Advertising Code is not Cookie Legal

The self-regulatory code for online advertising does not comply with the EU Cookie Law, says Article 29 Working Party.

Earlier this year the leading industry bodies for the online advertising industry, the Internet Advertising Bureau (IAB), and European Advertising Standards Alliance (EASA) announced a self-regulatory code of conduct for online behavioural advertising in response to the EU Cookie Directive.

Their solution was to add an icon to behavioural ads that users could click on to go and opt-out of online tracking from the major ad networks.

The problem with this approach was always that the new law was based on an opt-in model, not opt-out.

As we pointed out in an earlier blog post, the accepted definition of consent used by the EU in relation to data protection, requires that visitors be informed about something (in this case the setting of a cookie) and be able to indicate their approval, before it happens.

The IAB/EASA approach does not provide this prior information, nor does it obtain consent before setting tracking cookies.  Cookies are set by default.

Now the Article 29 Working Party, an EU level committee of national data protection regulators, has written a letter to the IAB and EASA to inform them of the fact that their solution is not compliant.

This is ahead of a September meeting with the two bodies representatives.  We will wait to see how the IAB and EASA respond.

However, what is clear to us is that websites carrying adverts that rely on the IAB/EASA system, should think very carefully about the continued reliance on a solution which is so clearly not in line with the regulations.

Afterall, it is the website owners, who choose to include the adverts in their content, who are directly answerable to the enforcement agencies such as the ICO in the UK.