Is blocking ad blockers really illegal in Europe?

Once again, media companies are at the receiving end of ad-blocking news this week: It seems that those publishers using scripts to detect whether people visiting their websites have ad blockers installed could be in breach of European Privacy Law.

At least, that’s the case put forward by privacy campaigner Alexander Hanff, who said last week that he’d asked the European Commission whether publishers’ use of ad-blocking detection violated the ePrivacy directive, specifically when it comes to storage of information. He has since tweeted that the EC responded that ad-blocking detection tech does seem in breach of the directive.

It seems Hanff may have been on to something, though there are a few misconceptions floating around too.

First things first: Is ad-blocking detection really illegal?

Not according to the IAB. But it may require consent. The problem with legislation like 2011’s ePrivacy Directive (dubbed Cookie directive) is that the wording and terminology is very broad and, therefore, open to wide and, in this case, polarizing interpretations. “Arguably an extreme interpretation of the text would suggest it requires consent” to run ad-blocking detection, confirmed IAB Europe’s senior policy manager, Matthias Matthiesen.

How broad are we talking? 
Publishers are required to ask for consent to access or store information. Open for debate is whether ad-blocker detection constitutes the storing of information. Many would argue it doesn’t. The IAB Tech Lab has a methodology that’s based on Javascript, which checks the ability of a browser to display advertising. This allows publishers to redirect users to a different experience, like a pop-up asking for the ad blocker to be switched off. A browser when loading a website is following instructions, which are given to it in the form of HTML code.

“Now we have an almost philosophical question to answer,” said Matthiesen. “Does a browser’s rendering of a website constitute ‘storage’ of information in the sense of the law? Does changing instructions based on a browser’s rendering behaviour require ‘access’ of information in the sense of the law?”

Sounds like a can of worms.
Indeed. Websites rely on Javascript to make buttons; the very buttons needed to ask for consent. That’s a bit of a Catch-22, according to Matthiesen. “You need consent to ask for consent? What about caching of some website elements to improve loading speeds? Does that require consent? The Web would be full of requests,” he said.

Rezonence CEO Prash Naidu added that responsive Web design also means websites regularly glean information about the device a user is accessing them with in order to deliver an appropriately formatted page. “This is deemed perfectly legit, and one could argue that determining if ads are being displayed or not falls under the same category.”

Are there any technical misconceptions here?
There seem to be some misconceptions floating around as to what publishers are actually using Javascript to detect: Websites aren’t actually detecting if a user has installed an ad blocker; they’re verifying if ads have been delivered. Technically, they’re two very different things. All sorts of things can affect ad delivery. It could be as simple as a bug or glitches in the browsers, according to Sourcepoint general manager for international Thomas Mendrina. In that process, no personal information is collected on the user; the tech shows only whether the ad has been delivered, not whether an individual visitor is using a blocker. That kind of negates the issue of whether it’s breaching the ePrivacy directive.

“The Cookie Directive was meant to answer some questions about saving cookies in a user’s browser, which is an entirely different thing. No personal information is stored on the user when detecting ad delivery.”

So what should publishers do?
 The IAB Netherlands has already issued instructions. IAB Europe will send more out in the coming weeks, and they’ll look like this: Option No. 1: a consent wall that asks outright consent from every single user for running ad block detection. (Not ideal for user experience.) Option No. 2: a consent banner that informs users about the use of ad-block detection technologies and informs them that “continued use” of the site will be interpreted consent.

Any silver linings here? 
The timing of this is actually pretty good: The ePrivacy directive is actually due for review in the next couple of weeks. “This bad drafting has resulted in a ton of questions, so there’s the opportunity to amend it, and perhaps introduce more exceptions,” said Matthiesen. “Because really this is a situation where essentially publishers have to ask permission from the people who are infringing on their rights, which is absurd.”

Sign up to get the day’s top stories at 6am eastern.