Locations
The Court of Justice of the European Union (CJEU) has delivered three rulings of high importance to the advertising industry by interpreting certain provisions of the (now repealed) Data Protection Directive of 1995, the GDPR and/or the ePrivacy Directive. What practical lessons can we learn from these cases?
A joint analysis of the three decisions on the cases Wirtschaftakademie, Fashion ID and Planet49 is necessary to assess how today’s online advertising is impacted.
Wirtschaftakademie: joint controllership under the GDPR
Organisations running Fan Pages hosted on Facebook can obtain anonymous statistical data on their visitors. Such tools enable these organisations to define the criteria (e.g. demographics, centres of interests, occupation) according to which Facebook draws up these statistics, despite them not having access to the personal data itself or control over how Facebook uses it.
What the Court did clarify: An organisation that operates a Facebook Fan Page acts as a joint data controller with Facebook for the processing of its visitors’ personal data.
Practical implications:
- Joint controller arrangement: Companies running a Facebook Fan Page need to have an "arrangement" with Facebook to determine each of their respective obligations as joint controllers, in accordance with article 26 of the GDPR.
- Updates to Facebook terms of service: This means that Facebook will need to update its standard terms of service to provide for these joint controller obligations with Fan Page administrators – e.g. identifying who is responsible for providing transparency notices to data subjects and identifying a contact point that data subjects can contact to exercise their data protection rights. In fact, Facebook has already indicated it will do this – see here (note: this page is in German).
- Fan Page privacy policies: Facebook Fan Page administrators should also amend their own privacy policy to inform data subjects about the processing of their personal data when they visit the Fan Page, whether they are Facebook members or not. The administrator should make this privacy policy should easily accessible through the Fan Page.
- Wider impacts: More generally, website publishers may need to rethink their existing relationships with similar service providers who operate sites and collect analytics data for them. In light of the CJEU’s wide interpretation of the term, these providers might also be considered as "joint controllers".
What the Court did not clarify: Responding to the questions framed by the national court, the CJEU only applied the 1995 Directive. However, the underlying processing of personal data relating to Fan Page visitors involved Facebook cookies placed on their device. The CJEU did not consider how the ePrivacy Directive (which regulates the use of cookies) would apply in this context.
Furthermore, the CJEU was not asked whether to determine if the appropriate legal basis for this type of processing is the visitor's consent or the legitimate interest of the administrator and Facebook.
Fashion ID: Joint controllership under the GDPR
When a website embeds a social plugin, such as the Facebook "Like" button, personal data relating to its visitors is automatically transmitted to the social plugin provider, without the website publisher directly exercising control over the data collected. This can happen regardless of whether the user clicked on the plugin or if they hold an account with the social provider.
What the Court did clarify: A website publisher that embeds a social plugin acts as a joint data controller with the social plugin provider with respect to the collection and transmission of the personal data relating to its visitors (see our previous blog article). In addition, it falls on these website publishers to collect the visitor's consent – if consent is relied on as a legal basis for processing – as well as to inform visitors about the processing.
Practical implications:
- Joint controller arrangement: Website publishers embedding a social plugin will be joint controllers with the social provider. As above, this means they need a joint controllership "arrangement" with the social provider (similar to that already described above) and, in turn, this may mean the social plugin providers will need to update their terms of service to accommodate joint controller requirements.
- Privacy policy updates: Further, website publishers should amend their own privacy policy to inform data subjects about data collection and processing through social widgets. In particular, the purpose and legal basis of the processing as well as the personal data collected need to be provided.
What the Court did not clarify: Once again, the CJEU only interpreted the 1995 Directive, as it decided that the available facts were not sufficient to trigger the application of the ePrivacy Directive governing the use of cookies. It will therefore be up to the national court to determine whether the ePrivacy Directive is applicable to social plugins as well.
In addition, the Court limited itself to examining the legitimate interest pursued by each joint controller as well as visitor's consent as possible legal bases for the processing, without determining which one is more appropriate to rely on for the embedded social plugins.
Planet49: when ePrivacy (finally) kicks in
Before an Internet user was able to participate in a lottery by hitting the "participation" button, he or she had the option of ticking or unticking two checkboxes. The website publisher pre-ticked one of them, allowing advertising cookies to be placed on users' devices.
What the Court did clarify: "Active" consent is required for advertising cookies. Declining to deselect a pre-ticked box to refuse cookies does not amount to "active" consent. Website visitors need to be informed of the cookies lifespan and of the fact that third parties may have access to such cookies.
Practical implications:
- Affirmative opt-in for cookies: Opt-outs, soft opt-ins and more generally any type of "passive" behaviour, such as browsing a webpage or relying on the browser's confidentiality settings, are not acceptable in light of this ruling. Instead, affirmative, opt-in consent should be implemented, for example by using Consent Management Platforms (CMP) rather than simple cookie banners.
- Updates to cookie notices: Furthermore, website publishers should review all the cookies used on their website (whether first-party or third-party) to precisely determine their respective lifespan and identify the third parties that may have access to them. This information will need to be disclosed in the publishers' privacy notices.
What the Court did not clarify: The Court did not explicitly specify which entity was responsible to collect user consent (in the present case, the website publisher). In addition, the Court did not analyse the relationship between the website publisher and the provider of third-party cookies. As such, the Court only focused on the placement of cookies while not mentioning the subsequent data processing relying on cookies, such as disclosure of cookie information to third parties, data processing induced by real-time bidding operations. What is more, the Court did not explicitly hold that consent is the most appropriate legal ground within the meaning of article 6 of the GDPR to process the personal data collected through cookies: it applied the ePrivacy Directive which requires user consent for non-essential cookies without dwelling on the relationship between the GDPR and the ePrivacy Directive. Last but not least, the Court deliberately did not rule on whether consent to advertising cookies is 'freely given', within the meaning of the GDPR, where this constitutes a prerequisite for access to a service. In fact, the national court unfortunately did not raise any questions about cookie walls.
These rulings come at a time when a few Data Protection Authorities are examining complaints raised in the context of the advertising sector. The online advertising sector is also awaiting further soft-law guidance from the European Data Protection Board, which is planning to draft Guidelines on Targeting of social media users by 2020 and to update its previous guidelines on data controllers and data processors, while the Council is still negotiating the ePrivacy Regulation.