The Autoriteit Persoonsgegevens (AP) has reported (1) that it will start checking more often in 2024 whether websites are properly asking permission for (tracking) cookies or other tracking software. This is still far from superfluous, even though Google has announced (2) that it intends to finally stop supporting third-party cookies in its main web browser, Chrome.

This post briefly discusses the importance of cookie laws in general, the rules of thumb offered by the AP and whether there are other specific cookie violations that the AP should pay attention to.
The problem with third-party cookies is that the negative effects are not apparent to the Internet user. After all, if you click "agree" when a cookie banner appears, apparently nothing happens. What's more, it instinctively feels as if something positive happens, because as an Internet user you are rid of the annoying cookie banner that stood in the way of an undisturbed visit to the website.
However, in many cases the agreement triggers an unrestrained processing of data. Depending on the website, sometimes dozens of "partners" will place or (if a cookie was already placed) read cookies after the agreement. The cookie enables the partners to follow the user within the website and across the Internet and to compile a profile of the website visitor. Also, through a process called "cookie-syncing," these parties exchange information about the Internet visitor with each other and numerous third parties. This is mostly done as part of the Real Time Bidding System (RTB System), which was invented to show real time personalized ads based on the profile data collected.
That this rampant data sharing carries substantial risks is evidenced by a recent study (3) by the Irish Council for Civil Liberties. The study identifies the security risks of the RTB system as a threat to national security. The report concludes that data from the RTB system is sent to Russia and China and that national security agencies can easily access the data indirectly and retrieve a great deal of sensitive data about individuals. This could also include data on (family members of) politicians and military personnel.
Consent is valid only if it is informed. Given the amount of data processing that arises when consent is given for cookies, one can question whether a data subject can ever be fully informed about it. The Belgian Data Protection Authority also questioned this in its decision (4) on IAB Europe.
However, the AP's announcement seems to be mainly concerned with countering so-called "dark patterns": tricks that tempt the Internet visitor to make a thoughtless choice, for example by making some options less visible, by giving the consent button an attractive color compared to the decline button or by already checking certain boxes. This is not allowed because there is then no free consent, as evidenced by fines imposed by the French regulator CNIL against Google and Facebook and by guidelines from the EDPB (5).
The AP provides a series of useful examples (6) of how to do it and how not to do it.
For many websites, there will be areas for improvement regarding the cookie banner used. However, a more serious problem seems to be that cookie banners (even if they seem to comply with the requirements of the AP) regularly turn out to be worthless. Frequently, cookies are already placed or read before consent is given or even after consent is explicitly denied. This is serious because Internet visitors who are under the assumption that they are not exposed to cookies when visiting websites are then tracked anyway and their cookie ID is shared with third parties. Contrary to what one might expect, this occurs regularly. No doubt the AP will also be paying attention to this in 2024.
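One way a site owner can check for this failure is to audit captured browser traffic. The sketch below is an added example, not code from the AP or from the sources cited here; the HAR-like capture format, the phase labels, the hosts, the cookie names and the allow-list of strictly necessary cookies are all constructed assumptions, and a plain suffix match stands in for a Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed sample capture (HAR-like). Hosts and cookie names are made up.
CAPTURE = [
    {"phase": "before_consent", "url": "https://shop.example/",
     "request_cookie": "", "set_cookie": ["session=abc; Path=/; HttpOnly"]},
    {"phase": "before_consent", "url": "https://ads.tracker.example/pixel.gif",
     "request_cookie": "",
     "set_cookie": ["uid=7f3a; Max-Age=31536000; SameSite=None; Secure"]},
    {"phase": "after_reject", "url": "https://sync.partner.example/match?uid=7f3a",
     "request_cookie": "pid=991", "set_cookie": []},
    {"phase": "after_accept", "url": "https://ads.tracker.example/pixel.gif",
     "request_cookie": "uid=7f3a", "set_cookie": []},
]

# Phases in which no consent-requiring cookie may be placed or read.
NO_CONSENT_PHASES = {"before_consent", "after_reject"}


def cookie_names(header, is_set_cookie):
    """Names from one Set-Cookie value, or from a Cookie request header."""
    pairs = [header.split(";", 1)[0]] if is_set_cookie else header.split(";")
    return [p.split("=", 1)[0].strip() for p in pairs if "=" in p]


def is_third_party(host, site):
    """Assumption: simple suffix match instead of a Public Suffix List lookup."""
    return host != site and not host.endswith("." + site)


def audit(capture, site, essential):
    """Flag cookies set or sent without consent, except allow-listed first-party ones."""
    findings = []
    for entry in capture:
        if entry["phase"] not in NO_CONSENT_PHASES:
            continue
        host = urlsplit(entry["url"]).hostname
        seen = [("set", n) for h in entry["set_cookie"] for n in cookie_names(h, True)]
        seen += [("sent", n) for n in cookie_names(entry["request_cookie"], False)]
        for action, name in seen:
            if is_third_party(host, site) or name not in essential:
                findings.append((entry["phase"], host, action, name))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE, "shop.example", {"session"}):
        print(*finding)
```

A "set" finding corresponds to a cookie being placed and a "sent" finding to an existing cookie being read, which are the two cases described above.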
(1) https://autoriteitpersoonsgegevens.nl/actueel/ap-pakt-misleidende-cookiebanners-aan
(2) https://blog.google/products/chrome/privacy-sandbox-tracking-protection/
(3) https://www.iccl.ie/digital-data/europes-hidden-security-crisis/
(4) https://www.gegevensbeschermingsautoriteit.be/burger/iab-europe-wordt-verantwoordelijk-gehouden-voor-een-mechanisme-dat-in-strijd-is-met-de-avg
(5) https://edpb.europa.eu/our-work-tools/documents/public-consultations/2022/guidelines-32022-dark-patterns-social-media_en
(6) https://autoriteitpersoonsgegevens.nl/themas/internet-slimme-apparaten/cookies/heldere-en-misleidende-cookiebanners
