Ontology on the EU legal regime on cookies

IRI:
http://ciolaws.com/ontologies/eulr-cookies
Authors:
François Mestre
Contributors:
Víctor Rodríguez Doncel

Table of Contents

  1. Classes
  2. Object Properties
  3. Data Properties
  4. Named Individuals
  5. Annotation Properties
  6. Namespace Declarations

Summary

The purpose of the Ontology on the EU legal regime on cookies is to inform online providers of the legal requirements they should consider before placing cookies on the terminal equipment of internet users in the European Union (EU legal regime on cookies).

Scope

The Ontology uses a general granularity at the level of legal provisions, representing rights, obligations, prohibitions, exceptions, constraints, enforcement procedures, further interpretation, requisites, legal sources.
This ontology also makes use of the Ontology on Data subject's consent in Directive 95/46/EC.

Classes

cookie consent

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieConsent

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art2
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode

Does the EASA/IAB Code provide users with consent options compliant with Article 5(3)?

No. The EASA/IAB Code, instead of seeking users' consent, claims to provide for a way of exercising “choice”. In fact it is a choice to opt out, as it offers the user the possibility to object to having his/her data collected and further processed for OBA. This "choice" is not consistent with Article 5(3) of the revised e-Privacy Directive, as the data are in fact processed without user's consent and without providing the user with information before the processing takes place. Therefore, adherence to Principle II does not meet the requirement set out at the revised e-Privacy Directive.

  • User choice site: www.youronlinechoices.eu

    The first practical implementation of the EASA/IAB Code is the www.youronlinechoices.eu website, where the method selected to express “choice” is based on the use of different "opt-out" cookies. With the help of such a cookie an advertising network may record the user’s refusal to further take part in online behavioural advertising. This approach could easily be modified to be compliant with the amended Article 5(3) of the directive by creating an “opt-in” cookie solution, as explained later on.

    The website contains a list with different names of advertising networks. Users may indicate their preference if they do not wish to receive targeted advertising from one, more or all of the networks. Selecting one or more advertising networks results in the installation of one or more opt-out cookies from these networks.

    This implementation, apart from the fact that it follows an opt-out approach and thus is not consistent with the requirement for prior informed consent as set out in article 5(3) of the revised e-Privacy Directive, has the following additional problems:

    a) Although the opt-out cookie prevents the further reception of personalised advertising, it does not stop the advertising network from accessing and storing information in the user's terminal. On the contrary, it has been demonstrated that an ongoing technical exchange of information between the user’s terminal equipment and the advertising network is still in place after the installation of the opt-out cookie.
    b) The user is not informed on whether or not the tracking cookie remains stored in his/her computer and for what purpose.
    c) The installation of the opt-out cookie does not offer the possibility to manage and delete previously installed tracking cookies, whereas at the same time it creates the mistaken presumption that opting out disables the tracking of internet behaviour.
has super-classes
consent [c]
cookie legal ground [c]
is in domain of
is seeked by [op]
is in range of
gives consent [op], has user consent [op]

cookie derogation

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieDerogation

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3

What are the exceptions to the obligation to seek prior consent (to the principle of informed consent)? When can a cookie be exempt from the principle of informed consent?

There are two exceptions concerning the technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network (Exception A), or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service (Exception B).

has super-classes
cookie legal ground [c]
is in range of
has legal derogation [op]
has members
exception a [ni], exception b [ni]

cookie information

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieInformation

has super-classes
information [c]
is in range of
provides cookie information [op]

cookie legal ground

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieLegalGround

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive136rec66
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3

The use of tracking devices should be allowed only for legitimate purposes, with the knowledge of the users concerned (with prior informed consent), unless an exception applies

has sub-classes
cookie consent [c], cookie derogation [c]
is in range of
has legal ground [op]

cookie publisher

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookiePublisher

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3

Data controller as per definition in Directive 95/46/EC (syn. Publishers, Provider of Information services)

has super-classes
third party publisher [c] or web site operator [c]
has sub-classes
third party publisher [c], web site operator [c]
is in domain of
provides cookie information [op]
is in range of
can give consent [op], has privacy [op], has publisher [op], is seeked by [op]

cookie purpose

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookiePurpose

is equivalent to
illegitimate cookie purpose [c] or legitimate cookie purpose [c]
has sub-classes
illegitimate cookie purpose [c], legitimate cookie purpose [c]
is in range of
has purpose [op]

cookie purpose with derogation

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookiePurposeWithDerogation

has super-classes
legitimate cookie purpose [c]

cookie user

IRI: http://ciolaws.com/ontologies/eulr-cookies#CookieUser

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art2

any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (syn. Subscriber)

has super-classes
inverse has recipient [op] some setting cookie [c]
is in domain of
can give consent [op], gives consent [op], has privacy [op]
is in range of
has recipient [op], is received by [op]

first party cookie

IRI: http://ciolaws.com/ontologies/eulr-cookies#FirstPartyCookie

is equivalent to
has origin [dp] value First Party
has super-classes
tracking device [c]

illegitimate cookie purpose

IRI: http://ciolaws.com/ontologies/eulr-cookies#IllegitimateCookiePurpose

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58rec24

Seriously intrude upon the privacy of the users (non exhaustive list)

has super-classes
cookie purpose [c]
is disjoint with
legitimate cookie purpose [c]

legitimate cookie purpose

IRI: http://ciolaws.com/ontologies/eulr-cookies#LegitimateCookiePurpose

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58rec25

Facilitate the provision of information society services (e.g. analysing the effectiveness of website design and advertising, and verifying the identity of users engaged in on-line transactions) (non-exhaustive list)

has super-classes
cookie purpose [c]
has sub-classes
cookie purpose with derogation [c]
has members
online behavioural advertising [ni]
is disjoint with
illegitimate cookie purpose [c]

permanent cookie

IRI: http://ciolaws.com/ontologies/eulr-cookies#PermanentCookie

is equivalent to
has duration [dp] value Permanent
has super-classes
tracking device [c]

session cookie

IRI: http://ciolaws.com/ontologies/eulr-cookies#SessionCookie

is equivalent to
has duration [dp] value Session
has super-classes
tracking device [c]

setting cookie

IRI: http://ciolaws.com/ontologies/eulr-cookies#SettingCookie

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive136rec66
http://ciolaws.com/ontologies/eulr-cookies#directive58art15a
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3

The operation consisting of introducing a device capable of storing or accessing information in the terminal equipment of a subscriber or user (syn. planting cookie)

is equivalent to
(introduces in terminal equipment [op] some tracking device [c]) and (has legal ground [op] some cookie consent [c] or cookie derogation [c]) and (has publisher [op] some cookie publisher [c]) and (has purpose [op] some legitimate cookie purpose [c]) and (has recipient [op] some cookie user [c])
is in domain of
has legal derogation [op], has legal ground [op], has publisher [op], has purpose [op], has recipient [op], has user consent [op], introduces in terminal equipment [op]

third party cookie

IRI: http://ciolaws.com/ontologies/eulr-cookies#ThirdPartyCookie

is equivalent to
has origin [dp] value Third Party
has super-classes
tracking device [c]

third party publisher

IRI: http://ciolaws.com/ontologies/eulr-cookies#ThirdPartyPublisher

is defined by
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode
http://ciolaws.com/ontologies/eulr-cookies#wp29-2/2010

An entity is a Third Party to the extent that it engages in Online Behavioural Advertising on a web site or web sites other than a web site or web sites it or an entity under Common Control owns or operates (syn. Ad network provider)

has super-classes
cookie publisher [c]
is disjoint with
web site operator [c]

tracking device

IRI: http://ciolaws.com/ontologies/eulr-cookies#TrackingDevice

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive136rec66
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3
http://ciolaws.com/ontologies/eulr-cookies#edps071116
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012
http://ciolaws.com/ontologies/eulr-cookies#wp29op9/2014

To which technologies is Art. 5(3) of the E-Privacy Directive (2002/58/EC) applicable?

Device that can store or access information in the terminal equipment of a subscriber or user (e.g. cookies, JavaScript, device fingerprinting, spyware, viruses, web bugs, hidden identifiers and other similar devices). The requirement applies to all types of information stored or accessed in the user’s terminal device, although the majority of discussion has centred on the usage of cookies as understood by the definition in RFC6265.

The technologies falling within this definition include:

  • Cookies.
  • Scripts (such as JavaScript code) and components (such as browser plug-ins) to be executed on the client side.
  • Web caching mechanisms.
  • HTML5 local storage.
  • “Device fingerprinting”.
  • “Canvas fingerprinting” and “Evercookies”.
  • Web beacons.
  • Any other technologies insofar as they enable reading or storing information from/onto the web service user's client device.

The information accessed or stored does not need to be personal data.

has sub-classes
first party cookie [c], permanent cookie [c], session cookie [c], third party cookie [c]
is in domain of
has duration [dp], has origin [dp]
is in range of
introduces in terminal equipment [op]
has members
cookie [ni], device fingerprinting [ni], HTML5 local storage [ni], script [ni], web beacon [ni], web caching mechanism [ni]

web site operator

IRI: http://ciolaws.com/ontologies/eulr-cookies#WebSiteOperator

is defined by
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode

A Web Site Operator is the owner, controller or operator of the web site with which the web user interacts

has super-classes
cookie publisher [c]
is disjoint with
third party publisher [c]

Object Properties

can give consent

IRI: http://ciolaws.com/ontologies/eulr-cookies#canGiveConsent

Enabling power: legal power of the user to surrender his privilege on the data on his device to the service provider (the user gives “licence” of entrance to the service provider). Withholding of access by others (right) unless some consent is given. Correlative to this legal power is the legal liability (subjection) of the service provider, which is subject, nolens volens, to the change in jural relation involved in the exercise of the user's power to give his consent. Following the representation proposed in (Sartor, 2006), the jural relations above can be formalized as:

EnablingPower_u (let use cookies VIA consent) = Subjection_sp (User = u, Service provider = sp)

has super-properties
has jural relation [op]
has domain
cookie user [c]
has range
cookie publisher [c]
is inverse of
seek prior informed consent [op]

gives consent

IRI: http://ciolaws.com/ontologies/eulr-consent#givesConsent

has domain
cookie user [c]
has range
cookie consent [c]

has jural relation

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasJuralRelation

has legal derogation

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasLegalDerogation

is defined by
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012
http://ciolaws.com/ontologies/eulr-cookies#wp29-15/2011

For what purposes can (or can not) the exemption be applied?

First party session cookies are far more likely to be exempted from consent than third party persistent cookies. However, the purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.

This analysis has shown that the following cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes:

    1) User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases.
    2) Authentication cookies, used for authenticated services, for the duration of a session.
    3) User centric security cookies, used to detect authentication abuses, for a limited persistent duration.
    4) Multimedia content player session cookies, such as flash player cookies, for the duration of a session.
    5) Load balancing session cookies, for the duration of session.
    6) UI customization persistent cookies, for the duration of a session (or slightly more).
    7) Third party social plug-in content sharing cookies, for logged in members of a social network.

Having regard to social networks, the working party notes however that the use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites. The working party recalls that third party advertising cookies cannot be exempted from consent, and further clarifies that consent would also be needed for operational purposes related to third party advertising such as frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging. While some operational purposes might certainly distinguish one user from another, in principle these purposes do not justify the use of unique identifiers. This point is of particular relevance in the context of the current discussions regarding the implementation of the Do Not Track standard in Europe. This analysis also shows that first party analytics cookies are not exempt from consent but pose limited privacy risks, provided reasonable safeguards are in place, including adequate information, the ability to opt-out easily and comprehensive anonymisation mechanisms.

has super-properties
has legal ground [op]
has domain
setting cookie [c]
has range
cookie derogation [c]

has legal ground

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasLegalGround

has privacy

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasPrivacy

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58rec24

Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms.

has super-properties
has jural relation [op]
has domain
cookie user [c]
has range
cookie publisher [c]
is inverse of
no access [op]

has publisher

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasPublisher

has domain
setting cookie [c]
has range
cookie publisher [c]

has purpose

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasPurpose

has domain
setting cookie [c]
has range
cookie purpose [c]

has recipient

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasRecipient

has domain
setting cookie [c]
has range
cookie user [c]

has user consent

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasUserConsent

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58rec25
http://ciolaws.com/ontologies/eulr-cookies#edps071116

Can the consent serve for several cookies?

Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections.

has super-properties
has legal ground [op]
has domain
setting cookie [c]
has range
cookie consent [c]

introduces in terminal equipment

IRI: http://ciolaws.com/ontologies/eulr-cookies#IntroducesInTerminalEquipment

has domain
setting cookie [c]
has range
tracking device [c]

is received by

IRI: http://ciolaws.com/ontologies/eulr-consent#isReceivedBy

has range
cookie user [c]

is seeked by

IRI: http://ciolaws.com/ontologies/eulr-consent#isSeekedBy

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58rec25
http://ciolaws.com/ontologies/eulr-cookies#edps071116
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode
http://ciolaws.com/ontologies/eulr-cookies#wp29-15/2011
http://ciolaws.com/ontologies/eulr-cookies#wp29-16/2011
http://ciolaws.com/ontologies/eulr-cookies#wp29wd02/2013

What does the EASA/IAB Code implement to obtain consent?

User choice over Online Behavioural Advertising

A. Each Third Party should make available a mechanism for web users to exercise their choice with respect to the collection and use of data for OBA purposes and the transfer of such data to Third Parties for OBA. Such choice should be available from the notice described in I.A.1 and via the OBA User Choice Site.

Under the EASA/IAB Code, an icon will be used as an information notice for behavioural advertising. In the current implementation of the Code, the icon is linked to an information website, www.youronlinechoices.eu.

Since the icon in itself and the website www.youronlinechoices.eu do not provide accurate and easily understandable information about the different controllers (advertising networks) and their purposes for the processing, the Code and the website do not meet the requirement set out at the revised e-Privacy Directive.

has domain
cookie consent [c]
has range
cookie publisher [c]

no access

IRI: http://ciolaws.com/ontologies/eulr-cookies#noAccess

has super-properties
has jural relation [op]
is inverse of
has privacy [op]

provide information

IRI: http://ciolaws.com/ontologies/eulr-consent#provideInformation

has super-properties
seek prior informed consent [op]

provides cookie information

IRI: http://ciolaws.com/ontologies/eulr-cookies#providesCookieInformation

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode

Provide clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing

has super-properties
provides information [op]
has domain
cookie publisher [c]
has range
cookie information [c]

seek prior informed consent

IRI: http://ciolaws.com/ontologies/eulr-cookies#seekPriorInformedConsent

is defined by
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012
http://ciolaws.com/ontologies/eulr-cookies#wp29-16/2011

The publisher of the cookie, be it the web site operator or the third party publisher (advertising network provider) has the obligation to seek and obtain the consent from the user.

has super-properties
has jural relation [op]
has sub-properties
provide information [op]
is inverse of
can give consent [op]

Data Properties

has duration

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasDuration

is defined by
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012

Cookies are often categorized according to whether they are “session cookies” or “persistent cookies”. A “session cookie” is a cookie that is automatically deleted when the user closes his browser, while a “persistent cookie” is a cookie that remains stored in the user’s terminal device until it reaches a defined expiration date (which can be minutes, days or several years in the future).

has characteristics: functional

has domain
tracking device [c]
has range
{ "Permanent" , "Session" }

has origin

IRI: http://ciolaws.com/ontologies/eulr-cookies#hasOrigin

is defined by
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012

Cookies are often categorized according to whether they are “third party cookies” or “first party cookies”. “Third party cookie” describes cookies that are set by data controllers that do not operate the website currently visited by the user. Conversely, the term “first party cookie” will be used to refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.

has characteristics: functional

has domain
tracking device [c]
has range
{ "First Party" , "Third Party" }

Named Individuals

cookie

IRI: http://ciolaws.com/ontologies/eulr-cookies#Cookie

is defined by
http://delicias.dia.fi.upm.es/~vrodriguez/tmp/eulr-cookies.owl

Pieces of text generated by the web services that the user has visited. Web services store these text files on the devices where the web browsers are installed to enable the exchange of information.

belongs to
tracking device [c]

device fingerprinting

IRI: http://ciolaws.com/ontologies/eulr-cookies#DeviceFingerprinting

is defined by
http://ciolaws.com/ontologies/eulr-cookies#wp29op9/2014

Device fingerprinting

belongs to
tracking device [c]

directive136rec66

IRI: http://ciolaws.com/ontologies/eulr-cookies#directive136rec66

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

belongs to
legal source [c]

directive58art15a

IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58art15a

Implementation and enforcement

  1. Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified. The Member States shall notify those provisions to the Commission by 25 May 2011, and shall notify it without delay of any subsequent amendment affecting them.
belongs to
legal source [c]

directive58art2

IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58art2

‘user’ means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; ‘consent’ by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC;

belongs to
legal source [c]

directive58art5 3

IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

belongs to
legal source [c]

directive58rec24

IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58rec24

is defined by
http://delicias.dia.fi.upm.es/~vrodriguez/tmp/eulr-cookies.owl

Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

belongs to
legal source [c]

directive58rec25

IRI: http://ciolaws.com/ontologies/eulr-cookies#directive58rec25

However, such devices, for instance so-called ‘cookies’, can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment. Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections. The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

belongs to
legal source [c]

EASA/IAB self-regulatory Best Practice Recommendation on online behavioural advertising

IRI: http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode

belongs to
legal source [c]

EDPS guidelines on the protection of personal data processed through web services provided by EU institutions

IRI: http://ciolaws.com/ontologies/eulr-cookies#edps071116

belongs to
legal source [c]

exception a

IRI: http://ciolaws.com/ontologies/eulr-cookies#ExceptionA

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012

The technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

EXCEPTION A encompasses cookies that fulfil at least one of the properties defined (below) for Internet communications:

    1) The ability to route the information over the network, notably by identifying the communication endpoints.
    2) The ability to exchange data items in their intended order, notably by numbering data packets.
    3) The ability to detect transmission errors or data loss.

belongs to
cookie derogation [c]

exception b

IRI: http://ciolaws.com/ontologies/eulr-cookies#ExceptionB

is defined by
http://ciolaws.com/ontologies/eulr-cookies#directive58art5-3
http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012

The technical storage or access as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service (e.g. cookies necessary for the functioning of a shopping basket, the security of the system, the storing of language preferences).

A cookie matching EXCEPTION B would need to pass the following tests:

    1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available.
    2) This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.

Comment: “sole purpose” and “strictly necessary” indicate that these two exceptions must be interpreted in a restrictive way.

Ultimately: 1) When applying EXCEPTION B, it is important to examine what is strictly necessary from the point of view of the user, not the service provider. 2) If a cookie is used for several purposes, it can only benefit from an exemption to informed consent if each distinct purpose individually benefits from such an exemption. 3) The purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.

belongs to
cookie derogation

HTML5 local storage

IRI: http://ciolaws.com/ontologies/eulr-cookies#HTML5LocalStorage

is defined by
http://ciolaws.com/ontologies/eulr-cookies#edps071116

HTML5 local storage.

belongs to
tracking device

online behavioural advertising

IRI: http://ciolaws.com/ontologies/eulr-cookies#OnlineBehaviouralAdvertising

is defined by
http://ciolaws.com/ontologies/eulr-cookies#EASA/IABcode
http://ciolaws.com/ontologies/eulr-cookies#wp29-16/2011

Behavioural advertising techniques enable advertisers, mainly ad providers, to track individuals when they surf the internet, to build profiles and to use them to serve tailored advertising. In most cases, individuals are simply unaware that this is happening.

Online Behavioural Advertising means the collection of data from a particular computer or device regarding web viewing behaviours over time and across multiple web domains not under Common Control for the purpose of using such data to predict web user preferences or interests to deliver online advertising to that particular computer or device based on the preferences or interests inferred from such web viewing behaviours. Online Behavioural Advertising does not include the activities of Web Site Operators, Ad Delivery or Ad Reporting, or contextual advertising (e.g. advertising based on the content of the web page being visited, a consumer’s current visit to a web page, or a search query).

belongs to
legitimate cookie purpose

script

IRI: http://ciolaws.com/ontologies/eulr-cookies#Script

is defined by
http://ciolaws.com/ontologies/eulr-cookies#edps071116

Scripts (e.g. JavaScript code) and components (such as browser plug-ins) to be executed on the client side.

belongs to
tracking device

This analysis has shown that the following cookies can be exempted from informed consent under certain conditions if they are not used for additional purposes:

  1) User input cookies (session-id), for the duration of a session or persistent cookies limited to a few hours in some cases.
  2) Authentication cookies, used for authenticated services, for the duration of a session.
  3) User centric security cookies, used to detect authentication abuses, for a limited persistent duration.
  4) Multimedia content player session cookies, such as flash player cookies, for the duration of a session.
  5) Load balancing session cookies, for the duration of session.
  6) UI customization persistent cookies, for the duration of a session (or slightly more).
  7) Third party social plug-in content sharing cookies, for logged in members of a social network.

Having regard to social networks, the working party notes however that the use of third party social plug-in cookies for other purposes than to provide a functionality explicitly requested by their own members requires consent, notably if these purposes involve tracking users across websites.

The working party recalls that third party advertising cookies cannot be exempted from consent, and further clarifies that consent would also be needed for operational purposes related to third party advertising such as frequency capping, financial logging, ad affiliation, click fraud detection, research and market analysis, product improvement and debugging. While some operational purposes might certainly distinguish one user from another, in principle these purposes do not justify the use of unique identifiers. This point is of particular relevance in the context of the current discussions regarding the implementation of the Do Not Track standard in Europe.

This analysis also shows that first party analytics cookies are not exempt from consent but pose limited privacy risks, provided reasonable safeguards are in place, including adequate information, the ability to opt-out easily and comprehensive anonymisation mechanisms.

Some primary guidelines can be drawn from the analysis and the cookie use scenarios presented in this opinion:

  1) When applying CRITERION B, it is important to examine what is strictly necessary from the point of view of the user, not the service provider.
  2) If a cookie is used for several purposes, it can only benefit from an exemption to informed consent if each distinct purpose individually benefits from such an exemption.
  3) First party session cookies are far more likely to be exempted from consent than third party persistent cookies. However the purpose of the cookie should always be the basis for evaluating if the exemption can be successfully applied rather than a technical feature of the cookie.

Ultimately, to decide if a cookie is exempt from the principle of informed consent it is important to verify carefully if it fulfils one of the two exemption criteria defined in Article 5.3 as modified by Directive 2009/136/EC. After a careful examination, if substantial doubts remain on whether or not an exemption criterion applies, website operators should closely examine if there is not in practice an opportunity to gain consent from users in a simple unobtrusive way, thus avoiding any legal uncertainty.

IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-04/2012

belongs to
legal source

W3C tracking protection working group recommendations

IRI: http://ciolaws.com/ontologies/eulr-cookies#W3Crec

  • Tracking Preference Expression (DNT), W3C Candidate Recommendation 20 August 2015
  • Tracking Compliance and Scope (TCS), W3C Candidate Recommendation 26 April 2016

belongs to
legal source

web beacon

IRI: http://ciolaws.com/ontologies/eulr-cookies#WebBeacon

is defined by
http://ciolaws.com/ontologies/eulr-cookies#edps071116

Web beacons

belongs to
tracking device

web caching mechanism

IRI: http://ciolaws.com/ontologies/eulr-cookies#WebCachingMechanism

is defined by
http://ciolaws.com/ontologies/eulr-cookies#edps071116

Web caching mechanisms.

belongs to
tracking device

Working Party 29 Opinion 15/2011 on the definition of consent

IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-15/2011

IV.1. Clarification of the key aspects of the current framework

Article 2 (h) of Directive 95/46/EC defines consent as "any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed". Article 7 of the Directive, which sets forth the legal basis for processing personal data, sets out unambiguous consent as one of the legal grounds. Article 8 requires explicit consent as a legal ground to process sensitive data. Article 26.1 of Directive 95/46/EC and various provisions of the ePrivacy Directive require consent to carry out specific data processing activities within their scope of application. The points developed in this opinion aim at clarifying the various elements of this legal framework in an effort to make it easier to apply by stakeholders in general.

Elements/observations of general nature

  • Consent is one of the six legal grounds to process personal data (one of five for sensitive data); it is an important ground as it gives some control to the data subject with regard to the processing of his data. The relevance of consent as an enabler of the individual’s autonomy and self-determination relies on its use in the right context and with the necessary elements.
  • Generally speaking, the legal framework of Directive 95/46/EC applies whenever consent is sought, independently of whether this happens off-line or on-line. For example, the same rules apply when a bricks and mortar retailer seeks sign up for a loyalty card scheme via a paper form, as would be the case if it did this through its Internet site. In addition, the ePrivacy Directive specifies certain data processing operations which are subject to consent: they mostly relate to the processing of data in connection with the provision of publicly available electronic communication services. The requirements for consent to be valid within Directive 2002/58/EC are the same as under Directive 95/46/EC.
  • Situations where data controllers use consent as a legal ground to process personal data should not be confused with situations where the controller bases the processing on other legal grounds which entail an individual right to object. For example, this may be the case when the processing relies on the 'legitimate interests' of the data controller ex Article 7(f) of Directive 95/46/EC, yet the individual has the right to object ex Article 14(a) of Directive 95/46/EC. Another example is when a data controller sends e-mail communications to existing clients in order to promote the data controller's own or similar products or services, however, individuals have a right to object under Article 13.2 of Directive 2002/58/EC. In both cases, the data subject has the right to object to the processing, this is not the same as consent.
  • Reliance on consent to process personal data does not relieve the data controller from his obligation to meet the other requirements of the data protection legal framework, for example, to comply with the principle of proportionality under Article 6.1(c), security of the processing ex Article 17, etc.
  • Valid consent presupposes individuals' capacity to consent. Rules regarding the capacity to consent are not harmonised and may therefore vary from Member State to Member State.
  • Individuals who have consented should be able to withdraw their consent, preventing further processing of their data. This is confirmed also under the ePrivacy Directive for specific data processing operations based on consent, such as the processing of location data other than traffic data.
  • Consent must be provided before the processing of personal data starts, but it can also be required in the course of a processing, where there is a new purpose. This is stressed in various provisions of Directive 2002/58/EC, either through the requirement "prior" (e.g. Article 6.3) or through the wording of the provisions (e.g. Article 5.3).

Specific elements of the legal framework related to consent

  • For consent to be valid, it must be freely given. This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Data processing operations in the employment environment where there is an element of subordination, as well as in the context of government services such as health may require careful assessment of whether individuals are free to consent.
  • Consent must be specific. Blanket consent without determination of the exact purposes does not meet the threshold. Rather than inserting the information in the general conditions of the contract, this calls for the use of specific consent clauses, separated from the general terms and conditions.
  • Consent must be informed. Articles 10 and 11 of the Directive list the type of information that must necessarily be provided to individuals. In any event, the information provided must be sufficient to guarantee that individuals can make well informed decisions about the processing of their personal data. The need for consent to be "informed" translates into two additional requirements. First, the way in which the information is given must ensure the use of appropriate language so that data subjects understand what they are consenting to and for what purposes. This is contextual. The use of overly complicated legal or technical jargon would not meet the requirements of the law. Second, the information provided to users should be clear and sufficiently conspicuous so that users cannot overlook it. The information must be provided directly to individuals. It is not enough for it to be merely available somewhere.
  • As to how consent must be provided, Article 8.2(a) requires explicit consent to process sensitive data, meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.
  • For data other than sensitive data, Article 7(a) requires consent to be unambiguous. "Unambiguous" calls for the use of mechanisms to obtain consent that leave no doubt as to the individual's intention to provide consent. In practical terms, this requirement enables data controllers to use different types of mechanisms to seek consent, ranging from statements to indicate agreement (express consent), to mechanisms that rely on actions that aim at indicating agreement.
  • Consent based on an individual's inaction or silence would normally not constitute valid consent, especially in an on-line context. This is an issue that arises in particular with regard to the use of default settings which the data subject is required to modify in order to reject the processing. For example, this is the case with the use of pre-ticked boxes or Internet browser settings that are set by default to collect data.

belongs to
legal source

Working Party 29 Opinion 16/2011 on EASA/IAB Best Practice Recommendation on Online Behavioural Advertising

IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-16/2011

belongs to
legal source

Working Party 29 Opinion 2/2010 on online behavioural advertising

IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29-2/2010

Paragraph 6.1 Applicable laws

  • Article 5(3) applies whenever "information" such as a cookie is stored or retrieved from the terminal equipment of an internet user. It is not a prerequisite that this information is personal data.
  • In addition, Directive 95/46/EC applies to matters not specifically covered by the ePrivacy Directive whenever personal data are processed. Behavioural advertising is based on the use of identifiers that enable the creation of very detailed user profiles which, in most cases, will be deemed personal data.

Paragraph 6.4 Obligations and rights

Regarding ad network providers:

  • Article 5(3) of the ePrivacy Directive which sets up an obligation to obtain prior informed consent applies to ad network providers.
  • Browser settings may only deliver consent in very limited circumstances. Notably, if browsers are set up by default to reject all cookies (having the browser set to such an option) and the user has changed the settings to affirmatively accept cookies, for which he has been fully informed about the name of the data controller, the processing, its goals and the data that is collected. Therefore, the browser must either alone or in combination with other means effectively convey clear, comprehensive and fully visible information about the processing.
  • Ad network providers should encourage and work with browser manufacturers/developers to implement privacy by design in browsers.
  • Cookie-based opt-out mechanisms in general do not constitute an adequate mechanism to obtain informed user consent. In most cases user's consent is implied if they do not opt out. However, in practice, very few people exercise the opt-out option, not because they have made an informed decision to accept behavioural advertising, but rather because they do not realise that the processing is taking place, much less how to exercise the opt out.
  • Ad network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and the subsequent monitoring of their surfing behaviour for the purposes of sending him tailored advertising.
  • In accordance with Recital 25 of the ePrivacy Directive, a user's acceptance to receive a cookie could also entail his/her acceptance for the subsequent readings of the cookie, and hence for the monitoring of his/her internet browsing. It would not be necessary to request consent for each reading of the cookie. However, to ensure that data subjects remain aware of the monitoring over time, ad network providers should: i) limit in time the scope of the consent; ii) offer the possibility to easily revoke their consent to being monitored for the purposes of serving behavioural advertising and iii) create a symbol or other tools which should be visible in all the web sites where the monitoring takes place (the website partners of the ad network provider). This symbol would not only remind individuals of the monitoring but also help them to control whether they want to continue being monitored or wish to revoke their consent.
  • Network providers should ensure compliance with the obligations that arise from Directive 95/46/EC which do not directly overlap with Article 5(3), namely, the purpose limitation principle, and security obligations.
  • In addition, the ad network providers should enable individuals to exercise their rights of access and rectification and erasure. The Article 29 Working Party welcomes the practice of some ad network providers to offer data subjects the possibility to access and modify the interest categories in which they have been classified.
  • Ad network providers should implement retention policies which ensure that information collected each time that a cookie is read is automatically deleted after a justified period of time (necessary for the purposes of the processing). This also applies for alternative tracking technologies used for behavioural advertising such as JavaScript installed in the user's browser environment.

Ad network providers and publishers:

  • Providing highly visible information is a precondition for consent to be valid. Mentioning the practice of behavioural advertising in general terms and conditions and/or privacy policies can never suffice. In this regard and taking into account the average low level of knowledge about the practice of behavioural advertising, efforts should be applied to change this situation.
  • Ad network providers/publishers must provide information to users in compliance with Article 10 of Directive 95/46/EC. In practical terms, they should ensure that individuals are told, at a minimum, who (i.e. which entity) is responsible for serving the cookie and collecting the related information. In addition, they should be informed in simple ways that (a) the cookie will be used to create profiles; (b) what type of information will be collected to build such profiles; (c) the fact that the profiles will be used to deliver targeted advertising and (d) the fact that the cookie will enable the user's identification across multiple web sites.
  • Network providers/publishers should provide the information directly on the screen, interactively, if needed, through layered notices. In any event it should be easily accessible and highly visible.
  • Icons placed on the publisher's website, around advertising, with links to additional information, are good examples. The Article 29 Working Party urges the network providers/publisher industry to be creative in this area.

belongs to
legal source

Working Party 29 Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting

IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29op9/2014

belongs to
legal source

Working Party 29 Working Document 02/2013 providing guidance on obtaining consent for cookies

IRI: http://ciolaws.com/ontologies/eulr-cookies#wp29wd02/2013

belongs to
legal source

Annotation Properties

close match

IRI: http://www.w3.org/2004/02/skos/core#closeMatch

contributor

IRI: http://purl.org/dc/terms/contributor

creator

IRI: http://purl.org/dc/terms/creator

definition

IRI: http://www.w3.org/2004/02/skos/core#definition

exact match

IRI: http://www.w3.org/2004/02/skos/core#exactMatch

licence

IRI: http://purl.org/dc/terms/licence

narrower

IRI: http://www.w3.org/2004/02/skos/core#narrower

preferred namespace prefix

IRI: http://purl.org/vocab/vann/preferredNamespacePrefix

qualified by

IRI: http://www.estrellaproject.org/lkif-core/expression.owl#qualified_by

title

IRI: http://purl.org/dc/terms/title

Namespace Declarations

default namespace
http://ciolaws.com/ontologies/eulr-cookies#
dc
http://purl.org/dc/terms/
error
http://org.semanticweb.owlapi/error#
eulr-consent
http://ciolaws.com/ontologies/eulr-consent#
expression
http://www.estrellaproject.org/lkif-core/expression.owl#
lkif
http://www.estrellaproject.org/lkif-core/lkif-extended.owl#
norm-owl
http://www.estrellaproject.org/lkif-core/norm.owl#
ontologies
http://ciolaws.com/ontologies/
owl
http://www.w3.org/2002/07/owl#
rdf
http://www.w3.org/1999/02/22-rdf-syntax-ns#
rdfs
http://www.w3.org/2000/01/rdf-schema#
skos
http://www.w3.org/2004/02/skos/core#
vann
http://purl.org/vocab/vann/
xsd
http://www.w3.org/2001/XMLSchema#

This HTML document was obtained by processing the OWL ontology source code through LODE, Live OWL Documentation Environment, developed by Silvio Peroni.