Cookies (or similar technologies) are usually placed on an individual user’s device by either the website publisher or by an advertising network organisation (“ad network”) that is permitted by the website publisher to place cookie,  to collect data in order to build a profile of that individual user based on their online search history. This profile of the individual can be used to target them with advertising relevant to their preferences and interests. This is known as targeted advertising or online behavioural advertising (“OBA”).

The relevant provisions of the Privacy and Electronic Communications (EC Directive) Regulation 2003 (PECR 2003), which governs the position in the UK as to when and how a website publisher  can place a cookie on an individual user’s device states that a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the subscriber has given their consent, after being provided with “..clear and comprehensive information..” about the purposes of the storage of or access to that information.

Although many websites generally require prior consent from users as to the use of cookies, many website publishers and their ad network partners often seem to forget that much of the web browsing data collected by their cookies, such as the users personal details or IP address, qualifies as personal data under the General Data Protection Regulations (“the Regulation”). As such any personal data or any data capable of identifying an individual, collected by a cookie must be processed in accordance with the Regulation, and in particular in accordance with its principles of transparency, lawfulness, integrity and confidentiality.

From a transparency principle perspective, the Regulation requires that notice of the intended use or disclosure of any personal data by a data controller to any third parties must be provided to the data subject/website user. This is usually set out in website’s Privacy Policies, Cookie Policies and Terms of Use.

The Regulation also introduces the concept of profiling or automated decision making, which is relevant to the functioning of OBA. In essence, individuals now have the right to be informed about the existence of automated decision making and subject to certain exceptions, the right not to be subject to automated decision making or profiling.

However, the fact is many ad networks are active on multiple websites; collecting, using, storing, aggregating and then transferring huge amounts of data to each other and this is often not made clear to users, in violation of the Regulation and its principles. The net effect is that users may have no idea who is collecting, using or storing their personal and non-personal data and in many cases are not even aware that their data is being used to build profiles about them. If they are made aware of collection of personal data, it is presented as a positive, to enable the website publisher to provide the user with a more personalised service. This is potentially risky for users, because profiles are generated by mathematical and statistical modelling of the information collected about users and are not infallible. The results of such modelling can therefore potentially lead to inaccurate and/or misleading results about an individual.

In the new world of online privacy regulation, it is no longer enough to simply have policies in place, without operational compliance. To minimise their risk of non-compliance with the law website operators should as a minimum ensure that:

  • Prior to the processing of their personal data, users are notified about who is processing their personal data, how it is being processed, why and where it is being processed
  • With respect to the detailed profiling of website users and subscribers, website publisher and their ad network partners should be aware of the transparency requirements around automated decision making introduced by the Regulation as outlined above
  • Attention is paid to the rights of data subjects as enshrined in the Regulation so that it is possible, for example, for a website user to revoke permission to track their online behaviour by deleting cookies, including all personal data held on that cookie

​Further, where a joint controller relationship between the website publisher and an ad network could or does exist, the user must be made aware of the conditions of that collaboration. This not only allows the user to understand who is responsible for protecting their data, it is also beneficial for website publishers and their ad network partners to understand in the context of their commercial relationship which party is legally responsible for compliance with the relevant privacy regulations.