Sneaky Ways Websites Interfere With Your Privacy Online
Data-informed decisions keep the profits high while optimizing the costs of acquiring new customers, so almost every online business wants to monitor what you do on the internet. This keeps their prices low while converting you to a paying customer.
In the meantime, the monitoring has gone wild, and governments reacted with more stringent data protection laws.
The GDPR (General Data Protection Regulation) of the European Union is the world’s most famous data protection law, primarily due to the hefty GDPR fines.
Despite being aware of the law and the risk of fines, though, websites keep tracking users’ online behavior against the GDPR.
To explain to you how they do that and how you can protect yourself from tracking, we will explain the following:
- What cookies and tracking technologies are
- What does GDPR say about them
- How websites and apps try to sneak them into your device against the laws
- What to do to protect yourself
This extensive monitoring has prompted the creation of rigorous data privacy regulations like the GDPR by governments.
Even with the potential for severe penalties, many websites persist in monitoring users’ online actions in violation of GDPR guidelines.
The article delves into the nature of cookies and tracking technologies, the stipulations of the GDPR concerning them, the methods websites employ to illicitly install these technologies on your device, and strategies for safeguarding your privacy.
Additionally, it offers advice on what steps to take if your data privacy rights are breached.
What Cookies and Other Tracking Technologies Are?
Cookies are small files that websites or apps send to your device to collect specific data. Later on, that data is being processed.
Aside from cookies, websites often use tracking pixels (also known as web beacons), which follow the websites you browse, the ads you click, etc. They show the website owner who did what on the website and when.
Regarding your privacy, there are two types of cookies:
- Essential cookies. These cookies are necessary for the proper functioning of the website or app. An example is a cookie that remembers what you put into your shopping basket while still browsing the web store. Without such a cookie, the shopping cart would empty when you continue browsing. No consent is needed for these.
- Non-essential cookies. These are the cookies you may not want on your device. These include statistics cookies, such as Google Analytics, and advertising cookies, such as the tracking technologies of Google and Facebook. These are the cookies that track you.
What Does the GDPR Say About the Use of Cookies?
You want privacy while browsing the internet. Governments introduce laws that protect your online privacy with fines for those who do not comply.
The GDPR doesn’t address cookies, but it implicitly sets the rules for tracking users online. They protect your browsing around the internet and forbid websites from collecting your info without knowing.
The most notable exceptions are the United States and India laws, according to which websites can track you without asking. Only in California and Nevada should they tell you that they track you and should let you opt out of tracking, but that’s all.
When it comes to the GDPR and similar laws, websites should ask you for consent for each purpose of tracking. If you let them use it, it’s your choice. If you don’t let them, they must restrain from injecting cookies into your device.
What Are Businesses Required to Do Regarding Cookies?
According to the GDPR, businesses must ask for your explicit consent before using cookies.
If you consent to their cookies, they can track you online. They must not track you if you don’t accept it, even while allowing you access to their free content.
Moreover, they must request consent in a specific way. If they do not meet the legal requirements about the way they should ask the consent, it is the same as if they didn’t request it, even if you have agreed to the use of cookies.
Your consent is lawful only if given:
- Freely. The consent is given freely if you choose whether to accept or refuse the cookies. Businesses must not put users in a trap to accept cookies, such as bundling consent to Terms of Use, using cookie walls, etc.
- Specific. Businesses must request a separate consent for each purpose of data collection and processing. If you give your consent to use Google Analytics for analytics purposes, it doesn’t give the business the right to use the same data for advertising purposes.
- Unambiguous. The consent is given only by affirmative action by the user. That means clicking an ACCEPT button.
- Easily withdrawn. The user must be given the possibility to withdraw the previously given consent as easily as possible. So, if the user only clicked a cookie banner to accept the cookies, they must be provided with a WITHDRAW button to withdraw it. The business must not require forms and emails for withdrawing consent given in such a way.
Nonetheless, online businesses do not always do so.
What Do Businesses Sometimes Do Instead?
They are as creative as they and their lawyers could get. Most often, they employ the following strategies:
Assume you accept cookies just by browsing
“This website uses cookies. By browsing this website, you agree to the use of cookies and accept our privacy policy.”
It is quite common to encounter a cookie banner with these words. There are two big issues with them:
- Accepting a privacy policy is nonsense. The privacy policy is a notification. It is a document with which the online business informs the user about their privacy practices. There is nothing to be accepted here. It is just information about how things already are. So, accepting a privacy policy means nothing. On the other hand, accepting cookies means everything to businesses that want to track you online.
- If you don’t click the “ACCEPT” button for accepting cookies, then you haven’t given your consent to the use of cookies. Browsing the website doesn’t mean consent.
If they ask you for consent, you can accept the request, refuse it, or ignore it.
If you accept it, they can use cookies.
If you reject it or ignore it, they must not use cookies. If they use them anyway, they violate your privacy rights.
Have cookie walls
A cookie wall is a cookie banner that doesn’t give you access to the website or app content unless you consent to the use of cookies and tracking technologies. Cookie walls are unlawful.
This is a cookie wall:
It requires the user to accept the cookies or pay to access the content.
Some websites do it another way to avoid violating the law. They cover most of the screen with the cookie banner, but they don’t require accepting all the cookies before removing them from the screen. You can go to the preferences center and reject all the cookies. This does not violate the law, although it resembles cookie walls.
Bundle Terms of Use with privacy policy and consent
Wording such as “By accepting these Terms of Use, you accept our privacy policy and the use of cookies” is against the law. It violates your privacy rights because it doesn’t request specific consent, but it lures you into consent by bundling it to the acceptance of the Terms of Use.
The Terms of Use are a contract between the website or the app and the user. It governs your use of the website or the app. If you want to use an app, you have to agree to the terms set by the app owner.
However, accepting those terms must be separate from accepting cookies for online tracking.
Pre-checked boxes
The consent is specific only when given separately for each particular purpose. This means that the business must request separate consent for each specific purpose of using cookies.
Suppose the website you visit uses cookies for remembering your preferences on the website, an analytics tool for statistics, and an advertising pixel to market their products to you on social media. Later on, it means that they have to request a separate consent for each of them.
A cookie banner may look like this one:
Yet, the cookie banner above is unlawful. The toggles must not be turned active. It should look like this one:
Now your consent will be unambiguous because you will be the one who will turn the toggle on and click the CONFIRM MY CHOICES button. Anything less than that is against the law.
Ignore data protection laws
Some online businesses ignore the GDPR whatsoever. They act as if that doesn’t apply to them. They would use cookies to track you even though it puts them at risk of a fine.
Some of them are unaware that the GDPR and similar laws exist, and some hope that the data protection authority won’t come after them.
Whatever their reasons, these websites won’t show you a cookie banner asking for consent. They will fire the cookies straight into your device. When that occurs, or if any of the acts described above occurs, you may want to act against it to protect your rights.
How to Protect Yourself?
When websites act as described above, your data rights are being violated. The GDPR is here to protect you, but you are the one who has to take things into your own hands and seek the protection of your online privacy.
If you have been in such a situation, here are the steps you could take to remove the violation:
Make sure that the GDPR applies
There is no privacy violation if there is no law that grants you online privacy rights.
If you or the online business are from a member-state of the European Union, then the GDPR applies, and you have the right to seek protection.
But first, you need to determine which laws offer such protection to you.
In general, data protection laws apply to:
- Businesses in their jurisdiction
- Individuals in their jurisdiction
- Any individual in the world who interacts with a business from their jurisdiction.
As a result, businesses have to comply:
- With the local data protection laws in any interaction with a user from anywhere in the world
- With the user’s local law in the interaction with that specific user.
If the business and the individual are from different countries, then all the laws that apply to each of them apply to their relationship.
To determine whether GDPR applies to your case, use the following decision tree:
If you arrived at the “GDPR applies” field, keep reading.
Scan the website for cookies
The website you have visited likely uses some cookies.
If the website welcomes you by mentioning cookies, it is 100% sure they use some.
If you are not sure yet, though, there are cookie scanners available for free on the internet where you can check out what websites use them.
A few examples are:
You have to go to the scanner, copy-paste the URL of the website you want to scan, and click SCAN.
Then the scanner will do its magic and provide results.
Submit a data subject request
If the applicable laws grant you the right to submit a data subject request, this is the next step to take.
A data subject request is a request that users can submit to businesses to exercise their data subject rights (the user is the data subject).
GDPR grants you the following data subject rights:
| You have the right to: | What the business must deliver upon your request: |
| Get information whether the business collect and processes your personal data | Information on whether they collect and/or process your data |
| Access your personal data | Provide you access to every category of personal information they have about you, the purpose and the means of collection and processing, the recipients, the retention period, etc. |
| Rectification | Correct the inaccurate data they have about you |
| Erasure of your personal data (the right to be forgotten) | Delete all the data they have about you |
| Restriction of processing | Restrict the processing of your data as per your instructions (you may allow them use your data to provide you with relevant content, but not for advertising) |
| Data portability | Provide you a file or folder with all your data so that you can transfer it to another data controller |
| Object to processing of data | Stop processing your data as per your instructions |
| Not to be part of automated individual decision-making, including profiling | Stop using your data in automated individual decision-making, including profiling (basically, remove your data from their algorithms) |
You can submit a data subject request for any of these rights, a combination of them, or all of them. It’s your right, so you decide how to exercise them.
Businesses usually include the methods for submitting requests in their privacy policy. However, they are obliged to accept your request no matter how you have submitted it.
So, the best way is to look at the privacy policy. If there is nothing there or hard to navigate, send them an email or contact them through their contact form.
The GDPR gives them 30 days to respond to your request. They may take another 30 days if your submission makes it complicated to answer in the initial 30 days.
If you don’t receive a response in that period, it is time to reach out to the data protection authority.
Lodge a complaint to the competent data protection authority (DPA)
There are two points in time in which you could complain to the competent data protection authority:
- Before you submit a data subject request. It is good to make sure that the online business violates your data subject rights before taking any further action. So, submitting a request before lodging a complaint is, generally speaking, a good idea.
However, there are some situations where it is too obvious that your rights have been violated, and there is no need to waste time.
For example, if an EU business welcomes you with a cookie wall, it is clear that they are doing something wrong. This is when you could go ahead with lodging a complaint to an authority.
- When the business fails to deliver upon your data subject request. Failing to deliver to your request is a violation in itself, but it may also mean that the business has committed a series of violations you are not aware of yet. That requires action from your side.
Lodging a complaint to the competent authority is as easy as possible. Although many authorities have complaint forms on their websites, many of them would accept a complaint submitted in any way.
The tricky part here is to figure out which data protection authority is the competent one. But, even if you don’t get it right and lodge a complaint to the wrong authority, they will refuse your complaint and tell you what’s the correct address. So, in the worst-case scenario, you’ll waste some time.
The following data protection authorities are competent in your situation:
- The DPA in your own country
- The DPA in the country where the business is registered
- If the business is registered abroad, the country where they have a representative.
Here’s a list of all the EU DPAs if you are dealing with the GDPR.
File a lawsuit
Last but not least, you can file a lawsuit to protect your online privacy rights as long as you suffer some damages due to the violations.
So, the important thing to note here is that a lawsuit may be successful only if you suffer damages, such as financial losses, damaged reputation, and others. If the business has used cookies without your consent, but that hasn’t caused any injuries, the administrative procedure through the data protection authority is all you can do.
Final Word
Online businesses love personal data. If you have an online business, you likely know the value of data in making business decisions, so it comes as no surprise that companies sometimes go over the line and violate the laws.
If that happens to you, there are ways to act.
But you have to remember that you are the only one who can take action. DPAs may or may not notice that a website violates the laws. After all, there is only one DPA per country and billions of websites worldwide. Tracking all of them is an impossible task.
If you want to protect yourself, it is you who has to take things into your own hands and go after those who violate your data privacy rights. You have the tools. You need to use them.