Op-Ed: Maybe no consent needed for advertising under ePrivacy "cookie" rule?

Reading through the CNIL's new decision against Yahoo on cookies brings back to mind a question that has stuck with me for well over a decade: what is the exact reasoning that has led many EU-based authorities to say that advertising cookies/etc. are not strictly necessary for the provision of a service, and why does it persist?

More to the point, is there any way that these views can evolve - and if so, what might that lead to?

[I know this question may be unpopular in some circles, but it does need to be asked. As always, please feel free to share any thoughts in the comments, but please read the entire article first.]

In short:

? Behavioural advertising requires consent under the "cookie" rule, Art. 5(3) of the ePrivacy Directive, according to views of certain national regulators as well as the European Data Protection Board or EDPB

? However, the alternative regulators like to promote - contextual advertising - also requires consent according to recent positions of the EDPB and of some national regulators - while others disagree

? This legal uncertainty has been present for a while, but it is unhelpful, and the stricter positions raise the question of what is permitted as a business model

? There are ways to make this evolve (e.g. accepting that "attribution" and "frequency capping", two key aspects of digital advertising, do not require consent; taking a clear regulatory position on the "service" exemption), but regulators should in any event avoid dogmatism

With that in mind, let's dive in!

1. Looking back at the rules and initial guidance

By way of a reminder, the "cookie" rule - Article 5(3) of the ePrivacy Directive - says since a modification in 2009 that the "storage" of information or the "gaining of access" to information already stored on terminal equipment of a subscriber or user is subject to consent unless such storage/access is:

1. strictly necessary for the provision of an information society service explicitly requested by the subscriber or user (the "service" consent exemption), or

2. for the sole purpose of carrying out the transmission of a communication over an electronic communications network (the "transmission" consent exemption).

In Opinion 04/2012 on Cookie Consent Exemption , the Article 29 Working Party (WP29; the predecessor of the European Data Protection Board / EDPB) said the following:

"Third party cookies used for behavioural advertising are not exempted from consent as already highlighted in detail [...] in Opinion 2/2010 and Opinion 16/2011".

This was a bit of a stretch. While those other WP29 Opinions do "detail" how valid consent can be obtained in relation to notably advertising, they never explain why consent is the only option under Art. 5(3) ePD - let alone explain "in detail" why the "service" consent exemption might not apply. For instance, Opinion 2/2010 assumes consent is relevant but never excludes the "service" consent exemption. The same applies to Opinion 16/2011 .

In addition, this WP29 guidance presents certain problems today:

? The position on analytics (and first-party analytics in particular) in Opinion 04/2012 is not in line with more recent national guidance - as a result, one could ask what exactly the value is of that WP29 guidance today. By way of additional context, while WP29 said that first-party analytics cookies "are not likely to create a privacy risk" in certain cases, they explicitly said that "these cookies do not fall under the exemption". In the meantime, though, several authorities have taken the view that the exemption does apply [see note 1 below].

? The EDPB never formally endorsed those WP29 opinions, while it endorsed on 25 May 2018 a significant number of other documents adopted by WP29. In other words, the legal status of that old guidance is entirely uncertain.

? [Plus, Opinion 04/2012 document does not work nicely with the EDPB's new ePrivacy guidelines , as explained in two sets of comments to the EDPB to which we contributed in the context of a public consultation on those new ePrivacy guidelines (the IAB Europe comments , and a submission on behalf of clients notably in regulated sectors )]

In addition, today, some authorities accept that cookies can be used to manage the displaying of advertising without the need for consent (Traficom [see note 2 below], AEPD [3]), while others take a stricter view (e.g. CNIL [4]: even frequency capping requires consent).

These inconsistencies create uncertainty as to what position a given regulator or supervisory authority might adopt, both now and in a few years' time.

2. What is then strictly necessary for the provision of a service?

Ultimately, whether the exemption can be deemed to apply boils down to what constitutes the "provision of the service": you can look at it from a technical delivery perspective ("what is strictly needed in order to send the content to you after you have requested it?"), or you can take a broader, more contextual perspective ("what is strictly needed in order for the service provider to be able to make this service available to users such as yourself?").

Under the GDPR, the CJEU seems to have applied a strict approach in relation to the "contract" legal ground , and so did the EDPB in significant "binding decisions" regarding Meta that were reflected in decisions handed down by the Irish Data Protection Commissioner. For instance, in relation to both (a) service improvements fed by user interactions ([note 5 below]) and (b) behavioural advertising ([notes 6 & 7]), the EDPB suggests that there are “realistic, less intrusive” alternatives (e.g. consent-based user surveys, contextual advertising), such that the processing is not “necessary”. Whether the alternatives they mention are indeed realistic is open for discussion, though - and whether they are even relevant as an "alternative" is another matter (see below re contextual advertising).

The EDPB's approach in particular raises questions. Who gets to decide what is "realistic"? What if an approach is theoretically feasible but commercially undesirable, is it recognised as less realistic in practice compared to an approach involving an even slightly more intrusive processing activity? This is not a hypothetical example, as sometimes the slightly less intrusive processing activity may have significantly more limited profit margins. In that context, the EDPB’s reference to alternatives makes it highly unclear whether a regulator would ever allow a controller to choose the more profitable alternative.

In any event, these cases suggest that the EDPB and (some of) its members have a narrow view of the notion of “necessity for performance of a contract” and likely therefore also of the similar notion under Art. 5(3) of the ePrivacy Directive, i.e. “strict necessity for the provision of an information society service”.

In fact, their interpretation of the "service" consent exemption might be even narrower, considering the fact that Art. 5(3) ePD speaks of "strict" necessity. This is unlike the GDPR provision regarding the aforementioned "contract" legal ground (Art. 6(1)(b) of the GDPR), which only talks about what is "necessary" for performance (or conclusion) of a contract with the data subject - not what is "strictly necessary".

Case in point: contextual advertising was mentioned by the EDPB as an alternative to behavioural advertising in some of the aforementioned Meta-related decisions [see note 6 below] in which it examined the "contract" legal ground under the GDPR. Yet during the November 2023 IAPP Congress in Brussels, an EDPB representative publicly stated, in front of hundreds of privacy professionals in attendance, that ad attribution - which is a necessary part of any digital advertising (i.e. this concerns behavioural advertising but also contextual advertising) - would require consent under Art. 5(3) ePD.

This creates a difficult situation for businesses: while the EDPB might say out loud that it does not intend to dictate the use of any particular business models, its approach sends a message that in its view, only the aspects that are related to the actual transmission of content or technical delivery of the service to the user are “strictly necessary", ignoring all aspects that are in practice necessary in order to be in a position to offer such a service (for instance, financing, troubleshooting and service improvement).

As a result, there is legal uncertainty associated with reliance on the “service” justification.

Yet there are practical reasons for saying that "provision of the service" goes beyond pure technical delivery.

This is where anti-spam and anti-fraud come into play.

3. Anti-spam & anti-fraud: the first rung of the ladder towards a broader "service" consent exemption?

Even in WP29 Opinion 02/2012, the following could be exempt from consent:

"cookies set for the specific task of increasing the security of the service that has been explicitly requested by the user [...] for example [...] cookies used to detect repeated failed login attempts on a website, or other similar mechanisms designed to protect the login system from abuses"

Yet this is not technically needed to provide the service to that user - this is to prevent delivery to unauthorised/undesirable users.

Put differently, the members of WP29 appear to have accepted that the "provision of the service" includes "protecting the service provider against abuse of its services" and not just "being technically able to provide the service to a specific user". This clearly benefits the service provider but has no direct impact on the technical ability to deliver the service to that given user.

This therefore does not directly benefit the user itself but indirectly, given that without this protection the service provider would in general not be able to provide the service in the same manner (to protect itself in another way against fraud/bots, it might have to deploy additional measures server-side based on e.g. IP address detection, user agent analysis etc. [but oh wait, that's also covered by the EDPB's new ePrivacy guidelines , just like any cookie-based or cookieless solution - so also consent/service/transmission]).

Could the anti-spam/anti-fraud measures be justified on the basis of use for the sole purpose of transmission of an electronic communication? This is also unclear, given that this is precisely used to (again) prevent the transmission of a request for the service, not to actually transmit it. So legal uncertainty again, unless authorities were to accept a broad interpretation of the "transmission" consent exemption.

4. Consequences for other service components

Even if we were to try to argue that the "service" exemption only covers technical provision of the service and security components of the service, why then should service security (which has no direct impact on that given user's technical ability to receive the service but is in practice necessary to ensure that the service provider is able to provide the service in general and in the future to other users) be exempt from consent while advertising (which has no direct impact on that given user's technical ability to receive the service but is in practice necessary to ensure that the service provider is able to provide the service in general and in the future to other users) is not?

Like I mentioned in my previous Op-Ed on the "pay or consent" model ("Pay or data" has its reasons - even if you disagree ):

"Running a business has a cost, and each business decides how to recover that cost and make a profit. In practice, that can be done by asking customers to pay, or finding money another lawful way (e.g. through advertising)."

So without advertising, a service might not be provided at all.

Interestingly enough, the CNIL - i.e. the authority with the strict position on frequency capping - recognises the necessity of financing, as it exempts from consent cookies that enable pay-for-access websites to offer a limited free access to users for sampling / trials (e.g. X articles in total, or X per month) [see note 8]. If technologies such as cookies can be used without consent to provide access to ensure that compensation is provided in the right form, why not for advertising and e.g. frequency capping or attribution?

The above is clearly a simplification, but the point of this op-ed is not to provide a comprehensive legal argument in support of using the "service" consent exemption for advertising. Rather, I wish to raise the question of why this is so readily set aside.

[Anecdotally, in a couple of data protection cases before the Belgian Data Protection Authority's Litigation Chamber I did present legal arguments on this, but they never led to a decision in favour or against them because the Litigation Chamber adopted settlement decisions in those cases - i.e. no actual decision on the merits.]

5. Behavioural vs contextual ads & "service" consent exemption

"But you're oversimplifying - behavioural advertising is more intrusive than contextual and therefore cannot be strictly necessary", some might say. And the EDPB's position in those Meta-related cases might support such a view [see note 6 below].

However, taking the EDPB's comments at the IAPP Congress of November 2023 into account, this position is legally just as uncertain as the position regarding behavioural advertising.

Why?

Simply because there seems to be a general misunderstanding of how online advertising works - or at least how it can be viable.

Those talking about contextual advertising as the solution do not always make it clear that contextual advertising also involves the use of information that at one point stems from a device, in order to ensure notably that (i) a request for placement of an ad is sent to a server, (ii) the fact that an ad is shown is recorded [= "attribution"] and (iii) measures are taken to prevent the same ad from being shown too often [= "frequency capping"].

Attribution, for instance, is critical to ensure that the ad is viewed and clicked on by an actual user, not a bot; frequency capping helps to ensure that the ad - which is supposed to leave a positive impression or lead to a positive action - does not end up being negative because the ad keeps on appearing to a same user (for instance, multiple times on a same page). Without those features, even contextual advertising doesn't work well.

These are therefore not just convenience measures for the ad industry but also anti-fraud and validation measures. They help for instance to avoid the spamming of ad requests through the use of bot farms.

Yet looking at the regulatory positions mentioned above, frequency capping is explicitly mentioned by the CNIL as being non-necessary, and with the public comments by an EDPB representative during the IAPP Congress of November 2023, attribution would seem to require consent (i.e. is also viewed as non-necessary).

In other words, the argument that behavioural advertising (in practice, profile-based advertising) cannot be necessary because there is an alternative in the form of contextual advertising (= ads based on limited data) does not hold water, as contextual advertising is given the exact same treatment today, without any "realistic, less intrusive" alternative having been highlighted for contextual advertising. And that is before even considering whether contextual advertising is even a commercially realistic alternative in practice for a given website/app/digital property.

6. Real-time bidding vs the rest

Another counterargument that might arise is that the key concern isn't advertising in general but real-time bidding (RTB). RTB, that counterargument goes, is more intrusive and unnecessary, allegedly because it involves the sharing of personal data to hundreds or even thousands of entities.

Yet there are several factors that often seem to be overlooked in discussions regarding Art. 5(3) ePD and RTB.

First, the ePD is not the GDPR. If the key concern is related to personal data, then the ePD is not the most appropriate tool, as Art. 5(3) ePD concerns information in general, not just personal data.

Second, given the above considerations regarding strict necessity, any authority or regulating seeking to block RTB-powered profile-based advertising based on Art. 5(3) ePD because allegedly there are realistic, less intrusive alternatives has to first carry out that assessment of alternatives. As mentioned above, there may be cases where the alternatives are not realistic.

Third, I do not recall seeing any regulator's decision explaining why RTB-based profile-based advertising is in and of itself an activity that requires consent under Art. 5(3) ePD. Certainly, the WP29 consent exemption guidance does not talk about RTB.

In summary, RTB or no RTB, nothing in the ePD prevents a particular ad model, so a case-by-case assessment is needed.

7. DMA etc.

The above is obviously based purely on the ePrivacy Directive and, to a certain extent, the GDPR. However, there are other laws and regulations that need to be taken into account in relation to certain companies, sectors etc.

For instance, the Digital Markets Act (DMA) includes in its Article 5(2)(a) a prohibition for "gatekeepers" to "process, for the purpose of providing online advertising services, personal data of end users using services of third parties that make use of core platform services of the gatekeeper" without GDPR-compliant consent.

If that requirement applies to a specific company (there are only a handful so far), of course they will need consent under the DMA.

However, the DMA specifically limits this provision to the processing of personal data. This shows that even legal obligations to obtain consent for advertising know their limits. After all, if a person is visiting a digital property of a gatekeeper for the very first time and is not yet connected to his or her account, advertising information relating to that "not logged in" session might not (yet) be considered as personal data (unless there is linking of the information to the user account or another way to identify the user who is not yet logged in).

In other words: even if consent is legally required by other laws, it might not be required for everything. Why could the "service" consent exemption under the ePrivacy rules not apply?

8. Where could we go from here?

In my view, it is crucial for national regulators entrusted with enforcement of (national implementations of) Art. 5(3) ePD to ensure that they do not take any dogmatic positions. The ePrivacy Directive was never intended to forbid advertising as a business model, yet this is precisely the outcome to which current approaches of several authorities lead (if no one consents, what happens to an ad-funded service?). Perhaps it is time for regulators to start (re)examining in detail their own legal arguments in favour of their positions - and to clarify what would require consent, and why.

In addition, the EDPB should in my opinion (extensively) rethink its ePrivacy guidelines to take into account feedback from various sectors and organisations - notably (i) the feedback of IAB Europe and sister organisations , (ii) a submission we filed on behalf of clients notably in regulated sectors and (iii) the Centre for Information Policy Leadership (CIPL) 's response .

Furthermore, I would invite supervisory authorities under the GDPR (not always the same as Art. 5(3) ePD regulators!) to also be mindful of the broader consequences of adopting too strict an approach regarding the "contract" legal ground under the GDPR, precisely in order to ensure that where advertising is part of the "bargain" struck with the user ("user pays service provider by being an eyeball for ads"), for instance as part of a "pay or OK" / "pay or data" / "pay or consent" model (however you name it), there is sufficient legal certainty that this is an option that authorities will accept (subject to applicable conditions, such as the CJEU's requirement for an "appropriate fee").

This does not have to mean a Wild West where every form of digital advertising is permitted. There may be instances where necessity can be presumed not to be established. However, requiring consent for everything is not going to help the Internet or digital services (which may suffer financially) or the user (whose privacy is not necessarily helped - as pointed out in the EDPB consultation responses (1; 2) to which we contributed , asking consent for everything just turbocharges consent banners and decreases the interest in privacy-friendly alternatives).

So, back to you, dear reader: what justification would you bring forward, in favour or against the use of the "service" consent exemption for (certain forms of) advertising, and with what limits?

References:

[1] See e.g. CNIL [France], 15 September 2023, Cookies : solutions pour les outils de mesure d'audience ; AEPD [Spain], January 2024, Guía - Uso de cookies para herramientas de medición de audiencia , p. 2; Garante [Italy], 8 May 2014, Simplified Arrangements to Provide Information and Obtain Consent Regarding Cookies .

[2] Traficom, 8 June 2023, Sanoma Media Limited , pp. 39-40.

[3] AEPD, July 2023, Guía sobre el uso de las cookies , p. 12.

[4] CNIL, 17 September 2020, Délibération n° 2020-092 du portant adoption d’une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux ? cookies et autres traceurs ? , p. 4; see also CNIL, 29 December 2022, Délibération de la formation restreinte n°SAN-2022-027 concernant les sociétés TIKTOK INFORMATION TECHNOLOGIES UK LIMITED et TIKTOK TECHNOLOGY LIMITED , para. 55.

[5] Data Protection Commissioner [DPC; Ireland], Decision of 31 December 2022 inquiry IN-18-5-6 against WhatsApp Ireland Limited in respect of the WhatsApp Service. The DPC quotes the EDPB, which suggests the following: “instead of relying on all users' data for the purpose of service improvements, rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose”.

[6] DPC, Decision of 31 December 2022 in inquiry IN-18-5-5 against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Facebook Service. The DPC quotes the EDPB, which refers to the example of “contextual advertising based on geography, language and content, which do not involve intrusive measures such as profiling and tracking of users”, as well as to the circumstance that “in the past, Meta IE allowed Facebook users to choose between a chronological presentation and a personalised presentation of newsfeed content”.

[7] DPC, Decision of 31 December 2022 in inquiry IN-18-5-7 against Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) in respect of the Instagram Service.

[8] CNIL, 1 October 2020, Cookies et traceurs : que dit la loi ? .