Online-tracking consent will be required from May, EU official says

Agree keyboard

8 November 2017. By Magnus Franklin.

The requirement for online advertisers to get consent from web users to deliver targeted advertising will come into force in May 2018, regardless of whether EU legislators have agreed on a new e-Privacy regulation covering such operations, an EU official said today.

Rosa Barcelo, head of unit for digital privacy at the European Commission, told delegates at a conference* today that the strict consent requirements in the EU’s General Data Protection Regulation (GDPR) will start applying to the old 2009 e-Privacy law when it comes into force on May 25, 2018.

The comments tap into a debate on whether online marketers will need explicit consent to serve targeted advertising, after the European Parliament proposed tight rules for such activities. Advertisers and publishers have warned that such a rule would pull the plug on the bulk of online business models that offer content for free in exchange for the possibility of building a profile of people as they surf the web, and tailoring adverts to match their browsing patterns.

Barcelo said “the rules have not changed, but something important that has changed is that the definition of consent in the GDPR will start applying in May.”

“Even if the new regulation on e-Privacy is not adopted, the consent rule will apply to the old directive,” she added.

In practice, this means that advertisers placing “cookies”, small files on computers that have an identifier that allows them to track users across the websites they visit, will need to get the freely given consent of users to carry out such tracking.

The stricter consent rule will also have a bearing on a parallel discussion about whether it is legal for websites to introduce “cookie walls.” In other words, whether a website can block a visitor that doesn’t agree to being tracked. The European Parliament has proposed to ban such behavior.

Karolina Mojzesowicz, the commission's deputy head of unit for data protection, said it didn’t want to make a clear-cut rule on whether cookie walls should be banned, saying that this analysis should be done on a case-by-case basis.

“If there is still an option, for example you can have access to the page by paying a not-prohibitive price, there is an alternative to accessing the service without giving consent, you could argue,” she said, suggesting that such a scenario would mean a website could block a visitor that neither paid, nor agreed to be tracked.

Ralf Bendrath — a privacy policy expert working for EU Parliament member Jan Philipp Albrecht, who was responsible for the drafting of the GDPR — said advertisers were wrong to say a ban on cookie walls would break the business models of the Internet.

“You could, as a website operator, count your audience, or where they come from, if you do it only for statistical purposes, and not individual targeting,” Bendrath said, suggesting that the Parliament was only cracking down on the most intimate forms of advert-targeting practices.

But Barcelo warned against introducing an explicit cookie-wall ban: “To say what the parliament has said, that cookie walls are prohibited, you risk creating different treatments for different situations that might be similar.” For example, a website that requires a user to log in before accessing a service, using for example an e-mail, would be allowed to block non-registered visitors, whereas a website that delivered adverts via cookies would not be allowed to block them if they declined to consent to tracking.

Barcelo said that the European Parliament has adopted its proposed amendments to the e-Privacy regulation in a vote last month, but there is no sign when governments, which also have the right to propose changes, will agree a version of the law.

She said the commission is working with Estonia and Bulgaria, which chair EU legislative talks in the remainder of 2016 and first half of 2017, respectively, “to help and assist them so they can reach a position as soon as possible and can sit down with the European Parliament” to hammer out a final compromise text.

“At the moment it is not possible to say when they will reach such a position,” Barcelo added.

* IAPP Europe Data Protection Congress, Brussels, Nov. 8-9, 2017

Countdown to the GDPR