Ad blocker detection under the new proposed e-Privacy Regulation

The position regarding whether ad blocker detection is caught by the consent requirements under the currently in force e-Privacy Directive has always been contentious.

The IAB wrote a helpful summary last summer 2016 available here. Broadly speaking, depending on how the ePrivacy Directive consent requirements and the exceptions are interpreted, and depending on the technical implementation used to implement ad blocker detection, it’s arguable (at least as far as the European Commission and the Art 29 Working Party are concerned) that ad blocker detection would require a user’s prior consent. This is because, in most cases, it constitutes the accessing of information from a user’s device (i.e. the information being whether the user has implemented an ad blocker).

However, when reading through the European Commission’s proposal for the new e-Privacy Regulation published recently on 10 January 2017 and due to come into force in May 2018 along with the GDPR, you’d be forgiven for being a bit confused (as I am) about the intended position under the new Regulation regarding ad blocker detection.

Following publication of the proposed Regulation, EMMA, the European Magazine Media Association, and ENPA, the European Newspaper Publishers Association issued a press release which stated (amongst other things) that they:

…deeply regret that the proposed Regulation does not foresee more exceptions than for the purpose of first-party analytics. Exceptions to the proposed prohibiting rule on accessing and storing data on a user’s device would however be necessary for such purposes as ad-block detection…

However, on the same day the FT published an article which stated, amongst other things, that:

in a proposed reform of the law on Tuesday, the commission attempted to clear up legal confusion by deciding that detection of an ad blocker would not break EU rules.

The above interpretations of the new Regulation seem to conflict. So what does the Commission and importantly the new Regulation actually say?

Firstly, in the Q&A contained in the Fact Sheet published by the Commission, the Commission says the following:

…the proposal allows website providers to check if the end-user’s device is able to receive their content, including advertisement, without obtaining the end-user’s consent. If a website provider notes that not all content can be received by the end-user, it is up to the website provider to respond appropriately, for example by asking end-users if they use an ad-blocker and would be willing to switch it off for the respective website.

The above seems pretty clear that the Commission sees the checking by publishers to see if a device can receive ads, as not requiring consent. I interpret this as meaning the Commission are saying that accessing information from an end user’s device for the purpose of ad blocker detection is an exception to the rule in the Regulation that any accessing of information from end user devices is prohibited unless prior consent (amongst other things) is given. This statement from the Commission probably formed the basis of the FT article referred to above.

So on the basis of the above, why the deep regret from the EMMA and ENPA in their press release? Well, whilst the position from the Commission seems to be clear, the actual drafting of the Regulation itself is unfortunately not so clear.

The Regulation doesn’t refer expressly to ad block detection or ad blockers at all. This is unsurprising given its aim of being technologically neutral and futureproof etc etc. However, Recital 21 of the Regulation does say:

the mere logging of the fact that the end-user’s device is unable to receive content requested by the end-user should not constitute access to such a device or use of the device processing capabilities.

On the face of it you might think that the above Recital sets out the same position as per the principle referred to above in the Commission’s Fact Sheet. However, it’s not very clear.

The Recital refers to “content requested by the end-user” and in the Commission’s Fact Sheet, the Commission includes “ads” within such content. However, when someone implements an ad-blocker, they are not requesting “ads”. The precise reason why they have implemented the ad blocker is because they only want editorial and specifically do not request advertising. The Recital therefore implies that the mere logging of the fact that the end-user’s device is technically unable to receive the editorial requested by the user won’t constitute access to the device. However, if a publisher logs the fact that the user’s device is unable to receive other content which the user has not requested (e.g. ads) and almost definitely doesn’t want (i.e. because they have an ad blocker installed) then perhaps that does constitute accessing the device?

The other problem is that the point of Recitals is to provide guidance or background as to how the legislative provisions are to be interpreted. In most cases the Recitals also summarise the legislative provisions themselves. However, it’s not clear where the above principle is actually covered in the Regulations themselves.

The consent requirements for local data/device access are contained in Article 8. This states that the use of processing and storage capabilities and the collection of information from users’ devices is prohibited unless any of the grounds in Articles 8(1)(a)-(d) apply. Art 8(1)(b) provides for the user’s consent to be a valid ground. Art 8.1(d) gives “web audience measuring” (i.e. analytics) as another permitted ground. However, there does not appear to be an express ground permitting the collection of information from users’ devices to log the fact that the end-user’s device is unable to receive content requested by the end-user.

Perhaps this is because the Commission are not saying that this type of local access is expressly excluded from the prohibition by being a permissible “ground” (as per “consent” and “web audience measurement”) but rather that this type of local access doesn’t itself constitute local access at all. This doesn’t seem to make sense though because it does constitute local access – in which case why not just include it as an additional ground in Article 8(1)?