EU’s ePrivacy regulation is being subverted by publishers who want their “right” to use tracking cookies enshrined in law

Last year, Privacy News Online wrote about the important EU ePrivacy legislation. As that noted, it was moving through the EU’s legislative process slowly because of massive lobbying against the new law, which aims to regulate how metadata is gathered and used, and to limit how people are tracked online, for example using cookies. A year ago, there were already warning signs that one of the most important provisions was under threat. Article 10 of the original text reads as follows:

Software placed on the market permitting electronic communications, including the retrieval and presentation of information on the internet, shall offer the option to prevent third parties from storing information on the terminal equipment of an end-user or processing information already stored on that equipment.

It is a key part of the ePrivacy proposal, and would give people the right to refuse tracking cookies completely. However, back in 2018, the EU Presidency responsible at the time for overseeing the ePrivacy legislation, held by the government of Austria, wrote: “the Presidency would like to discuss with delegations the proposal to delete art. 10 and the respective recitals.” The latest draft of the ePrivacy regulation shows that Article 10 has indeed been deleted from the proposed text. The change represents a radical weakening of the new legislation, the result of massive lobbying by US Internet companies, and EU publishers. The latter have been particularly successful, because as well as that deletion, the draft text includes an important addition, first pointed out by the German digital rights site Netzpolitik.

In Recital 21, the original text laid down the limited situations in which cookies could be used without the consent of the user. These were for things like authorizing the storage of data that was “strictly necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end users.” It also included using cookies for the duration of a single session to keep track of input when filling in forms, or for measuring Web traffic. These are all very limited exceptions for purely technical reasons. However, the latest version of the text now includes another, very different exception:

In some cases the use of processing and storage capabilities of terminal equipment and the collection of information from end-users’ terminal equipment may also be necessary for providing an information society service, requested by the end-user, such as services provided to safeguard freedom of expression and information including for journalistic purposes, such as online newspaper or other press publications … that is wholly or mainly financed by advertising provided that, in addition, the end-user has been provided with clear, precise and user-friendly information about the purposes of cookies or similar techniques and has accepted such use”

The news industry has apparently persuaded the Presidency, now held by Finland, that online publications supported by ads should have permission to use cookies for commercial, as well as technical, purposes, enshrined in law. If Article 10 is deleted, then there is no obligation to allow users to refuse to accept those cookies. As a result, the current draft of the ePrivacy regulation would grant the news publishing industry a special legal privilege to try to force users to be tracked using cookies.

The industry has been arguing for this “right” for years. Back in 2017, a blog post on the Interactive Advertising Bureau (IAB) Europe site wrote: “During the roundtable [held at the European Parliament in June 2017], publishers reaffirmed the pivotal importance of advertising to their ability to create content.” They also claimed: “If interest-based advertising becomes either practically impossible or legally forbidden in Europe, global brands will not invest in inferior ad-products. Instead, they will take their advertising euros elsewhere – either to other media or other continents.”

That’s an absurd threat, since “other media” such as TV, radio and print all employ context-based advertising, rather than “interest-based” advertising, and yet they can still generate healthy profits. Context-based advertising has worked for them for a century, proving that micro-targeted ads are not necessary. Equally, companies wishing to reach 500 million EU citizens cannot do so by advertising in America or Australia, and so will not take their marketing euros to “other continents” as the IAB blog post claims.

“Interest-based advertising” is just a euphemism for surveillance-based advertising that tracks a user’s every move online by placing large numbers of cookies on sites around the Internet, and consolidating the information from them to create a detailed user profile. It is what digital publishers and others have been using for some years, largely because it is possible and cheap, and because the public was not aware that it was being carried out. Now that people are waking up to this privacy-hostile business model, resistance to handing over huge quantities of highly-personal data is increasing. As this blog noted last week, major Internet companies recognize this, and are considering banning micro-targeted “interest-based” advertising, at least for political purposes. Google has already done so. That is likely to be just the start as politicians wake up to the growing public discontentment with this approach, and to the benefits of espousing a position against them.

It’s worth noting that the industry granted a special exemption from the ePrivacy regulation – European publishers – is precisely the one that demanded and obtained the ridiculous “link tax” brought in by the awful EU Copyright Directive earlier this year. It’s further evidence that the EU publishing industry is determined to use its considerable lobbying power to help push through bad laws for its own selfish advantage, and regardless of the harm it causes to the online world and to people’s privacy.

Given how bad the draft text has become, perhaps it should come as no surprise that a key EU committee has just rejected it. That means either the entire initiative will be abandoned – which would be bad news – or that a new text must be drawn up. In the latter case, it is vital that there are no special rights for publishers to use tracking cookies, and that the regulation does what is supposed to do: protect people’s privacy online.

Featured image by Birgit Böllinger.