Cookies and Pixel Beacons – are you using them lawfully?
Mike Martin LLM Information Rights Law
Data Protection Consultant, Auditor and Trainer
Cookie walls have been showing up a lot recently. They’re the pop-ups demanding you agree to relinquish your privacy and have your internet browsing shadowed while on a website. Of course, the site requires your approval so it can go forth and track your use, then potentially deliver targeted adverts to you over various online platforms and through social media apps.
However, according to the Dutch Data Protection Agency (DPA), many of these cookie walls have gone rogue and are not complying with European data protection law.
After a barrage of complaints from people whose access to websites was blocked after they refused to accept cookies, the DPA agreed to step up its monitoring efforts. The sites were contacted and urged to make changes to ensure their websites complied with GDPR.
Legalities
Some cookies are absolutely necessary for a website to operate; if a user declines an essential cookie then, understandably, they would be unable to use the site. However, the Dutch DPA’s guidance very clearly states that advance permission is required for non-essential cookies. If you do not agree to browser fingerprinting technology, ad tracking or tracking pixels, you should not be denied entry to the site. Preventing access to a website just because you decline non-essential cookies is against GDPR law, and if a site is found to be doing so, it must change immediately.
EU law strives to protect the user from any interference with his or her private life. In particular, it protects from the risk of hidden identifiers and other similar devices entering the users’ terminal equipment without their knowledge – an uncomfortable thought.
The Planet49 Case
In a recent legal case, a German court asked the CJEU for a decision relating to a lottery website, Planet49. The site had ordered users to consent to the storage of cookies so they could play a promotional game.
In early October, the CJEU agreed unanimously that affirmative action must be required to constitute consent, and handed down final judgement. The law now states that cookie consent can’t be assumed — it entails an active opt-in.
Cue Pixel Beacons
Like cookies, Web beacons (AKA Web bugs, clear GIFs, or pixel tags) are used to generate statistics about how sites are used, and to count users who have visited individual pages. They usually tag-team with cookies. They are small images (invisible to the untrained eye) that are embedded in web pages.
Unlike cookies, you can’t reject Web beacons. Because of this, they pose a real threat to user privacy. Online trackers are used primarily for targeted advertising. However, web user profiling has more sinister implications than just targeted ads. These trackers have the potential to impact the prices people are privy to, and the services they can access. Trackers are risky business – with potential for hackers to infiltrate and inject real malware, not just Adtech.
Nevertheless, setting your browser to decline cookies, or to prompt you for a response, should go some way to keeping Web beacons from tracking your activity. Many browser add-ins can help with this process.
It’s interesting to note that most outbound electronic communications, such as email, contain covert tracking pixels. These pose no problem if consent has been obtained previously, i.e., the subscriber opted in, and the use of cookies was consented to and included in a detailed privacy policy. However, unfortunately, many corporate emails are unsolicited.
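One way a site or newsletter owner can audit their own HTML for the beacons described above, so each one can be matched against a consent record and a privacy-policy entry. This is an added example, not part of the original article; the heuristics (images whose stated dimensions are all 0 or 1 pixel, or that are hidden by inline CSS), the `find_beacons` name and the sample hosts are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics below are assumptions of this example, not a legal test of what needs consent.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
CSS_DIM = re.compile(r"(?<![-\w])(width|height)\s*:\s*(\d+)\s*px", re.I)

def _px(value):
    # HTML width/height attribute such as "1" or "1px"; None if absent or not a pixel count
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

class BeaconFinder(HTMLParser):
    def __init__(self, first_party_hosts=()):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host:  # relative or data: URI, so no request to a named remote host
            return
        style = a.get("style", "")
        dims = {"width": _px(a.get("width")), "height": _px(a.get("height"))}
        dims.update((n.lower(), int(v)) for n, v in CSS_DIM.findall(style))
        known = [d for d in dims.values() if d is not None]
        reasons = []
        if known and max(known) <= 1:  # every stated dimension is 0 or 1 pixel
            reasons.append("tiny")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden")
        if reasons:
            self.findings.append({"host": host, "reasons": reasons,
                                  "third_party": host not in self.first_party})

def find_beacons(html, first_party_hosts=()):
    finder = BeaconFinder(first_party_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample newsletter; all hosts are placeholders.
SAMPLE_EMAIL = """
<img src="https://www.shop.example/logo.png" width="200" height="60" alt="Shop">
<img src="https://track.mailer.example/o.gif?u=constructed-id" width="1" height="1" alt="">
<img src="https://www.shop.example/px.gif" style="display:none" alt="">
"""
```

Calling `find_beacons(SAMPLE_EMAIL, {"www.shop.example"})` returns one entry per suspected beacon, with its host, the reasons it was flagged and whether the host is third-party.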
The Battle Continues
While rogue data capture has been on the rise, it has also witnessed the long arm of the law. For now, it remains under scrutinous eyes with the threat of legal backlash should it step out of line. The ICO has now declared that beacons require consent and transparency – and thus the battle to protect user privacy continues.
You can find the latest advice from the ICO here.
If you are unsure about whether your website complies with the GDPR or if you require any data protection advice or training, please contact the specialists here at Griffin House Consultancy. We are here to give you peace of mind. Telephone +44 (0)1673 885533.