16 May 2014

CBP’s first cookie law investigation: YD violates privacy rules and telecommunication rules

CBP’s first cookie law investigation: YD Display Advertising Benelux violates Dutch privacy rules and telecommunication rules

The online advertising agency YD Display Advertising Benelux (YD) violates Dutch privacy and telecommunication rules by using personal data for the behavioural targeting of internet users without their consent. This is the conclusion of the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) after it investigated YD’s processing of personal data. The CBP found that YD places tracking cookies with visitors to their websites to show personalised advertisements. Although the cookie rules came into force in the Netherlands in early June 2012, they had not yet been enforced. This is the first time that the CBP has conducted an investigation into the placement of cookies. Companies (that have not yet done so) are advised to review their use of cookies and, where required, ask for the visitor’s prior consent.

Background

Under the Dutch Telecommunications Act (Telecommunicatiewet), cookies that are placed on, or read from, a website visitor’s computer require informed prior opt-in consent before being placed. The principle of informed prior consent does not apply to functional cookies, e.g. cookies that are used solely for facilitating the technical communication over a network or that are strictly necessary for providing a service requested by the website visitor. Cookies that are not exempt are, for example, social media plug-in cookies, third party advertising cookies and tracking cookies. If the placement of cookies also involves the processing of personal data, the Data Protection Act (Wet bescherming persoonsgegevens) additionally applies. Under the Data Protection Act, a legal basis for the processing of personal data is required, which is often found in the unambiguous consent of the visitor.

The CBP had also announced earlier this year that one of its priorities for 2014 was to focus on the profiling, tracking and tracing of internet users.

Findings

YD is an advertising agency acting as an intermediary between advertisers and websites for the placement of online advertisements. YD has its principal place of business in Amsterdam and is active in the Netherlands, Germany, Spain and France. YD promises advertisers a personalised approach to specific target groups.

The CBP found that YD places tracking cookies through websites of advertisers working together with YD, enabling YD and its network of advertisers to track the behaviour of visitors through multiple websites. With these tracking cookies, YD collects information about products or services that visitors view on these websites. YD retargets the visitors by showing personalised advertisements on other websites within its advertising network.

YD does not give visitors the opportunity to accept or decline the placement of tracking cookies, which violates the statutory consent requirements under the Data Protection Act and Telecommunications Act. Visitors are able to opt out of receiving personalised advertisements, but this is not sufficient to construe unambiguous consent. The CBP also found that the information YD provides to their visitors does not satisfy the notification requirements under the Data Protection Act.

The CBP notes that the violations would still exist even if the proposed amendment of the Telecommunications Act, currently before the Second Chamber of the Dutch parliament, were applied. The proposed amendment is aimed at easing the rules for analytics cookies. According to the CBP, the use of tracking cookies would also under the amendment require the user’s opt-in consent, due to the impact of these cookies on the privacy of the user.

Recommendation

With the increased risk of enforcement, companies are recommended to review the use of cookies on their websites and, where required, ask for the visitor’s prior consent.

The CBP’s press release and report are available here, in Dutch only.