I provvedimenti spiegati alle aziende
con guide, checklist, modelli; AI assisted
Osservatorio a cura del dott. V. Spataro 



   demo 2023-12-20 ·  NEW:   Appunta · Stampa · Cita: 'Doc 98160' · pdf

Voluntary simplification of managment consent and cookies edpb

abstract:



Documento annotato il 20.12.2023 Fonte: europa.eu
Link: https://edpb.europa.eu/system/files/2023-12/edpb_l




analisi:

L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni




index:




testo:

Eestimated reading time: 32 min European D ata Protection B oard Rue W i er tz, 6 0 1047 Brussels ...

 


Testo riservato. Per iscriversi:
all'Osservatorio - al Podcast (30 gg gratuito)

ime: 32 min European D ata Protection B oard Rue W i er tz, 6 0 1047 Brussels Anu Talus Chair of the European Data Protection Board Ms Ga l lego Di r ec tor ate -Gener al for Jus tice a nd Consumer s European Commission 1049 Brussels Brussels, 13 December 2023 by e -mail only Ref: OUT2023- 0098 S ubj ect: .... reply to the Commis s ion’ s Initiativ e for a v oluntary bus ines s pledge to s implify the management by cons umers of ....... and pers onalis ed adv ertis ing choices – DRAFT PRI NCI PLES (Ref. Ares(2023)6863760) Dear Ms Gallego, Thank you for your letter of 10 October 2023, reg arding the initiative for the voluntary cookie pledg e launched by Commissioner R eynders , and for requesting the ED PB ’ s views on the draft pledg e principles. The .... welcomes the Commission’ s init iative to g ather stakeholders and promote discussions and exchang es of views on the use of ....... and a ny ot her syst ems used for tracking users’ online navigation . The ED PB supports actions that aim at simplifying the manag ement by users 1 of ....... and personalised advertising choices and empowering users’ control over their personal data and privacy, in compliance with the GD PR 2 and ePrivacy Directive. 3 I n the view of the ED PB , the aim of the initiative should be to help protect the fundamental rig hts a nd freedoms of users, empower them to make effective choices, and provide a platform for stakeholders to exchang e views. While voluntary commitments may be a useful tool, the pledg ing principles should by no means be used to circumvent leg al oblig ations. I n addition, undertaking voluntary commitments does not equate or g uarantee compliance with the applicable data protection and ....... framework. They are without prejudice to the exercise of supervision and enforcement powers of competent national authorit ies, including authorities competent to supervise compliance with the national 1 References i n this l etter and i ts annex to “us ers” and “data subjects” are interchangeable. 2 OJ L 119, 4.5.2016, p. 1 –88. 3 OJ L 201, 31.7.2002, p.37, as amended by OJ L 337, 18.12.2009, p. 11 –36 . European D ata Protection B oard Rue W i er tz, 6 0 1047 Brussels implementation law(s) of the ePrivacy D irective and authorities competent to supervise compliance with the GD PR . 4 The ED PB understands from your letter that more work is needed to propose pledg e principles that would allow a majority of interested parties to adhere to them. For this reason, the ED PB considers it useful to draw your attention to relevant g uidance of the ED PB , and its predecessor the Article 29 Working Party, refe rred to in the Annex to this letter to inform your further work on the draft principles. The ED PB remains available to continue assisting you further in the development of these pledg e principles with a view to simplifying the manag ement by users of ....... and similar technologies and pers onalised advertising choices while empowering users, in full compliance with the GD PR and ePrivacy Directive . Yours sincerely , Anu Talus 4 The .... does not address any s pecificities of national i mplementa tion l aws of Arti cle 5(3) ePrivacy Directive i n thi s l etter . In addition, the .... notes that i t has not c onsulted national c ompetent a uthorities r esponsible for the s upervision of the nati onal i mplementation l aws of the ePri vacy Directive that a r e n o t a s u pervisory a uthor ity pursuant to Ar ti c le 5 1 GDPR. 1 AN NEX - FEEDBACK ON THE COOKIE PLEDGE DRAFT PRINCIPLES I n this Annex, the ED PB provides remarks to inform the further work on the draft principles. Where relevant, the EDPB’s remarks and analysis of certain draft principles is g rouped tog ether. The ED PB’s observations on any of the draft principles, or lack thereof, should not be understood as endorsement. I n addition, the ED PB ’ s feedback on the draft principles should not be understood as endorsement of the use of ....... for purposes of behavioural or personalised advertising , which may be hig hly intrusive and raise additional leg al issues, even if conducted in adherence with the principles. Supervisory authorities maintain the prerog a t ive t o a ssess individua l ca ses a nd exercise t heir powers if necessa ry. The ED PB t a kes t he view t ha t a ca se by ca se a na lysis rema ins necessa ry t o a ssess whet her access or storag e of information in terminal equipment and subsequent .......... of such infor mation is compliant with the ePrivacy D irective, as implemented in national laws, and with the GD PR . 1 GENERAL REMARKS The ED PB understands from the Commission’ s letter that the cookie pledg e voluntary initiative refers t o ....... a nd a ny ot her syst ems t r acking users’ online navig ation. Considering that the monitoring of online (and potentially offline) behaviour may take place via different tools, 1 the .... welcomes that the scope of the initiative is broader than ....... used for online behavioural or perso nalised advertising . 2 The ED PB shall therefore in its analysis refer to access and storag e of information in terminal equipment in accordance with Article 5(3) ePrivacy D irective, irrespective of the technolog y used to store or g ain access to that information. The ED PB shall in its feedback of the draft principles not analyse all requirements to obtain valid consent in accordance with Article 4(11) and 7 GD PR . I t would however like to hig hlig ht certain requirements for ....... for access and storag e of information in terminal equipment to be valid that do not seem to be reflected in the draft principles, namely: 1) data subjects must express their ....... with an affirmative action. For example, the mere continuation of browsing a website or the use of g eneral browser setting s allowing the use of cookies do not constitute consent; 2) where ....... is required, no access or storag e of information in terminal equipment must take place before valid ....... is obtained; and 3) data subjects must be able to withdraw their ....... .. ... ...., ........... ....... must be as easy as g iving consent, and data subjects must be informed of how to withdraw ....... when asked to g ive their consent. 1 See i n thi s r es pec t e.g. EDP B Gui del ines 2/2023 on Technical Scope of Art. 5( 3 ) of eP r i vac y Di rec tive , adopted on 14 November 2023; Article 29 Working Party O p inio n 9 /20 14 o n th e a p p licati on o f Di r ectiv e 2 0 02 /58/EC t o devi ce fi ngerprinting , adopted on 25 November 2014; and Article 29 Working Party Opinion 2/2010 on online behavi oural advertising, adopted o n 22 June 2010. 2 The .... recommends to clearly reflect the s cope i n the draft principles, which as currently drafted appear excl usively focussed on the us e of cooki es as s uch. Thi s i s the more perti nent cons idering technological devel opments and the ongoi ng discussion on the phasing out of thi rd party cookies. 2 Furthermore, the ED PB emphasiz es the information requirement. The information g iven to users on the access and storag e of information in terminal equipment and the .......... of personal data at the time ....... .. .... .., .. .. ......... .......... .. ...... .... . ..... ....... can be obtained. Finally, the .... also recalls the lex generalis – lex specialis relationship between the GD PR and Article 5(3) ePrivacy D irective, which the ED PB has explained in several Opinions and Guidelines. 3 2 DRAFT PRINCIPLE A A. The ....... ....... .... ... ....... ........... ..... ... .. -...... ......... ....... nor the reference to collection of data based on legitimate interest. As essential ....... do not require consent, not showing information about them in the context of the request for ....... will reduce the information that users need to read and understand. I n addition, leg itimate interest is not a g round for data .......... ..... .. ....... .(.) .. ... . ....... Directive so it should not be included in the cookie banner. Where applicable, the issue of subsequent .......... of data based on leg itimate interest should be explained in the ....... notice. 1) Information regarding ‘essential’ ....... The controller must, in accordance with Articles 12 -14 GDPR, inform the user of the .......... of personal data that is accessed or stored in terminal equipment. This requirement applies to access or storag e of information for purposes that do and do not require ....... under Article 5(3) ePrivacy Directive. The .... ......, ......., .... ........ ........... .. ... ... .. .. .... .. ....... .. ....... that are exempt from ....... under Article 5(3) ePrivacy D irective should be presented distinct from a ....... ....... (... ..... .... ........... ........ .. ... ....... request should be provided). The ED PB refers to the Guidelines on transparency under R eg ulation 2016/679 4 for further g uidance. Taking into account the above, the ED PB recommends clarifying in draft principle A that it remains necessary to provide users with information in accordance with Articles 12 -14 .... whenever personal data are processed, even if the access or storag e of information in terminal equipment does not require ....... ..... ....... .(.) ........ . ......... . .......... ..... ... .......... of personal data via the use of strictly necessary ....... could for example be accessible via a link on the first layer of the cookie banner, directing to the relevant section in the ....... policy, or the information could be provided on the second layer of the cookie banner, provided that the requirements of Articles 12 - 14 GD PR are complied with. 5 The ED PB notes that the notion of “essential cookies” used in draft principle A may be misunderstoo d to cover more purposes than the two narrowly defined purposes which are exempt from the oblig ation to obtain ....... pursuant to Article 5(3) ePrivacy D irective. As mentioned in the report of the Cookie 3 See for ex a mpl e EDP B Opi nion 5/2019 on the i nterplay between the ePri vacy Di rective and the GDPR, in parti cular regarding the competence, tasks and powers of data protection authorities , p a ragrap h 4 0 . See a l s o EDPB Gui del ines 01/2020 on .......... personal data in the context of connected vehicles and mobility related a ppl ications , a d o pte d on 9 March 2021, paragraph 14; and .... Report of the work undertaken by the Cookie Banner Taskforce , adopted on 17 January 2023, pa ragr aphs 1 -3 . 4 Ar ti c l e 2 9 W or king Party Guidelines on transparency under Regul ation 2016/679 , adopted on 29 November 2017, last Revised and Adopted on 11 April 2018. See also Ar ti cle 2 9 W o rking P a rty W o rking Do c umen t 2 /2013 provi ding guidance on obtaining ....... for cookies, adopted on 2 October 2013, p. 3. 5 In this regard, see also Article 29 Working Party Gui delines on trans parency under Regul ation 2016/679 , paragraph 27, regarding the ti mi ng for the provision of information. 3 B anner Taskforce, some controllers may incorrectly classify certain ....... ... .......... operations a s “essent ial” or “strictly necessary”, which would not be considered as such within the meaning of Article 5(3) ePrivacy Directive, or under GDPR. 6 The ED PB therefore recommends chang ing the term “essential” to “strictly necessary” within the meaning of Article 5(3 ) ePrivacy Directive. For more information on “strictly necessary” cookies, the ED PB refers to Opinion 04/2012 on Cookie ....... Exemption. 7 2) No reference to ‘to collection of data based on legitimate interest ’ The ED PB ag rees that users should not be presented with information ‘ referring to collection of data based on legitimate interest’ in the cookie banner, as this is not a valid leg al basis under the ePrivacy directive for access or storage of information (including collection of data) in terminal e quipment. 8 I n addition, the ED PB recalls that ....... under Article 6(1)(a) GD PR will g enerally be the most adequate legal basis for the .......... of personal data that takes places after access or storage thereof in terminal equipment based on ....... under Article 5(3) ePrivacy Directive. 9 To avoid misunderstanding , the ED PB recommends stating this in Principle A. 3 DRAFT PRINCIPLES B, C, AND D B. When content is financed at least partially by advertising it will be explained upfront when users access the website/app for the first time. From the moment a business obtains revenues either i) by exposing consumers to tracking -based advertising by collecting and using information about consumers’ online behaviour throug h trackers or ii) by selling to partners the rig ht to put trackers on consumer’ s devices throug h their website, the consumers need to be informed of the business model in question at least at the same time as when cookie ....... is required. Asking consumers to read complex cookie banners and only after they did not ....... confronting them with a “pay or leave” ultimatum, could be considered manipulative. C. Each business model will be presented in a succinct, clear and easy to choose manner. This will include clear explanations of the consequences of accepting or not -accepting trackers. Most ....... are used to implement a business model and therefore this concomitance should be e asily described, understood and implemented in one joint panel reg rouping the ag reements under consumer law and ....... under the e -Privacy/GD PR law. I n this panel, the business model options (i. e. accepting advertising based on tracking , accepting other t ypes of advertising or ag reeing to pay a fee) will be presented tog ether with the consequences in terms of the purpose of trackers, and this in plain and simple lang uag e. D. If tracking based advertising or paying a fee option are proposed, consumers will always have an additional choice of another less ....... intrusive form of advertising. 6 .... Repor t of the work undertaken by the Cookie Banner Taskforce , adopted on 17 January 2023, paragraph 26. 7 Ar ti c l e 2 9 W o rking P a rty O pin ion 0 4/2 012 o n C o o kie ....... .. ..... .. , ....... .. . .... ..... . .... Report of the work undertaken by the Cookie Banner Taskforce , adopted on 17 Ja nuar y 2023, paragraph 24. 9 See e.g. EDP B Gui del ines 0 1/20 20 on .......... per sonal data in the c ontex t of c onnec ted vehicl es and mobility rel a ted a pplications , adopted on 9 March 2021, paragraphs 14-15. See s i milarly a lso .... Rep o rt o f th e work undertak en by the Cookie Ba nner Taskfor ce , adopted on 17 January 2023, para.1 -2 . 4 I n view of the extremely limited number of consumers who accept to pay for online content of various sorts and as consumers may navig ate tens of different websites daily, asking consumers to pay does not appear a credible alternative to tracking their online behaviour for advertising purposes that would leg ally require to obtain consent. The ED PB supports the objective of draft principles to enhance transparency on the business models used by stakeholders and to promote advertising models that are less intrusive than behavioural advertising . However, the ED PB hig hlig hts that beyond the consumer perspective, special attention should be paid to the protection of the terminal equipment as provided for by Article 5 (3) ePrivacy Directive. D raft principles B -D relate to the provision of valid ....... under Article 5(3) ePrivacy Directive in conjunction with Article 4(11) and Article 7 GD PR , more in particular whether ....... is freely g iven and informed, and will therefore be discussed tog ether. With reg ard to valid consent, the ED PB Guidelines 05/2020 clarify that in order to determine whet her consent is freely g iven, it must be taken into account whether: i. there is any imbalance of power between the controller and data subject; 10 ii. ....... .. ..........., .. . . ....... ....... is “bundled” with acceptance of terms or conditions; 11 iii. ....... is g ra nular and is asked for each individual purpose; 12 and iv. it is possible to refuse or withdraw ....... without detriment.13 Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or sig nificant neg ative consequences (e. g . substantial extra costs) if they do not consent. ....... will not be free in cases where there is any element of compulsion, pressure or inability to exercise free will. 14 These elements must among others be ta k e n i n t o a c c o unt when ....... for access or storag e of information in terminal equipment used for tracking based a dvert ising is a sked. The ED PB also explained in Guidelines 05/2020 which elements of information are at a min imum required to obtain valid consent. 15 The ED PB ag rees with the concepts enshrined in principles B and C stating that the user must be provided with clear information at the moment ....... is soug ht. Moreover, the provided information about alternative models/services to the provision of ....... to the access or storag e of information in terminal equipment for advertising purposes may serve as a relevant factor when assessing whether ....... for access or storag e of information in terminal equipment is valid. At the same time, the ED PB notes that ‘ information on the business models’ could be understood in different ways and recalls that it may not substitute information oblig ations 10 .... ... ... .... ../.... .. ....... ..... ....... ... ..../... , ....... .. . ... ...., .......... ..-... .. .... ... ... .... ../.... .. ....... ..... .......... ..../... , . ... ... .. . ... ...., ......... ... .. .... ... ... .... ../.... .. ....... ..... .......... ..../... , ....... .. . ... ...., .. .... .... .. -... .. .... ... ... .... ../.... .. ....... ..... .......... ..../... , ....... .. . ... ...., ......... ... .. .. .. ... ... .... ../.... .. ....... ..... .......... ..../... , .. .... ... ... .. .... ... ....... ../.... .. ....... under Regulation 2016/679 , adopted on 4 May 2020, paragraph 64: i. the control ler’s identity; ii. the purpose of each of the .......... .......... ... ..... ....... is s ought; iii. what (type of) data wi ll be collected and used; iv. the ex i s tence of the r i ght to wi thdraw c onsent; v. i nfor mation about the us e of the data for automated decision -making in accordance wi th Article 22 (2)(c) wh ere r elevant; and vi. i nformation on the possible risks of data transfers due to absence of an adequacy decision and of appropriate s a feguar ds a s desc ribed i n Ar ti cle 4 6 . 5 reg arding access or storag e of information in the terminal equipment and on the .......... of personal dat a. The ED PB notes that a business model using contextual advertising is not mentioned in draft principle B as means for a business to obtain revenue. Such business model may involve the accessing or storing of information in terminal equipment and the pro cessing of personal data, althoug h g enerally much more limited than a business model that relies on the tracking of users and presenting them with behavioural or personalised advertising . The ED PB considers that just as for the business models currently re ferred to in draft principle B , users should be informed of a business model using contextual advertising at least at the same time as when they are requested for ....... for the use of cookies, and therefore recommends that the type of advertising used is explained clearly (e.g. behavioural or contextual advertising ). I n other words, the EPD B recommends to also make reference to contextual advertising in principle B . D raft principle C provides as alternative to advertising based on tracking “ accepting other types of advertising ”. D raft principle D refers to “ another less ....... ......... .... .. ........... ”. ... .... understands in this context that services that use the mentioned types/forms of advertising are not offered for a fee and recommends to exp licitly clarify this in the principles. The .... recommends adding to both draft principles (C and D ) a reference to contextual advertising as an example of another type/form of advertising , where such a business model is being operated. The .... recalls that controllers that are gatekeepers pursuant to the Digital Markets Act 16 must comply with the respective requirements regarding the offering of alternative services. Recital 36 of the D ig ital Markets Act provides that g atekeepers should enable users to f reely choose to ....... to the .......... of their personal data, by offering a less personalised but equivalent alternative. 17 R ecital 37 explains that, in principle, the less personalised alternative should not be different or of deg raded quality. 18 The .... notes that it cannot in abstracto assess whether the offering of a paid alternative to a service that involves tracking , mentioned in draft principles B -D , would ensure that a valid ....... could be obtained for any .......... for tracking of users fo r advertising purposes. When assessing whether consent is valid, the ED PB considers it among others relevant whether in addition to a service using tracking technolog y and a paid service, another type of service is offered , for example a service with a les s ....... intrusive form of advertising , such as contextual advertising , and whether the data subject is able to exercise a real choice . The European Court of Justice ruled in its judg ment of 4 July 2023 that in the specific circumstances it assessed, it must be possible for a user to refuse to g ive ....... without the user being oblig ed to refrain entirely from using the service. I t considered that tho se users are to be offered, if necessa ry for an appropriate fee, an equivalent alternative not accompanied by the data .......... operations in question. 19 This means that if users decide not to g ive any consent, only storag e and accessing 16 OJ L 265, 12.10.2022, p. 1 –66. 17 Rec i ta l 3 6 Digital Mar kets Ac t: “[t]o ensure that gatekeepers do not unfairly undermine the contestability of core platform services, gatekeepers should enable end users to freely choose to opt -in to such data .......... and sign- in practices by offering a less personalised but equivalent alternative, and wi th o ut ma k i ng th e u se of the core platform service or certain functionalities thereof conditional upon the end user’s ....... .” 18 Rec i ta l 37 Digital Mar kets Act: “ [t]he less personalised alternative should not be different or of degraded quality compared to the service provided to the end users who provide consent, unless a degradation of quality is a direct consequence of the gatekeeper not being able to process such personal data or signing in end users to a service. ” 19 Judgment of 4 Jul y 2023, Meta Platforms and others (General terms of us e of a s ocial network), C -252/21, ECLI:EU:C:2023:537, paragraph 150. 6 processes t ha t a r e exempted from ....... under Article 5(3) ePrivacy Directive may be carried out. The ED PB notes that the aforementioned analysis may differ depending on the circumstances of the ca se. Taking into account the above, the ED PB recommends that the draft principles reflect the need for a case by case analysis of whether ....... is freely g iven and valid, taking into account the different options provided to the user. For the sake of completeness, t he .... .... ....... .... ....... may serve multiple functions , beyond the implementation of a business model. The ED PB therefore recommends that the first sentence of draft principle C is amended to indicate that “cookie s may be used to implement a business model”. 4 DRAFT PRINCIPLE E E. ....... .. ....... for advertising purposes should not be necessary for every single tracker. For those interested, in a second layer, more information on the types of ....... used for advertising purposes should be given, with a possibility to make a m ore fine-grained selection. When users agree to receive advertising, it should be made clear to them at the same time how this is carried out and especially if cookies, including if relevant third -party cookies, are placed on their device. I t should not be necessary for them to check every single tracker. Indeed, this may request checking one to two thousand different partners, making the choice totally ineffective and either g iving an illusion of choice or discourag ing people to read further, leading the m t o press “a ccept a ll” or “refuse all” buttons. This principle should be without prejudice to stricter rules in other sectoral leg islation, such as the D MA. Draft principle E also relates to the requirements of valid consent. The .... recalls its Guidelin es 05/2020, as also mentioned in its feedback to draft principles B -D . More in particular, the ED PB points out that for ....... to be valid, it must be freely given , 20 and it must be specific. 21 The ED PB recommends explicitly confirming in the draft principles that individuals should be provided with the opportunity to “reject” all ....... that are not strictly necessary on the first layer of the banner. At a min imum, it should be clarified that if an “accept” (or “accept all”) button is presented on any lay er, then a “reject” (or “reject all”) button should also be presented as this would be an essential element in favour of the validity of consent. 22 Further, as discussed above, for ....... to be valid, the user must be informed among others about the ident ity of the controller that asks for ....... to access or store information in terminal equipment, which information it concerns, and for what purpose. 23 The ED PB ag rees that it is possible to ....... .. ....... for a specific advertising purpose without ne cessarily requiring users to separately ....... to every single tracker or partner on the first layer of a cookie banner, combined with the possibility for the user to make a more g ranular choice per 20 See a l s o .... Gu id elines 0 5/2 020 o n c o nsen t u n der Regu lation 2 01 6/679 , adopted on 4 May 2020, s ection 3 .1 . 21 See a l s o .... Gu id elines 0 5/2 020 o n c o nsen t u n der Regu lation 2 01 6/679 , adopted on 4 May 2020, s ection 3 .2 . 22 See a l so EDP B R eport of the work undertaken by the Cooki e Banner Taskforce , adopted on 17 January 2023, Type A P r a c ti ce – “No Rej ec t Button O n The Fi r st La yer ”. 23 .... ... ... .... ../.... .. ....... under Regulation 2016/679 , adopted on 4 May 2020, paragraph 64. 7 controller per specific purpose on the second layer. Com pliance with the GD PR requirements for valid consent of such set -up must be assessed taking into account among others Guidelines 05/2020, 24 t he Guidelines on transparency under R eg ulation 2016/679 25 and the Guidelines 03/2022. 26 Further, the specific circumst ances of the implementation are relevant. For example, the ED PB considers it unlikely that the use of a very larg e number of partners for a sing le purpose would meet the requirements of necessity and proportionality and ....... would therefore unlikely be valid. The ED PB , therefore, sug g ests to clarify that, in any case, ....... must be, in particular, informed and unambig uous, and that this may be more difficult to achieve if the number of partners is increasing . Further, the ED PB sug g ests specifying that the user, when asked for consent, should be provided with the identity of the actors that actually access/store information in the terminal equipment and/or with whom data is subsequently shared, if applicable, and should not be provided with a list of po tential a ct ors. 5 DRAFT PRINCIPLE F F. No separate ....... ... ....... used to manage the advertising model selected by the consumer (e.g. ....... to measure performance of a specific ad or to perform contextual advertising) will be required as the consumers have already expressed their choice to one of the business models. One reason of the cookie fatig ue is that all types of ....... are very often described in a leng thy and rather technical fashion that render an informed choice complex and cumbersome and de facto ineffective. Furthermore, from the moment the business model is made clear and ag reed by the consumer, the need of businesses to measure the performance of their advertising services can be deemed inextricably linked to the business model of advertising , to which the consumer has consented. Other ....... not strictly necessary for the delivery of the specific advertising service should still require a separate consent. As mentioned, according to data protection rules, ....... must be requested for a specific purpose of the .......... . .... ....... .... .. .... ....... ... ......., .. ..... .. ......... ..... .......... activities take place for the purpose. 27 Further, for ....... to be valid, purposes should not be combined. 28 I f a user consents to access or storag e of information in their terminal equipment for a well described advertising purpose, such purpose may concern technical .......... operations intrinsically linked to the advertising purpose, such as the use of ....... for frequency capping or measuring the effectiveness of ad campaig ns. Such technical .......... operations may involve access or storag e of information in terminal equipment. The users should be informed of such technical 24 .... ... ... .... ../.... .. ....... under Regulation 2016/679 , adopted on 4 May 2020. 25 Arti cle 29 Working Party Guidelines on transparency under Regulation 2016/679 , a do pted o n 2 9 No v ember 2017, l ast Revised and Adopted on 11 April 2018. 26 .... Gui del ines 0 3/2 022 on Dec eptive design patter ns i n s ocial medi a platform i nter faces: how to r ec ognise and avoid them , adopted on 14 February 2023. 27 Article 29 Working Party Opinion 03/2013 on purpose l i mitation , adopted on 2 Apri l 2013, p. 15 -1 6: “ The purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of .......... is and is not included within the specified purpose, and to allow that compliance with the law can be assessed and data protection safeguards applied. For these reasons, a purpose that is vague or general, such as for instance 'improving users' experience', 'marketing purposes', 'IT -secu rity p urp oses' o r 'futu re resea rch' will - without more detail - usually not meet the criteria of being ‘specific’ .” See a l s o Arti cle 29 Working Party Gui del ines on transparency under Regulation 2016/679 , adopted on 29 November 2017, l ast Revi sed and Adopted on 11 Apri l 2018, paragraph 12. 28 Reci ta l 32 GDPR: “ When the .......... ... ........ ........, ....... should be given for all of them .” 8 .......... .........., ... ....... .. ... ...... ..... .. ... ...... ....... .........., ... ....... to use of ....... ... ........ ........... ........ ..... ... ...... .. ..... .......... operations that are not strictly necessary for that purpose, such as the collection and use of email addresses of a website to send marketing emails. Th e ED PB also notes that draft principle F refers to a business model “ag reed” by the consumer and a model of advertising to which the consumer has “consented”. Under Article 5(3) ePrivacy D irective, consent is g iven to access or storag e of information (e. g . cookies) in the user’ s terminal equipment. The ED PB recog niz es that for an advertising business model, ....... may be used, and recommends for the sake of clarity clarifying the explanation to draft principle F, by referring to ....... for the use of ....... ... . ........ ..... .. ........... , .. ....... .. ....... to a model of advertising . 6 DRAFT PRINCIPLE G G. The consumer should not be asked to accept ....... in one year period of time since the last request. The cookie to record the consumer’s refus al is necessary to respect his/her choice. One major reason of the cookie fatig ue especially felt by the persons most interested in their ....... is that negative choices are not recorded and need to be repeated each time they visit a website or even every pag e of a website. R ecording such choice is indispensable for an efficient manag ement of a website and for respecting consumers’ choices. Furthermore, to reduce the cookie fatig ue, a reasonable period e. g . a year should be adopted before asking ag ain for consumers’ consent. The ED PB understands that the scope of draft principle G relates only to the recording of a user’ s refusal to, or withdrawal of, consent. The ED PB recommends clarifying the first sentence of the draft principle in this respect. The .... ...... .... .. .... ... ....... .., .. .......... .., ....... effective, it may be necessary to record the decision of the user for a certain period, in order to reduce the frequency of ....... request a user receives. The .... believes the propos ed period of one year to be adequate for this purpose. I n addition, draft principle G on the recording of “neg ative consent” requires further details to effectively implement it. I n particular, the ED PB recommend clarifying that the record of the “neg ativ e consent” relying on ....... should not contain a unique identifier, but should rather contain g eneric information, a flag or code, which is common to all users who have refused consent. The ED PB recalls that ....... ......... ... ....... .. ....... may be deleted by the user, or deleted due to a change of technical setting s, within the one -year period. I n such event, when the controller does not have access to the record of the ....... refusal anymore, the ED PB considers it reasonable to prompt the user w ith a new ....... request. The .... further recalls that gatekeepers subject to the Digital Markets Act are already subject to rules on the frequency of prompting users to g ive consent, who initially did not ....... or who withdrew their consent. 29 29 Rec i ta l 3 7 Di gital Markets Ac t: “ Gatekeepers should not design, organise or operate their online interfaces in a way that deceives, manipulates or otherwise materially distorts or impairs the ability of end users to freely give consent. In particular, gatekeepers should not be allowed to prompt end users more than once a year to give consent for the same .......... ....... .. ....... .. ..... .... ......... ... ... .... ....... or withdrew the ir consent.” 9 7 DRAFT PRINCIPLE H H. Signals from applications providing consumers with the possibility to record their cookie preferences in advance with at least the same principles as described above will be accepted. Consumers should have their say if they decide that they want to systematically refuse certain types of advertising models. They should be empowered to do this and ....... and data protection leg islation should not be used as an arg ument ag ainst such a choice provided the automated choice has been made consciously. The ED PB recog nises the abilities of software applications to empower users to protect their terminal equipment. The ED PB encourag es the employment of data protection by default or desig n in suc h applications. The ED PB believes that software setting s are a useful tool for users and supports the objective of draft principle H to enable users to express their choice to refuse any access or storag e of information in terminal equipment via such setti ngs. The .... believes that a pledge to respect the sig nals/setting s expressing a user’ s refusal, and to not still ask users for consent, could help to reduce cookie fatig ue. Conversely, the ED PB considers that caution is necessary when aiming to use soft ware settings to express affirmative consent. For ....... to be valid, users must make an active choice (i. e. a default “yes” would not constitute a valid consent), and it must among others be specific and informed, with reg ards to the specific context in which this ....... is g iven. The ED PB notes that it has not assessed yet any current use of sig nals from applications or software setting s reg arding the use of ....... that offer the g ranularity, specificity and information to ensure that ....... can be va lidly g iven in advance. Finally, the ED PB ag rees that ....... and data protection leg islation should not be used as an arg ument to not g ive effect to an individual’ s preference to systematically refuse certain types of advertising models.


Link: https://edpb.europa.eu/system/files/2023-12/edpb_l

Testo del 2023-12-20 Fonte: europa.eu




Commenta



i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.


Ricevi gli aggiornamenti su Voluntary simplification of managment consent and cookies edpb e gli altri post del sito:

Email: (gratis Info privacy)






Nota: il dizionario è aggiornato frequentemente con correzioni e giurisprudenza