IAB Europe has issued guidance to EU-based publishers on ad blocking detection following reports that such detection without the consent of users is illegal under the ePrivacy Directive (better known as the “Cookie Directive”).
We believe that publishers should be allowed to ask for compensation for their work and choose the form of their business model, e.g. advertising funded, subscription based, or both. We also believe that publishers are entitled to take reasonable measures to ensure that their audiences understand the implicit deal that takes place when they view advertising funded content online. The deal being that users don’t have to pay for access to content in exchange for seeing advertising. We are convinced that EU privacy rules should not be interpreted as meaning that publishers are required to ask for permission from users before ascertaining whether the latter are indeed holding up their end of the bargain in this value exchange.
Nevertheless, to attenuate the risk that a publisher could be liable for breaching even an exceedingly strict interpretation of the directive, our guidance describes how user consent for ad blocking detection can be obtained. The guidance is intended to support publishers as long as the legal situation remains unclear. Our hope is that the forthcoming ePrivacy Directive review will lead to deletion of the relevant article in light of the recent adoption of the General Data Protection Regulation (Regulation (EU) 2016/679), thereby addressing the problem definitively.
Universal scope. Huge implications.
The ePrivacy Directive requires that storage or access of information on a user’s device only take place with the informed consent of the user concerned, irrespective of whether there is an impact on user privacy or not.
A strict interpretation of the law would mean that, in principle, a user’s consent is required for almost any provision of content or services over the internet. Even where information is not persistently stored on a device, but merely temporarily stored in the Random Access Memory (RAM) of a user’s device for real time processing of that information. It follows that any code, such as HTML or JavaScript, in principle, would require the user's consent before it may be legally executed.
Likewise, consent would be required when information stored on the device is accessed. This, according to some, includes information actively shared by the device itself, or even where a mere inference is made about the device.
As ad blocker detection requires both running JavaScript, and making an educated guess about (inferring) the presence of an ad blocker, some argue that this means that users must give their consent before ad blocker detection may take place.
IAB Europe questions such a strict interpretation, which would essentially regulate every single activity taking place over the Internet with huge implications for Europe’s digital economy.
Ad blocking detection should benefit from an exemption. Maybe.
The ePrivacy Directive provides for two narrow exceptions to this consent requirement:
Where one of these exemptions applies, storage and access do not require the informed consent of the user. The Article 29 Working Party, the group of all EU data protection authorities, has issued an opinion on the application of the ePrivacy Directive to device fingerprinting, and in it considers the applicability of the two exemptions to certain cases.
The group argues that ascertaining the technical capabilities of a browser, such as detecting which video formats are supported, does not require the consent of the user, considering it strictly necessary. Notably, the opinion states that “the media types supported by a browser are often the same amongst many other users utilizing the same browser version. Therefore, when processed in isolation, these non-unique information elements do not generally present a data protection risk.”
IAB Europe believes that the expansion of the notion of strict necessity to the above scenario is arbitrary but applies the law in a more practical way. The same practicality must be applied to ascertaining the technical capability of a browser to display ads, which form part of the content, to adapt the content displayed based on that knowledge. Failing to do so would mean that the regulator deliberately and arbitrarily discriminates in how the notion of strict necessity is defined to benefit users but not the services they visit -- even though inferring non-unique information such as the presence of an ad blocker would not present a data protection risk by the regulator’s own admission.
Clean up this mess. Please.
The ePrivacy Directive is under formal review at the moment. IAB Europe urges the European Commission to critically assess this provision and consider its repeal or alignment with the lawfulness of processing under general data protection law. Particularly in light of its potential universal scope and the arbitrary interpretation and enforcement it lends itself to, even where there is an objective lack of risk for user privacy.
Bonus trivia
The consent banner, which data protection authorities advise publishers to use to request and obtain consent for the use of cookies, is built on JavaScript, the running of which would require consent under the strict interpretation above. As there is no exemption for storage or access for the sole purpose of complying with legal obligations, and compliance with the law is not strictly necessary for technical delivery of a service, the same interpretation of the law would mean that a website is breaking the law by asking for consent without having already obtained consent.