The EU’s consumer protection department presented draft pledging principles for the digital advertising industry as part of its initiative to phase out cookie banners; the principles include the provision of a third, less intrusive alternative to the pay-or-consent model.
In March, Euractiv revealed an initiative of the European Commission’s justice and consumer department to get the stakeholders of the online advertising industry to sign voluntary commitments meant to address the growing ‘cookie fatigue’.
The political driver of the initiative was Justice Commissioner Didier Reynders who suggested, in an interview with Euractiv last year, that the voluntary initiative might be a prelude to mandatory measures which might be included in a Digital Fairness Act in the next legislative mandate.
On Thursday (14 December), the Commission circulated revised draft principles together with the recommendations of the European Data Protection Board (EDPB), the body that gathers EU data protection authorities.
The draft principles, seen by Euractiv, will be presented at an assembly of the initiative on Monday, with signature expected early next year.
Consent layers
According to the EU General Data Protection Regulation, the EU data protection law, consent is one of the legal bases for processing personal data. Thus, cookie banners are the most common way websites collect consent for advertising purposes.
Potential signatories are asked to pledge that “the consent request will not contain information about the so-called essential cookies nor the reference to collection of data based on legitimate interest.”
The rationale is to limit the information users must process to what is strictly necessary to provide informed consent.
Another pledge the Commission is asking for states that “when content is financed at least partially by advertising it will be explained upfront when users access the website or app for the first time.”
The justification entails that when a business obtains advertising revenues because it exposes consumers to tracking-based advertising by using behavioural data or selling it to third parties, the users should be informed of this business model.
“Asking consumers to read complex cookie banners and only after they did not consent confronting them with a ‘pay or leave’ ultimatum, could be considered manipulative,” reads the explanation.
Business model
Building on the second principle, the third one indicates that “each business model will be presented in a succinct, clear and easy to choose manner. This will include clear explanations of the consequences of accepting or not-accepting trackers.”
Here, the Commission notes that, given the strict relationship between cookies and the business model, the information about both aspects should be presented concomitantly.
The fourth principle is perhaps the most important, as it mandates that “if tracking-based advertising or paying a fee option are proposed, consumers will always have an additional choice of another, less privacy intrusive, form of advertising.”
The reference is to the so-called ‘pay-or-consent’ model that Meta, the parent company of Facebook, has adopted following the invalidation of the ‘contract’ model. Meta’s new model is being challenged under data protection and consumer law.
The Commission argues that, since consumers navigate tens of different websites daily, only a few agree to pay for online content, so payment is not a credible alternative to tracking online behaviour.
The Board proposes explicitly mentioning contextual advertising as an alternative to tracking-based models.
In addition, the authorities referred to the Meta vs Bundeskartellamt verdict of the European Court of Justice, indicating that a case-by-case assessment is needed to determine whether offering a paid alternative means that users’ consent was freely given.
Multiple consent requests
“Consent to cookies for advertising purposes should not be necessary for every single tracker,” reads the fifth principle, adding that this information could be provided in a second layer.
Once again, this measure is meant to prevent users from being overwhelmed with a long list for each tracker, which discourages people from reading and gives the illusion of choice. However, this provision must be reconciled with other laws, like the Digital Markets Act.
For the EDPB, this principle should explicitly state that users should be able to ‘reject’ all cookies at the first layer of the cookie banner, along with the ‘accept’ option. Moreover, users should be told who will access the data.
The sixth pledge entails that “no separate consent for cookies used to manage the advertising model selected by the consumer […] will be required as the consumers have already expressed their choice to one of the business models.”
In this case, the Board notes that the users should be informed of the specific purpose of the data processing, but more granular information could be provided in the second layer.
Moreover, “the consumer should not be asked to accept cookies in one year time period since the last request. The cookie to record the consumer’s refusal is necessary to respect his/her choice”.
For the Commission, one of the main reasons behind cookie fatigue is that users are asked for their consent each time they visit the website. Thus, recording this choice is indispensable for respecting consumers’ choices and not asking again before a reasonable amount of time.
The EDPB noted that no unique identifier should be used to record the users’ rejections.
Similarly, applications like web browsers should allow consumers to record their cookie preferences in advance to refuse certain types of advertising models systematically.
In this regard, the Board stressed that users should make an active choice for consent to cookies to be considered valid, and it is not guaranteed that centralised solutions would fulfil this condition.
[Edited by Zoran Radosavljevic]