Behavioural ads need consent, says Europe privacy group

Behavioural ads need consent, says Europe privacy group

Summary: People need to consent to cookies that track behaviour so adverts can be served to their PC, a group of European privacy authorities has said

TOPICS: Security

Websites need to get explicit consent before tracking user behaviour to serve adverts, an influential European privacy group has said.

The Article 29 Working Party said in a statement on Thursday that users needed to opt in to behavioural advertising under European law. The working party is made up of the national privacy watchdogs from each of the member states of the European Union.

"Online behavioural advertising providers, when they use cookies, are bound by the new EU rules on electronic privacy," said the group. "The revised E-Privacy Directive introduces the obligation for informed consent of users before tracking devices such as cookies are installed on users' computers."

A number of different mechanisms exist to track user behaviour, with the aim of serving adverts on websites tailored to an individual's interests. One of those mechanisms is to drop a cookie on a user's machine that enables advertisers to track the visited sites.

An opinion paper published by the Article 29 Working Party on Thursday said that while the group recognised the economic benefits of behavioural advertising to websites, advertisers and other stakeholders, these benefits could not come at the expense of privacy. While the group's opinion statement is not legally binding, it is meant to act as guidance for interested parties across Europe.

Read this

Neelie Kroes photo

Kroes to uphold net neutrality in Europe

Net neutrality and free online expression will be protected by the European Commission, according to Neelie Kroes

Read more

Even if users configure their browser settings to accept cookies, that is not enough to constitute informed consent, the working party said.

The privacy group's statement met with a strong reaction from the Internet Advertising Bureau (IAB). The UK trade body said in a statement on Friday that the Article 29 Working Group guidance was impractical.

"The [E-Privacy] Directive currently does not require an opt-in for cookies," said the IAB. "In practice, such a requirement would mean that users would have to confirm every single cookie placed on their PCs, leading to a permanent disruption of their internet experience."

IAB argued that browser settings could under law give consent to tracking. "The E-Privacy Directive acknowledged that the controls in modern web browsers give users full and granular control over cookies," it said.

Technology law expert Struan Robertson, who is legal director at Pinsent Masons solicitors, told ZDNet UK that the Article 29 Working Party statement on the E-Privacy Directive was a "compelling" interpretation of an "ambiguous" law.

"The Working Party says you need to ask website visitors to consent to cookies, and you can't imply that consent from browser settings that may never have been changed, because IE, Chrome and Firefox allow third-party cookies by default," said Robertson. "That is no consent at all, they argue, and it's a pretty strong argument in my view."

Robertson added that pressure would be more on ad networks to solicit consent for cookies than on publishers, as multiple publishers use the same ad networks.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • +1


    I wish lawmakers in the USA would bother recognizing PRIVACY-RIGHTS in the US Constitution AND defending them.

    Free exercise of liberty REQUIRES individual privacy