Archive for the 'Cookies' Category

European guidance on mobile apps and privacy

The Article 29 Working Party (the “A29WP”), a grouping of representatives from the various European data protection regulators, recently issued an opinion on apps on smart devices.

There are two constants with the A29WP’s opinions:

  • Firstly, although often presented as such, they are not an authoritative statement of the law. They simply set out the collective (sometimes aspirational) interpretation of the European data protection directive.
  • Secondly, the opinions set out a far stricter interpretation of the directive than that usually taken by the UK’s Information Commissioner’s Office (ICO). This reflects the fact that the ICO usually takes a more business friendly/pragmatic approach to interpreting the law than some of its European counterparts.

That said, the latest opinion provides some useful guidance for app developers, and builds on previous guidance from California’s attorney general and the GSMA, which I summarised in this blog post last year.

The guidance also follows on from the so-called Cookie Law, which (contrary to popular opinion) also applies to mobile apps.

Why do mobile apps raise privacy concerns?
As I noted in that blogpost, there are a number of reasons for the current privacy deficiencies with mobile apps:

  • The market is immature, with many apps developed by individuals or small companies not familiar with privacy laws, but whose products have become hugely popular.
  • The distribution model is fragmented and apps frequently incorporate third party services (for example, mapping providers) into their functionality. SDKs and OS developer rules impose strict controls on developers, yet they don’t provide the necessary tools to ensure that developers adopt privacy by design.
  • The mobile app market has developed at the same time as a vast expansion in the data created by devices, such as geolocation data.
  • Many app developers are located outside the EU and are therefore unfamiliar with European privacy rules, despite the fact that they are selling their apps to users in the EU.

A29WP’s recommendations
The opinion imposes a number of requirements on app developers. These include:

  • App developers must understand their obligations as data controllers when they process data from and about users.
  • Freely given, specific and informed consent must be sought before an app is installed.
  • Granular consent must be obtained for each specific category of data that the app will access.
  • The user must be provided with well-defined details of the purposes for which data will be processed before the app is installed. General purposes such as “product innovation” or “market research” are, in the A29WP’s opinion, not sufficient.
  • The purposes for which data is processed must not be changed without obtaining new consent from the user.
  • Users must be provided with a readable, understandable and easily accessible privacy policy, which includes
  • Allow users to revoke their consent and uninstall the app and delete data where appropriate.
  • Incorporate data minimisation and privacy by design/default.

Part of the problem with these requirements is that some of them are impossible to achieve in practice as they are dependent upon the design of the app store and OS ecosystem. For example, the way in which most smart device operating systems install apps means that there is no opportunity in the app purchase system to notify users about data use and obtain consent. This could be set out in the app licence terms of use, but given the low profile given to such licence terms in the app store purchase process, this wouldn’t meet the A29WP’s own recommendations on obtaining consent.

This is presumably why the opinion also sets out a number of requirements on app stores and OS and device manufacturers, even though there appears to be little basis in law for such requirements (neither party is a data controller in relation to data primarily processed by the app/the app developer).

These requirements, for example, oblige app stores to check that app developers have incorporated appropriate consent mechanisms, and obligations on OS manufacturers to build additional controls into their OS APIs to facilitate consent to access data on the device.

The practical approach
In my view, given these technical limitations, it is more pragmatic to recommend that app developers design apps so that the privacy policy is displayed, and consent obtained, when the app is first opened, and that no data is captured until this takes place. This way, app developers can be sure that they do not inadvertently collect data without consent.

The opinion also skims over one of the other big issues with mobile apps – the use of third party services. In many cases, I suspect that app developers simply aren’t aware of which party is responsible for data protection compliance. Where third party services are utilised (for example, mapping or geolocation), there will often be multiple data controllers. However, the app developer is the party that controls the primary interface with those third parties and therefore needs to flag the terms on which such third parties will use the data collected.

Given the opacity of the policies provided by many third party service providers (and the lack of clear guidance from regulators when the revised cookie law came into force), working this out is often difficult.

You can read the A29WP’s opinion in full by following this link (PDF). If you are an app developer and would like to discuss how your app collects data, and what you can do to ensure that it complies with EU data protection law, please get in touch.

Martin Sloan

ICO revisits approach to cookie law consent – what does this mean for other organisations?

Last month, the Information Commissioner’s Office (ICO) announced that it was going to change the way that it sought to obtain consent from users to the use of cookies on its website, as required under laws that came into force in May 2011 (known as the cookies law). Those changes were implemented on Friday.

What’s changed?
Firstly, the ICO’s website now sets certain non-essential cookies automatically upon arrival. This is a big change from the old approach and marks a shift from prior, explicit, consent to implied consent.

After moving to prior, explicit, consent, recorded traffic to the ICO’s website dropped by 90% as a consequence of users failing to accept cookies (including a Google Analytics cookie used to analyse traffic). Reinstating implied consent will mean that those figures will go shooting back up, giving the ICO a much better idea about how people use its website. According to the ICO’s news release, this was one of the main drivers behind the change to its cookie consent policy.

Secondly, the ICO has updated its banner notification. The old one looked like this:
Screenshot of ICO website in 2012

The new one looks like this. The banner has now moved to the bottom of the screen (but not the bottom of the page) and is a bit more subtle (no contrasting text colour or box shading to make it stand out):
Screenshot of the ICO website. 4 February 2013

The banner message has been amended to make it clear that the website has “placed” cookies (as opposed to “will place”), and provides a pointer to allow users to change settings. Notably, the banner will remain until the user clicks “don’t show this message again” or moves to another page.

Surprisingly, the banner message still says that cookies are used to “make this website better”. Given the ICO’s otherwise very strict adherence to the cookie law rules, I’ve always thought that this was a very ambiguous basis upon which to obtain user consent – better for whom? The user? The ICO?

Thirdly, the ICO has shifted information on the use of cookies to a new standalone cookies page.

Finally, on that page (but not on the banner itself) is an option for users to delete non-essential cookies and not set them again:
Screenshot of cookies opt out button on ICO website
This allows users who do not wish cookies to reject them, notwithstanding that they were automatically placed upon arrival at the website. Unsurprisingly, this cookie control tool relies upon a cookie to remember the user’s setting.

What does this mean for other organisations?
Whilst the ICO argues that its revised approach is consistent with its own guidance, other organisations will take some comfort from the ICO’s new approach to cookie consent:

  • The ICO is of the view that knowledge about cookies amongst internet users is much greater than it was 8 months ago.
  • Explicit consent is therefore no longer considered necessary by the ICO for low risk, but non-essential, cookies.
  • Setting cookies on arrival, based upon implied consent, can be appropriate depending on the potential intrusiveness of the cookie. Pre-setting an analytics cookie is one thing; doing the same with a behavioural advertising cookie is quite another.
  • Banners or other methods used to notify users about the use of cookies may not need to be as prominent (design intrusive) as perhaps previously thought.
  • Using a cookie to identify a user that has opted out of other cookies is considered by the ICO to be an appropriate approach, provided users are notified about this.
  • Pointing users to third party websites for further information on third party cookies (such as those used for embedded YouTube clips on the ICO’s website) remains the ICO’s method of dealing with third party cookies.

If you would like to discuss how your website or mobile app deals with cookie law, or would like to understand the implications of the ICO’s revised approach for how you currently handle cookies, please visit our cookies page or get in touch.

Martin Sloan

Could ad hoc solutions to the cookie law be harming website usability?

Last week I was invited to speak to members of the Scottish Usability Professionals Association (SUPA) about the new cookie law.

SUPA “brings together UK professionals based in Scotland from the design, technology and research communities who share a vision of creating compelling technology that meets users’ needs and abilities”, and the topic of my presentation was the interaction of the cookie law with disability discrimination laws and website usability.

One consequence of the cookie law is that a number of the consent mechanisms being adopted by organisations to deal with cookie consent have an adverse impact upon the accessibility of the website to users with disabilities, and the usability of the website to users as a whole. This not only makes the website harder for users to use, but might also put the organisation in breach of its obligations under the Equality Act.

Potential usability and accessibility issues
We had a great discussion. Here are a number of the usability and accessibility issues we identified:

  • The use of a pop-up upon arriving at a website can clearly impact on the user experience – users can’t get to the information that they want to access without first reading/dealing with the pop-up. Does that inhibit users from finding the information that they are looking for?
  • On the other hand, the use of implied consent and a link to a cookies policy at the foot of the page is also poor from a usability perspective. Users are unlikely to see it (particularly on a mobile device), and therefore it’s difficult to say that consent has been given.
  • Mobile devices such as smartphones and tablets raise particular issues. Pop-up boxes at the bottom of the page are difficult to read and may be overlooked. If the default setting of these mechanisms is opt-in, then it may be difficult to argue that consent can be implied.
  • Pop-ups or cookie control devices that use Javascript may not be compatible with screen readers or devices that do not use Javascript. This may cause problems for users of those devices.
  • Pop-ups are often set to disappear after a certain period of time (for example 10 seconds), which may not be sufficient time for the user to read and understand the message.
  • Again, on pop-ups, some pop-ups have a link to a cookies policy, but the cookies policy page appears on screen *behind* the pop-up, making it impossible to read without accepting all the cookies!
  • Many websites offer an all or nothing approach to cookies – users either have to accept all cookies or none, limiting user choice and user control.
  • Websites that only offer an “I agree” option – users may click “agree” simply to get rid of the box, menu bar etc.
  • Granular, interactive, control panels (such as those used by BT and BBC) can help improve usability and user control, but are often set to accept all cookies (including targeted advertising cookies) by default, or lump together targeted advertising with social sharing tools.
  • There is no consistent approach across websites (even in the implementation of third party products, such as Cookie Control) meaning that each website is different.

What is the solution?
This last point is perhaps one of the most telling.

From a user experience perspective, a multitude of different systems and approaches is confusing, and does little to increase user understanding of cookies (one of the aims of the new law). In order to be effective, a common approach is needed. If not, and websites continue to deal with cookies in different ways, usability will suffer.

This can be achieved in two ways: by clear guidance from the regulator and, perhaps more importantly in the long term, the implementation of suitably sophisticated privacy dashboards in web browsers. Ultimately, the reason for website operators having to introduce ad hoc consent mechanisms is a failure to have in place an appropriate browser based solution at the time the law came into force. If privacy features can be built into the UI, as can be done with the iOS developer platform, then there is no reason it can’t be done across browsers generally.

In both cases, this needs joint action from the various national privacy regulators in Europe.

In the case of the former, to agree consistent, more detailed guidance of what is expected, and in the case of the latter to work with browser manufacturers and the W3C to develop a common browser based solution. When the new cookie law was published last summer we were told that the latter was happening, but to date there has been little sign of progress.

The Do Not Track initiative may give the building blocks for doing that, if it can be widened to cover all cookies and adopt the principles of privacy by default. Things are moving in the right direction, but as recent coverage reports, Do Not Track isn’t yet the panacea that some people would like it to be.

What do you think?

PS for a more detailed, technical assessment of some of the usability and accessibility problems with various cookie law solutions, read SUPA member James Coltham’s excellent blog on the subject.

New guidance on cookies that are exempt from consent requirements

The Article 29 Working Party, a grouping of representatives from the various national privacy regulators in Europe, today published an opinion on the “essential cookies” exemption under the cookie law.

Opinions of the Article 29 Working Party have no legal effect, but do represent the joint thinking of the national regulators and in turn can often influence the future direction of European data protection law, and may assist organisations currently grappling with the cookie law.

The law
Under the revised law, the requirements in relation to consent do not apply to cookies that:

  • are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • are strictly necessary in order for the provider of an information society service [essentially a website] explicitly requested by the subscriber or user to provide the service.

As readers will know from previous Techblog posts, neither the UK implementing regulations nor the original directive gives much further guidance on what falls within the “strictly necessary” category.

    Accordingly, the Working Party has published its opinion on what it thinks the law is. In addition to listing examples of cookies that are or are not essential (and therefore exempt from the consent requirement), the guidance also analyses factors such as whether the cookie is first or third party, and whether it is a session cookie or persistent. The opinion notes that the fact that a cookie is third party or persistent is not necessarily fatal to it being “essential” – for example, it may be appropriate for a cookie to persist for a reasonable period of time following the user leaving the website.

    Cookies that are essential
    The opinion lists the following types of cookies as potentially being exempt:

    • user input cookies – cookies used to keep track of a user’s input. For example, the completion of a multi-page form, or a shopping basket on an e-commerce website.
    • authentication cookies – cookies used to identify a user once he has logged in to a website. But cookies used to “remember me” to avoid the need to log in for future visits are not considered “essential.”
    • user-centric security cookies – for example cookies used to detect the number of failed log-ins to a service specifically requested by a user.
    • multimedia player session cookies – cookies used to store technical information (for example network speed, quality and buffering) needed to play video or audio content requested by the user. This might include Flash cookies.
    • load balancing session cookies used to manage server load balancing. This would fall within the first bullet above (the transmission of a communication).
    • UI customisation cookies – cookies used to remember preferences specifically set by a user (for example, language or display preferences set using a button or tick box) and not linked to other data such as the user’s username. The guidance is slightly contradictory here, but it appears to suggest that if the customisation applies longer than the session then the opinion states that consent is required, but this could be done by including a “uses cookies” message next to the button or tick box.
    • social media content sharing cookies – cookies used by social media plug-ins to identify users that are logged in to social media networks and which are used to enable them to share content using that social media network. These cookies should only persist for so long as the user is logged in or “close his browser” (it’s not clear how this equates with a user that asks the social media network to “remember me”), and the exemption will not apply where that cookie is dropped onto the device of a user who is not logged in.

    In each of these cases, the exemption is dependent upon the cookie not persisting for longer than necessary and the cookie not also being used for other purposes.

    Cookies that are not essential
    The opinion also lists a number of cookies that, in the eyes of the Article 29 Working Party, are not essential:

    • social plug-in tracking cookies – cookies used to track the activity of logged in users of social networks (for example, for the purposes of targeted advertising, or analytics etc).
    • third party advertising – unsurprisingly, cookies used for third party advertising (that is, advertising served by a domain outside the website in question) are not considered essential. The Working Party is lobbying to ensure that all such cookies are included in the W3C.
    • first party analytics – the opinion confirms the Working Party’s view that first party Analytics cookies (for example, those used for Google Analytics) are not essential and therefore require consent.

    As I noted at the outset of this blog, the Working Party’s opinions have no legal standing, but some of the types of cookies listed as falling within the exemption, and the comments on assessing whether or not a cookie is likely to fall within the exemption should give web site operators some assistance when determining how to implement the changes necessary for their websites. As with the ICO’s recent updated guidance, it’s just a shame that this guidance wasn’t available in the run up to 26 May.

    Implied Consent – Last minute change of tack for cookies law

    If you have been keeping an eye on the TechBlog cookies law page, you will no doubt be aware that the ‘grace period’ for compliance with the new cookies law ended on 26 May. The one year grace period was introduced to allow website operators time to make the necessary technical changes to their websites (or perhaps, more accurately, try to work out exactly what the regulator expected them to do).

    Implied consent vs explicit consent
    One of the big questions was around consent.

    The new law requires users to give informed consent to allow the use of cookies and similar technologies to run and collect data during your visit to a particular website. But is it possible to give implied informed consent or must users go through a ‘tick box’ exercise? It is pretty easy to ignore a banner at the top of your screen, oblivious to the measures that the website is taking to monitor and track your use of the site.

    The Information Commissioner’s Office (ICO) – the regulator of data protection law in the UK – issued cookies guidance in November 2011, addressing the issue of implied consent. The overarching message from the ICO was that the public simply did not have the requisite ‘general understanding’ of cookies to be able to implicitly give informed consent.

    Notwithstanding this message from the regulator, the International Chamber of Commerce’s subsequent guidance on the new law (endorsed by the ICO in a press release) advocated the use of implied consent, and several major retailers adopted implied consent as their chosen mechanism for dealing with the new law, leaving other organisations unsure of what was expected.

    Formally, the ICO was saying that implied consent was not ok, yet informally (in media interviews and events) the message from the ICO appeared to be that implied consent was ok.

    A revised approach
    However, 48 hours before the 26 May implementation deadline, the ICO’s Group Manager for Business and Industry, Dave Evans, published a blog issuing new guidance. While the ICO did not make a complete U-turn on its position regarding implied consent, it is certainly less hard-line than its previous stance.

    The ICO is still sitting on the fence as to exactly when implied consent will be appropriate, but the new guidance does give some possible scenarios where a tick-box (or other explicit consent mechanism) may not be required:

    • Where users of a site have a certain technical awareness and so have the requisite understanding of how cookies are used to be able to give their implied consent
    • Where the cookie notice is displayed in such a way that users can’t avoid reading it, so users can be deemed to have given their consent by clicking past the cookie notice
    • Where consent can be implied from a series of actions that the user may take, such as, that, when taken together, are a ‘strong enough indication’ of the acceptance of the use of cookies.

    Needless to say this more business friendly approach to implied consent will come rather late in the day for those who have already implemented their cookies policy (unless they adopted implied consent in a manner consistent with the guidance, in which case it will provide comfort for the actions taken), but it may be of help to those who have missed the deadline and are still struggling to work out how best to comply with the new law.

    Before adopting an implied consent approach, organisations whose websites are directed at non-UK EU users (as well as UK users) may wish to remember that the ICO’s revised guidance on implied consent is at odds with the views of the Article 29 Working Party, and guidance issued by a number of the ICO’s fellow privacy regulators. Accordingly, such an approach may not be acceptable to privacy regulators in those other member states.

    Leigh Kirkpatrick

    Techblogger seminar on cookies law and usability

    So, in advance of the expiry tomorrow of the ICO’s one year grace period for complying with the new cookies law, you’ve carried out your website audit and privacy impact assessment, identified the most appropriate way to obtain consent from users, and have implemented (or are in the process of implementing) the necessary changes to your website.*

    But did you think about usability and accessibility when developing your solution? Will it work on a mobile device? What about different browsers? How does it impact upon the customer journey? Might it put people off using your website? Will a visually impaired user be able to use it? Might your solution unwittingly have put you in breach of your obligations under the Equality Act?

    To help answer some of these questions, or at least set the background to facilitate a discussion amongst those that might have the answers, I’ve been invited by the Scottish chapter of the Usability Professionals Association to host a seminar on the new cookies law. For those of you that attended the User Vision seminars earlier this month, this seminar will provide a similar overview of the law, but will also look at the obligations of service providers under the Equality Act, and then go on to look at some of the solutions being adopted from a usability perspective, and question whether there is a better way of doing things.

    Event details
    The event takes place on Tuesday 12 June.

    To find out more information and to register, follow this link to the SUPA website. The event is open to non-members as well as members, so if you are interested in learning about the usability issues, or want to share a cookies solution that you think ticks the usability boxes do come along.

    Hope to see you there!

    *If you’ve yet to start then I’d recommend reading our quick guide (PDF) to compliance with the new cookies law and our cookies law resources page.

    Techblogger quoted in article on new cookies law

    I am quoted in an article on the new cookies regulations in this month’s edition of B2B Marketing magazine.

    B2B Marketing is a magazine for business marketers, and the article looks at some of the practical issues around implementing the necessary changes required to comply with the new regulations.

    As I note in my comments, even at this late stage there is a lack of clarity on exactly what the Information Commissioner’s Office (ICO) is expecting organisations to do to achieve compliance. Interestingly, the ICO now appears to be briefing against its official guidance in media interviews, commenting that enforcement is not a priority and that things frowned upon under the guidance are unlikely to lead to enforcement action. It’s a shame that this informal briefing hasn’t been reflected in clarifications to the formal guidance.

    Email campaign tracking
    One last point.

    I see that one of the other interviewees in the B2B Marketing article states that the new rules don’t apply to web beacons used for tracking the success of email campaigns. Whilst the ICO may not have focussed on this issue in its guidance, I don’t think that you can definitively conclude this from either the original directive or the UK regulations.

    As I have noted previously, whilst the law is often referred to as the “cookies law”, the law makes no specific reference to cookies – instead, the regulations simply talk about “information stored [on the user’s] terminal equipment.”

    In practice, this means any software or code on a user’s device that can be used to track or identify that user, regardless of whether that is through a web browser or an email client. This will include mobile apps and could include open tracking in emails, depending on how the tracking is carried out.

    The DMA is, understandably, lobbying the ICO to issue guidance that the new regulations do not apply to email tracking. However, the DMA is at the same time also advocating that, as a matter of good practice, marketers are up front with their users about the use of email tracking.

    This is consistent with data protection principles generally, and the reasons that the European Commission introduced changes to the previous cookie law. Organisations may therefore wish to think carefully before deciding not to review how they inform users about their use of email tracking.

    Techblogger seminar on the new cookies law

    I’m taking part in a breakfast seminar next week, hosted by Edinburgh based usability consultants User Vision, on the new cookies law.

    I’m sharing a platform with Andrew Hood, managing director of web analytics company, Lynchpin Analytics, and our host, Chris Rourke, managing director of User Vision.

    The seminar is proving so popular that we’ve decided to run it again the following week on Tuesday 15 May. If you’d like to come along then follow this link to book. The seminar is free, and will look at the legal, technical and usability issues arising out of the new laws.

    The first seminar sold out in less than three hours (so quickly that I didn’t even get a chance to plug it on this blog), so if you are interested then you’d better sign up quickly!

    Six weeks to go – is your organisation prepared for the cookies law?

    With six weeks remaining until the end of the one year grace period given by the Information Commissioner’s Office (ICO) for compliance with the new cookies laws, it’s vital that organisations can demonstrate to the ICO that they are well on the way to compliance.

    Whilst the ICO was reported last week as having said that enforcement in relation to first party cookies is unlikely to be a priority, this doesn’t mean (contrary to some reporting that is going around) that organisations can now ignore the new laws.

    Until an organisation has audited its cookie usage, identified the types of cookies it uses, and the intrusiveness of those cookies, it won’t be in a position to show that it has determined that certain cookies are low risk and therefore it has taken appropriate steps. Doing nothing is unlikely to go down well with the ICO.

    If you have not started assessing the changes that you might need to make to your website then now is the time to start.

    Guide on complying with the new regulations
    To help organisations understand what they need to do, we have prepared a short guide (PDF) setting out the key steps to compliance.

    Cookies law resources page
    We have also created a dedicated page on TechBlog which brings together various blog posts on the new laws and links to external guidance from organisations such as the ICO and the International Chamber of Commerce.

    You can access the page by following this link:

    We will continue to update the page as more guidance is issued.

    In the meantime, if you have any questions on the new law and the steps that your organisation should be taking, contact me or your usual TIO Group contact.

    Behavioural advertising cookies – why the new industry consent mechanisms don’t work

    With around six weeks to go until the end of the Information Commissioner’s one year grace period for compliance with the new cookies regulations, it’s time for another blog post on one of the more problematic issues.

    I’ve blogged before about my experiences with online behavioural advertising, in particular the Criteo network used by, amongst others, the Guardian and Expedia.

    Once again, I noticed adverts on the Guardian website that were for hotels that I’d recently looked at on the website of the advertiser. But now there is a little “i” icon in the corner of the advert. (I’d include a screen shot but I didn’t think to do this before I opted out of the system. Oops.)

    Opt-out, not opt-in
    Clicking on this icon tells you that, in the case of this advert, it is an advert provided by the Criteo Network, and invites you to click on the link to find out more about the system.

    You are taken to a page on the Criteo website which explains why, in this case, I am receiving targeted adverts from Expedia, showing both the source information (the pages I have visited on Expedia) and the output information (other hotels that people have viewed in that location).

    Below this, you are told that a cookie has been deployed which indicates that you have opted in to the Criteo system. If you do not wish to receive targeted advertising from Criteo then you can click to opt out.

    The system that Criteo uses is the self regulatory approach adopted by the Internet Advertising Bureau (IAB), and was the subject of an opinion from the Article 29 Working Party (a grouping of representatives of the various EU data protection regulators) last December. In addition to individual control panels on each member’s website, the IAB also offers a website which allows users to set preferences for all its members through a central control panel.

    Why the opt-out system doesn’t work
    Whilst this system gives users a way to opt out of targeted advertising, there are a number of problems which mean, in the view of the Article 29 Working Party, that the system doesn’t comply with the requirements of the new cookies regulations:

    • The default position is opt-in. The cookie is deployed without the user being aware or being provided with clear information on how its data is being used. The onus is then on the user to opt out if it does not wish to participate. As the Article 29 Working Party points out, this doesn’t meet the requirements of the new regulations, which require users to give their informed (and prior) consent to the use of cookies. Indeed, this approach is exactly what the new regulations were intended to outlaw.
    • The industry may argue that consent can be implied from the fact that users have not opted out, but I don’t think this works as users simply don’t have enough information and knowledge about how these settings can be controlled – informed consent cannot be implied. Blogs like this may help in that education process, but it will take time.
    • The icon link to the control panel on the advert is not obvious to users. Unless you click on it you don’t know what it is. Similarly, most users do not know about the central control panel that the IAB offers as its solution to the requirements of the cookies regulations.
    • If you do wish to opt out of being tracked then you have to agree to a cookie being deployed so that the relevant system knows that you have opted out. Again, this goes against the requirements of the new regulations. Essentially, with these systems you need to accept a cookie or set your browser so that all cookies (or third party cookies) are disabled. It’s difficult to see how informed consent can be given in such a situation. And if you ever clean out your browser cache and cookies you are back to square one, with every OBA provider assuming that you have opted in.
    • When a user opts out, you might assume that he or she is no longer tracked. But this is not the case. The original opt-in cookie does not appear to be deleted, and therefore still allows tracking, albeit that no targeted adverts are shown. As the Article 29 Working Party points out, this is misleading and does not help to build confidence and understanding amongst consumers.
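    An added example (not from the original post or from any advertising network): one way to audit a captured set of Set-Cookie headers by party and lifetime, and to check the last two points above, that opting out sets a further cookie while the identifier cookie stays in place. The site, hosts, cookie names and values are constructed, and the first/third-party test is a simplification.

```python
from http.cookies import SimpleCookie

SITE = "news.example"  # constructed first-party site being audited

# Constructed capture: (responding host, Set-Cookie value). All names are hypothetical.
BEFORE_OPT_OUT = [
    ("news.example", "session=f3a9; Path=/; HttpOnly"),
    ("ads.adnetwork.example",
     "uid=7c1d2e; Domain=adnetwork.example; Max-Age=31536000; Path=/"),
]
# Opting out adds a cookie; in this sample the identifier is left in place.
AFTER_OPT_OUT = BEFORE_OPT_OUT + [
    ("ads.adnetwork.example",
     "optout=1; Domain=adnetwork.example; Max-Age=157680000; Path=/"),
]


def parse(host, header):
    """Turn one Set-Cookie header into an audit record."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = (morsel["domain"] or host).lstrip(".")
    max_age = morsel["max-age"]
    return {
        "name": name,
        "value": morsel.value,
        "domain": domain,
        # Simplification: a real audit compares registrable domains (Public Suffix List).
        "third_party": not (domain == SITE or domain.endswith("." + SITE)),
        # No Max-Age (this sample uses no Expires) means a session cookie: 0 days.
        "lifetime_days": int(max_age) // 86400 if max_age else 0,
    }


def audit(headers):
    """Index the parsed cookies by (domain, name)."""
    return {(c["domain"], c["name"]): c for c in (parse(h, v) for h, v in headers)}


def surviving_identifiers(before, after):
    """Persistent third-party cookies still set, with the same value, after opt-out."""
    old, new = audit(before), audit(after)
    return sorted(
        key for key, c in old.items()
        if c["third_party"] and c["lifetime_days"] > 0
        and key in new and new[key]["value"] == c["value"]
    )
```

    Calling surviving_identifiers(BEFORE_OPT_OUT, AFTER_OPT_OUT) lists the cookies that a site operator would need to raise with the third party, and audit() gives the per-cookie inventory needed to judge intrusiveness.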

    I am a website that uses adverts provided by third parties – what should I be doing?
    The UK Information Commissioner’s Office (ICO) has made it clear that responsibility for obtaining consent to third party cookies is the joint responsibility of the primary website and the provider of that third party cookie. In practice, responsibility rests with the former (as it “controls” the website), but it has no control over how that cookie is used once it has been set.

    The latest guidance from the ICO fails to provide detailed advice on this, given the Article 29 Working Party’s opinion on the IAB’s self-regulatory mechanism.

    Whilst the Article 29 Working Party’s opinion offers up some options for obtaining consent (for example banners and splash screens), website operators are dependent upon the advertising industry for providing easy to deploy solutions for their websites. In the meantime, website operators are left in a difficult position.

    I am a consumer – what can I do in the meantime?
    If you are happy with receiving behavioural/targeted advertising then you need do nothing.

    If you would like to opt out from targeted advertising then the best thing to do is to visit the IAB’s website to centrally control your preferences for targeted advertising offered by its members. Of course, this is exactly how the IAB would like the system to work, but in the absence of any alternative system this is the only way to control your preferences.
