Data-informed decisions keep the profits high while optimizing the costs of acquiring new customers, so almost every online business wants to monitor what you do on the internet. This keeps their prices low while converting you to a paying customer.
In the meantime, the monitoring has gone wild, and governments reacted with more stringent data protection laws.
The GDPR (General Data Protection Regulation) of the European Union is the world’s most famous data protection law, primarily due to the hefty GDPR fines.
Despite being aware of the law and the risk of fines, though, websites keep tracking users’ online behavior against the GDPR.
To explain to you how they do that and how you can protect yourself from tracking, we will explain the following:
Cookies are small files that websites or apps send to your device to collect specific data. Later on, that data is being processed.
Aside from cookies, websites often use tracking pixels (also known as web beacons), which follow the websites you browse, the ads you click, etc. They show the website owner who did what on the website and when.
Regarding your privacy, there are two types of cookies:
You want privacy while browsing the internet. Governments introduce laws that protect your online privacy with fines for those who do not comply.
The GDPR doesn’t address cookies, but it implicitly sets the rules for tracking users online. They protect your browsing around the internet and forbid websites from collecting your info without knowing.
The most notable exceptions are the United States and India laws, according to which websites can track you without asking. Only in California and Nevada should they tell you that they track you and should let you opt out of tracking, but that’s all.
When it comes to the GDPR and similar laws, websites should ask you for consent for each purpose of tracking. If you let them use it, it’s your choice. If you don’t let them, they must restrain from injecting cookies into your device.
According to the GDPR, businesses must ask for your explicit consent before using cookies.
If you consent to their cookies, they can track you online. They must not track you if you don’t accept it, even while allowing you access to their free content.
Your consent is lawful only if given:
Nonetheless, online businesses do not always do so.
They are as creative as they and their lawyers could get. Most often, they employ the following strategies:
It is quite common to encounter a cookie banner with these words. There are two big issues with them:
If they ask you for consent, you can accept the request, refuse it, or ignore it.
This is a cookie wall:
It requires the user to accept the cookies or pay to access the content.
Some websites do it another way to avoid violating the law. They cover most of the screen with the cookie banner, but they don’t require accepting all the cookies before removing them from the screen. You can go to the preferences center and reject all the cookies. This does not violate the law, although it resembles cookie walls.
However, accepting those terms must be separate from accepting cookies for online tracking.
The consent is specific only when given separately for each particular purpose. This means that the business must request separate consent for each specific purpose of using cookies.
A cookie banner may look like this one:
Yet, the cookie banner above is unlawful. The toggles must not be turned active. It should look like this one:
Now your consent will be unambiguous because you will be the one who will turn the toggle on and click the CONFIRM MY CHOICES button. Anything less than that is against the law.
Some of them are unaware that the GDPR and similar laws exist, and some hope that the data protection authority won’t come after them.
Whatever their reasons, these websites won’t show you a cookie banner asking for consent. They will fire the cookies straight into your device. When that occurs, or if any of the acts described above occurs, you may want to act against it to protect your rights.
When websites act as described above, your data rights are being violated. The GDPR is here to protect you, but you are the one who has to take things into your own hands and seek the protection of your online privacy.
If you have been in such a situation, here are the steps you could take to remove the violation:
There is no privacy violation if there is no law that grants you online privacy rights.
If you or the online business are from a member-state of the European Union, then the GDPR applies, and you have the right to seek protection.
But first, you need to determine which laws offer such protection to you.
In general, data protection laws apply to:
As a result, businesses have to comply:
If the business and the individual are from different countries, then all the laws that apply to each of them apply to their relationship.
To determine whether GDPR applies to your case, use the following decision tree:
If you arrived at the “GDPR applies” field, keep reading.
The website you have visited likely uses some cookies.
If the website welcomes you by mentioning cookies, it is 100% sure they use some.
If you are not sure yet, though, there are cookie scanners available for free on the internet where you can check out what websites use them.
A few examples are:
You have to go to the scanner, copy-paste the URL of the website you want to scan, and click SCAN.
Then the scanner will do its magic and provide results.
If the applicable laws grant you the right to submit a data subject request, this is the next step to take.
A data subject request is a request that users can submit to businesses to exercise their data subject rights (the user is the data subject).
GDPR grants you the following data subject rights:
|You have the right to:||What the business must deliver upon your request:|
|Get information whether the business collect and processes your personal data||Information on whether they collect and/or process your data|
|Access your personal data||Provide you access to every category of personal information they have about you, the purpose and the means of collection and processing, the recipients, the retention period, etc.|
|Rectification||Correct the inaccurate data they have about you|
|Erasure of your personal data (the right to be forgotten)||Delete all the data they have about you|
|Restriction of processing||Restrict the processing of your data as per your instructions (you may allow them use your data to provide you with relevant content, but not for advertising)|
|Data portability||Provide you a file or folder with all your data so that you can transfer it to another data controller|
|Object to processing of data||Stop processing your data as per your instructions|
|Not to be part of automated individual decision-making, including profiling||Stop using your data in automated individual decision-making, including profiling (basically, remove your data from their algorithms)|
You can submit a data subject request for any of these rights, a combination of them, or all of them. It’s your right, so you decide how to exercise them.
The GDPR gives them 30 days to respond to your request. They may take another 30 days if your submission makes it complicated to answer in the initial 30 days.
If you don’t receive a response in that period, it is time to reach out to the data protection authority.
There are two points in time in which you could complain to the competent data protection authority:
However, there are some situations where it is too obvious that your rights have been violated, and there is no need to waste time.
For example, if an EU business welcomes you with a cookie wall, it is clear that they are doing something wrong. This is when you could go ahead with lodging a complaint to an authority.
Lodging a complaint to the competent authority is as easy as possible. Although many authorities have complaint forms on their websites, many of them would accept a complaint submitted in any way.
The tricky part here is to figure out which data protection authority is the competent one. But, even if you don’t get it right and lodge a complaint to the wrong authority, they will refuse your complaint and tell you what’s the correct address. So, in the worst-case scenario, you’ll waste some time.
The following data protection authorities are competent in your situation:
Here’s a list of all the EU DPAs if you are dealing with the GDPR.
Last but not least, you can file a lawsuit to protect your online privacy rights as long as you suffer some damages due to the violations.
So, the important thing to note here is that a lawsuit may be successful only if you suffer damages, such as financial losses, damaged reputation, and others. If the business has used cookies without your consent, but that hasn’t caused any injuries, the administrative procedure through the data protection authority is all you can do.
Online businesses love personal data. If you have an online business, you likely know the value of data in making business decisions, so it comes as no surprise that companies sometimes go over the line and violate the laws.
If that happens to you, there are ways to act.
But you have to remember that you are the only one who can take action. DPAs may or may not notice that a website violates the laws. After all, there is only one DPA per country and billions of websites worldwide. Tracking all of them is an impossible task.
If you want to protect yourself, it is you who has to take things into your own hands and go after those who violate your data privacy rights. You have the tools. You need to use them.