EU Data Protection Law and Targeted Advertising: Consent and the Cookie Monster - Tracking the crumbs of online user behaviour

Author: Damian Clifford
Position: Researcher ICRI/CIR KU Leuven

This article provides a holistic legal analysis of the use of cookies in Online Behavioural Advertising. The current EU legislative framework is outlined in detail, and the legal obligations are examined. Consent and the debates surrounding its implementation form a large portion of the analysis. The article outlines the current difficulties associated with the reliance on this requirement as a...

EU Data Protection Law and Targeted Advertising
Consent and the Cookie Monster - Tracking the crumbs of online user behaviour
by Damian Clifford, Researcher ICRI/CIR KU Leuven*
Keywords: Data Protection, Targeted Advertising, E-Privacy Directive, Consent, EU Data Protection Framework
A. Introduction
The commercialisation of the internet has been
rapid. Ubiquitous technological development and
internet availability have propelled profits and the
value of information. Online Behavioural Advertising
(OBA) through the tracking of users has allowed for
the development of user-targeted campaigns. The
debates surrounding the legitimacy of this behaviour
have been contentious. Traditional legal principles
have struggled to come to terms with the rapid
proliferation of internet technologies. The rigidity of
the legal framework contrasts strongly with the fluid
and ever-changing IT sector. In essence, tracking
and the resulting profiling have become a key part
of the business model of many Web 2.0 services, but
the legality of this behaviour is still unclear.1
The aim of this analysis is to examine the use of
cookies in the tracking of users for the purposes of
targeted advertising. Certain restrictions regarding
the scope of this article should be acknowledged
from the outset. First, it will be restricted to
an examination of the use of cookies in OBA in
order to track and profile users. Accordingly, an
examination of the emerging use of technologies
and techniques such as Browser Fingerprinting,
Deep Packet Inspection and History Sniffing does
not come within the scope of this article. Further, the
article will not explore the legal issues around the
use of analytics systems which correlate various data
sources (including the cookie data) and, hence, the
Big Data elements of this topic. Although, in reality,
user proles in OBA contain data from various
sources in addition to cookies, this does not mitigate
the fact that the tracking and processing of cookie
data constitutes profiling in itself. The text will also
not outline the additional considerations necessary
for a holistic interpretation of the use of tracking
technologies on mobile devices. Finally, during the
assessment of the consent issue, the article will focus
on the general issues and concerns rather than the
particular debates specific to children (or others
who potentially lack capacity to consent). These are
issues which merit further analysis in themselves,
and to examine them here would not do justice to
the complex legal issues present. Nevertheless, at
times references to these matters and the further
obligations will be made.
Having narrowed the scope, it is now worth outlining
the focus of the research. The Article 29 Working
Party has noted that most advertising technologies
use some type of client side processing of users’
browsers or terminal equipment to track their
This processing refers to the accessing and
use of information stored on users’ computers. In
behavioural advertising, companies use software to
track user behaviour and to build personal profiles.
They do not refer to users by name but, instead, use
a single alphanumerical code that is placed on the
users’ computers. These codes are utilised to help
select the advertisements people see in addition to
the variety of products that are offered to them.3
These are known as ‘cookies,’ and they can provide
a detailed prole based on user behaviour, which can
be easily exploited for marketing purposes.
Cookies placed on users’ machines by the publisher
(website operator) are known as first-party
cookies and these, ‘are commonly used to store
information, e.g., user preferences, such as a login
name.’4 These ‘functional cookies’ are generally
exempt from the legal obligations under the Data
Protection framework unless they are also used
for tracking or proling purposes.5 However, there
are also what are known as third-party cookies.
These cookies originate from sources that may be
unconnected with the first-party cookie website
(e.g. an ad network) and are often used as a tracking
mechanism for advertising purposes.6 In the world
of AdExchanges, such as Google’s AdX, this issue
is complicated further given the complex array of
More importantly, reference to the term
‘cookie’ in this text comprises all variations,
including the more controversial ‘flash’ cookies (also
referred to as Locally Shared Objects). Although this
form of cookie has serious technical advantages over
the standard HTTP cookies (and has raised issues
regarding ‘respawning’), they are both placed
and accessed on the terminal equipment of users
and are fundamentally subject to the same legal
The article will analyse the applicable legal
framework, the legal requirements imposed by
this framework, the difficulties surrounding the
definition of consent, and the alternatives and
supplements to the current EU Data Protection
edifice. Reference will be made to the current EU
Data Protection framework in the form of the Data
Protection Directive and the E-Privacy Directive
(as amended). Specific attention will also be
given to the Data Protection reform package and,
more specifically, the proposed Data Protection
B. The scope of the EU Data Protection Framework - Behavioural Advertising
Data Protection is a distinctively European
innovation that has been received outside the
EU with varying degrees of success.9 The current
framework owes its origins to developments, such as
the 1980 OECD Guidelines on the Protection of Privacy
and Transborder Flows of Personal Data, the 1981
Council of Europe Convention on data protection,
and the 1990 UN guidelines.10 The adoption of such
provisions is hardly surprising given the historical
context in which the European supranational
cooperation originated.11 However, there are two
other factors which have proven decisive. First,
the ubiquitous development of technology and the
supranational challenges that this involves. Second,
the need to facilitate the free movement of personal
data within the Community and to resolve conflicts
arising from differing national regimes.12 Although
there have been clear technological advances which
have precipitated legal development, the core of
the EU framework has remained constant and the
essence of the data protection edifice has remained
This section of the analysis will
introduce the key instruments and examine their
scope in relation to OBA.
I. Data Protection as a Primary Source
Data protection is a complex issue that has
traditionally been associated with the concept
of privacy within the context of personal data
processing. However, as observed by Borghi et al.:
‘at least under EU law, privacy and data protection are distinct,
yet complementary, fundamental legal rights. They derive their
normative force from values that—although at times coincidental
and interacting in a variety of ways—may be conceptualized
This position has allowed data protection to
automatically trump other interests and gives it
a status that cannot be traded-off for economic
benets.15 The identication of data protection as a
key personal right of the citizens of the Union was
conrmed through the adoption of the Lisbon Treaty.
Article 39 TEU and Article 16 TFEU provide specic
provisions relating to data protection. Article 16, in

