Published using Google Docs
2010_10_29_letter_browser_and_annex_en.htm
Updated automatically every 5 minutes

***

ARTICLE 29 Data Protection Working Party

* *

***

Brussels

D(2010)

On behalf of the 27 national Data Protection Authorities, united in the Article 29

Working Party, please find attached a copy of the Article 29 Working Party Opinion on

online behavioural advertising adopted on 22 June 2010, as well as a letter of 29

October sent to ad network providers.

The Opinion provides guidance on the recently revised EU legal framework applicable to behavioural advertising based on the use of third party cookies. It clarifies the obligations applicable to those organisations engaged in behavioural advertising and the rights of data subjects as granted by EU data protection legislation. As summarized in the Annex, the Opinion highlights the importance of default privacy-friendly browser settings.

The Opinion discusses the important role of browser settings as a tool to ensure that individuals stay in control of whether they want cookies stored in their terminal equipment as well as the purposes for which the information retrieved through the use of the cookie will be used. The Article 29 Working Party invites you, as a browser provider, to explain the solutions that you are considering in order to reinforce the effective protection of the privacy and personal data of individuals in the online environment. Please also indicate the envisaged timeframe.

Please, send your answer to the address provided below before (approximately 6 weeks from the sending of the letter) 1:

Article 29 Working Party - Secretariat - European Commission, Directorate-General

Justice

Unit C.3 Data Protection

Office: LX 46 01/190

B 1049 Brussels

E-mail: JUST-ARTICLE29WP-SEC@ec.europa.eu

Fax: +32-2-299 80 94

Yours sincerely,

Jacob Kohnstamm

Chairman

Please note that pursuant to Article 29 Working Party practice all received contributions, together with the identity of the contributor, may be published, unless the contributor objects to publication on justified grounds of business interest or that publication of any personal data contained in the response would harm his or her legitimate interests.

This Working Party was set up under Article 29 of Directive 95146/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive

2002/58/EC.

The secretariat is provided by Directorate C (Fundamental Rights and Union Citizenship) of the European Commission, Directorate General Justice, B-i 049 Brussels, Belgium, Office No LX-46 01/190.

Website: http://ec.europa.eu/justice/policies/privacy/index_en.htm

ANNEX

Obtaining informed consent from Internet users to receive third party cookies

Under EU data protection legislation individuals must consent to receiving third party cookies used for behavioral advertising purposes.�

The role of browser settings in enabling Internet users� informed consent may vary. In particular, browsers could be used (a) as a means of obtaining users� consent, and (b) as a tool that can complement other measures put in place by publishers or ad network providers in order to obtain users� informed consent.

a) Browsers as the tool to obtain internet users� consent

In order for browsers or any other application to be able to obtain the valid and effective consent of the user on behalf of an entity wishing to place a cookie2 they must:

� by default reject 3rd party cookies,

� convey the necessary information to Internet users pursuant to Directive 95/46/EC of the Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data3 (�Data Protection Directive�). To meet the information requirements of the Data Protection Directive browsers should convey, on behalf of the ad network provider, the relevant information about the name of the data controller, the purposes of the cookies, the data that are collected and the further processing that personal data might be subject to. In order to ensure that consent is fully informed browsers should convey this

- information in a clear and comprehensive manner and it should be fully visible to the user, and

8 require the data subject to engage in an affirmative action to accept or reject both the setting of and the continued transmission of information through the cookie. Such consent must be informed and prior to the processing.

2 The term �cookie� includes HTTP and flash cookies as well as any other method of storing or gaining access to information already stored on the terminal equipment of a user or subscriber, see Article 5(3) of the ePrivacy Directive 2002/58.

OJ L281, 23.11.1995.

b) Browsers as a complementary tool to obtain internet users� consent. Default privacy-protective settings

If advertising network providers have set up appropriate measures to obtain informed consent, browser settings may still play a key role in ensuring that such consent is informed and obtained prior to the sending of the cookie. Therefore, the Article 29 Working Party attaches great importance to browsers being provided with default privacy-protective settings. In other words, browsers should by default be set to the �non-acceptance and non-transmission of third party cookies� when they are first installed on data subjects computer terminals. To complement this and to make it more effective, the browsers could require users to go through a �privacy wizard� when they first install or update the browser, in order to provide an easy way of exercising choice during use.