Online marketing and advertising - Cookies and trackers

Τhis material concerns aspects of E-privacy Directive (2002/58/ΕC) and its Greek transposition, Law 3471/2006. The aspects covered are the direct marketing related provisions, the tracking, targeted advertisement and cookies related requirements. ICT professionals should be aware of these requirements, as they complement and specialize GDPR provisions. They should be taken into account and when designing information society products and services.

At the end of the study, the reader is expected to:

• Understand the scope, goals and evolution of E-privacy legislation.
• Be aware of direct Marketing provisions and how to incorporate them into IT products and services.
• Familiarize with tracking and ad technologies and related provisions.
• Understand the requirements for cookies and relevant technologies consent mechanisms.

Key Messages

• E-Privacy assures the same level of protection of personal data and privacy for all users of communications services available to the public, regardless of the technologies.
• Legislation constantly amended to respond to technology changes.
• E-Privacy Regulation will replace E-Privacy Directive.

See relevant slides

Key Messages

• Phone marketing (non-automatic): Opt-out via telco providers “opt-out” registers.
• Marketing via Electronic messages (email, SMS, and messages in messaging platforms: Opt-in unless data obtained in the context of the sale of a product or service, and not opt-out at the collection.
• Opportunity to unsubscribe in every electronic message.
• Keep register of opt in/opt out user preferences.
• Avoid dark patterns in user preferences collection.

See relevant slides

Key Messages

• Tracking is widespread, behavioral ads ecosystem is quite complicated.
• Article 5(3) of EPrivacy, Article 4(5) of law 3471/2006 applies.
• Device fingerprinting is a tracking technique which also falls under Article 5(3) of EPrivacy, Article 4(5) of law 3471/2006.

See relevant slides

Key Messages

• Study and categorize the kind of cookies used with regards to purpose.
• Cases of cookies not requiring consent are very limited.
• Develop/Use an appropriate consent collection mechanism.
• Avoid “cookie walls”.
• Provide Information for all cookies.
• Collect different consents for different purposes.
• Consent through an active behavior with clear information and ease to withdraw consent.
• Ensure same number of actions foe users to accept/reject cookies.

See relevant slides

1. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications)
2. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
3. Law 3471/2006
4. Johnson, E.J., Bellman, S. & Lohse, G.L. Defaults, Framing and Privacy: Why Opting In-Opting Out Marketing Letters 13, 5–15 (2002)
5. Cover Your Tracks
6. HDPA cookies policy and settings
7. CNIL cookies management
8. WP29 Opinion 04/2012 on Cookie Consent Exemption
9. EDPB Guidelines 05/2020 on consent under Regulation 2016/679
10. Greek DPA issues guidelines on cookies and trackers
11. Press Release: Action of the Hellenic DPA on informational websites’ cookies