GDPR Cookies

Would you like some cookies – Why websites ask this?

This is the question that many computer users are receiving daily. What does it mean and why is it being asked?

It is a part of behavioral advertising[1] (OBA – online behavioral advertising) legal regulation. OBA is a quickly growing advertising tool which participates several counter parties – computer users, website owners, advertisement network suppliers (Google, Amazon etc.), distributors and browser makers (Firefox, Explorer, Chrome, Safary etc.).

Individual browsing behavior (which websites an individual visits and which keywords he/she uses) allows to specify its economical and cultural identity. Information about a person, which expresses a person’s physical, intellectual, physiological, economical, cultural or social characteristics, relations and affiliations – is personal data. Thereby, individual browsing behavior is applied with the protection of personal data. The main rule of protecting personal data is that processing may only be effected when informed consent has been obtained. This is also the main reason, why website owners and ad network providers ask for an acceptance to install cookies.

In Europe the creation of behavioral advertising self-regulation has increased, for instance rules have been developed in Finland, Germany, Great Britain, Italy and Switzerland and in the near future the new directions are being accepted in Greece, Ireland, Austria and Netherlands. This is a self-regulation, which means that a legislator doesn’t lay down the new standards but the industry of advertisement agrees on their own game-rules. Web-marketing operator’s organisation IAB (The interactive Advertising Bureau) has devised a good practice standard[2] for behavioral advertising. Likewise, they have behavioral advertising recommendations for users[3]. For instance, IAB has a principle that behavioral advertising is not applied to children under 13 years old. It is also prohibited to collect data about persons’ financial situation and health by means of behavioral advertising.

In comparison with other European Union states, Estonia is in an exceptional situation. Estonian legislator has not imposed legal standards on behavioral advertising and it is being guided on general personal data protection principles. Also, Estonia has not validated self-regulation of behavioral advertising.

In case Estonia should lay down the standards of behavioral advertising, whether by legislator or self-regulation, it is necessary to take into account the following European Union data protection recommendations:

1)      Website owners need to inform people, that installation of website cookies is being used to profile the behavioral advertising. So far, in Estonian legal practice it has been resolved in a way, where compatible rules are in website conditions of use. The European Union recommends to display the warning directly on the screen of the browser.

2)      Ad network providers should swiftly move away from opt-out mechanisms and create prior opt-in mechanisms. Mechanisms to deliver informed, valid consent should require an affirmative action by the data subject indicating his/her willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of sending him tailored advertising.

3)      Ad network providers should ensure that individuals are told that they are collecting information about their browsing behavior and inform them who is processing the data. This kind of informing should be periodical and continuous. Also, individual has to have an opportunity to easily refuse processing his/her information by data controller.

4)      In addition, the ad network providers should enable individuals to exercise their rights of access and rectification and erasure. In addition, they should be informed in simple ways that a) the cookie will be used to create profiles; b) what type of information will be collected to build such profiles; c) the fact that the profiles will be used to deliver targeted advertising and d) the fact that the cookie will enable the user’s identification across multiple web sites.

5)      Advertising network providers need to effectuate a symbol which should be visible in all the web sites where the monitoring takes place. This symbol would be very helpful not only to remind individuals of the monitoring but also to control whether they want to continue or revoke their consent.

Evidently, it is matter of time when Estonian entrepreneurs need to accept the rules of behavioral advertising. In consequence, for Estonian advertisement industry it is a problem, whether to create its own rules of behavioral advertising or wait for a national intervention. Taking into consideration that other state’s advertising industries have chosen self-regulation course, it is clearly reasonable for Estonian advertising organisations to effectuate rules of behavioral advertising.


[1] Behavioral advertising is advertising that is based on the observation of the behavior of individuals over time. Behavioral advertising seeks to study the characteristics of this behavior through their actions (repeated site visits, interactions, keywords, online content production, etc.) in order to develop a specific profile and thus provide data subjects with advertisements tailored to match their interests.

[2] http://www.iab.net/public_policy/self-reg

[3] http://www.youronlinechoices.com/ee/

[4] http://www.aboutads.info/

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? A personal data breach is security incident that results in the accidental or unlawful destruction, loss,...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR Article 30 requires companies to keep an...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a DPA? A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...