consent must be informed. Articles 10 and 11 of the Directive list the type of information that must necessarily be provided to individuals. In any event, the information provided must be sufficient to guarantee that individuals can make well informed decisions about the processing of their personal data. The need for consent to be "informed" translates into two additional requirements. First, the way in which the information is given must ensure the use of appropriate language so that data subjects understand what they are consenting to and for what purposes. This is contextual. The use of overly complicated legal or technical jargon would not meet the requirements of the law. Second, the information provided to users should be clear and sufficiently conspicuous so that users cannot overlook it. The information must be provided directly to individuals. It is not enough for it to be merely available somewhere.
• As to how consent must be provided, Article 8.2(a) requires explicit consent to process sensitive data, meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.
• For data other than sensitive data, Article 7(a) requires consent to be unambiguous. "Unambiguous" calls for the use of mechanisms to obtain consent that leave no doubt as to the individual's intention to provide consent. In practical terms, this requirement enables data controllers to use different types of mechanisms to seek consent, ranging from statements to indicate agreement (express consent), to mechanisms that rely on actions that aim at indicating agreement.
• Consent based on an individual's inaction or silence would normally not constitute valid consent, especially in an on-line context. This is an issue that arises in particular with regard to the use of default settings which the data subject is required to modify in order to reject the processing. For example, this is the case with the use of pre-ticked boxes or Internet browser settings that are set by default to collect data.
IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-16/2011
IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-2/2010
Paragraph 6.1 Applicable laws • Article 5(3) applies whenever "information" such as a cookie is stored or retrieved from the terminal equipment of an internet user. It is not a prerequisite that this information is personal data. • In addition, Directive 95/46/EC applies to matters not specifically covered by the ePrivacy Directive whenever personal data are processed. Behavioural advertising is based on the use of identifiers that enable the creation of very detailed user's profiles which, in most cases, will be deemed personal data.
Paragraph 6.4 Obligations and rights
Regarding ad network providers:
• Article 5(3) of the ePrivacy Directive which sets up an obligation to obtain prior informed consent applies to ad network providers.
• Browser settings may only deliver consent in very limited circumstances. Notably, if browsers are set up by default to reject all cookies (having the browser set to such an option) and the user has changed the settings to affirmatively accept cookies, for which he has been fully informed about the name of the data controller, the processing its goals and the data that is collected. Therefore, the browser must either alone or in combination with other means effectively convey clear, comprehensive and fully visible information about the processing.
• Ad network providers should encourage and work with browser manufacturers/developers to implement privacy by design in browsers.
• Cookie-based opt-out mechanisms in general do not constitute an adequate mechanism to obtain informed user consent. In most cases user's consent is implied if they do not opt out. However, in practice, very few people exercise the opt-out option, not because they have made an informed decision to accept behavioural advertising, but rather because they do not realise that the processing is taking place, much less how to exercise the opt out.
• Ad network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and the subsequent monitoring of their surfing behaviour for the purposes of sending him tailored advertising.
• In accordance with Recital 25 of the ePrivacy Directive, a user's acceptance to receive a cookie could also entail his/her acceptance for the subsequent readings of the cookie, and hence for the monitoring of his/her internet browsing. It would not be necessary to request consent for each reading of the cookie. However, to ensure that data subjects remain aware of the monitoring over time, ad network providers should: i) limit in time the scope of the consent; ii) offer the possibility to easily revoke their consent to being monitored for the purposes of serving behavioural advertising and iii) create a symbol or other tools which should be visible in all the web sites where the monitoring takes place (the website partners of the ad network provider). This symbol would not only remind individuals of the monitoring but also help them to control whether they want to continue being monitored or wish to revoke their consent.
• Network providers should ensure compliance with the obligations that arise from Directive 95/46/EC which do not directly overlap with Article 5(3), namely, the purpose limitation principle, and security obligations.
• In addition, the ad network providers should enable individuals to exercise their rights of access and rectification and erasure. The Article 29 Working Party welcomes the practice of some ad network providers to offer data subjects the possibility to access and modify the interest categories in which they have been classified.
• Ad network providers should implement retention policies which ensure that information collected each time that a cookie is read is automatically deleted after a justified period of time (necessary for the purposes of the processing). This also applies for alternative tracking technologies used for behavioural advertising such as JavaScript installed in the user's browser environment.
Ad network providers and publishers:
• Providing highly visible information is a precondition for consent to be valid. Mentioning the practice of behavioural advertising in general terms and conditions and/or privacy policies can never suffice. In this regard and taking into account the average low level of knowledge about the practice of behavioural advertising, efforts should be applied to change this situation.
• Ad network providers/publishers must provide information to users in compliance with Article 10 of Directive 95/46/EC. In practical terms, they should ensure that individuals are told, at a minimum, who (i.e. which entity) is responsible for serving the cookie and collecting the related information. In addition, they should be informed in simple ways that (a) the cookie will be used to create profiles; (b) what type of information will be collected to build such profiles; (c) the fact that the profiles will be used to deliver targeted advertising and (d) the fact that the cookie will enable the user's identification across multiple web sites.
• Network providers/publishers should provide the information directly on the screen, interactively, if needed, through layered notices. In any event it should be easily accessible and highly visible.
• Icons placed on the publisher's website, around advertising, with links to additional information, are good examples. The Article 29 Working Party urges the network providers/publisher industry to be creative in this area.
IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29op9/2014
IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29wd02/2013
IRI: http://www.w3.org/2004/02/skos/core#closeMatch
IRI: http://www.w3.org/2004/02/skos/core#definition
IRI: http://www.w3.org/2004/02/skos/core#exactMatch
IRI: http://purl.org/vocab/vann/preferredNamespacePrefix
IRI: http://www.estrellaproject.org/lkif-core/expression.owl#qualified_by
This HTML document was obtained by processing the OWL ontology source code through LODE, Live OWL Documentation Environment, developed by Silvio Peroni.
Does the EASA/IAB Code provide users with consent options compliant with Article 5(3)?
No. The EASA/IAB Code, instead of seeking users' consent, claims to provide a way of exercising "choice". In fact it is a choice to opt out, as it offers the user the possibility to object to having his/her data collected and further processed for OBA. This "choice" is not consistent with Article 5(3) of the revised e-Privacy Directive, as the data are in fact processed without the user's consent and without providing the user with information before the processing takes place. Therefore, adherence to Principle II does not meet the requirement set out in the revised e-Privacy Directive.