IAB Europe has issued guidance to EU-based publishers on ad blocking detection following reports that such detection without the consent of users is illegal under the ePrivacy Directive (better known as the “Cookie Directive”).
We believe that publishers should be allowed to ask for compensation for their work and choose the form of their business model, e.g. advertising funded, subscription based, or both. We also believe that publishers are entitled to take reasonable measures to ensure that their audiences understand the implicit deal that takes place when they view advertising funded content online. The deal being that users don’t have to pay for access to content in exchange for seeing advertising. We are convinced that EU privacy rules should not be interpreted as meaning that publishers are required to ask for permission from users before ascertaining whether the latter are indeed holding up their end of the bargain in this value exchange.
Nevertheless, to attenuate the risk that a publisher could be liable for breaching even an exceedingly strict interpretation of the directive, our guidance describes how user consent for ad blocking detection can be obtained. The guidance is intended to support publishers as long as the legal situation remains unclear. Our hope is that the forthcoming ePrivacy Directive review will lead to deletion of the relevant article in light of the recent adoption of the General Data Protection Regulation (Regulation (EU) 2016/679), thereby addressing the problem definitively.
Universal scope. Huge implications.
The ePrivacy Directive requires that storage or access of information on a user’s device only take place with the informed consent of the user concerned, irrespective of whether there is an impact on user privacy or not.
Likewise, consent would be required when information stored on the device is accessed. This, according to some, includes information actively shared by the device itself, or even where a mere inference is made about the device.
IAB Europe questions such a strict interpretation, which would essentially regulate every single activity taking place over the Internet with huge implications for Europe’s digital economy.
Ad blocking detection should benefit from an exemption. Maybe.
The ePrivacy Directive provides for two narrow exceptions to this consent requirement:
Where one of these exemptions applies, storage and access do not require the informed consent of the user. The Article 29 Working Party, the group of all EU data protection authorities, has issued an opinion on the application of the ePrivacy Directive to device fingerprinting, and in it considers the applicability of the two exemptions to certain cases.
The group argues that ascertaining the technical capabilities of a browser, such as detecting which video formats are supported, does not require the consent of the user, considering it strictly necessary. Notably, the opinion states that “the media types supported by a browser are often the same amongst many other users utilizing the same browser version. Therefore, when processed in isolation, these non-unique information elements do not generally present a data protection risk.”
IAB Europe believes that the expansion of the notion of strict necessity to the above scenario is arbitrary but applies the law in a more practical way. The same practicality must be applied to ascertaining the technical capability of a browser to display ads, which form part of the content, to adapt the content displayed based on that knowledge. Failing to do so would mean that the regulator deliberately and arbitrarily discriminates in how the notion of strict necessity is defined to benefit users but not the services they visit -- even though inferring non-unique information such as the presence of an ad blocker would not present a data protection risk by the regulator’s own admission.
Clean up this mess. Please.
The ePrivacy Directive is under formal review at the moment. IAB Europe urges the European Commission to critically assess this provision and consider its repeal or alignment with the lawfulness of processing under general data protection law. Particularly in light of its potential universal scope and the arbitrary interpretation and enforcement it lends itself to, even where there is an objective lack of risk for user privacy.