On 25 May 2011 the EU deadline expired for member states to transpose directive 2009/136/EC, which amends Directive 2002/58/EC on “the processing of personal data and the protection of privacy in the electronic communications sector”. This is the well-known “cookie directive”, which was largely misinterpreted by the media, creating a wave of concern among website owners.
Not all countries have incorporated the directive into their privacy laws. While Denmark, Estonia and the UK met the deadline, most EU countries, including Spain, still need time to update their legislation; eventually, however, this will be done throughout the EU. In order to accommodate website owners, the UK granted a one-year grace period to implement the changes required by the new directive.
The real target of the new law: Behavioural advertising
One of the objectives of directive 2009/136/EC was to curb the widespread practice of online behavioural advertising without user consent and its threat to privacy. This is explained in the EU document “Article 29 Data Protection Working Party – 2/2010 on online behavioural advertising”.
Behavioural advertising can be illustrated with an example. Suppose a user visits an online store and checks the prices of several models of mobile phone. A few days later the same user notices that most of the ads on the pages he visits are related to telephone companies.
Behavioural advertising is marketing based on tracking the online behaviour of individuals over time. The data tracked may include: browsing history (not just on one specific site but across many different sites), time spent on a page, interactions with ads, keywords typed on a site and content produced online. All of this is gathered in order to profile the user and serve advertisements tailored to the individual’s inferred interests. Behavioural advertising gives advertisers a very comprehensive picture of a user’s online life: many of the websites and specific pages they have viewed, how long they viewed certain articles or items, in which order, and so on.
This can be an intrusion into people’s privacy. EU directive 2009/136/EC simply requires an opt-in system for collecting this type of information. Users have the right not only to know what data is collected about them and how it is used, but also to choose not to have that information collected.
How is behavioural advertising implemented?
In order to implement behavioural advertising, the advertiser needs to identify the user’s web browser across sites. This can be done in many ways, the most common being third-party cookies, local shared objects (Flash cookies) and HTML5 local storage.
What is a cookie? Without going into technical details, a cookie is a small piece of text that the website we are visiting stores on our computer and that the browser sends back on later requests. There are several types of cookies:
Session cookies: these are used to store session information during a visit to a website. Once the visit is finished (the browser is closed), the cookie is deleted.
First-party cookies: these are set by the website you are visiting and can only be read by that same website. These cookies generally have a very long expiration time.
Session cookies and first-party cookies are not a privacy concern.
Third-party cookies: these can be used to identify users across their visits to different websites. They are cookies set for a domain other than that of the website visited (for example www.examplead.com, the domain of an ad network). The cookie is sent back every time an advertisement belonging to the ad network that originally set it appears on a page, allowing the user to be recognised from site to site.
Flash cookies (or local shared objects): these are not proper HTTP cookies but data stored in the browser by the Adobe Flash Player. Starting with Flash 10.3, users can control Flash privacy settings with the Local Settings Manager, which can be accessed from the Control Panel on Windows and from System Preferences on Mac.
Even if the user deletes all cookies in the web browser, advertisers can use a technique called “respawning”: third-party cookies that were deleted or refused are recreated from the Flash cookies that survived.
Once the browser has been identified, the advertiser can reliably collect usage data on every page that runs its ads. The behavioural profile is refined visit after visit and is eventually linked to a specific person when the user logs in with his credentials to a site affiliated with the advertiser network.
Most disturbingly, advertising networks join forces in order to share user data.
Directive 2009/136/EC in Spain
Until Directive 2009/136/EC is enforced in Spain we cannot be 100% sure how it will affect websites run by individuals in Spain or by companies trading in Spain. Nevertheless, it is only a matter of time, and we can already take a few precautionary measures.
What can you do if you own a website
If you own a website and have offices in different EU countries, your website will have to comply with the different national laws.
If you want to run behavioural advertising or are collecting identifiable visitor data, you will have to inform the website user and specifically ask for consent to store the data. You should include a privacy statement on your website (please refer to our article on privacy: Data protection laws in Spain).
If you are running ads on your website from advertising networks (for example DoubleClick, ValueClick, Google AdSense…), check with the advertiser whether the ads are sending third-party cookies or Flash cookies to visitors’ browsers. If that is the case, you should include an opt-in and opt-out mechanism for your end users, telling them exactly which information is collected and how it is going to be used.
Do not forget that if you are collecting visitor data (for example email addresses for a newsletter), you still have to inform the user about why and how you are going to use the data.
If you are running a web analytics solution on your website, check with the solution provider what kind of information is collected. With the most common solutions, such as Google Analytics, WebTrends or Piwik, there should be no need for an opt-in mechanism, as you are tracking visitors anonymously and in aggregate. You should nevertheless include a privacy statement on your site.
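The cookie categories described above (session versus persistent, first-party versus third-party) are exactly what a site owner needs to check before asking an ad provider about consent. The following Python script is an added example, not code from the original article or from any of the providers named: it takes the Set-Cookie headers a browser would receive while loading one page and classifies each cookie. The page URL, the hostnames (example-shop.test, examplead.test) and the headers are constructed for the example, and the registrable-domain logic is a simplification (a real audit would use the Public Suffix List).

```python
"""Classify the Set-Cookie headers received while loading one page:
session vs persistent, and first-party vs third-party relative to the page."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Fixed "now" so that the classification is deterministic (constructed for the example).
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host ("ads.examplead.test" -> "examplead.test").
    Simplification: a real audit should consult the Public Suffix List so that
    hosts under suffixes such as co.uk are not treated as a single site."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name/value pair and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify_cookie(page_url: str, response_url: str, header: str, now: datetime = NOW) -> dict:
    """Classify one Set-Cookie header received from response_url while rendering page_url."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]

    # An explicit Domain attribute wins; otherwise the cookie is scoped to the responding host.
    cookie_domain = (attrs.get("domain") or urlsplit(response_url).hostname).lstrip(".")
    page_site = registrable_domain(urlsplit(page_url).hostname)
    party = "first" if registrable_domain(cookie_domain) == page_site else "third"

    # Persistence: Max-Age takes precedence over Expires; neither attribute means a session cookie.
    expires = None
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    if expires is None:
        persistence = "session"
    elif expires <= now:
        persistence = "deleted"  # Max-Age=0 or a past Expires date removes the cookie
    else:
        persistence = "persistent"

    return {"name": cookie["name"], "domain": cookie_domain, "party": party,
            "persistence": persistence, "expires": expires}


def audit_page(page_url: str, responses: list) -> list:
    """Classify every (response_url, Set-Cookie header) pair observed for one page load."""
    return [classify_cookie(page_url, url, hdr) for url, hdr in responses]


def needs_consent_review(report: list) -> list:
    """Names of cookies to raise with the provider: third-party AND persistent,
    i.e. the ones that can recognise a visitor across sites and across visits."""
    return [c["name"] for c in report if c["party"] == "third" and c["persistence"] == "persistent"]


# Constructed sample: headers as a browser might receive them while loading one shop page.
PAGE = "https://www.example-shop.test/phones"
RESPONSES = [
    (PAGE, "sessionid=abc123; Path=/; HttpOnly; Secure"),
    (PAGE, "prefs=lang-en; Expires=Sat, 01 Jan 2033 00:00:00 GMT; Path=/"),
    ("https://ads.examplead.test/show", "uid=3f9a; Domain=.examplead.test; Max-Age=63072000; Path=/"),
    ("https://static.example-shop.test/a.js", "ab=1; Domain=example-shop.test; Max-Age=0"),
]

if __name__ == "__main__":
    report = audit_page(PAGE, RESPONSES)
    for c in report:
        print(f"{c['name']:<10} {c['domain']:<20} {c['party']}-party, {c['persistence']}")
    print("review with provider:", needs_consent_review(report))
```

Run as-is it lists the four constructed cookies and flags only `uid`, the persistent cookie scoped to the ad network's domain; the shop's own session and preference cookies and the already-expired `ab` cookie are not reported. Real headers can be captured from the browser's developer tools or a proxy and fed in as the same `(response_url, header)` pairs. Flash cookies and HTML5 local storage never appear in HTTP headers, so they must be checked separately, as the article notes.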
These are general guidelines and not definitive statements of law. All questions about the law’s application should be directed to a Spanish lawyer.