The Cookie Conundrum: The Tech Industry’s Pursuit of Privacy Rules Adherence and Ad Earnings Boost
As the EU is relentlessly imposing fines for the unauthorized use of cookies, tech companies are actively seeking alternative methods to access individuals’ data. But can they have their cake and eat it too?
By Zsuzsa Detrekoi
In the increasingly competitive landscape of online advertising, the pursuit of user data has become more cutthroat. Regulators have taken a more assertive stance in protecting individuals against the relentless data mining practices employed by tech companies and advertisers. Amidst this heated struggle, cookies emerge as a pivotal component.
Expensive cookies
Five years after the adoption of the General Data Protection Regulation (GDPR) in Europe, cookies have emerged as one of the primary causes behind the imposition of substantial fines under this regulation. Authorities have identified four key cases where the use of cookies was deemed unlawful: the unauthorized placement of cookies on users’ devices, insufficient consent and inadequate cookie policies, the absence of viable options to decline cookies compared to accepting them, and the transfer of users’ data from the European Union (EU) to the United States
Despite the decrease in the occurrence of setting cookies without consent since the implementation of the GDPR, instances of penalties being imposed for this violation still persist. In 2022, SA Rossel & Cie, a media, telecom, and broadcast company, was fined by the data protection regulator in Belgium, APD, for placing unnecessary cookies on websites browsed on visitors’ devices without their consent. Similarly, the furniture retailer IKEA faced sanctions from the data watchdog AEPD in Spain for installing cookies on end-users’ devices without obtaining prior consent from the data subjects.
In a major decision in summer 2021, the Luxembourg National Commission for Data Protection (CNPD) levied an astronomical fine of €746m against tech behemoth Amazon, making it the second largest GDPR fine in Europe to date. However, the exact rationale behind this record-breaking penalty remains shrouded in secrecy, as the specifics are being withheld until the fine becomes legally binding. The case revolves around Amazon’s questionable ad targeting techniques and its improper cookie policy. Amazon has lodged an appeal, with the first hearing scheduled to take place in January 2024.
In separate developments, the French data authority, CNIL, has levied fines against tech giants Google and Facebook in late 2021. The companies have been penalized for their failure to offer a seamless option to decline cookies while the process of accepting them was found effortless. The CNIL highlighted that users had to navigate through multiple clicks to reject all cookies on these platforms, while a single click sufficed for accepting them.
Finally, in a landmark decision, the Irish Data Protection Commission (DPC) has imposed a record high fine of €1.2bn on tech giant Meta. The fine, which is related to GDPR violations, was issued in May 2023. The company was found guilty of transferring users’ data from Europe to the US, including the data collected through Metapixel cookies used by Facebook. The Privacy Shield agreement, which had facilitated the free flow of personal data between the US and EU, had been invalidated by the Court of Justice of the European Union in 2020, a ruling known as Schrems II. In response, the EU and US adopted a new Data Privacy Framework in July 2023.
The California Privacy Rights Act, which stands as the most stringent privacy law in America, only requires businesses to provide an opt-out mechanism, allowing the use of cookies on websites as long as users are given the option to opt out.
Although cookies are responsible for the majority of data protection-related sanctions, the GDPR does not explicitly regulate cookies. The EU had initially planned to address this issue through the adoption of ePrivacy regulations alongside the GDPR. These regulations were specifically designed to cover cookies. The aim was to simplify the rules surrounding cookie consent requests, allowing internet users to easily accept or refuse tracking cookies and other identifiers through their browser settings. However, the ePrivacy regulations have encountered obstacles in the legislative process and remain unresolved. If a resolution is not reached by the end of the year, the Commission may be forced to consider withdrawing the proposed regulations.
Privacy or enhanced online experience?
The decisions made by regulators regarding cookies under the GDPR have a significant impact on the world of online advertising. However, it is not solely regulators that are driving these changes. Tech companies are also taking on a crucial role in the management of cookies. In a noteworthy move, Google unveiled its intentions in January 2020 to gradually eliminate third-party cookies from Chrome, its widely used browser.
In a world where online advertising reigns supreme, third-party cookies have emerged as a powerful tool for tracking users’ every move on the internet. Unlike their simpler counterparts, these cookies are generated and placed on users’ devices by different websites than those they visit later.
Imagine this scenario: you’re browsing an e-commerce site, searching for the perfect T-shirt. Little do you know, when you later peruse a completely different website for your daily dose of news, you’re bombarded with advertisements for the very same T-shirts you were eying earlier. It all comes down to the fact that both the e-commerce website and the news portal share the same advertising platform. This allows the news website to identify you based on a unique ID stored in third-party cookies, enabling them to target you with those T-shirt ads. These cookies meticulously track your browsing history and gather data about your interests, ultimately enabling advertisers to follow you around the vast expanse of the internet.
Third-party cookies have both advantages and disadvantages. On one hand, they enhance user experience by displaying tailored advertisements and aiding websites in comprehending user behavior, ultimately leading to improved customer service. However, they also give rise to notable privacy concerns through profiling based on browsing history and pose security risks due to tracking. Additionally, the lack of transparency surrounding these cookies generates further apprehension. These concerns are the main reasons why authorities have taken action in the form of issuing fines as mentioned earlier.
In a move that sets it apart from its rivals, tech giant Google has announced a delay in ending support for third-party cookies. While competitors like Apple, Firefox, and Safari have long restricted third-party cookies, offering users the option to enable them through settings, Google has chosen a different path. The company now plans to disable third-party cookies for a mere 1% of its Chrome users in the first quarter of 2024, with the ultimate goal of a full shutdown by late 2024.
Earlier on, Google unveiled a new technology, FLoC (Federated Learning of Cohorts), aimed at revolutionizing online tracking methods by eliminating the need for third-party cookies. However, this initiative has faced significant backlash from multiple entities, including Britain’s antitrust regulator, the Competition and Markets Authority. As a response to the criticism, Google has now abandoned FLoC and put forth an alternative strategy called Topics, which aims to eradicate the use of cookies.
Topics utilizes advanced algorithms to categorize users based on approximately 350 interest categories by thoroughly analyzing their browsing history. The technology enables the storage of the top five interest categories directly on users’ devices, subsequently facilitating their sharing with the websites they frequent. As a result, users are presented with targeted advertisements tailored to their specific interests. All related data is deleted after a period of three weeks to ensure privacy for users.
However, privacy concerns are not the only factor at play in Google’s strategy. The dominance of Google-run Chrome, which holds a commanding 63% share of the global browser market, raises significant antitrust concerns. Unlike a cross-browser or cross-platform solution, Topics falls short in its ability to effectively target audiences with its broad selection of 350 interest categories. This raises legitimate concerns that Topics could potentially serve as a tool for Google to solidify or even expand its advantage in the advertising market, further distorting competition.
Cookies: changing the recipe?
The ongoing struggle for dominance in the cookie industry raises questions about who will ultimately reap the greatest rewards. The ability to discern users’ interests holds immense value for advertisers and tech giants alike, driving them to explore avenues for obtaining such data. However, this valuable information is deemed personal data under regulations like GDPR, creating a perpetual conflict between safeguarding individuals’ privacy and the pursuit of user information.
Authorities are expected to intensify their efforts in monitoring the various methods employed by tech companies to obtain user data, particularly those that violate EU regulations. As a result, it is highly likely that they will be able to effectively prevent advanced tracking methods.
But as tech companies have consistently demonstrated a tendency to bypass stringent regulations rather than adhere to them, they will undoubtedly increase their endeavors to extract additional data from advertisers and telecommunication companies, a strategy aimed to safeguard their dominion over ad sales chains and evade potential penalties. In the ongoing battle for users’ data access, it is highly probable that they will safeguard their substantial market advantage.
Zsuzsa Detrekoi is a technology and law expert with the Media and Journalism Research Center.
