Cookies and online advertising: an ever-changing scenario | Denton

Cookies are the main technologies that enable effective online targeted advertising (for more information on advertising in the social media and AdTech environment, see our previous stings here and here). These tracking technologies are still governed by the ePrivacy Directive, which will soon be replaced by the ePrivacy Regulation (currently under discussion within the Council of the European Union). The new provisions will have to take into account that some major technology companies are already phasing out third-party cookies from their browsers.

What are cookies and how are they regulated?

Cookies are small pieces of information, normally consisting of letters and numbers, stored on a device such as a PC, mobile device or any other device that can store information, including “Internet of Things” devices ( IoT) that connect to the Internet. . This technology is used for several purposes, for example to remember previous interactions with a website, to identify users when they log in to an online account (e.g. a bank account) and to help web pages to load faster and convey information over a network. It is also used to analyze website traffic and track user browsing behavior. Therefore, based on the function served, cookies may store personal data, such as an IP address, username, unique identifier or email address, but they may also contain other (potentially) non-personal data such as language settings. or information about the type of device a person uses to browse the site. Additionally, cookies may contain tracking identifiers such as advertising IDs and user IDs (with respect to applications, the so-called IDSAs). Finally, it is important to point out that cookies can be installed either by owners or by third parties: first-party cookies are defined by the domain of the website that the user is visiting (i.e. the host domain ), while third-party cookies are set by a domain other than the one the user is visiting (i.e. a domain other than the one they can see in the address bar). First-party cookies are most commonly used by web page owners to save details such as user passwords to facilitate future access to their accounts, while third-party cookies are primarily used for retargeting advertising.

There are many types of cookies: from the well-known browser or http cookies to other lesser-known typologies of tracking technologies such as local storage objects (LSOs) or “flash” cookies, software development kits ( SDKs), pixel trackers (or pixel gifs), like buttons and social sharing tools, and device fingerprinting technologies. All these different tools fall within the scope of the ePrivacy Directive, which was adopted in 2002 with the aim of protecting the privacy of individuals during their electronic communications. Computers and mobile phones are user terminal equipment for electronic communications networks and, as well as any information stored on this equipment, are considered part of the users’ private sphere and are therefore protected. Art. 5(3) of the ePrivacy Directive, which requires users’ consent to store any information on an individual’s terminal equipment or to access stored information, aims to protect Internet users from the risk of having information placed or accessed on their devices without their consent or knowledge, potentially interfering with the privacy of their communications. However, art. 5(3) provides for a waiver of consent in the case of “technical” cookies, i.e. when the storage or access to information is carried out for the sole purpose of carrying out or facilitating the transmission of a communication on an electronic communications network, or if it is strictly necessary to provide an information society service explicitly requested by the user. The provisions of the ePrivacy Directive have been transposed by all EU Member States into national laws. With regard to Italy, Legislative Decree n.196/2003 (“Italian privacy code”) was adopted to implement both Directive 2002/58/EC (ePrivacy Directive) and Directive 95/46/EC (“Privacy Policy”).

Moreover, as the European Court of Justice pointed out in the Planet49 judgment, art. 5(3) of the ePrivacy Directive applies when information is stored on or accessed from the device, whether or not that information constitutes personal data. This aspect becomes relevant in the first case (when the information stored or consulted is for example an identifier which can be used to identify a user and to profile or target him in advertising). Such a processing operation is governed not only by the provisions of the ePrivacy Directive, but also by the rules set out in the new General Data Protection Regulation (“GDPR”). Indeed, online identifiers are explicitly considered as personal data by art. 4(1) GDPR. Therefore, storing or accessing this information must comply with both the ePrivacy Directive, which requires obtaining user consent, and the GDPR, which provides valid consent requirements, c i.e. “freely given, specific, informed and unambiguous”.

Additionally, as recital 17 of the ePrivacy Directive refers to the meaning and definition of “consent” as provided by the Privacy Directive, now replaced by the GDPR, it is clear that the requirements of a valid consent as provided by the GDPR should apply. Therefore, consent must not only be freely given, specific and informed, as required by the Privacy Directive, but also unambiguous, i.e. expressed by a statement or an affirmative action. clear signifying an agreement to the processing of personal data.

What role do cookies play for the online advertising industry?

Cookies may be related to advertising. In particular, through the use of cookie-markers, website users can be monitored according to where they go and what they do: they are “tracked” via the dynamic IP addresses of their device and other related information (such as user ID, user agents, etc.). Therefore, by surfing the Internet, clicking on a banner, selecting an item or opening a page, the user is analyzed, and after his preferences are checked again in the future, the user will be defined as belonging to a specific group of individuals, as defined by the online advertising product chain (including publishers, media agencies/centers, web monitoring service providers, etc.). This makes it possible to address profiled advertising to each user.

This is why cookies are considered the key tool in online advertising. However, while first-party cookies are most commonly used by web page owners to save details such as user passwords to facilitate future access to their accounts, third-party cookies are primarily used for advertising targeted. Therefore, for advertising purposes, the specific consent of website visitors is required.

In order to better clarify the practicalities of obtaining such approval, many European data protection authorities have published specific guidelines on cookies and other tracking technologies, finally the Irish Data Protection Commission and the Belgian Data Protection Authority (you can find the full text of their guidelines here and here). For example, the Italian Data Protection Authority (“Garante per la protezione dei dati personali”,Guarantee”), on its guidance on “Simplified ways to provide information and obtain consent regarding cookies” published in 2014 (see the full text here, also available in French), clarified that the website owner (publisher) , allowing the placement of third-party cookies for marketing and profiling purposes, although it acts as a technical intermediary between third parties and users have a duty to obtain user consent and refer in its cookies policy to third parties.

End of an era for Internet advertisements?

For many years, third-party cookies have been the cornerstone of Internet advertising. However, significant changes may occur. In fact, Google recently announced that it will be phasing them out of the Chrome browser. Following this statement, Apple announcement On March 24, 2020, a major system update for iOS Intelligent Tracking Prevention (ITP). This feature allows Safari to block the installation of all kinds of third-party cookies. Thanks to the new update, Safari now promotes a default setting capable of preventing any advertiser or website from tracking users across the Internet through common tracking technologies. It will be important to study how these new features work and what additional clarifications will be provided.

In light of the above, in order to address any losses the online advertising industry may suffer from the phasing out of third-party cookies, the Interactive Advertising Bureau (IAB) has announced the launch of Project ReArc at the occasion of its Annual Leadership Meeting. The initiative aims to mitigate the negative consequences of the loss of third-party cookies by enabling targeted advertising via an identifier directly manageable by users. However, the IAB has clarified that it will not pursue the creation of a universal identifier, but is committed to (i) collecting information on existing practices between first parties for the use of address identifiers provided , with their consent, by consumers, (ii) encourage the industry to work together to ensure responsible use of identifiers provided by consumers, while fully respecting their privacy, and (iii) develop technical standards and strict guidelines for companies collecting and using these identifiers.