Large Internet companies need permission to place tracking cookies. That the cookies are placed through third parties does not relieve them of their responsibility, according to the Amsterdam District Court in summary proceedings between an anonymous plaintiff and LinkedIn and Microsoft.

Large Internet companies are not allowed to place or read tracking cookies without permission, because doing so violates the GDPR (AVG) and the Telecommunications Act. So ruled the Amsterdam District Court in summary proceedings between a private individual and LinkedIn and its parent company Microsoft.
Tracking cookies are cookies that can also be read when visiting other sites. This allows organizations to track the behavior of their site visitors over time and create user profiles, for example. The plaintiff argued in summary proceedings that placing such tracking cookies without consent violates privacy rules.
The case primarily involved third-party tracking cookies. LinkedIn offers the LinkedIn Marketing Solutions service for companies that run campaigns with targeted users, for which tracking cookies are installed. Parent company Microsoft does something similar with its Microsoft Advertising service.
An investigation by the English company Collective Shift, hired by the plaintiff's lawyer, revealed that tracking cookies from these services were on the plaintiff's computer, even though he had explicitly not consented to this. Microsoft is thus collecting individual personal data about the plaintiff's Internet behavior, Collective Shift concluded.
LinkedIn and Microsoft called Collective Shift's report a "hot mess," but their own technical analyses also showed that 19 of the 52 websites visited by the plaintiff set tracking cookies without prior consent, or even after consent was explicitly denied.
The defendants agreed that prior consent of the data subject is required for the placement and delivery of tracking cookies, based on Article 11.7a of the Telecommunications Act, and for the processing of the personal data collected with them under the GDPR (AVG). But they argued, against the plaintiff's claims, that for some of the tracking cookies they are not the data controller but only a processor, and that the obligation under the Telecommunications Act lies with the website operators using the marketing tools and not with the defendants.
The judge does not go along with that. "The defendants involved cannot hide behind their partners for obtaining consent. They have contractually outsourced the obtaining of consent to their partners and that is allowed. That means that if the partner provides information about and obtains consent to the placement of cookies, defendants do not have to do so as well. However, the defendants involved remain (also) responsible themselves as data controllers for ensuring that consent is obtained in a legally valid and lawful manner for placing and reading out the tracking cookies and they can also be held liable for this on the basis of Article 26(3) GDPR, regardless of what is stated in the contract with their partners," the judgment states.
The defendants must stop placing and reading tracking cookies on the plaintiff's devices without permission. If they violate this order, they must pay the plaintiff 500 to 1,000 euros per violation per day, up to a maximum of 25,000 euros per defendant.
