back button

Back

ePrivacy, not voted but already applied

November 29, 2017byJulie Tamba

The EU is currently discussing the content of the future ePrivacy regulation which is now scheduled for the end of 2018. One of its key measures is contained in article 10 of the proposal which specifies that “Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment”. It should be read as requiring browsers to block cookies (inter alia).

This provision has been tremendously criticized by the industry as basically killing the advertising business on the Internet.

A few points here.

The above quote reflects the content of the proposal made by the European Commission in January 2017. In the meantime, a lot has happened. Some MEPs tried to have this provision simply deleted while others tried to extend its scope to hardware and make more explicit this blocking functionality (“[such hardware and software] shall be able to prevent other parties from using input, output, processing and storage capabilities of terminal equipment […]”) in accordance with the recommendations of the European Data Protection Supervisor.

Eventually the LIBE Commission (in charge of examining the text for the EU Parliament) inserted in its draft report dated 9 June 2017 a wording to encompass in this provision — through a Do-Not-Track signal — fingerprinting and other tracking technologies which do not imply an access to the device (“the settings shall include a signal which is sent to the other parties to inform them about the user’s privacy settings”) in accordance with the opinion of the article 29 Working Party.

Firefox privacy settings

Today the final report states that “the settings shall lead to a signal based on technical specifications which is sent to the other parties to inform them about the user’s intentions with regard to consent or objection”. Here the wording “shall include” has been replaced by “shall lead to”. Does this mean that prevention settings shall consist of a DNT signal (to the exclusion of technical blocking)? Or that content of the DNT signal must be implicitly deduced from blocking settings? Or is it a simple language clarification that the signal is the result of the settings and not a component of the same?

Irrespective of the answer, advertising professionals are not out of trouble. First of all, because the DNT signal will be enforceable against them and may lead to severe fines in case of non-compliance. Secondly, because Apple and Google have taken the view of preventing invasive practices to a certain extent already: the Intelligent Tracking Prevention of Apple will immediately purge third-party cookies (those which are related to a domain name other than the website you visited) and automatically prevent first-party cookies to function in a third-party context after 24 hours (cookies from a website you visited tracking you when you visit another website); Google is also working on by-default privacy settings for its future version of Chrome which will block “Least preferred ad experiences for desktop web and mobile web” as identified by the Coalition for Better Ads.

It may seem a bit surprising that these actors take steps which appear to defend privacy. It makes sense though if you consider that (i) they will not be impacted themselves as they access extensive user information when providing their services, (ii) as for Google, it will be with that information in a better position to serve targeted advertising than its competitors and (iii) as for Apple, it will benefit from the fact that privacy is quite popular nowadays among consumers to sell its devices. This is what we call in French “joindre l’utile à l’agréable”.

Related articles

December 5, 2017byJulie Tamba

Does collecting user geolocation require consent?

Collecting geolocation is a tricky topic in data privacy regulations. As of today, consent is not necessarily required by law. The ePrivacy Directive, on the first hand, requires consent for use of location data yet this obligation is only binding upon public electronic communication services and networks (telecom operators). The General Data Protection Regulation, on…

Read more

Consent

ePrivacy

European Union

GDPR

Geolocation

personal data

April 20, 2018byRomain Gauthier

Didomi now supports the IAB Europe consent framework

Didomi is proud to announce that our Consent Management Platform (CMP) is now officially registered with the IAB Europe’s GDPR consent framework. We’re one of the first CMPs to fully support the framework. The IAB Europe Consent Framework The IAB Europe Consent Framework aims at standardizing consent flows between advertising partners. Online advertising involves a…

Read more

Consent

Cookies

ePrivacy

GDPR

Publishers

tailored advertising

targeted advertising

December 29, 2017byJulie Tamba

Which kind of electronic advertising will require consent?

There are some cases where consent of the end-user is mandatory: this is the case for direct marketing, a category of advertising covering various techniques. As of now, the ePrivacy Directive required consent in relation to “the use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for…

Read more

Consent

custom audience

ePrivacy

tailored advertising

targeted advertising

December 13, 2017byJulie Tamba

GDPR consent in practice – Part 2: Methods

After reviewing when it is opportune to obtain consent, it is time to take a closer look at ways to obtain consent. How should consent be obtained? Consent is defined by the GDPR as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement…

Read more

Consent

European Union

GDPR

Methods

personal data

November 30, 2017byJulie Tamba

Privacy Impact Assessment in a nutshell

The French Data Protection Authority — called in short the “CNIL” — has just released on 22 November 2017 a free tool to assist companies in the process of conducting a Privacy Impact Assessment. This initiative happens in the context where the deadline for implementing the GDPR is close (May 2018) and companies are still struggling to make compliance…

Read more

European Union

GDPR

personal data

PIA

Privacy Impact Assessment