Online advertising has become increasingly sophisticated in recent years, progressing from text, to flash animations, to auto-playing videos. In response, increasing numbers of web users have turned to ad-blocking software to de-clutter and speed up their browsing experience.
However, the use of such software is obviously bad news for advertisers and for site owners, who rely on page impressions and click through to generate a return on investment or revenue respectively. Consequently, some sites have implemented their own “ad-blocker detection software”. This detects whether users have ad blockers installed on their devices, and then denies access to the site or to specific content unless the ad-blocker is disabled or the site is added to the user’s ‘white list’ of permitted sites.
In the past week, correspondence has emerged which indicates that the European Commission believes such detectors should be regulated by the EU’s e-Privacy Directive, Directive 2002/58/EC (“Directive“). Following an enquiry from a European privacy advocate, a letter from the Commission was disclosed which expressed the opinion that ad-blocker detectors would fall within the scope of Article 5.3 of the Directive.
Article 5.3 of the Directive permits the storing of information or the gaining of access to information stored in the terminal equipment of a user, where that user has given his or her consent, and has been supplied with clear and comprehensive information. This is sometimes known as the “cookie law”, as it is the same provision which gave rise to the requirement in the EU to provide information about, and obtain at least click through consent to the installing of cookies on a user’s device. As ad-blocker detectors work by storing a script on the user’s device, the Commission clearly believes they fall into the same category.
This interpretation is broadly in line with previous guidance from the EU’s Article 29 Working Party, which has indicated that Article 5.3 should be read as covering tracking technologies more broadly, and not just cookies. Parts of another EU Directive give examples of technologies caught by Article 5.3, including spyware, web bugs and hidden identifiers.
If ad-blocker detectors are treated as equivalent to cookies, it may negate their usefulness. If site owners were required to ask for consent to use such detectors, the majority of users with ad-blockers (who are typically amongst the more savvy web users), are likely to refuse to give that consent. This will leave site owners and advertisers with a need to find more creative solutions, or to re-assess why it is that the use of ad-blockers is on the rise, and address the underlying causes.
In the meantime, companies who make use of online advertising would be advised to ensure their privacy policies and notices cover comprehensively the use of any tracking technologies (including detectors), and to review their contracts with either advertisers or site owners, as appropriate, to ascertain what they say about obligations to obtain consents from site users to data processing activities.
The publication of this letter may well give rise to a legal challenge to test the point, and establish categorically whether detectors are caught by Article 5.3. If they are, we might expect some guidance from national Data Protection Authorities.
 Recitals 24 and 65 of Directive 2009/136/EC