Sneaky Ways Websites Interfere With Your Privacy Online

Updated: 25 February 2021

Data-informed decisions keep profits high and customer-acquisition costs low, so almost every online business wants to monitor what you do on the internet and use that data to turn you into a paying customer.

Over time, that monitoring got out of hand, and governments reacted with stricter data protection laws.

The GDPR (General Data Protection Regulation) of the European Union is the world’s most famous data protection law, mostly due to the hefty fines.

Despite being aware of the law and the risk of fines, though, websites keep tracking users’ online behavior in breach of the GDPR.

To show how they do that and how you can protect yourself from tracking, this article covers:

  • What cookies and tracking technologies are
  • What the GDPR says about them
  • How websites and apps sneak them onto your device in breach of the law
  • What to do to protect yourself


What Are Cookies and Other Tracking Technologies?

Cookies are small pieces of data that a website or app stores in your browser. Your browser sends them back with every later request to that site, which is what lets the site recognise you across pages and visits; the data collected that way is processed later on.

Aside from cookies, websites often use tracking pixels (also known as web beacons): tiny, usually invisible images embedded in a page or email. Loading the image sends a request to the tracker’s server, which records which page you viewed, which ad you clicked, and so on, showing the website owner who did what on the website and when.

Regarding your privacy, there are two types of cookies:

  • Essential cookies. These cookies are necessary for the website or app to function. An example is the cookie that remembers what you have put into your shopping basket while you keep browsing the web store; without it, the cart would empty every time you moved to another page. No consent is needed for these.
  • Non-essential cookies. These are the cookies you may not want on your device. They include analytics cookies, such as those set by Google Analytics, and advertising cookies, such as those set by the tracking technologies of Google and Facebook. These are the cookies that track you.

What Does the GDPR Say About the Use of Cookies?

You want privacy while browsing the internet. That’s why governments introduce laws that protect your online privacy and fine those who do not comply.

The GDPR does not regulate cookies by name (the explicit consent requirement for storing cookies comes from the EU ePrivacy Directive, which relies on the GDPR’s definition of consent), but because cookie identifiers can single you out, it implicitly sets the rules for tracking users online. In short, it protects your browsing and forbids websites from collecting information about you without your knowledge.

The most notable exceptions are the United States and India, where websites may track you without asking. Only California and Nevada require websites to tell you that they track you and to let you opt out, and that’s all.

Under the GDPR and similar laws, websites should ask for your consent for each purpose of tracking. If you let them, that is your choice. If you don’t, they must refrain from setting those cookies on your device.

What Are Businesses Required to Do Regarding Cookies?

Valid Cookie Consent

Under the GDPR, businesses are required to ask for your explicit consent before using non-essential cookies.

If you consent to their use of cookies, they can track you online. If you don’t, they must not track you, and they must still let you access their free content.

Moreover, they must request consent in a specific way. If the request does not meet the legal requirements, it is as if they had never asked, even if you clicked to agree.

Your consent is lawful only if given:

  • Freely. Consent is free only if you have a real choice to accept or refuse the cookies. Businesses must not trap users into accepting, for example by bundling consent with the Terms of Use or by using cookie walls.
  • Specific. Businesses must request separate consent for each purpose of data collection and processing. If you consent to Google Analytics for analytics purposes, that does not give the business the right to use the same data for advertising.
  • Unambiguous. Consent is given only by an affirmative action of the user, such as clicking an ACCEPT button or switching a toggle on yourself. Scrolling or continuing to browse is not an affirmative action.
  • Easily withdrawn. The user must be able to withdraw consent as easily as it was given. If the user only clicked a cookie banner to accept the cookies, they must be given a WITHDRAW button to undo it; the business must not require forms or emails for withdrawing consent given that way.

Nonetheless, online businesses do not always do so.

What Do Businesses Sometimes Do Instead?


They get as creative as they and their lawyers can. Most often they use the following strategies:

Assume you accept cookies just by browsing

“This website uses cookies. By browsing this website you agree to the use of cookies and accept our privacy policy.”

It is quite common to encounter a cookie banner with these words. There are two big issues with them:

  • Accepting a privacy policy is meaningless. A privacy policy is a notice: a document in which the business informs you about its privacy practices. There is nothing to accept; it only describes how things already are. Accepting cookies, on the other hand, means everything to a business that wants to track you online.
  • If you have not clicked an ACCEPT button, you have not consented to the use of cookies. Browsing the website is not consent.

If they ask you for consent, you can accept the request, refuse it, or ignore it.

If you accept it, they can use cookies.

If you reject it or ignore it, they must not use cookies. If they use them anyway, they violate your privacy rights.

Have cookie walls

A cookie wall is a cookie banner that doesn’t give you access to the website or app content unless you consent to the use of cookies and tracking technologies. Cookie walls are unlawful.
This is a cookie wall:

[Image: cookie wall]

It requires the user either to accept the cookies or to pay for access to the content.

Some websites take a different route to stay within the law. They cover most of the screen with the cookie banner, but they do not require you to accept all cookies before it goes away: you can open the preferences center and reject them all. This does not violate the law, although it resembles a cookie wall.

[Image: banner that covers the screen but lets the user reject all cookies; not a cookie wall]

Bundle Terms of Use with privacy policy and consent

Wording such as “By accepting these Terms of Use you accept our privacy policy and the use of cookies” is against the law. It violates your privacy rights because it does not request specific consent but lures you into consenting by bundling it with acceptance of the Terms of Use.

[Image: Terms &amp; Conditions bundled with cookie consent]

The Terms of Use are a contract between the website or the app and the user. It governs your use of the website or the app. If you want to use an app, you have to agree to the terms set by the app owner.

However, accepting those terms must be separate from accepting cookies for online tracking.

Pre-checked boxes

Consent is specific only when given separately for each purpose, so the business must request separate consent for each purpose for which it uses cookies.

If the website uses cookies to remember your preferences, an analytics tool for statistics, and an advertising pixel to market its products to you on social media later on, it has to request separate consent for each of them.

A cookie banner may look like this one:

[Image: cookie banner with all purpose toggles pre-switched on]

That banner is unlawful: the toggles for non-essential purposes must not be switched on by default. It should look like this one:

[Image: cookie banner with all purpose toggles off and a CONFIRM MY CHOICES button]

Now your consent is unambiguous, because you are the one who switches a toggle on and clicks the CONFIRM MY CHOICES button. Anything less than that is against the law.
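The four consent requirements described earlier (freely given, specific, unambiguous, easily withdrawn) and the pre-checked-toggle problem above come down to a few rules that a consent banner’s code has to enforce. The JavaScript below is an added example written for this article; it is not the author’s code nor any consent-management vendor’s, and the purpose names, tracker URLs and the cookie names it expires are illustrative assumptions. It shows the unlawful pre-checked default beside the lawful all-off default, loads a tracker only for purposes the user switched on and then confirmed, keeps consent for one purpose from leaking into another, and makes withdrawal a single call.

```javascript
// Consent gate for non-essential tracking. Added example for this article;
// not the author's code or any consent-management vendor's. Purpose names,
// tracker URLs and cookie names below are illustrative assumptions.

const PURPOSES = ["analytics", "advertising"];

// Tracker registry: which script belongs to which purpose (illustrative hosts).
const TRACKERS = {
  analytics: ["https://analytics.example/collect.js"],
  advertising: ["https://ads.example/pixel.js"],
};

// Cookies each purpose leaves behind, so they can be expired on withdrawal.
// Names follow the usual Google Analytics / Facebook Pixel cookies (assumption).
const PURPOSE_COOKIES = {
  analytics: ["_ga", "_gid"],
  advertising: ["_fbp"],
};

// The unlawful pattern from the article: toggles arrive already switched on.
function preCheckedDefaults() {
  return Object.fromEntries(PURPOSES.map((p) => [p, true]));
}

// The lawful pattern: every non-essential purpose starts off.
function lawfulDefaults() {
  return Object.fromEntries(PURPOSES.map((p) => [p, false]));
}

// Fresh consent record: nothing confirmed, so nothing may load yet.
function createConsent() {
  return { choices: lawfulDefaults(), confirmed: false };
}

// Affirmative action: the user submits the toggles they switched on themselves
// (the CONFIRM MY CHOICES click). Only an explicit `true` counts; anything
// missing or merely truthy stays off, so no purpose is consented to by accident.
function confirmChoices(consent, choices) {
  const next = lawfulDefaults();
  for (const purpose of PURPOSES) next[purpose] = choices[purpose] === true;
  return { choices: next, confirmed: true };
}

// Withdrawal is one call, as easy as the original click: back to all-off.
function withdrawConsent() {
  return { choices: lawfulDefaults(), confirmed: false };
}

// Loads only the scripts the record permits and returns their URLs.
// `loadScript` is injected so the gate runs outside a browser; in a page it
// would append a <script src=url> element to document.head.
function loadPermittedTrackers(consent, loadScript) {
  const loaded = [];
  if (!consent.confirmed) return loaded; // browsing or scrolling is not consent
  for (const purpose of PURPOSES) {
    if (!consent.choices[purpose]) continue; // consent is per purpose
    for (const url of TRACKERS[purpose]) {
      loadScript(url);
      loaded.push(url);
    }
  }
  return loaded;
}

// Set-Cookie strings that expire a withdrawn purpose's cookies. In a browser
// each one would be assigned to document.cookie.
function expiryHeadersFor(purpose, domain) {
  return PURPOSE_COOKIES[purpose].map(
    (name) => `${name}=; Max-Age=0; Domain=${domain}; Path=/`
  );
}

// Demo run: the visitor enables analytics only, later withdraws everything.
const consentAfterBanner = confirmChoices(createConsent(), { analytics: true });
loadPermittedTrackers(consentAfterBanner, (url) => console.log("load", url));
console.log(expiryHeadersFor("analytics", ".shop.example"));
console.log(loadPermittedTrackers(withdrawConsent(), () => {})); // []
```

In a page, `loadScript` would append a `<script>` element and each string from `expiryHeadersFor` would be assigned to `document.cookie`; the loader is injected so the gate can be exercised in Node without a browser. A consent record kept only in memory is lost on the next page load, so a real implementation stores it (that storage is itself a necessary cookie or local-storage entry, which needs no consent) and replays it on every visit before any tracker script is added to the page.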

Ignore data protection laws

Some online businesses ignore the GDPR altogether. They act as if it doesn’t apply to them and use cookies to track you even though it puts them at risk of a fine.

Some of them are just not aware that the GDPR and similar laws exist and some hope that the data protection authority won’t come after them.

Whatever their reasons, these websites won’t show you a cookie banner asking for consent. They simply set the cookies on your device straight away. When that happens, or when any of the practices described above occurs, you may want to act to protect your rights.

How to Protect Yourself?

When websites act as described above, your personal data rights are being violated. The GDPR is there to protect you, but you are the one who has to take matters into your own hands and seek protection of your online privacy.

If you have been in such a situation, here are the steps you can take to stop the violation:

Make sure that the GDPR applies

There is no privacy violation if no law grants you online privacy rights.

If either you or the online business is based in a member state of the European Union, the GDPR applies and you have the right to seek protection.

But first, you need to determine which laws offer such protection to you.

In general, data protection laws apply to:

  • Businesses in their jurisdiction
  • Individuals in their jurisdiction
  • Any individual in the world who interacts with a business from their jurisdiction.

As a result, businesses have to comply:

  • With the local data protection laws in any interaction with a user from anywhere in the world
  • With the user’s local law in the interaction with that specific user.

If the business and the individual are from different countries, then all the laws that apply to each one of them apply to their relationship.

To determine whether GDPR applies to your case, use the following decision tree:

[Image: decision tree for determining whether the GDPR applies]

If you arrived at the “GDPR applies” field, keep reading.

Scan the website for cookies

It is very likely that the website you have visited uses some kind of cookies.

If the website greets you by mentioning cookies, you can be certain it uses some.

If you are still not sure, there are free cookie scanners on the internet that check what a website sets.

A few examples are:

All you have to do is go to the scanner, copy-paste the URL of the website you want to scan and click SCAN.

[Image: cookie scanner input form]

The scanner then loads the site, records the cookies and third-party requests it observes, and shows you the results.
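As an added illustration of what such a scanner does under the hood (this is example code written for this article, not the code of any scanner the text refers to), the JavaScript below inspects a constructed first-visit response, that is, what a browser receives before anyone has touched the cookie banner. It parses the Set-Cookie headers, classifies cookie names against an illustrative purpose table (the names _ga, _gid and _fbp are the ones Google Analytics and the Facebook Pixel commonly set; the rest of the table is an assumption), and lists script, image and iframe loads from hosts other than the site’s own, flagging 1x1 third-party images as tracking pixels. The site name, headers and HTML are all constructed for the example.

```javascript
// Offline cookie scan: what a site sets before the visitor has clicked anything.
// Added example for this article, not the code of any scanner it mentions.
// The response below is constructed; host and cookie names are illustrative,
// except that _ga/_gid (Google Analytics) and _fbp (Facebook Pixel) are the
// usual names those tools use.

const SITE = "https://shop.example";

// Constructed first-visit response: Set-Cookie headers plus the page HTML, as a
// browser would receive them before any interaction with a cookie banner.
const SAMPLE_RESPONSE = {
  setCookie: [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cart=2items; Path=/; Max-Age=3600",
    "_ga=GA1.2.111.222; Domain=.shop.example; Path=/; Max-Age=63072000",
    "_fbp=fb.1.1.333; Domain=.shop.example; Path=/; Max-Age=7776000",
  ],
  html: `
    <html><body>
      <script src="/static/app.js"></script>
      <script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
      <img src="https://www.facebook.com/tr?id=1&ev=PageView" width="1" height="1">
      <iframe src="https://shop.example/help"></iframe>
    </body></html>`,
};

// Cookie names mapped to purposes (illustrative). Anything not listed is
// reported as "unknown" for manual review, never silently treated as essential.
const COOKIE_PURPOSE = {
  sessionid: "essential", cart: "essential",
  _ga: "analytics", _gid: "analytics", _gat: "analytics",
  _fbp: "advertising", _fbc: "advertising",
};

// Parses one Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  // A persistent cookie outlives the browser session; tracking cookies usually do.
  const persistent = "max-age" in attrs || "expires" in attrs;
  return { name, value, attrs, persistent };
}

function classifyCookie(cookie) {
  return COOKIE_PURPOSE[cookie.name] || "unknown";
}

// Finds script, img and iframe sources served from hosts other than the site's
// (subdomains count as first party). A 1x1 third-party img is the classic pixel.
function thirdPartyResources(html, site) {
  const siteHost = new URL(site).hostname;
  const found = [];
  for (const m of html.matchAll(/<(script|img|iframe)\b([^>]*)>/gi)) {
    const tag = m[1].toLowerCase();
    const attrsText = m[2];
    const src = attrsText.match(/\bsrc=["']([^"']+)["']/i);
    if (!src) continue;
    const url = new URL(src[1], site);
    const host = url.hostname;
    if (host === siteHost || host.endsWith("." + siteHost)) continue;
    const pixel = tag === "img" &&
      /\bwidth=["']?1(["'\s]|$)/.test(attrsText) &&
      /\bheight=["']?1(["'\s]|$)/.test(attrsText);
    found.push({ tag, host, url: url.href, pixel });
  }
  return found;
}

// Full report for one response: every cookie, the ones that track, the ones
// nobody has classified yet, and the third-party loads.
function scan(response, site) {
  const cookies = response.setCookie.map(parseSetCookie);
  const trackers = cookies.filter((c) => ["analytics", "advertising"].includes(classifyCookie(c)));
  const unknown = cookies.filter((c) => classifyCookie(c) === "unknown");
  return { cookies, trackers, unknown, thirdParty: thirdPartyResources(response.html, site) };
}

const report = scan(SAMPLE_RESPONSE, SITE);
console.log("tracking cookies set before consent:",
  report.trackers.map((c) => `${c.name} (${classifyCookie(c)}, persistent=${c.persistent})`));
console.log("third-party loads:", report.thirdParty);
```

One caveat a practitioner should keep in mind: on a real site most tracking cookies (including _ga and _fbp) are written by the tracker’s JavaScript after the page loads, not by the server’s Set-Cookie header, which is why the scanners the article mentions drive a real browser and record what the page does rather than only reading the HTML. The sample above puts them in headers purely so the example runs offline.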

Submit a data subject request

If the applicable laws grant you the right to submit a data subject request, this is the next step to take.

A data subject request is a request that users can submit to businesses to exercise their data subject rights (the user is the data subject).

GDPR grants you the following data subject rights:

  • Know whether the business collects or processes your personal data. On request, it must confirm whether it does.
  • Access your personal data. It must give you access to every category of personal data it holds about you, along with the purposes and means of collection and processing, the recipients, the retention period, and so on.
  • Rectification. It must correct the inaccurate data it holds about you.
  • Erasure of your personal data (the right to be forgotten). It must delete the data it holds about you.
  • Restriction of processing. It must restrict processing as you instruct (for example, you may allow it to use your data to show you relevant content but not for advertising).
  • Data portability. It must hand over your data in a structured, commonly used, machine-readable format so you can transfer it to another data controller.
  • Object to processing. It must stop processing your data as you instruct.
  • Not be subject to automated individual decision-making, including profiling. It must stop using your data in such decisions (in effect, remove your data from its algorithms).

You can submit a data subject request for any of these rights, for a combination of them, or for all of them. They are your rights, so you decide how to exercise them.

Businesses usually include the methods for submitting requests in their privacy policy. However, they are obliged to accept your request no matter how you have submitted it.

So, the best way is to look at the privacy policy. If there is nothing there or it is hard to navigate, just send them an email or contact them through their contact form.

The GDPR gives them one month to respond to your request. They may extend that by up to two further months if the request is complex or you have made several, but they must tell you about the extension, and the reason for it, within the first month.

If you don’t receive a response in that period, it is time to reach out to the data protection authority.

Lodge a complaint to the competent data protection authority (DPA)

There are two points in time in which you could lodge a complaint to the competent data protection authority:

  • Before you submit a data subject request. It is generally wise to confirm that the online business is violating your data subject rights before taking further action, so submitting a request before lodging a complaint is usually the better order.

    However, there are some situations where it is too obvious that your rights have been violated and there is no need to waste time.

    For example, if an EU business welcomes you with a cookie wall, it is clear that they are doing something wrong. This is a time when you could go ahead with lodging a complaint to an authority.

  • When the business fails to deliver upon your data subject request. Failing to respond to your request is a violation in itself, but it may also mean that the business has committed a series of violations you are not yet aware of. That calls for action on your side.

Lodging a complaint with the competent authority is as easy as it gets. Many authorities have complaint forms on their websites, and many will accept a complaint submitted in any form.

The tricky part is figuring out which data protection authority is the competent one. But even if you get it wrong and lodge the complaint with the wrong authority, they will simply decline it and tell you which one is right. In the worst case, you lose some time.

The following data protection authorities are competent in your situation:

  • The DPA in your own country
  • The DPA in the country where the business is registered
  • If the business is registered abroad, the country where they have a representative.

Here’s a list of all the EU DPAs if you are dealing with the GDPR.

File a lawsuit

Last, but not least, you can file a lawsuit to protect your online privacy rights, as long as you have suffered damage because of the violations.

So the important thing to note is that a lawsuit can succeed only if you have suffered damage, such as financial loss or harm to your reputation. If the business has used cookies without your consent but that has caused you no damage, the administrative procedure through the data protection authority is all you can do.

Final Word

Online businesses love personal data. If you run an online business, you probably know the value of data in making business decisions, so it comes as no surprise that businesses sometimes cross the line and break the law.

If that happens to you, there are ways to act.

But remember that you are the only one who can take action. DPAs may or may not notice that a website breaks the law. After all, each country has only one or a few DPAs, and there are billions of websites worldwide; monitoring all of them is impossible.

That’s why if you want to protect yourself, it is you who has to take things into your own hands and go after those who violate your data privacy rights. You have the tools. You just need to use them.

Written by: Petar Todorovski

Petar Todorovski is interested in just about anything where law and technology intersect. His work includes legal consultation for companies, drafting IT-related legislation for the Macedonian government, and designing legal tech apps for a data protection management platform.

He has experience in data protection, cybersecurity, trust services, digital transformation of public services, access to justice, and writing for the internet.

He is a big advocate of automation, user-centered design, and the use of plain language in the legal industry.

Petar takes a break from law and tech by having a Crossfit workout, enjoying the outdoors, and reading smart people’s blogs.
