Companies circumvent cookie law in various ways

European legislation increasingly restricts the tracking of people on the internet. But companies’ appetite for recording people’s browsing behavior and interests is undiminished. That is why new tracking methods, designed to get around legal and technical barriers, are coming into fashion.

Of a hundred frequently visited websites in the Netherlands, 42 already use a method other than traditional advertising cookies to recognize and profile visitors. This is shown by research by the Consumers’ Association, published in the latest, members-only Digital Guide. The methods are controversial because, unlike with cookies, the site visitor is often not asked for permission, although the GDPR privacy law requires it.

Red-faced

Most notable accused party: the Consumers’ Association, which records visitors’ preferences on its own website without asking their permission. So says spokesman Gerard Spierenburg, red-faced with shame: “We can hardly condemn other parties harshly if we don’t first get our affairs in order. We must be more Catholic than the Pope.”

Companies use at least three methods to keep tracking visitors: ‘fingerprinting’, third-party cookies that are placed as if they were the publisher’s own cookies, and the placement of an invisible pixel. Fingerprinting, the most commonly used method, creates a kind of fingerprint of the user by storing characteristics of the device and browser with which he or she visits the site. These technical and user characteristics allow people to be identified and profiled, which makes it possible to show targeted advertising.

The second method, third-party cookies placed as if they came from the publisher itself, also secretly records preferences. In this practice, third-party cookies, for which permission must be requested under the GDPR, are disguised as the site’s own (first-party) cookies in order to circumvent blocking in browsers. Banks such as ING, Rabobank, ABN Amro and Volksbank subsidiaries are legally allowed to use these cookies to combat fraud, because for them they are ‘functional’. And under the GDPR, companies may always place ‘functional cookies’ without asking.

The third method is to place an invisible pixel, as used by Facebook, for example. This is a tiny image on a web page that sends a signal to the computers of parent company Meta, which can use it to profile customers who refuse cookies via their browser. Facebook actively instructs companies on the platform in how to collect data with these pixels.
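An added example, not part of the original article: a minimal Python audit that flags images matching the invisible-pixel pattern described above, meaning images of at most 1x1 or hidden by style that load from a different site than the page. The sample HTML, all host names and the two-label site comparison are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1, with or without 'px'."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1

def _site(host):
    # Assumption: last two labels approximate the registrable domain
    # (a real audit would use the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

class PixelAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = _site(urlparse(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        if not host or _site(host) == self.page_site:
            return  # same site as the page: not visible to this check
        invisible = (_tiny(a.get("width")) and _tiny(a.get("height"))) \
            or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if invisible:
            self.findings.append((host, src))

def find_tracking_pixels(html, page_url):
    """Return (host, url) for every invisible third-party image in html."""
    auditor = PixelAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE_HTML = """
<img src="/static/logo.png" width="200" height="60">
<img src="https://tracker.example.net/tr?ev=PageView" width="1" height="1">
<img src="https://cdn.example.net/banner.jpg" width="728" height="90">
<img src="https://img.news.example/px.gif" width="1" height="1">
"""
```

The last sample image is served from the publisher’s own domain and is not flagged, so a tracker disguised as first-party, as in the second method, passes a check like this one.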

Parties that use fingerprinting deny to the Consumers’ Association that they do so to track users for advertising profiling. For publishers such as DPG Media (Nu.nl, AD.nl), Mediahuis and RTL, the question is whether their fingerprinting stays within the legal framework. They tell the Consumers’ Association that they mainly use the method to combat fraud and the copying of material. However, meticulous research by the universities of Leuven and Princeton demonstrates how fingerprinting can still lead to advertising profiling in a sneaky way. It is true that fingerprinting does not directly identify visitors, as a cookie on a device does, but the set of collected characteristics nevertheless yields a unique profile.

Data Act

Although the Consumers’ Association warns that fingerprinting and websites’ use of their own cookies can be used to illegally track people online, a spokesperson for the Dutch Data Protection Authority (AP) responds cautiously when NRC asks whether the regulator is investigating the tracking methods. “When operators of websites violate the law, it cannot be ruled out that the AP will take enforcement action. The AP cannot indicate whether an investigation is currently underway or will be started.”

At the end of February, a new Data Act was passed in Brussels that is meant to protect consumers more strongly than the current GDPR and give them more control over their data. The European consumer umbrella organization BEUC is pleased with this, but practice will have to show whether power over personal data will really shift from providers to users.

For that reason, 73 European lobby organizations are now calling on European governments and parliaments to ban targeted advertising and all sneaky forms of data collection. They do this under the leadership of digital rights organization EDRi and Amnesty International. MEP Paul Tang (PvdA) has argued for such a ban before.
