IP, Technology & Data

With around six weeks to go until the end of the Information Commissioner’s one year grace period for compliance with the new cookies regulations, it’s time for another blog post on one of the more problematic issues.

I’ve blogged before about my experiences with online behavioural advertising, in particular the Criteo network used by, amongst others, the Guardian and Expedia/hotels.com.

Once again, I noticed adverts on the Guardian website that were for hotels that I’d recently looked at on the website of the advertiser. But now there is a little “i” icon in the corner of the advert. (I’d include a screen shot but I didn’t think to do this before I opted out of the system. Oops.)

Opt-out, not opt-in
Clicking on this icon tells you that, in the case of this advert, it’s an advert provided by the Criteo Network, and invites you to click on the link to find out more about the system.

You are taken to a page on the Criteo website which explains why, in this case, I am receiving targeted adverts from Expedia, showing both the source information (the pages I have visited on Expedia) and the output information (other hotels that people have viewed in that location).

Below this, you are told that a cookie has been deployed which indicates that you have opted in to the Criteo system. If you do not wish to receive targeted advertising from Criteo then you can click to opt out.

The system that Criteo uses is the self regulatory approach adopted by the Internet Advertising Bureau (IAB), and was the subject of an opinion from the Article 29 Working Party (a grouping of representatives of the various EU data protection regulators) last December. In addition to individual control panels on each member’s website, the IAB also offers a website which allows users to set preferences for all its members through a central control panel.

Why the opt-out system doesn’t work
Whilst this system gives users a way to opt out of targeted advertising, there are a number of problems which means, in the view of the Article 29 Working Party, that the system doesn’t comply with the requirements of the new cookies regulations:

  • The default position is opt-in. The cookie is deployed without the user being aware or being provided with clear information on how its data is being used. The onus is then on the user to opt out if it does not wish to participate. As the Article 29 Working Party points out, this doesn’t meet the requirements of the new regulations, which require users to give their informed (and prior) consent to the use of cookies. Indeed, this approach is exactly what the new regulations were intended to outlaw.
  • The industry may argue that consent can be implied from the fact that users have not opted out, but I don’t think this works as users simply don’t have enough information and knowledge about how these settings can be controlled – informed consent cannot be implied. Blogs like this may help in that education process, but it will take time.
  • The icon link to the control panel on the advert is not obvious to users. Unless you click on it you don’t know what it is. Similarly, most users do not know about the central control panel that the IAB offers as its solution to the requirements of the cookies regulations.
  • If you do wish to opt out of being tracked then you have to agree to a cookie being deployed so that the relevant system knows that you have opted out. Again, this goes against the requirements of the new regulations. Essentially, with these systems you need to accept a cookie or set your browser so that all cookies (or third party cookies) are disabled. It’s difficult to see how informed consent can be given in such a situation. And if you ever clean out your browser cache and cookies you are back to square one, with every OBA provider assuming that you have opted in.
  • When a user opts out, you might assume that he or she is no longer tracked. But this is not the case. The original opt-in cookie does not appear to be deleted, and therefore still allows tracking, albeit that no targeted adverts are shown. As the Article 29 Working Party points out, this is misleading and does not help to build confidence and understanding amongst consumers.

I am a website that uses adverts provided by third parties – what should I be doing?
The UK Information Commissioner’s Office (ICO) has made it clear that responsibility for obtaining consent to third party cookies is the joint responsibility of the primary website and the provider of that third party cookie. In practice, responsibility rests with the former (as it “controls” the website), but it had no control over how that cookie is used once it has been set.

The latest guidance from the ICO fails to provide detailed advice on this, given the Article 29 Working Party’s opinion on the IAB’s self-regulatory mechanism.

Whilst the Article 29 Working Party’s opinion offers up some options for obtaining consent (for example banners and splash screens), website operators are dependant upon the advertising industry for providing easy to deploy solutions for their websites. In the meantime, website operators are left in a difficult position.

I am a consumer – what can I do in the meantime?
If you are happy with receiving behavioural/targeted advertising then you need do nothing.

If you would like to opt out from targeted advertising then the best thing to do is to visit the IAB’s website to centrally control your preferences for targeted advertising offered by its members. Of course, this is exactly how the IAB would like the system to work, but in the absence of any alternative system this is the only way to control your preferences.

Follow me