
EU Privacy Law Demands Clear Consent for Online Tracking

A new legal analysis reveals that companies must obtain explicit user permission for behavioral advertising, challenging common opt-out practices and reshaping digital marketing rules.

AI Research
March 26, 2026

Online behavioral advertising, the practice of tracking users across websites to serve personalized ads, has long operated in a gray area of privacy law. But a detailed legal analysis argues that European data protection rules impose a stricter requirement than many companies acknowledge: unambiguous consent from users before their personal data can be processed for such targeting. This finding challenges the widespread use of opt-out systems and cookie banners that assume passive acceptance, potentially forcing a major shift in how digital advertising works in the EU.

The paper's central conclusion is that, in most cases, the only valid legal basis for processing personal data for behavioral targeting under EU law is the data subject's unambiguous consent. This means companies cannot rely on alternative justifications like the necessity for performing a contract or their own legitimate interests. For instance, the analysis notes that social media platforms or ad networks cannot claim tracking is necessary for a contract with users, as personalized ads are not essential to providing core services. Similarly, the legitimate interests provision, which allows some data processing if balanced against user rights, is generally unsuitable for cross-website tracking due to its invasive nature and the availability of less intrusive alternatives like contextual advertising.

Methodologically, the paper examines the interplay between two key EU directives: the Data Protection Directive and the e-Privacy Directive. It argues that article 5(3) of the e-Privacy Directive, often called the cookie provision, requires consent for storing or accessing information on a user's device but does not provide a legal basis for processing personal data. Instead, that legal basis must come from article 7 of the Data Protection Directive, which lists options like consent, contract necessity, or legitimate interests. The analysis systematically evaluates each potential legal basis, drawing on case law from the European Court of Justice and guidance from the Article 29 Working Party, an advisory body of data protection authorities.

The findings show that companies face a high bar for justifying behavioral targeting without consent. For example, the paper references the Working Party's 2014 opinion stating that necessity for performance of a contract is not an appropriate legal basis for such advertising. It also cites the European Court of Human Rights, which has affirmed that people have a reasonable expectation of privacy regarding their internet use, making it difficult for companies to argue their interests override user rights under the legitimate interests provision. The analysis further notes that even if companies could use an opt-out system for cookies under the e-Privacy Directive, they would still need unambiguous consent for personal data processing, as mere inactivity or default browser settings do not constitute valid consent under data protection law.

This has significant implications for both users and the digital economy. For users, it means clearer rights to control how their data is used for advertising, moving beyond vague cookie notices to more transparent consent mechanisms. For companies, it could require overhauling current practices, such as replacing opt-out systems with explicit opt-in requests and ensuring consent is specific, informed, and freely given. The paper also touches on future scenarios, like the Internet of Things, where devices like smart fridges or billboards with facial recognition might collect data for targeting, emphasizing that the same consent requirements would apply.

However, the analysis acknowledges limitations and ongoing debates. Enforcement of these rules is still in its infancy, with varying approaches across EU member states—for instance, the UK has been more accepting of opt-out systems, while the Netherlands requires active indications of wishes. The paper also notes that the proposed Data Protection Regulation could introduce nuances, such as allowing legitimate interests for behavioral targeting with pseudonymous data under certain conditions, though this remains contentious. Ultimately, the conclusion underscores that even if the e-Privacy Directive's cookie provision were abolished, companies would generally still need unambiguous consent for personal data processing in behavioral targeting, reshaping privacy norms in the digital age.

About the Author

Guilherme A.

Former dentist (MD) from Brazil, 41 years old, husband, and AI enthusiast. In 2020, he transitioned from a decade-long career in dentistry to pursue his passion for technology, entrepreneurship, and helping others grow.