GDPR Cookies

Would you like some cookies – Why websites ask this?

This is the question that many computer users are receiving daily. What does it mean and why is it being asked?

It is a part of behavioral advertising[1] (OBA – online behavioral advertising) legal regulation. OBA is a quickly growing advertising tool which participates several counter parties – computer users, website owners, advertisement network suppliers (Google, Amazon etc.), distributors and browser makers (Firefox, Explorer, Chrome, Safary etc.).

Individual browsing behavior (which websites an individual visits and which keywords he/she uses) allows to specify its economical and cultural identity. Information about a person, which expresses a person’s physical, intellectual, physiological, economical, cultural or social characteristics, relations and affiliations – is personal data. Thereby, individual browsing behavior is applied with the protection of personal data. The main rule of protecting personal data is that processing may only be effected when informed consent has been obtained. This is also the main reason, why website owners and ad network providers ask for an acceptance to install cookies.

In Europe the creation of behavioral advertising self-regulation has increased, for instance rules have been developed in Finland, Germany, Great Britain, Italy and Switzerland and in the near future the new directions are being accepted in Greece, Ireland, Austria and Netherlands. This is a self-regulation, which means that a legislator doesn’t lay down the new standards but the industry of advertisement agrees on their own game-rules. Web-marketing operator’s organisation IAB (The interactive Advertising Bureau) has devised a good practice standard[2] for behavioral advertising. Likewise, they have behavioral advertising recommendations for users[3]. For instance, IAB has a principle that behavioral advertising is not applied to children under 13 years old. It is also prohibited to collect data about persons’ financial situation and health by means of behavioral advertising.

In comparison with other European Union states, Estonia is in an exceptional situation. Estonian legislator has not imposed legal standards on behavioral advertising and it is being guided on general personal data protection principles. Also, Estonia has not validated self-regulation of behavioral advertising.

In case Estonia should lay down the standards of behavioral advertising, whether by legislator or self-regulation, it is necessary to take into account the following European Union data protection recommendations:

1)      Website owners need to inform people, that installation of website cookies is being used to profile the behavioral advertising. So far, in Estonian legal practice it has been resolved in a way, where compatible rules are in website conditions of use. The European Union recommends to display the warning directly on the screen of the browser.

2)      Ad network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of sending him tailored advertising.

3)      Ad network providers should ensure that individuals are told that they are collecting information about their browsing behavior and inform them who is processing the data. This kind of informing should be periodical and continuous. Also, individual has to have an opportunity to easily refuse processing his/her information by data controller.

4)      In addition, the ad network providers should enable individuals to exercise their rights of access and rectification and erasure. In addition, they should be informed in simple ways that a) the cookie will be used to create profiles; b) what type of information will be collected to build such profiles; c) the fact that the profiles will be used to deliver targeted advertising and d) the fact that the cookie will enable the user’s identification across multiple web sites.

5)      Advertising network providers need to effectuate a symbol which should be visible in all the web sites where the monitoring takes place. This symbol would be very helpful not only to remind individuals of the monitoring but also to control whether they want to continue or revoke their consent.

Evidently, it is matter of time when Estonian entrepreneurs need to accept the rules of behavioral advertising. In consequence, for Estonian advertisement industry it is a problem, whether to create its own rules of behavioral advertising or wait for a national intervention. Taking into consideration that other state’s advertising industries have chosen self-regulation course, it is clearly reasonable for Estonian advertising organisations to effectuate rules of behavioral advertising.


[1] Behavioral advertising is advertising that is based on the observation of the behavior of individuals over time. Behavioral advertising seeks to study the characteristics of this behavior through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their interests.

[2] http://www.iab.net/public_policy/self-reg

[3] http://www.youronlinechoices.com/ee/

[4] http://www.aboutads.info/

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Get your compliance organized with proper GDPR tools.
Contact us for a demo and get access to 14-day trial.

Save time and be confident

Latest Posts
The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The EU-U.S. Data Privacy Framework: A Transatlantic honeymoon for data flows, but for how long?

The European Commission concluded that the United States ensures adequate protection for personal data transferred from the EU to U.S....
A Comprehensive Guide to Personal Data Mapping

A Comprehensive Guide to Personal Data Mapping

Introduction Data privacy and security are of utmost concern in the digital era of today, especially when it comes to...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a Data Processing Agreement (DPA)? A Data Processing Agreement (DPA) is a legally binding document to be entered...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Transmitting personal data to third countries

Transmitting personal data to third countries

The GDPR has put strict rules in place, when it comes to data transfer to third countries or international organizations. Which...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What are the records of processing activities (ROPA)? Article 30 of the EU General Data Protection Regulation (GDPR) requires organisations...
10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

10 Great GDPR Software Tools for Compliance in 2023 (Review + Pricing)

In this article, we will introduce you to some useful GDPR software tools which may help you reach GDPR compliance...
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? According to General Data Protection Regulation (GDPR), a personal data breach is a security incident that...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for data controllers that you can use to ensure you have considered most important...