
January 2011

Position paper on certifiability of online behavioural advertising systems according to EuroPriSe: Follow-up

EuroPriSe - European Privacy Seal
at the Unabhängiges Landeszentrum für Datenschutz (ULD)
Holstenstr. 98
24103 Kiel, Germany
E-mail: EuroPriSe@datenschutzzentrum.de
Website: www.european-privacy-seal.eu

All rights reserved. 2011, EuroPriSe/ULD

Content

Introduction ... 4
Current Situation ... 4
Recent Industry Approaches ... 5
(Draft) EASA Best Practice Recommendation ... 5
Further Approaches ... 7
EuroPriSe Requirements ... 8
Requirements for transparency of behavioural advertising systems (No. 1) ... 8
First steps towards implementation of opt-in mechanisms (No. 2) ... 10
Requirements that were developed under the former legal situation (No. 3) ... 11
Compliance of Industry Approaches with EuroPriSe Requirements ... 11
Duration of Transition Period / Validity of (Re)Certifications ... 14
Summary ... 15

Introduction

The European Privacy Seal (EuroPriSe) certifies compliance of IT products and IT-based services with EU data protection regulations. With the reform of Directive 2002/58/EC on privacy and electronic communications (hereafter, the "ePrivacy Directive"), the EuroPriSe criteria for certification had to be adapted to reflect the new requirements. The consequences deriving from the reform package are subject to general discussion and a transition period. The European Commission as well as the Article 29 Data Protection Working Party (WP 29) called on the industry to make concrete suggestions, especially concerning the transparent and consensual use of cookies deployed by online behavioural advertising (OBA) systems. OBA systems, among others, are subject to evaluation under the EuroPriSe certification scheme. EuroPriSe consequently engages in providing guidance for the transition period on the certifiability of online behavioural advertising systems.

In July 2010, a Position paper on the impact of the new Cookie Law on certifiability of behavioural advertising systems according to EuroPriSe was released.[1] The present paper serves as a follow-up to the earlier paper. It specifies EuroPriSe requirements for (re)certification of online behavioural advertising systems during the transition period[2] and assesses several industry approaches to providing notice and choice to users against these requirements. Finally, it specifies the conditions under which the transition period continues or (rather) ends and the impact of this on the validity of a EuroPriSe (re)certification.

Current Situation

In December 2009, the so-called Telecoms Reform Package was published in the Official Journal of the European Union. This package provides for a comprehensive reform of the regulatory framework of the EU telecommunication market. Inter alia, it comprises some amendments of the ePrivacy Directive. Member States shall adopt and publish the laws, regulations and administrative provisions necessary to comply with these amendments by May 25, 2011.[3]

Today's online behavioural advertising systems track users' surfing behaviour on a website or across several websites by means of (browser) cookies. The use of cookies is regulated by Article 5(3) of the ePrivacy Directive. This provision was amended by the Telecoms Reform Package to the effect that storing cookies and gaining access to cookies necessitates users' prior informed consent (so-called "informed opt-in").

[1] This paper is available at https://www.european-privacy-seal.eu/results/position-papers.
[2] Information about the transition period is provided on p. 5 of the earlier EuroPriSe Position Paper (see footnote 1).
[3] Details about the Telecoms Reform Package and the amendments of the ePrivacy Directive are provided on p. 6 ff. of the earlier EuroPriSe Position Paper (see footnote 1).

The Article 29 Working Party expressed its view on the interpretation of the amended legal situation: in June 2010, it adopted Opinion 2/2010 on online behavioural advertising.[4] In its opinion the Working Party called upon industry to put forward technical and other means to comply with the new legal framework and to exchange views with the Working Party regarding such means during a so-called discussion period.

Considering the findings of the Article 29 Working Party, EuroPriSe specified requirements for (re)certification of online behavioural advertising systems during a transition period.[5] (Re-)certification during this period is not made conditional on implementation of opt-in mechanisms that are fully in line with the new legal situation. Rather, the requirements concerning transparency of online behavioural advertising systems have been enhanced. However, applicants for a European Privacy Seal must nevertheless take first steps towards an implementation of opt-in mechanisms as required by the new legal situation. Specific information on the most relevant requirements is provided below.[6]

Recent Industry Approaches

In response to the imminent revision of applicable law in Europe and the US,[7] industry stakeholders took several new approaches and designed new tools providing users with enhanced notice and choice in respect of the use of their online surfing behaviour data for advertising purposes.

(Draft) EASA Best Practice Recommendation

In September 2010, European Commission Vice-President Kroes called for a self-regulatory approach to the implementation of the amended ePrivacy Directive on the storing and accessing of cookies and similar devices.[8] Responding to this call, stakeholders of the European OBA industry presented their plans for coordinated voluntary action at an EC roundtable on online behavioural advertising in Brussels in December 2010. These plans for a self-regulatory approach to OBA come in the form of a (Draft) EASA[9] Best Practice Recommendation (BPR) addressed to EASA Self-Regulatory Organisations (SROs) and industry members.

[4] Opinion 2/2010 is available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp171_en.pdf.
[5] See footnote 2.
[6] Cf. p. 8 ff. of this paper.
[7] The US Federal Trade Commission (FTC) proposes a framework for business and policymakers similar to the EU approach but calls for self-regulation: Protecting Consumer Privacy in an Era of Rapid Change, Preliminary FTC Staff Report, US Federal Trade Commission, December 2010.
[8] According to Vice-President Kroes, the industry framework should include at least four elements: effective transparency; appropriate ways for users to consent; user friendliness; and effective enforcement. See http://europa.eu/rapid/pressreleasesaction.do?reference=speech/10/452.
[9] European Advertising Standards Alliance. See http://www.easa-alliance.org.

The BPR is based on five core principles: notice; user choice; sensitive segmentation; compliance and enforcement; and review.[10] In short, these principles are addressed as follows:

Notice: Providers of OBA systems are required to make an enhanced notice available to users whenever they are processing data for OBA purposes on a website that is not operated by them. The enhanced notice shall provide the user with information about the identity of the company that is delivering the ad, about the fact that the ad is targeted based on previous web-viewing behaviour, and about the possibility to exercise a choice. This would introduce a common OBA icon across the EU, linking to comprehensible background information and mechanisms of control. It aims at creating a consistent experience for all users, together with regional and linguistic adaptation.

User Choice: Each provider of an OBA system should make available a user-friendly mechanism for web users to exercise their choice with respect to the collection and use of data for OBA purposes. This mechanism should be linked to the enhanced notice. Where a web user exercises his/her choice and objects to data processing for OBA purposes, OBA processes should no longer be used by the respective entity to facilitate the delivery of behavioural advertising to that user's browser. This mechanism would be introduced in the form of a "control cockpit"[11] that enables users to deactivate and reactivate behavioural advertising. Users would be able to exercise their choices in respect of different providers of OBA systems via this central platform.

Sensitive Segmentation: Providers of OBA systems should not create segments that are specifically designed to target children using online behavioural advertising, unless local applicable law permits such activity with consent and the company requires such consent to be obtained in accordance with such applicable law. Furthermore, if a company seeks to create or use OBA segments relying on the use of sensitive personal data as defined under Article 8(1) of Directive 95/46/EC, it must obtain a user's explicit consent, in accordance with applicable law, prior to engaging in OBA using that information.

Compliance and Enforcement: Effective mechanisms to ensure compliance with the BPR standard and to handle complaints are to be put in place. In particular, this would introduce a new procedure to measure compliance with the commitments of signatory companies and establish a system of enforcement and dispute resolution. Compliant companies would receive a periodically renewable B2B seal. Should a company fall behind and not remedy a significant breach of its obligations within a limited timeframe, the seal would be removed.

Review: The BPR standard will need to be regularly reviewed in response to changes in the IAB Europe OBA Framework and other related codes, as well as the development of OBA and business practices. It should be modified as appropriate.

[10] As part of the BPR, the Interactive Advertising Bureau (IAB) Europe is creating an OBA framework with the support of a wide range of industry stakeholders.
[11] www.youronlinechoices.com

Further Approaches

In October 2010, an industry group comprised of US media and marketing associations launched a self-regulatory program that aims at giving users a better understanding of and greater control over ads that are customised based on their online surfing behaviour.[12] In particular, the group promotes the use of a so-called Advertising Option Icon, to be displayed within or near online advertisements or on web pages where data is collected and used for online behavioural advertising purposes.[13] By clicking on it, users shall be able to link to relevant information as well as to an opt-out option.

The display of an icon and the words "Interest Based Ads" adjacent to an online advertisement has been suggested and piloted to test usability.[14] By clicking on the icon, users could access a widget providing them with information about online behavioural advertising and enabling them to decide whether they want to allow continued tracking or opt out of it.

Online behavioural advertising systems use information about users' online surfing behaviour to create interest categories that support them in choosing ads tailored to users' interests. Some companies developed tools that allow users to access and modify the interest categories that have been assigned to them.[15] More precisely, users are enabled to add and remove specific interest categories to / from their profiles (according to their real interests). Usually, these tools also allow users to opt out completely from the respective online behavioural advertising system.

Besides, all major browser vendors offer mechanisms to exercise control over online tracking (by means of HTTP cookies). In this regard, it is to be highlighted that Microsoft recently announced a feature for the newest version of its browser, Internet Explorer 9,[16] which would enable users to limit the ability of third-party companies to track their online surfing behaviour.[17] The new feature, called Tracking Protection, would build on lists generated by individuals or organisations. These lists would indicate websites that are (not) allowed to track users' online surfing behaviour. The tracking protection feature would be turned off by default.

[12] See the respective press release of the Interactive Advertising Bureau (IAB), which is available at http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-100410.
[13] See http://www.aboutads.info/.
[14] The pilot was conducted by TRUSTe, a US-based online privacy certification company. See the press release on the results of the pilot program, which is available at http://www.truste.com/about_truste/press-room/news_truste_pch_trustedads_results.html.
[15] E.g., Yahoo! Ad Interest Manager, http://info.yahoo.com/privacy/us/yahoo/opt_out/targeting/, and Google Ad Preferences, http://www.google.com/ads/preferences.
[16] IE9 will be released in 2011.
[17] See the respective entry in the IEBlog, which is available at http://blogs.msdn.com/b/ie/archive/2010/12/07/ie9-and-privacy-introducing-tracking-protectionv8.aspx.

EuroPriSe Requirements

Providers of OBA systems have been granted a transition period to put forward technical and other means in order to achieve compliance with the new legal situation. This results from the fact that the Article 29 Working Party announced the start of a discussion period in its Opinion 2/2010 and that Article 5(3) of the ePrivacy Directive is not directly applicable, but is to be transposed into national law by EU Member States.

In this section, the relevant requirements for (re)certification according to EuroPriSe during the transition period are explained. Three basic guidelines are followed:

1. Requirements for transparency of online behavioural advertising systems are enhanced. This concerns both the duty to inform users and the duty to enable users to exercise their right of access.
2. Providers of online behavioural advertising systems need to take first steps towards an implementation of opt-in mechanisms as required by the new legal situation.
3. The requirements that were developed under the former legal situation (e.g., waiver of sensitive categories) retain their validity and must be met.

Requirements for transparency of behavioural advertising systems (No. 1)

Providers of online behavioural advertising systems are required to cooperate with publishers in order to ensure that users are provided with easily accessible and highly visible information if they visit a website on which they are tracked for behavioural advertising purposes. They must inform users about all relevant aspects of the respective system (as is required by Article 5(3) of the ePrivacy Directive in connection with Article 10 of Directive 95/46/EC).[18] In particular, users must be provided with information about:

- the identity of the entity that is responsible for serving the tracking cookie;
- the fact that the cookie will be used to create profiles;
- the type of information that will be collected to build such profiles;
- the fact that the profiles will be used to deliver behavioural advertising;
- the fact that the cookie will enable users' identification across websites.

[18] Cf. EuroPriSe requirements 2.1.4.1 and 4.1.1.1 as well as requirement 1.2.2. The current version of the EuroPriSe Criteria (v 2010/11) is available at https://www.european-privacy-seal.eu/criteria/.

For the purpose of making their services transparent to users, OBA companies must provide for the measures listed below:

- An icon must be attached to or displayed within online ads that have been tailored according to the user's online surfing behaviour. This icon must be easy to recognise and is to be linked to information about online behavioural advertising (as specified below) as well as to a tool enabling users to opt out from being tracked.
  o By clicking on the icon, users must be enabled to access detailed information about the functionality of online behavioural advertising. The basic concept of this advertising method must be explained to users in a readily comprehensible manner. Users must also be enabled to access detailed information about all relevant aspects of the respective online behavioural advertising service (e.g., the identity of the entity that is responsible for serving the tracking cookies).
  o Comprehensibility should be enhanced by means of concrete examples such as "A visits website B [...]" as well as by providing not only textual information, but also information by means of images and/or videos. Furthermore, the information must not be buried in lengthy privacy policies, but is to be presented separately.
- In addition, users are to be informed by means of privacy policies in close click-proximity.
- Efficient measures must be taken that aim at ensuring that users are informed on the websites of publishers who make use of the respective online behavioural advertising system: As a minimum, meaningful privacy hints containing information on publishers' obligations resulting from the EU Data Protection Directives should be handed over to customers who qualify as publishers. Preferably, these customers should be obliged by means of contractual clauses (including the stipulation of contractual penalties) to provide relevant information on their websites.
- Users must be enabled to exercise their right of access (Article 12(a) of Directive 95/46/EC[19]): They must be given the possibility to access the interest categories in which they have been classified. Preferably, users should also be enabled to modify these interest categories (i.e. to (de)select specific categories).

Some behavioural advertising companies might strive for outstanding transparency in order to prove particular excellence of their services. These providers should consider implementing additional transparency measures. An example would be regular notification of users about the fact that they are tracked by means of third-party cookies: such notifications should contain information on how to opt out from being tracked and they should be provided by means of a pop-up window or a similar tool.

[19] Cf. EuroPriSe requirement 4.1.2.

First steps towards implementation of opt-in mechanisms (No. 2)

The icon to be attached to or displayed within online ads must be linked to a tool enabling users to opt out easily from being tracked. In this regard, behavioural advertising companies applying for a European Privacy Seal should strive to implement tools that respect users' choices even when cookies, including opt-out cookies, are deleted.

However, as the long-term objective is the implementation of opt-in mechanisms as required by Article 5(3) of the ePrivacy Directive,[20] (merely) increasing the transparency of behavioural advertising systems and enabling users to opt out from being tracked is not sufficient to successfully pass (re)certification during the transition period. Rather, online behavioural advertising companies applying for a European Privacy Seal must prove that they have already taken some (first) steps towards implementation of opt-in mechanisms. In practical terms, this means that a mechanism to obtain users' consent must have been implemented. However, applicants are only required to prove that they offer opt-in mechanisms and have already gained (or, for pioneering companies, are in the process of gaining) some experience with obtaining users' (opt-in) consent in order to identify suitable means for compliance with the new legal situation. Thus, for the purpose of this interim solution, it is not necessary that users' consent is actually obtained on each initial setting of a cookie as required by Article 5(3) of the ePrivacy Directive. Rather, it is sufficient if users are informed about the possibility to opt in in a visible manner and are enabled to easily express their consent.

Online behavioural advertising companies may choose between different measures to ensure compliance with this requirement. One suitable measure is to enhance already existing tools enabling users to opt out from being tracked. These tools may be extended by an additional functionality allowing users to explicitly opt in to being tracked. Providers of online behavioural advertising systems making use of a suitable tool to collect users' opt-in must be able to distinguish users who have explicitly opted in from those who are tracked but have not made any choice yet. This may be achieved, e.g., by utilising specific opt-in cookies.[21] Preferably, users should not only be enabled to explicitly opt in to being tracked, but they should also be given the possibility to opt in on a fine-granular basis by modifying the interest categories that have been assigned to them.[22]

Providers of online behavioural advertising systems may choose to implement measures providing for regular notification of users. These notifications should not only contain information on how to opt out from being tracked, but also on how to explicitly opt in to it.

[20] Cf. EuroPriSe requirement 2.1.4.1.
[21] It may be justifiable to provide these cookies with a longer lifetime than ordinary tracking cookies that are stored on the terminals of users who are tracked but have not made any choice yet.
[22] See footnote 15. This is not a mandatory requirement, but optional only.
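As an added illustration (example code, not from the position paper or from EuroPriSe), the cookie-state logic an opt-out tool extended with an opt-in function needs: it keeps users who explicitly opted in, users who opted out and users who have made no choice yet apart by means of separate choice cookies, gives the choice cookies a longer lifetime than the tracking cookie (footnote 21), and switches between the transition-period rule (no-choice users may still be tracked) and a strict Article 5(3) rule (only an explicit opt-in permits tracking). Cookie names, lifetimes and the dict-based request format are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple

# Cookie names and lifetimes are assumptions for this example; a real OBA
# provider would use its own names and justify its own retention periods.
OPTIN_COOKIE = "oba_optin"      # present only after an explicit opt-in
OPTOUT_COOKIE = "oba_optout"    # present after the user objected to tracking
TRACKING_COOKIE = "oba_uid"     # the profiling cookie itself

DAY = 86400
TRACKING_LIFETIME = 90 * DAY       # ordinary tracking cookie (assumed value)
CHOICE_LIFETIME = 5 * 365 * DAY    # choice cookies may live longer (footnote 21)


class Consent(Enum):
    OPTED_IN = "opted_in"
    OPTED_OUT = "opted_out"
    NO_CHOICE = "no_choice"


@dataclass
class Decision:
    state: Consent
    may_track: bool                                   # tracking cookie may be set / read
    set_cookies: List[Tuple[str, str, int]] = field(default_factory=list)  # (name, value, max_age)
    delete_cookies: List[str] = field(default_factory=list)


def consent_state(cookies: Dict[str, str]) -> Consent:
    """Derive the user's choice from the request cookies.
    The opt-out cookie always wins, so a stale opt-in cookie can never
    silently re-enable tracking after the user has objected."""
    if cookies.get(OPTOUT_COOKIE) == "1":
        return Consent.OPTED_OUT
    if cookies.get(OPTIN_COOKIE) == "1":
        return Consent.OPTED_IN
    return Consent.NO_CHOICE


def on_ad_request(cookies: Dict[str, str], strict_optin: bool = False) -> Decision:
    """Decide whether an ad request may use or set the tracking cookie.
    strict_optin=False models the transition period: users without a choice
    are still tracked (enhanced notice must be shown alongside the ad).
    strict_optin=True models Article 5(3) as transposed: only an explicit
    opt-in permits storing or reading the tracking cookie."""
    state = consent_state(cookies)
    d = Decision(state=state, may_track=False)
    if state is Consent.OPTED_OUT or (state is Consent.NO_CHOICE and strict_optin):
        d.delete_cookies.append(TRACKING_COOKIE)   # never keep a profile id without permission
        return d
    d.may_track = True
    if state is Consent.OPTED_IN:
        # refresh the long-lived opt-in cookie so the choice outlives the tracking cookie
        d.set_cookies.append((OPTIN_COOKIE, "1", CHOICE_LIFETIME))
    if TRACKING_COOKIE not in cookies:
        d.set_cookies.append((TRACKING_COOKIE, secrets.token_hex(8), TRACKING_LIFETIME))
    return d


def record_choice(choice: str) -> Decision:
    """Cookies to emit when the user acts in the opt-in / opt-out tool.
    Opting out also discards the profile cookie; opting in removes the
    opt-out marker, so the two states stay mutually exclusive."""
    if choice == "opt_in":
        return Decision(Consent.OPTED_IN, True,
                        [(OPTIN_COOKIE, "1", CHOICE_LIFETIME)], [OPTOUT_COOKIE])
    if choice == "opt_out":
        return Decision(Consent.OPTED_OUT, False,
                        [(OPTOUT_COOKIE, "1", CHOICE_LIFETIME)],
                        [OPTIN_COOKIE, TRACKING_COOKIE])
    raise ValueError("choice must be 'opt_in' or 'opt_out'")


if __name__ == "__main__":
    # constructed sample cookie jars for the three user populations
    samples = [("fresh visitor", {}),
               ("opted in", {OPTIN_COOKIE: "1", TRACKING_COOKIE: "ab12"}),
               ("opted out", {OPTOUT_COOKIE: "1", TRACKING_COOKIE: "ab12"}),
               ("stale opt-in after opt-out", {OPTIN_COOKIE: "1", OPTOUT_COOKIE: "1"})]
    for label, jar in samples:
        interim, strict = on_ad_request(jar), on_ad_request(jar, strict_optin=True)
        print(f"{label}: state={interim.state.value} "
              f"track(interim)={interim.may_track} track(strict)={strict.may_track}")
```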

Requirements that were developed under the former legal situation (No. 3)

The requirements that have been developed under the former legal situation retain their validity. In particular, the following requirements must be met:

- The lifetime of both user profiles and cookies must be limited and proportionate (Article 6(1)(c)+(e) of Directive 95/46/EC[23]), especially in respect of the categories deployed.
- It is guaranteed that the provider of the online behavioural advertising system cannot gain knowledge of users' IP addresses. This is to be ensured by means of an anonymisation service operated by an independent third party (Articles 6 and 7 of Directive 95/46/EC[24]).
- No use of sensitive categories for the creation of user profiles (Article 8 of Directive 95/46/EC[25]). Sensitive categories are, for instance, those that allow conclusions to be drawn on the political opinions or the health status of a person. In addition, providers of OBA systems must not create categories that are specifically designed to target children using online behavioural advertising.
- Users must be enabled to exercise their right of access (Article 12(a) of Directive 95/46/EC[26]). Preferably, users should be able to access all standard categories of the respective OBA system or (even) modify the categories that have been assigned to them.[27]
- Implementation of appropriate technical and organisational measures to protect personal data of users against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and against all other unlawful forms of processing (Article 17(1) of Directive 95/46/EC[28]).
- Existence of a legally compliant processing security agreement in respect of each processing of personal data by a processor on behalf of the controller that is related to the operation of the online behavioural advertising system (Article 17(2)-(4) of Directive 95/46/EC[29]).

Compliance of Industry Approaches with EuroPriSe Requirements

Current approaches of the OBA industry address some of the relevant EuroPriSe requirements. This is illustrated by the tables below:

[23] Cf. EuroPriSe requirements 2.2.4 and 2.3.2.
[24] Cf. EuroPriSe requirement 1.2.1.
[25] Cf. EuroPriSe requirements 1.1.2.2 and 2.1.2.
[26] Cf. EuroPriSe requirement 4.2.1 and the information above on page 9 of this paper.
[27] See footnote 15. This is not a mandatory requirement, but optional only.
[28] Cf. the requirements of Set 3 of the EuroPriSe Criteria (Technical-Organisational Measures).
[29] Cf. EuroPriSe requirement 2.4.1.

Online Behavioural Advertisement (I)

Columns: Relevant Legal Provisions / EuroPriSe Requirements (former legal situation) / EuroPriSe Requirements (new legal situation) / EuroPriSe Requirements (transitional period) / Self-Regulatory Approaches by OBA Industry Stakeholders (examples)

Row: Notice
- Relevant legal provision: Article 5(3) 2002/58/EC. Notice: clear and comprehensive information must be provided to the user (former and new legal situation).
- Former legal situation: Clear and comprehensive information about all relevant aspects in the website privacy policy. Close click-proximity of the website privacy policy.
- New legal situation: Clear and comprehensive information about all relevant aspects ex ante (ex ante = prior to the storage / reading of the cookie or similar device).
- Transitional period: Enhanced notice: icons attached to or displayed within ads. Icons must link to general information about OBA (text, images, videos) and to specific information about the respective OBA system. Information in website privacy policies. Measures ensuring information of users on publisher websites. Optional: regular notification of users.
- Self-regulatory approaches (examples): EASA BPR; DAA: Advertising Option Icon; TRUSTe: Interest Based Ads icon; eBay: AdChoice; EASA: www.youronlinechoices.com; DAA: www.aboutads.info (* refers to current seal holders).

Row: Choice
- Relevant legal provision: Article 5(3) 2002/58/EC. Choice: the user is offered the right to refuse (opt-out) (former legal situation); the user has given his or her consent (opt-in) (new legal situation).
- Former legal situation: Users are given the opportunity to opt out (e.g., users may opt out by means of opt-out cookies).
- New legal situation: Prior opt-in consent: specific, informed, freely given (EuroPriSe adheres to the interpretation of the Article 29 Working Party, WP 171).
- Transitional period: First steps towards opt-in: to be designed and implemented!!! Opt-out by means of opt-out cookies or by other means.
- Self-regulatory approaches (examples): EASA: www.youronlinechoices.com; DAA: www.aboutads.info; NAI: www.networkadvertising.org; TRUSTe: Trusted Ads Preferences; Microsoft IE9 ("Tracking Protection"); Mozilla Firefox ("Do Not Track"); Google Chrome ("Keep My Opt-Outs").

Online Behavioural Advertisement (II)

Columns: Relevant Legal Provisions / EuroPriSe Requirements (former legal situation) / EuroPriSe Requirements (new legal situation) / EuroPriSe Requirements (transitional period) / Self-Regulatory Approaches by OBA Industry Stakeholders (examples)

Row: Art. 6(1)(c)+(e) 95/46/EC
- Former, new and transitional: Lifetime of cookies and user profiles must be proportionate.
- Self-regulatory approaches (examples): none listed.

Row: Art. 6 + 7 95/46/EC
- Former, new and transitional: Anonymisation of users' IP addresses by means of an anonymisation service.
- Self-regulatory approaches (examples): none listed.

Row: Art. 8 95/46/EC
- Former, new and transitional: No use of categories relying on the use of sensitive personal data.
- Self-regulatory approaches (examples): EASA BPR.

Row: (no specific provision)
- Former, new and transitional: No use of categories that are specifically designed to target children.
- Self-regulatory approaches (examples): EASA BPR.

Row: Art. 12(1) 95/46/EC
- Former and new: Users must be enabled to exercise the right of access.
- Transitional: Users must be enabled to exercise the right of access via a user-friendly interface. Optional: users are enabled to access all standard categories of the respective OBA system or (even) modify the categories that have been assigned to them.
- Self-regulatory approaches (examples): www.google.com/ads/preferences; http://info.yahoo.com/privacy/us/yahoo/opt_out/tracking (both for the mandatory and the optional requirement).

Row: Art. 17(2)-(4) 95/46/EC
- Former, new and transitional: Legally compliant processing security agreement(s).
- Self-regulatory approaches (examples): none listed.

The tables show that the main challenge for providers of online behavioural advertising systems is to develop suitable opt-in mechanisms. Building on current industry implementations and approaches, all remaining mandatory EuroPriSe requirements are addressed. EuroPriSe is aware that providing the user-friendly access mechanisms specified above may be a particular challenge for OBA companies. Where requirements marked as optional are met, this indicates particular excellence of the OBA system in this respect and progress towards a fully compliant system. [30]

Duration of Transition Period / Validity of (Re-)Certifications

In its Opinion 2/2010, the Article 29 Working Party did not specify an end date for the discussion period. According to Article 4(1) of Directive 2009/136/EC, Article 5(3) of the ePrivacy Directive is to be transposed into national law by 25 May 2011. It is expected that national regulators will introduce further specific transitional regulations and deadlines.

In respect of (re)certification projects that are initiated and conducted during and after the transition period, the following applies: the interim EuroPriSe requirements specified for the transition period apply to all (re)certifications of OBA systems. However, since OBA systems qualify as IT-based services implemented by their providers, the applicable national law is to be considered within the framework of a EuroPriSe (re)certification. The applicable law is determined by Article 4 of Directive 95/46/EC. [31] Consequently, if a Member State has transposed Article 5(3) of the ePrivacy Directive into national law, whether before or after the end of the transition period, and that national law applies to a particular OBA system under EuroPriSe evaluation, the relevant provision(s) of the national law must be complied with. [32]

If the Article 29 Working Party communicates a different end date for the transition period, the period will be prolonged or ended accordingly. If the Article 29 Working Party ends the transition period or issues a follow-up to Opinion 2/2010, EuroPriSe will apply Article 5(3) of the ePrivacy Directive as interpreted by the Working Party from that date on, unless the provision is interpreted differently by the European Court of Justice (ECJ) or modifications of Article 5(3) are initiated at EU level.

[30] Note that a EuroPriSe certificate is granted only on condition that an IT product or IT-based service is rated as excellent in view of at least one applicable EuroPriSe requirement.
[31] Detailed guidance on the applicable national law is provided by the Article 29 Working Party in its Opinion 8/2010 on applicable law, adopted on 16 December 2010. The opinion is available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf.
[32] An overview of the national execution measures is available at http://eur-lex.europa.eu/lexuriserv/lexuriserv.do?uri=celex:72009l0136:en:not.

Summary

OBA systems, among others, are subject to evaluation under the EuroPriSe certification scheme. Today's online behavioural advertising systems track users' surfing behaviour on a website or across several websites by means of (browser) cookies. The use of cookies is regulated by Article 5(3) of the ePrivacy Directive. In December 2009, this provision was amended by the EU Telecoms Reform Package to the effect that storing cookies and gaining access to cookies requires the user's prior informed consent (so-called informed opt-in).

In response to the imminent revision of the applicable law in Europe and the US, industry stakeholders developed several new tools that provide users with enhanced notice and choice regarding the use of their online surfing behaviour data for advertising purposes. In particular, stakeholders of the European OBA industry presented their plans for coordinated voluntary action. These plans for a self-regulatory approach to OBA come in the form of a (draft) EASA Best Practice Recommendation (BPR) addressed to EASA Self-Regulatory Organisations (SROs) and industry members.

According to the Article 29 Working Party, the new legal situation requires OBA companies to switch from opt-out to opt-in solutions. The Working Party therefore called upon industry to put forward technical and other means to comply with the amended legal requirements and to exchange views with the Working Party during a discussion period. During this transition period, EuroPriSe applies interim requirements to (re)certifications of OBA systems. They are based on the following guidelines:

1. Requirements for the transparency of online behavioural advertising systems are enhanced. This concerns both the duty to inform users and the duty to enable users to exercise their right of access.
2. Providers of online behavioural advertising systems need to take first steps towards implementing opt-in mechanisms as required by the new legal situation.
3. The requirements that were developed under the former legal situation (e.g., waiver of sensitive categories) retain their validity and must be met.

Current approaches of the OBA industry already address some of the relevant EuroPriSe requirements. The main challenge for providers of online behavioural advertising systems consists in developing and implementing suitable opt-in mechanisms, or at least in making first steps towards them. Building on current industry implementations and approaches, the remaining EuroPriSe interim requirements can be met.

EuroPriSe will apply the interim EuroPriSe requirements before and after the end of the transition period to all (re)certifications of OBA systems unless
- national law specifies further requirements (if applicable),
- the Article 29 Working Party issues a follow-up to Opinion 2/2010,
- Article 5(3) is interpreted in another way by the European Court of Justice, or
- modifications of Article 5(3) are initiated at EU level.

EuroPriSe/ULD
EuroPriSe - European Privacy Seal at the Unabhängiges Landeszentrum für Datenschutz (ULD)
Holstenstr. 98
24103 Kiel
Germany
EuroPriSe@datenschutzzentrum.de
www.european-privacy-seal.eu