"Adblockers" block the display of advertising on a website. "Adblocker detectors" can detect users of these adblockers and (most often) block navigation when detection is positive.
But is it legal?
Why this question?
While browsing Twitter, I came across this article: Outlaw publishers when they target adblockers?
The content of this article
This article quotes Alexander Hanff, a privacy consultant and campaigner for the Think Privacy movement:
Detecting that a user uses one is a violation of European law. I spent this last year talking to regulators across Europe who confirmed it all to me, he says. The detection of an adblocker is technically illegal. All these sites that post warning messages to users, such as The Guardian, are technically illegal if they use scripts.
But what would be the legal basis for such an assertion?
Should we believe this article?
For me, as it stands, this statement is worth about as much as "the use of spaghetti is illegal, my cousin told me".
Being a lawyer means justifying what you say; failing that, our arguments have no value.
I am not saying that this statement is necessarily false; I am simply saying that it has no weight because it is unsupported.
How Adblockers and Adblocker Detectors Work
To understand the legal arguments that follow, it is important to understand how this works technically.
The vast majority of adblockers are web browser plugins (such as Adblock Plus) that remove, from the web pages displayed in your browser, the HTML tags containing content that they identify as advertisements.
For example, content like this can be removed from the web page:
Of course, I cannot speak for every adblocker or every adblocker detector on the planet, but I went to look at the source code of some "well-known" ones (like Adblock Plus), and that is how they work.
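The mechanism described above, as an added example that is not from the original article or from any real blocker's or detector's source code: a filter-list blocker removes ad elements, and a detector plants a bait element and checks locally whether it survived (a common approach, assumed here). The page model, the class names and the filter list are constructed for illustration, with plain objects standing in for DOM nodes so that it runs outside a browser.

```javascript
// Constructed page model: plain objects stand in for DOM nodes.
function makePage() {
  return {
    tag: 'body', cls: '', children: [
      { tag: 'h1', cls: 'title', children: [] },
      { tag: 'div', cls: 'ad-banner', children: [] }, // an advertisement
      { tag: 'p', cls: 'article', children: [] },
    ],
  };
}

// Hypothetical filter list: class names the blocker treats as advertising.
const FILTER_CLASSES = ['ad-banner', 'adsbox', 'sponsored'];

// Blocker: recursively drop every element whose class is on the filter list.
function applyAdblocker(node) {
  node.children = node.children.filter((c) => !FILTER_CLASSES.includes(c.cls));
  node.children.forEach(applyAdblocker);
  return node;
}

function findByClass(node, cls) {
  if (node.cls === cls) return node;
  for (const child of node.children) {
    const hit = findByClass(child, cls);
    if (hit) return hit;
  }
  return null;
}

// Detector: plant a bait element that looks like an ad, let the browser's
// extensions (if any) process the page, then check whether the bait survived.
// The check and the reaction both happen in the page: nothing is written to
// a cookie and no request is made to the server.
function detectAdblocker(page, blockerInstalled) {
  page.children.push({ tag: 'div', cls: 'adsbox', children: [] });
  if (blockerInstalled) applyAdblocker(page); // stands in for the extension
  const blocked = findByClass(page, 'adsbox') === null;
  if (blocked) {
    // Typical reaction: replace the content with a notice.
    page.children = [{ tag: 'div', cls: 'notice', children: [] }];
  }
  return blocked;
}

console.log(detectAdblocker(makePage(), true));
console.log(detectAdblocker(makePage(), false));
```

The only thing the detector learns is one boolean, and it learns it inside the page; a detector that sent that boolean to the server or stored it in a cookie would be the "goes beyond" case that the conclusion sets aside.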
Food for thought
While chatting on Twitter, I was pointed to two leads that we will dig into together.
The Informatique et Libertés law
Some have argued that these tools (i.e. adblocker detectors) would be illegal for lack of the user's consent to the processing of his personal data.
I do not share this view for at least two major reasons.
Personal data?
First of all, I do not think such processing handles personal data.
Personal data is defined by Article 2 of Law 78-17:
Personal data is any information relating to a natural person who is identified or who can be identified, directly or indirectly, by reference to an identification number or to one or more elements specific to him.
Here, the only data that is normally processed is the browser configuration: does it contain a tool that removes ads?
In my opinion, detecting the presence of an Adblocker tool does not identify a natural person, directly or indirectly.
For the CNIL, data becomes personal when the identification of a person becomes possible (possibly after cross-checking): name, first name, photos, IP address, etc.
This is not the case here, because at most you can divide the population of the planet into two categories: those who use an adblocker and those who do not ... I do not see how one could then identify anybody.
As an illustration, the CNIL considers that the geolocation of a website user "no more accurate than the scale of a city" is not personal data (and is therefore exempt from consent).
How could knowing one binary piece of information about a person (adblocker or not) be personal data while knowing a person's city would not be?
Moreover, under this hypothesis, we would arrive at an absurd situation. If determining the presence of an adblocker were a processing of personal data, all of these common actions performed on the Internet by web developers would also require the user's consent:
- dynamically change the display of a website to fit the screen of a phone or tablet;
- dynamically change the language of a website based on the browser language of the user;
- determine the version of a browser to send the user a "most compatible" website.
Even if determining the presence of an adblocker were a processing of personal data, I do not think that the consent of the user is necessary.
It must be understood that the Informatique et Libertés law (78-17) was designed to regulate the use that a third party could make of our personal data.
Here, you keep complete possession of your data: in the case of a conventional adblocker detector, no data is transmitted to the server.
So it is one of two things:
- either the controller (within the meaning of Law 78-17) is the user (i.e. you), and I do not see why consent should be collected;
- or the controller (within the meaning of Law 78-17) is at the level of the "server", and the "personal data" does not allow identification since it is not transmitted to the controller (see Article 2 of Law 78-17):
In order to determine whether a person is identifiable, all the means of allowing his identification that are available to, or at the disposal of, the controller or any other person must be considered.
Directive 2002/58, Article 5(3)
In our discussion on Twitter, we also mentioned Article 5(3) of Directive 2002/58/EC:
Member States shall ensure that the use of electronic communications networks for the purpose of storing information or accessing information stored in the terminal equipment of a subscriber or user is permitted only if the subscriber or the user is provided, in compliance with Directive 95/46/EC, with clear and complete information, among other things about the purposes of the processing, and that the subscriber or the user has the right to refuse such processing by the controller. This provision shall not preclude technical storage or access aimed exclusively at making or facilitating the transmission of a communication over an electronic communications network, or strictly necessary for the provision of an information society service specifically requested by the subscriber or the user.
Behind this wording lies the requirement of user consent for the use of cookies.
Nevertheless, it must be emphasized that an Adblocker detector and a cookie work in a very different way.
A computer "cookie" is a kind of small file that stores information (for example, about the user) and transmits it to the web server during browsing.
Therefore, the information stored in cookies is transmitted to the server throughout the user's navigation: this technique makes it possible, in particular, to track a user.
It is for this reason that the legislator wished to regulate this practice, in order to avoid generalized tracking of Internet users.
In this case (i.e. adblockers), all processing is normally performed locally. Therefore, no transmission is made and the cookie analogy cannot apply, in my opinion.
Moreover, to be convinced of this, it is enough to read Article 5(3) of Directive 2002/58/EC carefully: "in order to store information or access to information stored in the terminal equipment of a subscriber or user". No storage is done on the browser (everything is dynamic), and no data is accessed by a third party.
Conclusion on legality
As you will have understood, I do not share the opinion of some people concerning the illegality of such conventional detectors under the texts on privacy and cookies.
Nevertheless, my analysis goes no further than that:
- I do not comment on the existence of an adblocker detector that goes beyond what is technically necessary (e.g. transmission to the server of truly personal data, storage of information in a cookie, etc.);
- I do not know whether another text (for example, in consumer law or competition law) might make conventional adblocker detectors illegal.
[Update] The interpretation of the European Commission?
The Commission's letter
After the first publication of my article, Alexander Hanff published on Twitter an excerpt of an opinion of the European Commission that I reproduce here.
In essence, the author of the opinion states that adblocker detectors must collect the user's consent under Article 5(3) of Directive 2002/58/EC. The reason given is that the scripts would be stored in the browser, and the letter of Article 5(3) covers "any information" that would be stored.
So to put it simply, the European Commission does not seem to agree with me ...
But let us explain why I maintain my position.
Indeed, if we were to accept the interpretation of the Commission or of Alexander Hanff, the user's consent would have to be collected as soon as he displays a simple web page, since each page is also stored (temporarily) in the browser for display.
But that would not be very practical.
I was then told that the user had already given his implicit consent since he wanted the display of this web page. This is true…
But then, as soon as a script exists in a page, should an additional agreement be required from the user (as a reminder, each web page contains dozens and dozens of scripts to operate drop-down menus, run animations, etc.)?
We understand that it would not be viable ...
Would a user agreement then be required when the page contains a script that the user "does not want" (i.e. in this case the famous detector)?
We then touch on a philosophical debate rather than a technical or legal one: an a priori assumption about the user's wishes ...
(By the way, now that you point this out to me, does the user want the left column of the webpage to be displayed ... because maybe not, I'm going to ask him for his consent ... ).
I do not think that this interpretation can lead to a reasonable solution.
To put it simply:
- either Article 5(3) of Directive 2002/58/EC must be interpreted strictly, and a user's consent must be required for all content that is transmitted (because it is stored temporarily) from the server (argh ...);
- or Article 5(3) of Directive 2002/58/EC must be interpreted in line with the recitals of this Directive (and in particular its recital (24), which concerns the protection of privacy), and only uses of "tracking" that transmit personal data to a third party must be regulated.
I will let you form your own opinion!