Data-informed decisions keep profits high while keeping the cost of acquiring new customers down, so almost every online business wants to monitor what you do on the internet. Knowing your behaviour lowers their costs while converting you into a paying customer.
Meanwhile, that monitoring has gone wild, and governments have reacted with more stringent data protection laws.
The GDPR (General Data Protection Regulation) of the European Union is the world’s most famous data protection law, mostly due to the hefty fines.
Despite being aware of the law and the risk of fines, websites keep tracking users’ online behaviour in breach of the GDPR.
To explain how they do that and how you can protect yourself from tracking, this article covers:
- What cookies and tracking technologies are
- What the GDPR says about them
- How websites and apps try to sneak them onto your device against the law
- What to do to protect yourself
What Are Cookies and Other Tracking Technologies?
Cookies are small pieces of data that a website or app stores in your browser (typically through a Set-Cookie response header or a script on the page). Your browser sends them back with every later request to that site, which is how a site recognises you from one page to the next and from one visit to the next, and how the data about you is later collected and processed.
Aside from cookies, websites often use tracking pixels (also known as web beacons): tiny, usually invisible images embedded in a page or an email. Loading the image sends a request to the tracker’s server that carries your IP address, browser details, the page you are on, and any cookies set for the tracker’s domain, so the tracker learns which pages you browse, which ads you click, and so on. They show the website owner, and often third parties, who did what on the website and when.
Regarding your privacy, there are two types of cookies:
- Essential cookies. These cookies are necessary for the proper functioning of the website or app. An example is a cookie that remembers what you have put into your shopping basket while you continue browsing the web store. Without such a cookie, the shopping cart would empty as soon as you moved to another page. No consent is needed for these.
- Non-essential cookies. These are the cookies you may not want on your device. They include statistics cookies, such as those set by Google Analytics, and advertising cookies, such as the tracking technologies of Google and Facebook. These are the cookies that track you, and they require your consent.
You want privacy while browsing the internet. That’s why governments introduce laws that protect your online privacy, with fines for those who do not comply.
The GDPR does not regulate cookies by name (its Recital 30 only mentions them among the online identifiers that can make you identifiable; the EU’s ePrivacy Directive addresses them directly), but it sets the rules for tracking users online: it protects your browsing and forbids websites from collecting your information without your knowledge.
The most notable exceptions are the laws in the United States and India, under which websites can track you without asking. Only in California and Nevada must they tell you that they track you and let you opt out of tracking, but that’s all.
When it comes to the GDPR and similar laws, websites must ask you for consent for each purpose of tracking. If you let them track you, it’s your choice. If you don’t, they must refrain from placing tracking cookies on your device.
What Are Businesses Required to Do Regarding Cookies?
Under the GDPR, businesses are required to obtain your explicit consent before placing any non-essential cookies on your device.
Your consent is lawful only if given:
- Specific. Businesses must request a separate consent for each purpose of data collection and processing. If you consent to Google Analytics being used for statistics, that does not give the business the right to use the same data for advertising.
- Unambiguous. Consent is given only by an affirmative action of the user, such as clicking an ACCEPT button or switching a toggle on. Silence, pre-ticked boxes, scrolling, or simply continuing to browse do not count as consent.
- Easily withdrawn. The user must be able to withdraw consent as easily as it was given. So, if the user only clicked a cookie banner to accept the cookies, they must be provided with a WITHDRAW button to withdraw it. The business must not require forms or emails to withdraw consent that was given with one click.
Nonetheless, online businesses do not always do so.
What Do Businesses Sometimes Do Instead?
They are as creative as they and their lawyers can get. Most often they employ the following strategies:
Assume you accept cookies just by browsing
It is quite common to encounter a cookie banner with these words. There are two big issues with them:
If a website asks you for consent, you can accept the request, refuse it, or ignore it. Only the first is consent; treating your silence or your continued browsing as acceptance is not an affirmative action on your part.
Have cookie walls
This is a cookie wall:
It requires the user to accept the cookies, or to pay, in order to get access to the content. Consent that is the price of admission is not freely given.
Some websites take another route to avoid violating the law. They cover most of the screen with the cookie banner, but they do not require you to accept all the cookies before the banner goes away. You can go to the preferences center and reject all the cookies. This does not violate the law, although it resembles a cookie wall.
However, accepting those terms must be kept separate from accepting cookies for online tracking.
Consent is specific only when it is given separately for each purpose, so the business must request separate consent for each purpose for which it uses cookies.
A cookie banner may look like this one:
Yet the cookie banner above is unlawful: the toggles must not be switched on by default. It should look like this one:
Now your consent is unambiguous, because you are the one who turns a toggle on and then clicks the CONFIRM MY CHOICES button. Anything less than that is against the law.
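The following is an added example, not code from the original article or from any consent-management product, showing what the three consent properties above (specific, unambiguous, easily withdrawn) and the default-off toggles look like when enforced in page code. The purpose names, the cookie names and the in-memory cookie jar are assumptions made so it runs offline in Node; in a browser the jar would wrap document.cookie, and the tag loaders for analytics and advertising would call setCookie through the same gate.

```javascript
// Added example (not the article's code): a minimal consent model that enforces
//  - specific: one flag per non-essential purpose, each granted on its own
//  - unambiguous: a purpose is granted only by an explicit `true` coming from the
//    user's own click; dismissing the banner or browsing on changes nothing
//  - easily withdrawn: withdraw() is one call, as cheap as granting, and it also
//    removes the cookies that were set under that purpose
// Purpose and cookie names below are assumptions chosen for the example.

const NON_ESSENTIAL_PURPOSES = ["analytics", "advertising"];

class ConsentManager {
  constructor(jar) {
    this.jar = jar;                  // Map<name, value>: stands in for the browser's cookie store
    this.granted = {};               // specific: one flag per purpose
    this.cookiesByPurpose = {};      // remembers what to delete on withdrawal
    for (const p of NON_ESSENTIAL_PURPOSES) {
      this.granted[p] = false;       // every toggle starts OFF: nothing is pre-ticked
      this.cookiesByPurpose[p] = new Set();
    }
  }

  // What the banner shows before the user has done anything.
  bannerDefaults() { return { ...this.granted }; }

  // Wired to the user's click on "Confirm my choices". Only an explicit `true`
  // per purpose counts; a missing key, "on", or any other value means "no".
  confirm(choices) {
    for (const p of NON_ESSENTIAL_PURPOSES) {
      if (choices[p] === true) this.granted[p] = true;
      else this.withdraw(p);
    }
    return { ...this.granted };
  }

  // Closing or ignoring the banner, scrolling, or continuing to browse is not
  // an affirmative action, so it must leave the state untouched.
  dismiss() { return { ...this.granted }; }

  // One call withdraws consent for a purpose and deletes its cookies.
  withdraw(purpose) {
    if (!(purpose in this.granted)) return;
    this.granted[purpose] = false;
    for (const name of this.cookiesByPurpose[purpose]) this.jar.delete(name);
    this.cookiesByPurpose[purpose].clear();
  }

  // The gate every tag loader goes through. Essential cookies are never gated.
  setCookie(purpose, name, value) {
    if (purpose !== "essential" && !this.granted[purpose]) return false; // refused
    this.jar.set(name, value);
    if (purpose !== "essential") this.cookiesByPurpose[purpose].add(name);
    return true;
  }
}

// Walk-through with constructed data; returns the observations as an object.
function demo() {
  const jar = new Map();
  const cm = new ConsentManager(jar);
  const seen = {};

  seen.essentialOk = cm.setCookie("essential", "cart", "item-42");          // true
  seen.analyticsBeforeConsent = cm.setCookie("analytics", "_ga", "GA1.2.1"); // false
  seen.afterDismiss = cm.dismiss();                                          // all false

  // The user switches on analytics only and clicks "Confirm my choices".
  seen.afterConfirm = cm.confirm({ analytics: true, advertising: "on" });     // advertising stays false
  seen.analyticsAfterConsent = cm.setCookie("analytics", "_ga", "GA1.2.1");  // true
  seen.adsAfterConsent = cm.setCookie("advertising", "_fbp", "fb.1.1");      // false

  // One click to withdraw: the flag flips and the analytics cookie is deleted.
  cm.withdraw("analytics");
  seen.analyticsAfterWithdraw = cm.granted.analytics;                        // false
  seen.cookiesLeft = [...jar.keys()];                                        // ["cart"]
  return seen;
}

module.exports = { ConsentManager, demo };
```

The point of routing every non-essential cookie through setCookie is that the banner's state becomes the only way tracking code can run: a pre-ticked toggle cannot exist, because the model has no way to grant a purpose other than the user's explicit `true`.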
Ignore data protection laws
Some of them are simply not aware that the GDPR and similar laws exist, and some hope that the data protection authority won’t come after them.
Whatever their reasons, these websites won’t show you a cookie banner asking for consent. They will just place the cookies on your device. When that occurs, or when any of the practices described above occurs, you may want to act to protect your rights.
How to Protect Yourself
When websites act as described above, your personal data rights are being violated. The GDPR is there to protect you, but you are the one who has to take things into your own hands and seek protection of your online privacy.
If you have been in such a situation, here are the steps you could take in order to remove the violation:
Make sure that the GDPR applies
There is no privacy violation if no law grants you the online privacy rights in question.
If the business is established in the European Union, or if you are in the EU and the business offers you goods or services or monitors your behaviour there, then the GDPR applies and you have the right to seek protection.
But first, you need to determine which laws offer such protection to you.
In general, data protection laws apply to:
- Businesses in their jurisdiction
- Individuals in their jurisdiction
- Any individual in the world who interacts with a business from their jurisdiction.
As a result, businesses have to comply:
- With their local data protection laws in any interaction with a user from anywhere in the world
- With the user’s local law in the interaction with that specific user.
If the business and the individual are from different countries, then all the laws that apply to each one of them apply to their relationship.
To determine whether GDPR applies to your case, use the following decision tree:
If you arrived at the “GDPR applies” field, keep reading.
Scan the website for cookies
It is very likely that the website you have visited uses some kind of cookies.
If the website greets you with a mention of cookies, it is certain that they use some.
If you are still not sure, there are free cookie scanners on the internet that show you which cookies a website sets.
A few examples are:
All you have to do is go to the scanner, copy-paste the URL of the website you want to scan and click SCAN.
Then the scanner will do its magic and provide results.
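What such a scanner does is not magic, and you can do it yourself. The following is an added example, not the article's own or any scanner's code: it takes the responses a browser received during a first, consent-less page load (the HTML page plus a pixel image it embedded), parses the Set-Cookie headers and the HTML, and reports what the cookie and tracking-pixel section at the start of this article describes: which cookies were set, by which domain, whether they outlive the session, which images are tracking pixels, and which cookies are non-essential and so should not have been set before consent. The site name, the responses, and the list of cookie names treated as tracking cookies are assumptions constructed for the example.

```javascript
// Added example (not the article's code): an offline cookie and pixel scanner.
// SITE_HOST, SAMPLE_RESPONSES and KNOWN_TRACKING are constructed assumptions.

const SITE_HOST = "shop.example";                         // the page the visitor requested
const KNOWN_TRACKING = ["_ga", "_gid", "_fbp", "_gcl_au", "IDE"]; // assumed non-essential by name

function hostOf(url) { return new URL(url).hostname.toLowerCase(); }

// First-party = the cookie's domain is the visited host or a parent of it.
function isFirstParty(domain) {
  return domain === SITE_HOST || SITE_HOST.endsWith("." + domain);
}

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(headerValue, responseHost) {
  const [nameValue, ...attrs] = headerValue.split(";").map(s => s.trim());
  const eq = nameValue.indexOf("=");
  const c = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
              domain: responseHost, persistent: false, secure: false, httpOnly: false };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : a.slice(i + 1);
    if (key === "domain") c.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age" || key === "expires") c.persistent = true; // survives the session
    else if (key === "secure") c.secure = true;
    else if (key === "httponly") c.httpOnly = true;
  }
  c.firstParty = isFirstParty(c.domain);
  // Anything from another domain, or a known analytics/advertising name, is non-essential.
  c.tracking = !c.firstParty || KNOWN_TRACKING.includes(c.name);
  return c;
}

// Tracking pixels: <img> tags that are 1x1 or hidden and load from another host.
function findTrackingPixels(html) {
  const pixels = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    const attr = n => (tag.match(new RegExp(`\\b${n}\\s*=\\s*["']([^"']*)["']`, "i")) || [])[1];
    const src = attr("src");
    if (!src) continue;
    const tiny = (attr("width") === "1" && attr("height") === "1") ||
                 /display\s*:\s*none/i.test(attr("style") || "");
    if (tiny && hostOf(src) !== SITE_HOST) pixels.push(hostOf(src));
  }
  return pixels;
}

// responses: [{ url, setCookie: [header values], body: html-or-empty }]
function scan(responses) {
  const cookies = [];
  let pixels = [];
  for (const r of responses) {
    for (const h of r.setCookie) cookies.push(parseSetCookie(h, hostOf(r.url)));
    if (r.body) pixels = pixels.concat(findTrackingPixels(r.body));
  }
  return {
    cookies,
    pixels,
    // The scan is of a first load, so no consent could have been given yet.
    setBeforeConsent: cookies.filter(c => c.tracking).map(c => `${c.name}@${c.domain}`),
  };
}

// Constructed responses for a consent-less load of https://shop.example/
const SAMPLE_RESPONSES = [
  { url: "https://shop.example/",
    setCookie: [
      "sessionid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax",           // essential
      "_ga=GA1.2.123.456; Domain=.shop.example; Path=/; Max-Age=63072000",  // analytics, two years
    ],
    body: `<html><body>
      <img src="https://shop.example/logo.png" width="120" height="40">
      <img src="https://tracker.example/pixel.gif?uid=42" width="1" height="1" style="display:none">
      </body></html>` },
  { url: "https://tracker.example/pixel.gif?uid=42",      // the pixel's own response sets a third-party cookie
    setCookie: ["tid=xyz; Domain=.tracker.example; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"],
    body: "" },
];

module.exports = { parseSetCookie, findTrackingPixels, scan, SAMPLE_RESPONSES };
```

Running scan(SAMPLE_RESPONSES) lists three cookies, one pixel host (tracker.example), and two cookies set before consent: the first-party _ga analytics cookie and the third-party tid cookie delivered through the pixel. The sessionid cookie is first-party, session-only and not on the tracking list, so it is treated as essential. A real browser would also need the responses of every script the page loads, since scripts can set cookies too.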
Submit a data subject request
If the applicable laws grant you the right to submit a data subject request, this is the next step to take.
A data subject request is a request that users can submit to businesses to exercise their data subject rights (the user is the data subject).
GDPR grants you the following data subject rights:
| You have the right to: | What the business must deliver upon your request: |
|---|---|
| Know whether the business collects and processes your personal data | Confirmation of whether they collect and/or process your data |
| Access your personal data | Access to every category of personal data they hold about you, the purposes and means of collection and processing, the recipients, the retention period, etc. |
| Rectification | Correction of the inaccurate data they hold about you |
| Erasure of your personal data (the right to be forgotten) | Deletion of the data they hold about you, unless an exception in the law lets them keep it (for example a legal obligation to retain it) |
| Restriction of processing | Restriction of the processing of your data as per your instructions (you may allow them to use your data to show you relevant content, but not for advertising) |
| Data portability | A copy of your data in a structured, commonly used, machine-readable format so that you can transfer it to another data controller |
| Object to processing of your data | An end to the processing you object to |
| Not to be subject to automated individual decision-making, including profiling | An end to the use of your data in automated individual decision-making, including profiling (basically, removing your data from their algorithms) |
You can submit a data subject request for any of these rights, for a combination of them, or for all of them. They are your rights, so you decide how to exercise them.
The GDPR gives the business one month to respond to your request. They may extend that by up to two further months where the number or complexity of requests makes it necessary, but they must tell you about the extension, and the reason for it, within the first month.
If you don’t receive a response in that period, it is time to reach out to the data protection authority.
Lodge a complaint to the competent data protection authority (DPA)
There are two points in time in which you could lodge a complaint to the competent data protection authority:
- Before you submit a data subject request. It is a good idea to make sure that the online business is actually violating your data subject rights before taking any further action, so submitting a request before lodging a complaint is, generally speaking, the better order.
However, in some situations the violation is so obvious that there is no need to waste time.
For example, if an EU business greets you with a cookie wall, it is clear that they are doing something wrong. In that case you could go straight to lodging a complaint with an authority.
- When the business fails to deliver upon your data subject request. Failing to respond to your request is a violation in itself, but it may also mean that the business has committed a series of violations you are not yet aware of. That requires action from your side.
Lodging a complaint to the competent authority is as easy as it can get. Although many authorities have complaint forms on their websites, many of them would accept a complaint submitted in any way.
The tricky part here is to figure out which data protection authority is the competent one. But, even if you don’t get it right and lodge a complaint to the wrong authority, they will just refuse your complaint and will tell you what’s the right address. So, in the worst case scenario, you’ll just waste some time.
The following data protection authorities are competent in your situation:
- The DPA in your own country
- The DPA in the country where the business is registered
- If the business is registered abroad, the country where they have a representative.
Here’s a list of all the EU DPAs if you are dealing with the GDPR.
File a lawsuit
Last, but not least, you can go to court to protect your online privacy rights. The GDPR gives you a right to a judicial remedy against a business that violates it, and a right to compensation if the violation has caused you damage.
The important thing to note is that compensation can be awarded only if you have suffered damage, whether material (such as financial losses) or non-material (such as a damaged reputation). If the business has used cookies without your consent but that has not caused you any damage, the administrative route through the data protection authority is usually the practical way to go.
Online businesses love personal data. If you run an online business, you likely know the value of data in making business decisions, so it comes as no surprise that businesses sometimes go over the line and violate the law.
If that happens to you, there are ways to act.
But you have to remember that you are the only one who can take action. DPAs may or may not notice that a website violates the laws. After all, there is only one DPA per country and billions of websites worldwide. Tracking all of them is an impossible task.
That’s why if you want to protect yourself, it is you who has to take things into your own hands and go after those who violate your data privacy rights. You have the tools. You just need to use them.