May 06, 2020

Web Cookies and Shadow Data Collection: The Legal Implications

Jordan L. Fischer

The past five years has seen a renaissance of data privacy regulation across the globe. Starting with the European Union’s General Data Protection Regulation in 2016, many different regions and countries have created privacy laws that place a stronger emphasis on transparency and individual control in the collection of personal information. Following in the steps of the GDPR, Japan, Brazil, Canada, and India have all adopted, or are in the process of adopting, privacy legislation that substantially mirrors the GDPR. Continuing the trend, the California Consumer Privacy Act of 2018 brought GDPR-like data privacy to the United States.

A common trend throughout these regulations is a focus on mandating companies be transparent about their data collection practices and to provide individuals with control over how their data is used. Unfortunately, many companies continue to collect large amounts of personal information by employing dark patterns: those techniques that are used to nudge users to provide information, or consent to certain practices, that are not in the individual’s best privacy interest. The use of cookies on websites highlights a key area of these dark patterns and shadow data collection practices that is directly implicated by these new privacy laws.

This article provides an overview of cookies, and their use on websites to collect personal information. Further, this article explores the legal guidance from two prominent privacy laws, the GDPR and the CCPA, and how these laws are tackling this specific data collection tactic. Ultimately, this article highlights that there are key legal differences between the approach to the use of cookies that creates opportunities for dark patterns within websites to continue to survive and thrive, making meaningful privacy decisions for users engaging on the Internet and the digital economy challenging.

Understanding Cookies and the Internet

In short, a cookie is “a small file that stores information for a Web site. As you browse the web, each website may choose to save some data in a cookie file, which is stored locally in your web browser. The next time you visit the website, your web browser provides the cookie back to the website, allowing it to remember the data that was previously saved. Cookies are commonly used for a lot of mundane functionality, such as remaining logged into a website and displaying the items in a shopping cart. However, the type of data stored in a cookie is not restricted and websites can just as easily store personal information in cookies.

There are two main types of cookies: session cookies and persistent cookies. Session cookies are saved until the web browser application is closed. Each time the browser is opened, a new, empty session begins. Conversely, persistent cookies remain saved in the web browser between many sessions; they are only removed if the expiration date has passed, or are manually deleted by the user. Both session and persistent cookies can store a wide variety of information, some of which may be considered sensitive, including passwords or account numbers.

In addition to these two types of cookies, there are different sources of cookies: first-party and third-party. First-party cookies are set by the same website that the user is visiting. Third-party cookies are set by different third-party services that the website may be using, such as advertisers. The Network Advertising Initiative describes third-party cookies as follows:

The sites you visit may work with ad networks or other service providers to help provide content or services, including advertising. Those partners also use cookies. But because these partners place cookies using their own web domains, they are called “third-party” cookies. NAI members, working with publishers, use third-party cookies to make advertising more engaging to users and more valuable to publishers and advertisers.

For example, when visiting the homepage of a website such as The New York Times, there are more than 100 cookies listed as in use on the website. When a user first enters the website, you can find cookies that are attributable to The New York Times, typically listed as some derivative of nytimes.com. These would be considered first-party cookies, used to support the functioning of the website. However, these account for only a portion of the cookies used. Other cookies that are visible include amazon-adsystem.com, bing.com, doubleclick.net and twitter.com, to name a few. These cookies consist of third-party cookies, some of which are set by advertisers to dynamically place advertisements on the website during each visit.

Because these cookies can, and do, collect personal information, the use of these cookies are increasingly scrutinized, and regulated by, these new privacy laws.

Relevant European Union Legal Guidance

There are two prominent sources of privacy law within the EU that directly impact the use of cookies:

  1. The Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”).
  2. The Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “General Data Protection Regulation” or the “GDPR”).

It is important to note the difference between a “directive” and a “regulation” as distinct forms of EU laws. A “directive” is “a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. Conversely, a “regulation” is “a binding legislative act” that “must be applied in its entirety across the EU. As such, individual member states do not have the ability to revise or interpret the law into their own legislation; instead, it applies automatically to each member state without any action taken by the member state.

The ePrivacy Directive is intended to create a cohesive EU-wide approach to ensure privacy “with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community. The scope is limited to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. Since this law is a directive, it leaves some discretion up to each member state to adopt its requirements as the member state so chooses.

Specifically, the ePrivacy Directive recognizes that cookies, in some instances, are necessary for the functioning of websites, and should be allowed for a legitimate purpose. However, the use of those cookies “should be allowed on condition that users are provided with clear and precise information in accordance with [the GDPR] about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Finally, the ePrivacy Directive makes clear that “[u]sers should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment.

The GDPR impacts a broader range of processing activities on personal data than the ePrivacy Directive. The regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. The GDPR outlines two main objectives: (1) “to protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data” and; (2) to ensure the free movement of personal data within the Union.

The GDPR expressly recognizes that cookies may be considered personal data subject to its requirements:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

While the ePrivacy Directive directly relates to electronic communications, which include websites, the GDPR applies to any processing of personal data, regardless of the technology used for that processing. The European Data Protection Board (the “EDPB”) guidance recognized that while these two laws may have some overlap in scope, the ePrivacy Directive and the GDPR co-exist without conflict, especially since the ePrivacy Directive directly references and incorporates the GDPR.

The Court of Justice of the European Union (the “CJEU”) reinforced the harmonization between the ePrivacy Directive and GDPR in its recent judgment in Case C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v.Planet49 GmbH. This case addressed the consent of visitors to an online gambling company website regarding the transfer of their personal data to the company's sponsors and partners. It also addressed consent to the storage of that information and the access to that stored information through the use of cookies on a user’s computers.

At issue were both first-party and third-party cookies, and the transfer of information from the website to third-parties such as advertisers. The specific question referred to the CJEU was “[d]oes it constitute a valid consent . . . if the storage of information, or access to information already stored in the user’s terminal equipment, is permitted by way of a pre-checked checkbox which the user must deselect to refuse his or her consent? In its judgment, the CJEU conducted an exhaustive review of both the ePrivacy Directive and the GDPR.

The CJEU held that “a user’s consent may be given by any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including ‘by ticking a box when visiting an internet website’. As such, a pre-checked box is not valid and “[o]nly active behaviour on the part of the data subject with a view to giving his or her consent may fulfil that requirement. Further, as it relates to the information that must be provided related to those cookies, the Court clarified that:

clear and comprehensive information implies that a user is in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed.

The CJEU judgment enforced that, under the GDPR and the ePrivacy Directive, cookies may only be used on websites if a user affirmatively elects for those cookies to be stored on the users device or transfer the user’s personal data. It is not valid for cookie consent to be collected “by way of a pre-checked checkbox which the user must deselect to refuse his or her consent. And, this affirmative opt-in consent applies to any category of cookie (session or persistent) and whether the cookie constituted of first or third party cookies.

The California Consumer Privacy Act

The California Consumer Privacy Act of 2018 (the “CCPA”) also addresses the use of cookies to collect personal information. The CCPA went into effect on January 1, 2020 and regulates the collection of “consumer personal information” by businesses. Not all businesses are impacted by the CCPA; it impacts only those businesses that meet certain thresholds.

Generally, the CCPA provides certain data rights for consumers regarding notice, access, and deletion. The CCPA does expressly recognize that cookies fall under its purview. Cookies are expressly included within the definition of “Unique identifier” or “Unique personal identifier. And, both terms are incorporated into the definition of “personal information. As such, businesses subject to the CCPA must provide notice of the categories of personal information collected via cookies. This notice includes the transfer or sale of any personal information, which would directly relate to the use of third-party cookies, and a consumer’s right to opt-out of the “sale” of her personal information.

The California Attorney General is charged with adopting Regulations to further interpret the requirements of the CCPA. The proposed regulations confirmed that “[a] business that collects personal information from a consumer shall provide a notice at collection. This notice must: (1) “[u]se plain, straightforward language and avoid technical or legal jargon”; and (2) “[u]se a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable. These notice requirements would apply to cookies since they are considered personal information under the regulation.

Since this regulation is so new, and as yet, not enforced by the California Attorney General, the breadth of its impact on the use of cookies is yet to be tested. However, the CCPA aligns with many of the core privacy principles supported by the GDPR; preparing for the CCPA to impact the use of cookies in a similar vein is not a wasted effort.

Identifying the Privacy Concerns with Cookie Data Collection

Under recent privacy laws and their interpretations, it is clear that cookies are considered personal data or personal information subject to proactive privacy protections. It is important, within this legal framework, to understand the privacy concerns associated with the increased use of cookies in the digital environment. While first-party cookies, those used by the actual website to support its platform, can -- and do -- collect personal information, it is often those third-party cookies that raise the most glaring concerns from a privacy perspective.

As data continually increases in value -- in some respects becoming the “oil of the digital era -- the collection of that data becomes more attractive to all businesses. Shoshana Zuboff, professor emerita at Harvard Business School, explains the risks of this increasingly massive data collection online, or “surplus behavioral data,” as follows:

I define surveillance capitalism as the unilateral claiming of private human experience as free raw material for translation into behavioral data. These data are then computed and packaged as prediction products and sold into behavioral futures markets — business customers with a commercial interest in knowing what we will do now, soon, and later.

Most often, these surveillance capitalism, or the creation of massive online dossiers on individuals, is derived through the use of cookie and tracking technologies. From a privacy perspective, there are two key concepts that are at tension with the use of cookies to collect personal information: transparency and control.

A core tenant of privacy law is transparency, i.e the knowledge the user has regarding the collection and use of her personal information. Both the GDPR and the CCPA emphasize the use of clear and easily understood language to provide notice of any personal data collection. However, studies have shown that cookies, their use, and the data collected are very misunderstood by users.

Second, privacy laws tend to focus on the idea of user control over data collection, or “informational self determination. For most, user control centers around the concept of “consent”; i.e., providing users with the ability to consent via cookie banners or notices to the collection of personal information during a website visit. And, consent goes hand-in-hand with transparency; i.e., notice.  Both of these concepts are necessary to show actual control by the user.

Meaningful Consent to Data Collection

Assuming that a user understands the data collection by cookies, there is still a lack of meaningful control over that collection. “Dark patterns” used to “nudge” users to make certain privacy decisions related to the collection of data via the Internet continues to result in success for those companies using those techniques to collect information. In other words, users are often encouraged in ways outside of their perception to make privacy decisions.

Adding to the complexity of online data collection is that the method of notice and/or consent “have mostly been privacy policies and opt-in/out interfaces, which legally can be seen as ‘pre-formulated declarations of consent, or ‘click- wrap’ contracts. The use of privacy notices/policies on websites is the predominant method for companies to address any notice requirements. In fact, the CCPA expressly requires businesses to maintain and annual update these privacy notices on all websites.

The issue is that many of these privacy notices are long, written in legalese, and very challenging for readers to understand. In a recent study by The New York Times Privacy Project, the author analyzed the length and readability of privacy policies from approximately 150 websites and apps. The study found that

The vast majority of these privacy policies exceed the college reading level. And according to the most recent literacy survey conducted by the National Center for Education Statistics, over half of Americans may struggle to comprehend dense, lengthy texts.

And, the increasing obligations with new privacy laws, some of which require additional or conflicting information be provided in these notices, only adds complexity and contributes to diminishing capacity of users to actually understand the data collection practices provided in the form of privacy notices/policies.

Effectively Providing Privacy Online

Where does the digital economy -- and its obsessive use of cookies to support a variety of economic data flows -- go from here? How does the internet embrace, and incorporate, a concept of meaningful consent and control for users around data collection? Thus, ultimately resulting in effective privacy laws that protect individuals and allow businesses to use that data in a legally compliant manner.

The laws are lining up to require more meaningful consent and control for users; meaning, less deception in the collection of personal information online. For example, the use of “dark patterns to make people consent to data collection, may no longer be sustainable if the GDPR’s data protection by default principle is enforced.”

Further, there is a strong initiative, at least from the EU, to require positive action, rather than in-action, to allow cookies to collect data. While this same opt-in requirement is yet to be adopted within the US, positive action requirements align strongly with the concepts of consent and control. And, there is an increasing push by the actual companies providing the web browsers; i.e. Chrome by Google, Mozilla Firefox, Safari, etc., to block third-party cookies by default, removing any option on the part of the website to convert to an opt-in model. However, opt-in consent will only do so much to ensure privacy protections if users remain ignorant of the actual informati on transactions that occur on these digital platforms.

Laws like the GDPR and CCPA are only the beginning. Data privacy is bleeding into every aspect of business as the collection and use of data drives more and more of our economy. Ultimately, businesses need to embrace transparency in the collection of information, especially when that collection is often not apparent to the users, as is the case with cookies.  Understanding the corresponding legal requirements, even as those requirements evolve, is key to compiling with these privacy laws that will only continue to grow in influence. For users to take control of their digital lives, they need to know the impacted data, where it is stored, who it is shared with, and how it is protected.. Empowering users, while also guiding companies, should be the ultimate goal of any data privacy law.

    Jordan L. Fischer

    XPAN Law Group and Thomas R. Kline School of Law at Drexel University