Tough cookies: false sense of online privacy due to so-called legitimate interest
You know the drill: a pop-up on your screen asks permission to place cookies. Well, you think as you uncheck everything: my privacy is guaranteed. But it is not that simple, because advertisers abuse the gray area in the law to circumvent that permission.

Internet cookies. They are useful but also annoying, especially the so-called tracking cookies that advertisers use to track your browsing habits. According to the European ePrivacy Directive (Directive on Privacy and Electronic Communications), you can refuse cookies and websites must ask for permission to place them.
You must be able to actively consent to the collection of information via the cookie banner. But even if you reject or refuse everything, advertisers can still try to place cookies that record and store your browsing habits, violating your privacy.
What are cookies?
A cookie is a small piece of data that a website places on your computer or phone when you visit the site. Handy if, for example, you do not want to log in every time, because the site will remember your login details. But cookies can process much more data, such as tracking your privacy-sensitive browsing behavior and forwarding it to advertisers.
Companies have come up with dubious ways to collect data from you. Irene Kamara, Assistant Professor of Cybercrime and Human Rights, and PhD candidate Alicja Joanna Kucharska are researching these practices in the context of technology and human rights, within the Tilburg Institute for Law, Technology, and Society (TILT).
If a platform such as Instagram wants to collect personal data from someone, it may only do so on the basis of one or more of the six options offered by the General Data Protection Regulation (GDPR). The sixth and final option is the so-called legitimate interest, where companies and organizations do not have to ask for permission, but have to make their own assessment.
Kamara: ‘The GDPR is intended to provide rules on how personal data should be analysed and shared. Within the framework of the law, legitimate interest offers advertisers the opportunity to place cookies without permission.’
‘When an organisation wants to collect personal data on the basis of this option, they are obliged to assess three legal conditions,’ Kucharska explains: ‘The purpose of the data collection must firstly be lawful, secondly it must be necessary for the intended purpose and finally the purpose must outweigh the fundamental freedoms of the user.’
Gray area
‘The problem is not so much that the law is inadequate,’ Kamara adds. ‘It is all about compliance and enforcement of the law. Because a violation of the legitimate interest is less easy to enforce, because of the interpretation of the criteria. Because what is ‘lawful’, what is ‘necessary’ and what ‘weighs more heavily’? In practice, many organisations abuse these criteria to collect personal data.’
‘We call it abuse because companies do not ask for permission when invoking legitimate interest. They have to make the test internally and users do not know that,’ says Kamara. Moreover, this consideration is not always in the interest of the user, she believes.
False sense of control
Some websites do give their users the option to turn off consent for legitimate interest for each advertiser, usually in a separate tab. But that list of advertisers can sometimes be infinitely long.
‘I think that companies will eventually just collect and process data, counting on the fatigue of users to take the step to object for multiple purposes of data processing,’ Kucharska sighs. ‘Moreover, the user will not be able to fully understand the practical consequences of shifting the button to ‘consent’ or ‘no consent’.’
Kamara: ‘Legitimate interest therefore gives users a false sense of control. This is not what the legislator had in mind. We have to get rid of that. The points of the GDPR are not intended as a shopping list: if we cannot meet this criterion, we will try to apply another criterion in order not to have to ask for permission.’
Solution
There is no simple solution to the problem as long as the law is not changed. If you want to play it safe as a user and protect yourself from intrusive cookies, it is advisable to refuse ads and use privacy-friendly browsers, says Kamara: ‘I always take the trouble to reject everything.
‘But I do not think this should be a responsibility for every individual user. The providers must take their responsibility in this.’
Kucharska: ‘The Dutch Data Protection Authority (DPA) does not have the means to prevent all alleged abuses. For my thesis, I created an accessible questionnaire for companies to be able to properly conduct the legitimate interest test.
‘But companies do not always want to spend time on such a list. Perhaps lawsuits against larger players who break the rules can help. By imposing high fines, these cases can serve as an example for others.’