Privacy AdvisorIAPP Westin Research Center

Cookie Monsters of Silicon Valley Come to Brussels

How is the migration away from cookies as a tracking technology likely to be received by EU regulators?

November 25, 2013

By Kelsey Finch
IAPP Westin Fellow

In the world of online tracking, the cookie is king – but there may be a regime change on the horizon. Cookies, the little bits of browser-based code that follow a user’s activity from website to website, are under more regulatory scrutiny than ever, especially in Europe. Alas, even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market.

Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework.

The Technology

The digital advertising industry, worth $120 billion globally, is one of the primary drivers of the Internet economy and, concurrently, tracking and cookie technologies. Most cookies in use today are third-party cookies, on which a sprawling ecosystem of marketers, platforms, trackers, ad networks, analytics providers and data aggregators has been built. At this November’s IAPP Practical Privacy Series in New York, leaders from the online marketing world described the U.S. third-party data collection landscape in more depth, including a timely presentation on “Behavioral Advertising, Do Not Track, and Other Tracking Practices.”

Ambiguity remains, however, as to whether the e-Privacy Directive’s “storing” and “gaining access to stored information” language fully capture native device identifiers. While the Article 29 Working Party’s opinions broadly suggest they do, those opinions are non-binding and the issue has yet to be tested in court.

However, because cookies are a browser-based technology, their utility is increasingly limited as peoples’ digital lives spread across more and more devices. Instead, device identifiers are better suited to track the full range of consumer online activities. Moreover, the businesses best positioned to offer unique device identifiers are large first-party providers with wide, built-in (and logged-in) customer bases, giving them the ability to track user accounts across multiple platforms. For example, Google’s new proprietary AdID program could follower users (who are frequently logged-in to Gmail) from their Chrome browser account to their Android-based smartphone or tablet and even to a computer running the Chrome OS. Microsoft’s cookie replacement would similarly track account holders’ activities across desktops, tablets and smartphones running Windows OS; Xbox consoles; and through Internet Explorer or Bing usage.

Device identifiers and stateless tracking techniques, such as browser fingerprinting, are less visible mechanisms for online tracking than cookies; they are also newer technologies, and are accordingly less clearly targeted by regulators. However, they implicate the same – indeed some would say greater – privacy concerns than cookies, and it is likely that the EU privacy protections, which are broadly-written, will impose the same requirements on cookie-less tracking.

E-Privacy Directive, Article 5(3)

The amended EU e-Privacy Directive, also known colloquially as the “Cookie Directive,” provides that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information . . . about the purposes of the processing” (emphasis is the author’s).

The e-Privacy Directive’s regulation of stored “information” covers a broad set of data points, including the non-personal technical information and codes on which tracking technologies rely. As regulated “terminal equipment” may include computers, tablets and smartphones, both browser-based cookies and other device identifiers may be implicated. Indeed, the October 2013 Article 29 Working Party Opinion providing guidance on obtaining consent for cookies also specifically applies to “similar tracking technologies . . . used for various purposes (from enhanced functionalities, to analytics, targeted advertising and product optimization, etc., by the website operators or third parties).”

Ambiguity remains, however, as to whether the e-Privacy Directive’s “storing” and “gaining access to stored information” language fully capture native device identifiers. While the Article 29 Working Party’s opinions broadly suggest they do, those opinions are non-binding and the issue has yet to be tested in court. If hardware and software designers already have access to embedded identifiers without needing to intervene in order to “store” or “gain access” to stored information on a device (or do so in a way that meets one of the exemptions discussed below), they may not be subject to the e-Privacy Directive’s high consent requirements. This could create a new competitive advantage for the multi-platform giants of the tech industry, somewhat similar to the alleged advantage those companies would gain vis-à-vis third-party intermediaries if the budding “do not track” standard came to pass.

To the extent that Article 5(3) does apply, businesses will be required to obtain opt-in consent for the use of digital tracking techniques. Such consent must be an unambiguous indication of wishes (i.e., the product of an “active choice”), based on specific and appropriate information and freely given prior to the storage of and access to information. While the recent Article 29 Working Party Opinion details what valid consent may look like, member states disagree as to whether implied consent, including through browser settings or other applications, suffices.

Finally, the e-Privacy Directive contains two key exemptions to the prior opt-in consent requirement: storage or access (1) “for the sole purpose of carrying out the transmission of a communication over an electronic communications network,” or (2) “as strictly necessary in order for a provider of an information society service explicitly requested by the subscriber or user to provide the service.” A June 2012 Opinion by the Article 29 Working Party provides a more in-depth analysis of these exemptions with regards to cookies, but notes that “the term should not be regarded as excluding similar technologies.” In particular, third-party advertising, first-party analytics and social plug-ins for logged-out social media users are not exempt.

For more in-depth analysis, see the presentation of Ruth Boardman, of Bird & Bird, LLP, at the 2012 IAPP Academy, on “cookie catch-up” and implementing the e-Privacy Directive.

Data Protection Directive & the General Data Protection Regulation

While the e-Privacy Directive captures a wide range of technical and operational information, device identifiers that also implicate an individual’s personal information (in Europe, “personal data”) are additionally subject to the EU Data Privacy Directive and, soon, the proposed General Data Protection Regulation (GDPR) (see the latest compromise draft by the European Parliament LIBE committee here).

In a 2010 Opinion on behavioral advertising, the Article 29 Working Party reaffirmed that “in most cases, cookies and IP addresses are to be considered personal data,” due to their capacity to identify and single out individuals through their behavior. It went on to elaborate that “when behavioral advertising entails the processing of personal data, ad network providers also play the role of data controller.” It seems likely that other behavioral advertising mechanisms, even device identifiers or stateless trackers, will be treated similarly.

With the GDPR potentially making its way to European Parliament vote, many companies are focused on their future compliance concerns rather than their current programs. According to the compromise text, online tracking restrictions appear primarily in Articles 20 and 33, which concern “profiling” and controller responsibilities, respectively.

Profiling would be defined as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behavior.” As Christopher Kuner explains in his review of the Commission proposal, such a definition “seems to cover many routine data processing operations . . . such as to evaluate the performance of employees.”

Article 20 would impose strict restrictions on automated profiling, including an individualized right to object to profiling – and a right to be informed of that right “in a highly visible manner.” Users may be subject to profiling that produces a “legal effect” or “significantly affect[s] the[ir] interests, rights or freedoms” only if users have (1) consented, (2) entered into a contract with the controller that sufficiently safeguards their legitimate interests or (3) profiling is expressly authorized by a local law that also provides suitable safeguards. Notably, consumer consent would need to be explicit, as well as freely given and informed; “silence, mere use of a service or inactivity should therefore not constitute consent” (emphasis added by the author).  

Finally, profiling of “sensitive” personal data (such as racial or ethnic origin, political opinions, religious beliefs, health information or union membership) would be flatly prohibited, and even permissible profiling would be required to include some measure of “human assessment.” Article 33 would impose a related obligation on data controllers to conduct a data protection risk assessment of the potential impact of any profiling that would produce legal effects or similar affect an individual.

Conclusion

Ultimately, neither technological advancements nor legislative reform seem likely to lessen the amount of digital tracking consumers are subject to; however, combined, these forces may dramatically shake up just who will be conducting the tracking. In the technological jump from browser-based cookies to device identifiers and other less-visible tracking mechanisms, large first-party tech firms with built-in audience bases and manufacturing branches are likely to vie for control of the behavioral tracking market, at the expense of expansive third-party networks and layers upon layers of online intermediaries that currently dominate the space.

In the face of dramatic technical and market realignment, to what extent individual privacy rights will also be transformed remains an open question. Although current EU legislation in the e-Privacy Directive and the Data Protection Directive appear ready to capture cookie-less tracking techniques, practical pushback from business and some member states suggest that this is not yet a foregone conclusion. Similarly, while the proposed GDPR would significantly ratchet up privacy rights and compliance obligations for those in the profiling market, a final draft remains a tentative prospect on the horizon. By the time it is passed, both the technology and the market may have shifted yet again.

Read More By Kelsey Finch:
FTC v. Wyndham: Round One
Straight from the Pacific Ocean: A Tidal Wave of California Privacy Laws
Location Tracking: Now Coming to a Government, Employer and Retailer Near You