NEWS7 July 2010

ICO urges easy opt-out of online tracking, but EU demands opt-in

Europe Government UK

UK— The Information Commissioner’s Office (ICO) has advised web publishers and advertisers to allow site visitors to easily opt-out of having their behaviour tracked amid concerns about how such data is being used to target advertising.

In the code of practice published today, the ICO – the UK’s data protection enforcer – also outlines its view that any information used to distinguish one online individual from another should be treated as personal data “even if no obvious identifiers, such as names or addresses, are held”.

However, the consumer’s right to access data held on them in the form of non-obvious identifiers is not as clear cut as it is for obvious identifiers, particularly as it relates to data like IP addresses or cookies which may not be tied directly to an individual but to a group of individuals using the same device.

“A record of our online activity can reveal our most personal interests,” said Information Commissioner Christopher Graham (pictured). “Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

While the ICO advocates the need for clear and straightforward ways of allowing consumers to opt out of online data collection, it says organisation are under no obligation to provide services to individuals who reject tracking in instances where the use of things like cookies are “strictly necessary for the provision of goods and services”.

Acknowledgement that a certain amount of online tracking is “strictly necessary” is also reflected in the European Union’s incoming ePrivacy Directive, meaning certain actions involving cookies can be completed without the consent of the web user. Elsewhere though, the EU rules require explicit opt-in – rather than opt-out – consent for the use of cookies, at least according to an opinion from EU privacy watchdogs the Article 29 Working Party.

There had been some confusion in the advertising industry over the wording of the directive and whether the requirement for consumers to give prior consent to the use of cookies could be taken from a simple reading of a web browser’s privacy settings.

Certainly, this was the view of advertising trade body IAB Europe which pointed to the legislation’s preamble as saying that “the control settings in a web browser such as Firefox, Internet Explorer, Chrome, Opera or Safari are sufficient to comply with the consent requirement”.

However, the Working Party opinion adopted last month stresses that websites and online advertising networks can only use cookies or similar tracking devices where users have given their informed consent – though advertising networks need only gain consent once to cover all sites where they are active.

Angela Mills Wade, executive director of the European Publishers Council, believes this to be “an overly strict interpretation of the ePrivacy directive”. The opinion is not legally binding but is likely to be relied on by European Union member states as they set about converting the requirements of the directive into national law before the May 2011 deadline.