ePrivacy, not voted but already appliedNovember 29, 2017byJulie Tamba
The EU is currently discussing the content of the future ePrivacy regulation which is now scheduled for the end of 2018. One of its key measures is contained in article 10 of the proposal which specifies that “Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment”. It should be read as requiring browsers to block cookies (inter alia).
This provision has been tremendously criticized by the industry as basically killing the advertising business on the Internet.
A few points here.
The above quote reflects the content of the proposal made by the European Commission in January 2017. In the meantime, a lot has happened. Some MEPs tried to have this provision simply deleted while others tried to extend its scope to hardware and make more explicit this blocking functionality (“[such hardware and software] shall be able to prevent other parties from using input, output, processing and storage capabilities of terminal equipment […]”) in accordance with the recommendations of the European Data Protection Supervisor.
Eventually the LIBE Commission (in charge of examining the text for the EU Parliament) inserted in its draft report dated 9 June 2017 a wording to encompass in this provision — through a Do-Not-Track signal — fingerprinting and other tracking technologies which do not imply an access to the device (“the settings shall include a signal which is sent to the other parties to inform them about the user’s privacy settings”) in accordance with the opinion of the article 29 Working Party.
Today the final report states that “the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user’s intentions with regard to consent or objection”. Here the wording “shall include” has been replaced by “shall lead to”. Does this mean that prevention settings shall consist of a DNT signal (to the exclusion of technical blocking)? Or that content of the DNT signal must be implicitly deduced from blocking settings? Or is it a simple language clarification that the signal is the result of the settings and not a component of the same?
Irrespective of the answer, advertising professionals are not out of trouble. First of all, because the DNT signal will be enforceable against them and may lead to severe fines in case of non-compliance. Secondly, because Apple and Google have taken the view of preventing invasive practices to a certain extent already: the Intelligent Tracking Prevention of Apple will immediately purge third-party cookies (those which are related to a domain name other than the website you visited) and automatically prevent first-party cookies to function in a third-party context after 24 hours (cookies from a website you visited tracking you when you visit another website); Google is also working on by-default privacy settings for its future version of Chrome which will block “Least preferred ad experiences for desktop web and mobile web” as identified by the Coalition for Better Ads.
It may seem a bit surprising that these actors take steps which appear to defend privacy. It makes sense though if you consider that (i) they will not be impacted themselves as they access extensive user information when providing their services, (ii) as for Google, it will be with that information in a better position to serve targeted advertising than its competitors and (iii) as for Apple, it will benefit from the fact that privacy is quite popular nowadays among consumers to sell its devices. This is what we call in French “joindre l’utile à l’agréable”.