Cookies: How to protect our privacy
Advertising has always been a very valuable asset for companies, as it allows them to publicize and position their products with consumers. Like everything else, advertising has changed in recent years, with cookies playing an increasingly important role.
Cookies are closely tied to data protection: a cookie is a small data file that is downloaded to the user’s computer each time he/she visits a web page. One of its main purposes is to let the server of that page remember and identify the equipment and other important data of the user, so that it can offer more personalized experiences and content of interest the next time he/she visits the site, enhancing the consumer’s interest in certain products.
As can be seen, the use of cookies is an advantage for both companies and users, since browsing experiences are more fruitful. However, their use can be an invasion of privacy, so it is essential that users are aware of this in order to decide whether to accept or reject such advantages.
But how can users be aware of the use of cookies?
Cookies and Data Protection
As we well know, for data processing to be legal, it must comply with the General Data Protection Regulation (GDPR), and in the case of cookies, exactly the same applies. Since their use involves a disclosure of personal data, it is essential to comply with the principle of transparency, as well as to obtain the consent of users for those cookies that require it in order to legitimize the data processing involved in their use.
As for the information, it should be sufficiently complete to allow users to understand the purposes and use to which their data will be put. Taking into account that every website must have a cookie policy, the basic information that should appear, without prejudice to supplementing it in the second layer of information of the privacy policy, is the following:
- Definition and generic function of cookies.
- Information on the type of cookies.
- Who uses them and whether third parties are involved; the GDPR establishes that information on third parties must be directly visible.
- Information on how to accept, refuse or revoke consent.
- On international transfers.
- When profiling involves automated decision making.
- Retention period…
According to the Spanish supervisory authority (Agencia Española de Protección de Datos), in order to comply with transparency requirements, the information must be displayed in a concise, intelligible manner, in clear and simple language and must be easily accessible, providing a clearly visible link to the cookie policy.
As for consent, Article 4 of the GDPR defines it as:
“any freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data concerning him/her”
For its part, the European Data Protection Board Directive 5/2020 provides a more detailed analysis of it, stressing that for consent to be freely given, access to services and functionalities cannot be made conditional on the user’s consent, since then no real choice is being offered. This occurs when, for example, a website does not allow access to services or content without first clicking the “accept cookies” button. However, the EDPB recalls that there may be certain cases in which non-acceptance prevents access to the website, but the user must be informed of this and offered alternative access to the service without having to accept the use of cookies.
On the other hand, for consent to be valid, the data subject must have taken a clear affirmative action, such as clicking the “accept” button, where it is evident that by doing so he/she accepts the cookies. Where acceptance also entails other actions, the user must be informed of them separately. Likewise, acceptance of the terms and conditions of use of the website must be independent from acceptance of the privacy policy or cookies. Finally, although cookies are not usually used in situations where the GDPR requires the explicit consent of data subjects, when this is necessary because special categories of data are involved, consent can only be obtained through acceptance buttons with additional information on the type of data to be processed.
That said, it should be noted that consent is only an option, so the possibility to refuse cookies and to withdraw previously granted consent must be clearly offered, using a system that allows consent to be withdrawn in a simple way. Otherwise, it may be grounds for a penalty, such as the one imposed by the National Commission for Informatics and Liberties (CNIL) on Google and Facebook, of 150 and 60 million euros respectively.
Finally, the EDPB warns that continuing to browse without accepting the cookie policy does not imply acceptance of cookies, and that some cookies, such as session cookies or user security cookies, do not require consent, as they are essential for the operation of the website.
The legal obligations of cookies are clear, but how can we protect ourselves from them?
How to protect ourselves from cookies?
Apart from the possibility of rejecting all cookies or only allowing those necessary for the operation of the website, there are other, more technical measures that we can configure ourselves so that cookies are less exhaustive.
In this regard, the Spanish supervisory authority has prepared a very detailed document on measures to minimize tracking on the Internet, from which we can highlight some very effective measures.
- We must find out about the level of privacy and security offered by an application, and avoid installing those that are not strictly necessary, so that we avoid risks from the outset.
- We must check whether our browser has advanced anti-tracking protection and activate the “Do not track” option, thus expressing to websites our wish not to be tracked.
- We can block third-party cookies, which are the most invasive, by configuring this option in the same way as the previous one.
- We can also configure the browser so that cookies are deleted when it closes; alternatively, we can delete them manually from time to time.
- We should also avoid keeping the session open indefinitely. Regarding advertising, we can configure the device so that it does not use the advertising identifier to create profiles or show personalized ads based on our location.
- We must review and configure our social network profiles since, although they may seem a closer and more reliable context, they are where personal data may be most exposed.
The end of cookies
When we visit a website, we do not access just a single Internet site: at the same time we are redirected to other third-party servers, generally those that offer advertising services and analytical data for the main website. It is this access to third parties that allows cookies to be installed by data controllers that do not manage the website we voluntarily accessed, and in many cases these cookies are unnecessary for providing the service explicitly requested by the user.
This invasion is the main reason why most measures are aimed at minimizing third-party cookies or avoiding them altogether, to the point that Google has launched an initiative called The Privacy Sandbox, which aims to phase out third-party cookies and limit covert tracking by creating new web standards that provide publishers with safer alternatives for personal data. This project is currently under development, with the last update in April 2022, and many of the proposals are under discussion or in a testing period. However, it will not be until the end of 2023 that Chrome starts the second transition period, in which support for third-party cookies will be phased out.
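The difference between the site we choose to visit and the third-party servers contacted during the same page load can be read from the Set-Cookie header of each response. The following is an added example, not part of the original article: the hosts and cookie values are constructed, and treating the last two DNS labels as the "site" is a simplifying assumption (browsers use the Public Suffix List).

```javascript
// Added example: classify the cookies set during one page load.
// Hosts and Set-Cookie values below are constructed sample data.

// Assumption: the "site" is the last two DNS labels. Browsers use the
// Public Suffix List instead, so a host under co.uk would be misjudged here.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into a name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: eq === -1 ? pair : pair.slice(0, eq), attrs };
}

// Session cookies carry neither Expires nor Max-Age; Max-Age <= 0 deletes.
// (An Expires date in the past also deletes, but is not checked here.)
function lifetimeOf(attrs) {
  if ('max-age' in attrs) return Number(attrs['max-age']) > 0 ? 'persistent' : 'deleted';
  return 'expires' in attrs ? 'persistent' : 'session';
}

// pageHost: the site the user chose to visit.
// responses: [{ host, setCookie }] for each response seen in that page load.
function auditCookies(pageHost, responses) {
  return responses.map(({ host, setCookie }) => {
    const { name, attrs } = parseSetCookie(setCookie);
    const party = siteOf(host) === siteOf(pageHost) ? 'first' : 'third';
    return { name, setBy: host, party, lifetime: lifetimeOf(attrs) };
  });
}

const sample = [
  { host: 'www.shop.example', setCookie: 'sid=abc123; Path=/; HttpOnly; Secure' },
  { host: 'www.shop.example', setCookie: 'lang=en; Max-Age=31536000; Path=/' },
  { host: 'ads.tracker.example', setCookie: 'uid=u-9f2; Max-Age=63072000; SameSite=None; Secure' },
  { host: 'cdn.shop.example', setCookie: 'old=; Max-Age=0; Path=/' },
];

console.table(auditCookies('www.shop.example', sample));
```

Cookies reported as third-party and persistent are the ones that the browser settings for blocking third-party cookies and deleting cookies on close are aimed at.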