ARTICLE 29 Data Protection Working Party
Brussels
D(2010)
On behalf of the 27 national Data Protection Authorities, united in the Article 29 Working Party, please find attached a copy of the Article 29 Working Party Opinion on online behavioural advertising adopted on 22 June 2010. The Opinion provides guidance on the recently revised EU legal framework applicable to behavioural advertising based on the use of third party cookies 1. It clarifies the obligations applicable to those organizations engaged in behavioural advertising and the rights of data subjects as granted by EU data protection legislation.
The Annex summarizes the main elements of the Opinion, in particular those relating to the obligations following from the new Article 5(3) of the ePrivacy Directive 2002/58/EC and from the existing Directive 95/46/EC.
Given that the Opinion does not prescribe how, from a technical point of view, the requirements should be met, the Article 29 Working Party invites you to explain the solutions that you are considering to implement the Article 29 Working Party recommendations, especially with respect to compliance with Article 5(3) of the revised ePrivacy Directive. Please also indicate the envisaged timeframe.
Please send your answer to the address provided below before (approximately 6 weeks from the sending of the letter) 2:
Article 29 Working Party - Secretariat - European Commission, Directorate-General Justice
Unit C.3 - Data Protection
Office: LX 46 01/190
B-1049 Brussels
E-mail: JUST-ARTICLE29WP-SEC@ec.europa.eu
Fax: +32-2-299 80 94
Yours sincerely,
Jacob Kohnstamm
Chairman
1 Note that Article 5(3) applies to all cookies that are not "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service".
2 Please note that pursuant to Article 29 Working Party practice all received contributions, together with the identity of the contributor, may be published, unless the contributor objects to publication on justified grounds of business interest or that publication of any personal data contained in the response would harm his or her legitimate interests.
This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice, B-1049 Brussels, Belgium, Office No LX-46 01/190.
Website: http://ec.europa.eu/justice/policies/privacy/index_en.htm
ANNEX
1) Mechanisms to obtain prior informed consent from users
Effective mechanisms to obtain informed consent should be available offering users, before the cookie is installed on their computer terminal: (i) the required information pursuant to Directive 95/46/EC, and (ii) the possibility of affirmatively indicating their acceptance of:
• receiving the cookie and
• the cookie being accessed (i.e. reading the cookies) and
• being tracked by subsequent monitoring of their surfing behavior for the purposes of behavioral advertising.
In order to ensure the maximum level of awareness among users of the tracking over time so that they can decide whether to continue or revoke their consent, ad network providers should:
• provide sufficient and clear information to the users so that they have an easily available possibility of revoking their informed consent to being tracked for the purposes of serving behavioral advertising;
• provide sufficient and conspicuous visual notice, possibly by creating a symbol or other tools and related messages which should be visible and understandable on all websites where the tracking takes place and which sufficiently alert users to the tracking for advertising purposes.
Furthermore, ad network providers should only place cookies with a limited lifespan in the user's terminal equipment and they should not prolong the expiry date, so that the scope of the user's consent is limited in terms of time.
2) Special categories of data
Any possible targeting of data subjects with advertising based on sensitive personal data (for instance sexual preferences or political activity), or the gathering of such information itself, entails increased risks for the data subject. For instance, if ad network providers process personal data collected from individual online behavior in order to place the user in an interest category indicating a particular political or sexual preference, they are processing sensitive data under Article 8 of Directive 95/46/EC. It would be preferable if such information was not collected. The same applies for information related to children.
3) Retention principle
Ad network providers should implement retention policies which ensure that information collected each time a cookie is read, i.e. profile information, is automatically deleted after a justified period of time (they should provide reasons why they consider such period of time necessary in the light of the purposes of the processing).
The term "cookie" includes HTTP and flash cookies as well as any other method of storing or gaining access to information already stored on the terminal equipment of a user or subscriber, see Article 5(3).
For example, when a data subject requests deletion of his/her profile or if he/she exercises his/her right to withdraw the consent, these actions require the ad network provider to promptly delete the data subject's information, as the ad network provider ceases to have the necessary legal grounds (i.e. the consent) allowing the processing.
4) Users' (data subjects) rights
Ad network providers shall enable individuals to exercise their rights of access, rectification and erasure. The Article 29 Working Party welcomes the practice of some ad network providers enabling data subjects to access and modify the interest categories in which they have been classified. If ad network providers have additional, underlying information, this should also be provided.
The Article 29 Working Party urges ad network providers to put in place procedures to inform individuals about these tools and to make them as visible as possible to data subjects so that average users are de facto empowered to use them.