The Cookie Jar

The ‘EU cookie directive’ and Behavioural advertising:

On 25th May 2011 the EU set a deadline for the individual member countries to enforce directive 2009/136/EC amending Directive 2002/58/EC on ‘the processing of personal data and the protection of privacy in the electronic communications sector.’ This is the well-known ‘cookie directive,’ which was largely misinterpreted by the media, creating a wave of concern among website owners.

Most EU countries including Spain still need time to update their legislation, but eventually this will be done throughout the EU.
Behavioural advertising

One of the objectives of directive 2009/136/EC was to curb the widespread practice of online behavioural advertising and its threat to privacy. This is explained in the EU document ‘Article 29 Data Protection Working Party – 2/2010 on online behavioural advertising.’

Behavioural advertising is based on tracking the online behaviour of individuals over time. The tracked data can include the history of visits to different sites, time spent on a page, interactions with ads, and text typed on the site. All of this is used to profile the user and offer advertisements tailored to match the individual’s behaviour.

Behavioural advertising can be illustrated with an example. Let us suppose that a user is visiting an online store and checks the price of several models of mobile phones.  A few days later the same user realises that most of the ads on the pages that he visits are related to telephone companies.

Behavioural advertising gives advertisers a very comprehensive picture of a user’s online life, including many of the websites and specific pages they have viewed, how long they viewed certain articles or items, in which order, and so on.
This is an intrusion into people’s privacy. EU directive 2009/136/EC simply wants to enforce an opt-in system for the collection of this type of information. Users have the right not only to know what data is collected about them and how it is used, but also to choose not to have that information collected.

How is behavioural advertising implemented?
To implement behavioural advertising, the advertiser needs to identify the user’s web browser across visits to every website affiliated with the advertiser network. This can be done in many ways, the most common being third-party cookies, local shared objects (Flash cookies) and HTML5 local storage. For a more technical explanation please refer to http://www.velascolawyers.com/cookies

After identifying the user, the advertiser can reliably collect usage data on the page that is running ads. Behavioural data is improved visit after visit and eventually correlated to a specific user when he gives his credentials by logging in to a site affiliated with the advertiser network. Even if cookies in a web browser are deleted, advertisers use a technique called ‘respawning’, which recreates third-party cookies from Flash cookies and HTML5 local storage.
Most disturbingly, advertiser networks join forces in order to share and resell user data.

Directive 2009/136/EC in Spain
Until Directive 2009/136/EC is enforced in Spain we cannot be 100% sure how this will affect websites of individuals in Spain or companies trading in Spain. Nevertheless it is only a matter of time, and we can already take a few precautionary measures.
What can you do if you own a website

If you want to run behavioural advertising or are collecting identifiable visitor data you will have to warn the website user and specifically ask for consent to store the data. You should include a privacy statement on your website (please refer to our article on privacy: Data protection laws in Spain http://www.velascolawyers.com/privacy).

If you are running ads on your website from advertiser networks (for example DoubleClick, ValueClick, Google AdSense…) check with the advertiser if the ads are sending third-party cookies or Flash cookies. If that is the case you should include an opt-in and opt-out mechanism for your end users, telling them exactly which information is collected and how it is going to be used.
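
As an added illustration (not part of the original article and not code from any advertiser network), the Python sketch below shows one way a site owner could review the responses loaded by a page and list the cookies scoped outside the visited site, marking the persistent ones that can identify a browser across visits. The page URL, hosts and Set-Cookie headers are constructed sample data, and `site_of` assumes a naive last-two-labels rule instead of the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed sample: (response URL, Set-Cookie headers) seen while loading one page.
PAGE = "https://shop.example/phones"
SAMPLE = [
    ("https://shop.example/phones", ["sid=a1; Path=/; HttpOnly"]),
    ("https://cdn.shop.example/app.js", ["pref=es; Max-Age=86400"]),
    ("https://ads.adnetwork.example/banner",
     ["uid=7f3c; Domain=.adnetwork.example; Max-Age=63072000; Path=/"]),
    ("https://px.tracker.example/p.gif", ["t=1; Path=/"]),
]

def site_of(host):
    # Assumption: the "site" is the last two labels; real audits need the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header):
    """Return (cookie name, dict of lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.partition("=")[0].strip(), attrs

def is_persistent(attrs):
    # Expires (date not checked here) or a positive Max-Age outlives the browser session.
    if "max-age" in attrs:
        return attrs["max-age"].lstrip("-").isdigit() and int(attrs["max-age"]) > 0
    return "expires" in attrs

def audit(page_url, responses):
    """List cookies whose scope lies outside the visited page's site."""
    page_site = site_of(urlsplit(page_url).hostname)
    findings = []
    for url, headers in responses:
        host = urlsplit(url).hostname
        for header in headers:
            name, attrs = parse_set_cookie(header)
            scope = attrs.get("domain", "").lstrip(".") or host
            if site_of(scope) != page_site:
                findings.append({"cookie": name, "set_by": host,
                                 "scope": scope, "persistent": is_persistent(attrs)})
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE, SAMPLE):
        print(finding)
```

Flash cookies and HTML5 local storage do not appear in Set-Cookie headers, so they have to be checked separately.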

If you are running a web analytics solution on your website, check the kind of information collected with the solution provider. With most common solutions like Google Analytics there shouldn’t be any need to add an opt-in mechanism as you are tracking visitors anonymously and in aggregate. You should nevertheless include a privacy statement on your site.
You can find an extended version of this article at http://www.velascolawyers.com/cookies

These are general guidelines and not definitive statements of law. All questions about the law’s applications should be directed to a Spanish lawyer.
