This is the question that many computer users are receiving daily. What does it mean and why is it being asked?
It is a part of behavioral advertising[1] (OBA – online behavioral advertising) legal regulation. OBA is a quickly growing advertising tool which participates several counter parties – computer users, website owners, advertisement network suppliers (Google, Amazon etc.), distributors and browser makers (Firefox, Explorer, Chrome, Safary etc.).
Individual browsing behavior (which websites an individual visits and which keywords he/she uses) allows to specify its economical and cultural identity. Information about a person, which expresses a person’s physical, intellectual, physiological, economical, cultural or social characteristics, relations and affiliations – is personal data. Thereby, individual browsing behavior is applied with the protection of personal data. The main rule of protecting personal data is that processing may only be effected when informed consent has been obtained. This is also the main reason, why website owners and ad network providers ask for an acceptance to install cookies.
In Europe the creation of behavioral advertising self-regulation has increased, for instance rules have been developed in Finland, Germany, Great Britain, Italy and Switzerland and in the near future the new directions are being accepted in Greece, Ireland, Austria and Netherlands. This is a self-regulation, which means that a legislator doesn’t lay down the new standards but the industry of advertisement agrees on their own game-rules. Web-marketing operator’s organisation IAB (The interactive Advertising Bureau) has devised a good practice standard[2] for behavioral advertising. Likewise, they have behavioral advertising recommendations for users[3]. For instance, IAB has a principle that behavioral advertising is not applied to children under 13 years old. It is also prohibited to collect data about persons’ financial situation and health by means of behavioral advertising.
In comparison with other European Union states, Estonia is in an exceptional situation. Estonian legislator has not imposed legal standards on behavioral advertising and it is being guided on general personal data protection principles. Also, Estonia has not validated self-regulation of behavioral advertising.
In case Estonia should lay down the standards of behavioral advertising, whether by legislator or self-regulation, it is necessary to take into account the following European Union data protection recommendations:
1) Website owners need to inform people, that installation of website cookies is being used to profile the behavioral advertising. So far, in Estonian legal practice it has been resolved in a way, where compatible rules are in website conditions of use. The European Union recommends to display the warning directly on the screen of the browser.
2) Ad network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of sending him tailored advertising.
3) Ad network providers should ensure that individuals are told that they are collecting information about their browsing behavior and inform them who is processing the data. This kind of informing should be periodical and continuous. Also, individual has to have an opportunity to easily refuse processing his/her information by data controller.
4) In addition, the ad network providers should enable individuals to exercise their rights of access and rectification and erasure. In addition, they should be informed in simple ways that a) the cookie will be used to create profiles; b) what type of information will be collected to build such profiles; c) the fact that the profiles will be used to deliver targeted advertising and d) the fact that the cookie will enable the user’s identification across multiple web sites.
5) Advertising network providers need to effectuate a symbol which should be visible in all the web sites where the monitoring takes place. This symbol would be very helpful not only to remind individuals of the monitoring but also to control whether they want to continue or revoke their consent.
Evidently, it is matter of time when Estonian entrepreneurs need to accept the rules of behavioral advertising. In consequence, for Estonian advertisement industry it is a problem, whether to create its own rules of behavioral advertising or wait for a national intervention. Taking into consideration that other state’s advertising industries have chosen self-regulation course, it is clearly reasonable for Estonian advertising organisations to effectuate rules of behavioral advertising.
[1] Behavioral advertising is advertising that is based on the observation of the behavior of individuals over time. Behavioral advertising seeks to study the characteristics of this behavior through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their interests.
[2] http://www.iab.net/public_policy/self-reg