To track or not to track

In November 2021, the European Data Protection Supervisor (“EDPS”), the most prominent EU data protection adviser, called on EU legislators to ban targeted advertising on the basis of pervasive tracking.

So what is online tracking and what makes it so harmful it needs to be outright banned like tobacco advertising? In our ‘Privacy untangled’ series we, the team at Webclew, try to break down complex privacy topics so you don’t have to get confused.

Tracking explained

Any webpage you visit is made up of a series of ‘requests’. Some of these requests fetch text or images. Others allow you to authenticate or make search queries. And then there are requests that capture your interactions for analytical and advertising purposes. Each request contains several pieces of information about your browser (your IP address, your browser and device type, your browser language and so on) and your interaction with the domain (URL, clicks, viewability and so on).

The combination of an identifier, interactions with a domain (e.g., scrolling down to the end) and context about the domain (e.g., article about cooking containing keywords such as ‘Dutch oven’) allows domain owners and third parties to compile detailed behavioral profiles of your online presence. This online presence is often linked to ‘real-world’ personal characteristics once you are authenticated.

Wait, aren’t cookies tracking me?

Tracking and cookies are often used interchangeably, but they are in fact two distinct, yet complementary things. Cookies are small text files stored in your browser. Think of them as post-it notes that help your browser to keep you logged in or hold items in your shopping basket. In the context of tracking, cookies store a unique identification number that helps tie your browsing behavior together on servers receiving those requests.

Towards a formal definition of tracking

Tracking is primarily governed by the ePrivacy Directive (2002), which has been adopted in national legislation. GDPR principles also play an important role in server-side processing, but ePrivacy provisions take priority when it comes to data collection, as it is the more specific legislation. Interestingly, neither ePrivacy nor GDPR defines tracking. While the term is widely used in the context of advertising, tracking can be associated with many forms of online data collection. Apple’s policies on IDFA, a unique identifier for your iPhone, illustrate this:

Tracking refers to the act of linking user or device data collected from your app with user or device data collected from other companies’ apps, websites, or offline properties for targeted advertising or advertising measurement purposes.

However, monitoring someone’s navigation on a domain is also useful for gathering usage statistics and recommending content to specific user profiles. Therefore, I would define tracking as "analyzing a series of requests tied to at least one unique user identifier". These requests can then be enriched with insights about the context of the page or the user.
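The definition above can be applied directly when auditing a site. The following is an added example, not code from Webclew: it takes a capture of requests made while browsing and lists every identifier that ties two or more of them together. The hosts, cookie names and values are constructed sample data, and the 16-character identifier heuristic and the two-label site comparison are simplifying assumptions.

```javascript
// Added example: find identifiers that link a series of requests.
// All hosts, cookie names and values below are constructed sample data.
const capture = [
  { page: "https://news.example/cooking/dutch-oven", url: "https://news.example/article.css", cookies: { lang: "en" } },
  { page: "https://news.example/cooking/dutch-oven", url: "https://ads.adtech.example/pixel?ev=scroll_end", cookies: { uid: "b7f3c1d29e4a4f0c8a61" } },
  { page: "https://news.example/travel/lisbon", url: "https://ads.adtech.example/pixel?ev=view", cookies: { uid: "b7f3c1d29e4a4f0c8a61" } },
  { page: "https://news.example/travel/lisbon", url: "https://cdn.fonts.example/font.woff2", cookies: {} },
  { page: "https://news.example/travel/lisbon", url: "https://news.example/api/cart", cookies: { lang: "en", session: "4e9d0a77c2b15f6e83aa" } },
];

// Simplification (assumption): the last two host labels stand in for the site.
// A real audit should use the Public Suffix List instead.
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// Heuristic (assumption): a unique identifier is an opaque token of 16+ characters.
const looksLikeId = (v) => /^[A-Za-z0-9_-]{16,}$/.test(v);

function findLinkedRequests(requests) {
  const groups = new Map();
  for (const r of requests) {
    // Identifiers travel in cookies or in the query string of the request.
    const candidates = [
      ...Object.entries(r.cookies),
      ...new URL(r.url).searchParams.entries(),
    ];
    for (const [name, value] of candidates) {
      if (!looksLikeId(value)) continue;
      const host = new URL(r.url).hostname;
      const key = `${host}|${name}|${value}`;
      const g = groups.get(key) ?? {
        host, name, value, thirdParty: site(r.url) !== site(r.page),
        pages: new Set(), requests: 0,
      };
      g.pages.add(r.page); // context the receiving server can attach to the identifier
      g.requests += 1;
      groups.set(key, g);
    }
  }
  // A "series of requests" needs at least two that share the same identifier.
  return [...groups.values()]
    .filter((g) => g.requests >= 2)
    .map((g) => ({ ...g, pages: [...g.pages] }));
}

console.log(findLinkedRequests(capture));
```

A first-party identifier seen on several requests would be listed as well, with thirdParty set to false; the audit only shows what is linkable, not for which purpose.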

Is tracking even legal?

Yes, it can be. The legal framework is actually quite straightforward. Article 5 of the ePrivacy Directive considers consent the norm for any access to or storage on a browser or device, apart from a number of narrowly defined exceptions. The French DPA CNIL provides a clear list of these exceptions:

  • Remembering an active user choice
  • Authentication to a service
  • Keeping track of the contents of a shopping cart and supporting invoicing
  • Customizing the user interface if that is an essential and expected part of the service (e.g., language, layout preferences)
  • Load balancing
  • Limiting free access to paid content
  • Privacy-friendly analytical trackers

This applies to any number of requests, regardless of the lifespan of data collection, the use of third-party services and the type of metadata collected. What really matters is the underlying purpose and the level of addressability of a user.

Why ban tracking when it is based on an opt-in?

Quality of consent is the crux of the matter. The ad tech industry and regulators have been playing a cat-and-mouse game on what constitutes valid consent. You can learn more about it in a separate post coming soon. The EDPB seems to have lost faith in a sustainable setup:

Given the many risks associated with online targeted advertising, the EDPS urges the co-legislature to consider additional rules going beyond transparency. [....] The EDPS therefore similarly urges the co-legislature to consider a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking.

The European Commission had not gone so far in its proposal of the Digital Services Act (DSA), so it seems the EDPS is cracking the whip to avoid watering down the protections within the proposal. It is unclear how far the EDPS can push the agenda. However, it is clear that enforcement against inappropriate and excessive ad tracking is on (also see APD’s decision on TCF). Domain owners first need to get a grip on tracking, even if they themselves have limited transparency on the tracking by third-party ad tech and social media services. Next, they need to put more effort into explaining what goes on within the CMP, privacy and cookie policy.