Tracking Cookies and Data Protection Laws
Have you ever tried to visit a website, only to immediately be denied access because you chose not to accept tracking or cookies? Many users have experienced this but wonder whether websites have the right to do this.
They don’t really give you a choice, right? You either choose to accept cookie tracking and the other scripts they will run on your computer or look for another website that has what you need. It’s not a very flexible system, so most users go ahead and agree to whatever the popups say so that they can continue to browse the site.
Several legal provisions apply to tracking cookies, and this guide will explore these implications. In most cases, websites that only let visitors access content if they accept tracking cookies are in direct violation of the GDPR and other privacy laws. Let’s dive in!
Cookies: What are They?
Before we get into data tracking and various privacy protection laws, you must first understand cookies. What are they? Why do businesses and marketers rely so heavily on cookies for their websites?
Cookies are files that are downloaded to your device when you browse a website. The site providers put these files on your smartphone or computer to collect and store data about your visit.
Tracking cookies let site providers determine what visitors are doing on their websites. They can also go as far as collecting information about the other websites you visit. This is an essential tool for marketers, as they can leverage this data to create targeted advertising.
You can avoid having cookies downloaded to your device by using incognito mode. When your browser has this setting turned on, it will not save history data or non-essential cookies.
In this guide, we will focus on the tracking subset of cookies. If you wish to learn more about the regulatory requirements that apply to other types of cookies, review the information from the Dutch Authority for Consumers and Markets (ACM).
If you would like to know more about cookies and all the types of cookies, read our guide about cookies: What are cookies?
Data Tracking Cookies
The most prevalent type of cookie is also the one that invades your privacy the most: the data tracking cookie. These scripts are used primarily by marketers who wish to better understand and trace online behavior.
They can record data like the type of device used, the IP address, and what websites the user visits. Gathering this information allows businesses to create individual consumer profiles that can be used for commercial activities and targeted advertising.
The Cookie Act – Targeting Tracking Cookies
There are legal provisions for tracking cookies, such as the Dutch Telecommunication Act. This law is referred to as the Cookie Act for short since it outlines rules for managing cookies. It is based on European privacy guidelines and will be finalized at the end of 2021 or in early 2022.
The Telecommunication Act includes rules that would require businesses to obtain user consent before they could place cookies on a device or browser. The users would also have the right to be informed of the reasoning behind using the cookies.
There are some exceptions to this rule, but only when cookies are needed to ensure that the website works properly. Another exception exists if the cookies only serve to enable communication within an electronic communications network. In these instances, the requirement to inform users and obtain consent does not apply.
Understanding the GDPR
You may be wondering how this connects to the GDPR, or the General Data Protection Regulation, which is the leading privacy law in the EU. The goal of this legislation is to protect the personal data of the member states’ residents.
While it does not directly govern the use of tracking cookies, the connection is implied since it involves processing and transferring personal information. So, what exactly does the GDPR have to say when it comes to the use of tracking cookies?
Necessity vs. Consent
The key to understanding how the GDPR relates to tracking cookies is necessity vs. consent. Organizations can process personal data only if there is a legitimate basis. Not only must a legitimate reason exist for data processing to be allowed, but the business must also prove that basis.
The GDPR lists six justifications that would allow this to occur. For example, it includes information that is essential for the performance of a contract.
Even so, if a company is to collect data and track activity through cookies, it must always obtain cookie consent first. The consent must be requested in a legally valid manner, and should be obtained before any scripts are loaded onto the user's device.
For the consent to be considered legally valid, it must be specific, freely given, informed, and unambiguous. That means that simply using a box with a default setting of checked is not enough.
Websites with a cookie wall, which will not let you access content unless you accept tracking cookies, are not compliant with these rules. The consent is not freely given since users are pressured into agreeing to these terms.
If the cookies used do not invade the user’s privacy, though, then the organization does not need to get consent ahead of time.
Transparency is Key – Tracking Cookies
Another aspect to consider is transparency. The GDPR is like the Dutch Telecommunication Act in that organizations must give users the details about what information is being collected and why. They must indicate why the data must be gathered and how it is processed.
You can’t hide these details in the fine print either. They must be provided in a concise and intelligible manner.
Final Thoughts on tracking cookies
Whenever a website uses tracking cookies, users must be informed right away. Similarly, the site must gain valid consent before placing any tracking cookies on their browser or device. In other words, users need to have the real option to reject these cookies – otherwise, they can’t exercise the privacy rights granted under these regulations.
The site must remain accessible even if the user refuses cookie tracking – or else it violates the GDPR.