GDPR Cookies

Would you like some cookies – Why websites ask this?

This is a question that many computer users encounter daily. What does it mean, and why is it being asked?

It is part of the legal regulation of behavioral advertising[1] (OBA, online behavioral advertising). OBA is a quickly growing advertising tool that involves several parties: computer users, website owners, advertising network providers (Google, Amazon, etc.), distributors and browser makers (Firefox, Explorer, Chrome, Safari, etc.).

An individual’s browsing behavior (which websites the individual visits and which keywords he/she uses) makes it possible to determine that person’s economic and cultural identity. Information that expresses a person’s physical, intellectual, physiological, economic, cultural or social characteristics, relations and affiliations is personal data. Individual browsing behavior is therefore covered by the protection of personal data. The main rule of personal data protection is that processing may only take place once informed consent has been obtained. This is also the main reason why website owners and ad network providers ask for consent to install cookies.

In Europe, self-regulation of behavioral advertising is on the rise: rules have been developed in Finland, Germany, Great Britain, Italy and Switzerland, and new guidelines are being adopted in the near future in Greece, Ireland, Austria and the Netherlands. Self-regulation means that the legislator does not lay down the new standards; instead, the advertising industry agrees on its own rules. The IAB (Interactive Advertising Bureau), the organisation of web-marketing operators, has devised a good practice standard[2] for behavioral advertising. It has also published behavioral advertising recommendations for users[3]. For instance, the IAB has a principle that behavioral advertising is not applied to children under 13 years old. It is also prohibited to collect data about a person’s financial situation and health by means of behavioral advertising.

Compared with other European Union states, Estonia is in an exceptional situation. The Estonian legislator has not imposed legal standards on behavioral advertising, which is instead governed by general personal data protection principles. Nor has Estonia adopted self-regulation of behavioral advertising.

Should Estonia lay down standards for behavioral advertising, whether through legislation or self-regulation, it is necessary to take into account the following European Union data protection recommendations:

1) Website owners need to inform people that cookies installed by the website are used for profiling for behavioral advertising. So far, in Estonian legal practice this has been handled by placing the relevant rules in the website’s conditions of use. The European Union recommends displaying the warning directly on the browser screen.

2) Ad network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and to accept the subsequent monitoring of his/her surfing behavior for the purpose of sending him/her tailored advertising.

3) Ad network providers should ensure that individuals are told that information about their browsing behavior is being collected, and should inform them who is processing the data. This information should be provided periodically and continuously. The individual must also have an opportunity to easily refuse the processing of his/her information by the data controller.

4) In addition, ad network providers should enable individuals to exercise their rights of access, rectification and erasure. Individuals should also be informed in simple ways a) that the cookie will be used to create profiles; b) what type of information will be collected to build such profiles; c) that the profiles will be used to deliver targeted advertising; and d) that the cookie will enable the user’s identification across multiple web sites.

5) Advertising network providers need to introduce a symbol that is visible on all web sites where the monitoring takes place. This symbol would be very helpful not only to remind individuals of the monitoring but also to let them control whether they want to continue or revoke their consent.

Evidently, it is a matter of time before Estonian entrepreneurs need to accept the rules of behavioral advertising. Consequently, the question for the Estonian advertising industry is whether to create its own rules of behavioral advertising or wait for national intervention. Considering that other states’ advertising industries have chosen the self-regulation course, it is clearly reasonable for Estonian advertising organisations to put rules of behavioral advertising in place.


[1] Behavioral advertising is advertising that is based on the observation of the behavior of individuals over time. Behavioral advertising seeks to study the characteristics of this behavior through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their interests.

[2] http://www.iab.net/public_policy/self-reg

[3] http://www.youronlinechoices.com/ee/

[4] http://www.aboutads.info/
