The fight to protect privacy – Google to slay the (3rd party) cookie monster!

Growing concerns about privacy have pushed the tech corporations that operate web browsers to take steps to limit the amount of personal data they collect. Google, which relies on advertising revenues to a great extent, has decided to take a slightly different approach in the same direction – to phase out third-party cookies over the course of 2 years, instead of blocking them in one blow. In this write-up, the author focuses on what cookies are, what role they play on the Internet, and how they give rise to considerable privacy concerns, in light of Google’s move.

What are cookies and how do they function?

Cookies have been defined as “plain text files that store user settings for a particular website”. The data carried by cookies makes it easy to identify users and to recognize them at a later point. They are usually of two types – first-party cookies and third-party cookies.

Viewed from a technical standpoint, there is no substantial difference between a first-party cookie and a third-party cookie. They primarily differ in two aspects – source and purpose.

Source: Each cookie has an owner, i.e. a domain name that it is associated with. First-party cookies are issued, or planted, onto the user’s device by the primary website that is actually viewed/accessed by a user (“Primary Website”). Third-party cookies, on the other hand, are created not by the Primary Website but by third parties: either websites that have embedded content on the Primary Website, or advertisers that have purchased some real estate on the Primary Website.

For instance, if YouTube has embedded a video on the Primary Website, e.g. WikiHow, when the video starts to load, YouTube can track the video player and the user’s activities on the Primary Website using the (3rd party) cookies planted by YouTube on the user’s device.

Purpose: First-party cookies are ordinarily used to enhance user experience by providing features such as “Remember password” and keeping the user logged in to its account on the Primary Website. Third-party cookies, on the other hand, are largely used to support online advertisements. Advertisers that have purchased real estate on any website affix certain tags to these websites which enable them to track their ads as well as the activity of users viewing the website. Third-party cookies are the reason why we see an ad for a website/platform selling gym accessories or apparel beside our Facebook feed, after having browsed gym memberships on another website a few minutes earlier.
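The source distinction described above, as an added example that is not part of the original post: a cookie is labelled first- or third-party only by comparing its domain with the site being viewed, so the same cookie changes label depending on the page. The cookie names, URLs and sample responses are constructed, and the two-label `site()` shortcut is an assumption (browsers compare registrable domains using the Public Suffix List).

```javascript
// Approximate a "site" as the last two host labels.
// Assumption: real browsers use the Public Suffix List (e.g. for example.co.uk).
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Extract the cookie name and its owning domain from a Set-Cookie header value.
// Without a Domain attribute, the cookie belongs to the host that sent it.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const domAttr = attrs.find(a => a.toLowerCase().startsWith('domain='));
  const domain = domAttr ? domAttr.slice('domain='.length).replace(/^\./, '') : requestHost;
  return { name, domain: domain.toLowerCase() };
}

// Label every cookie set by the responses fetched while rendering pageUrl.
function classify(pageUrl, responses) {
  const pageSite = site(new URL(pageUrl).hostname);
  return responses.flatMap(r => {
    const host = new URL(r.url).hostname;
    return r.setCookie.map(h => {
      const c = parseSetCookie(h, host);
      return { ...c, party: site(c.domain) === pageSite ? 'first' : 'third' };
    });
  });
}

// Constructed sample: the Primary Website embeds a video player from another site.
const wikihowLoad = [
  { url: 'https://www.wikihow.com/Main-Page',
    setCookie: ['session=abc; Path=/; HttpOnly'] },
  { url: 'https://www.youtube.com/embed/VIDEO_ID',
    setCookie: ['visitor=xyz; Domain=.youtube.com; Path=/'] },
];
// Constructed sample: the same cookie when the user visits the video site directly.
const youtubeLoad = [
  { url: 'https://www.youtube.com/watch?v=VIDEO_ID',
    setCookie: ['visitor=xyz; Domain=.youtube.com; Path=/'] },
];

console.log(classify('https://www.wikihow.com/Main-Page', wikihowLoad));
console.log(classify('https://www.youtube.com/watch?v=VIDEO_ID', youtubeLoad));
```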

Privacy Concerns

Given that cookies have the ability to store and retrieve user information, they have given rise to substantial privacy concerns, which are now sought to be regulated by governments world over through legislations such as the European Union’s General Data Protection Regulation (2016) (“GDPR”), the California Consumer Privacy Act (2018), and the draft Personal Data Protection Bill (2019) (“PDP Bill”) that has been mooted by the Government of India.

Though the Indian counterpart (the PDP Bill, which is undergoing scrutiny by a Joint Parliamentary Committee) does not discuss cookies, Recital 30 of the GDPR brings cookie identifiers within the ambit of the definition of ‘personal data’. Hence, cookies impose an additional obligation upon the data controller[1] (under the GDPR) to procure the user’s consent to process its personal data, which consent has to be freely given, specific, informed and unambiguous. Similarly, under the PDP Bill, consent has to be free, informed, specific, clear and capable of being withdrawn (with ease) (Section 11).

As illustrated below, a lot of websites display a disclaimer on the website at the very beginning, ensuring that the user is made aware of the use of cookies. Cookie disclaimers merely state ‘this website uses cookies’. The problem with a cookie disclaimer is that it merely intimates the user and asks for an “ok” or “I agree”. It doesn’t seek any consent as is required by the GDPR and leaves no choice to the user (other than to leave the website). It doesn’t expose the cookies and tracking present on the site, their purpose and properties, as is the objective of the concept of consent as envisaged by the GDPR. A cookie disclaimer doesn’t specify whether the website uses non-essential cookies (the third-party cookies). What is missing here is an “active consent” from the user to use its personal data.

Another manner of seeking consent is by way of a notice to the user seeking the user’s consent to process its personal data, while specifying the purpose of collection and manner of further use of such personal data. The notice below is one such example.

This website uses cookies

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Source: cookiebot.com/en/

In the case of first-party cookies, it is relatively simple for the data controller to specify what information is being collected from the user, how it is processed and by whom, since the purpose of a first-party cookie is straightforward. However, in the case of third-party cookies, the process gets complicated. As illustrated above, the data controller could be intimating the user that it will “share information about the user’s use of the site with its social media, advertising and analytics partners, who may combine the information with other information”. This may seem like it is protecting the data controller by ensuring compliance on paper, though it is still problematic from the user’s standpoint. Most websites are monetized by employing these advertising models based on a steady network of third-party cookies. In such a situation, the user may know that its personal data is being used for advertising purposes but won’t know the purposes for which it will be processed and by whom, which is indeed the objective of having specific, informed and unambiguous consent. The user may be providing consent on the basis of its impression of the Primary Website and will have no control over its personal data once it clicks “I agree” on the website’s notice. This defeats the purpose of having such a definition for ‘consent’.

Consent taken by websites using cookies – is it really free?

Another aspect to reflect upon is the potentially coercive element inherent in procuring consent. What if the services being provided by the website are conditional on the user providing its consent to the use of its personal data? This would mean that the user has to necessarily opt for the employment of cookies or has to forego using the website in its entirety. This would not be ‘free consent’ in the true sense as it involves ‘detriment to the user’ in case of failure/refusal to provide such consent. As per Recital 42 of the GDPR “consent should not be regarded as freely given, if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment”.

Similarly, Section 11(4) of the PDP Bill specifically states that the provision of goods and services should not be made conditional upon the user giving consent to processing of personal data (not necessary for that purpose). In such a scenario it becomes even more relevant for the notice employed for procuring consent to be as specific and clear as possible, which is difficult with third-party cookies. Third-party cookies function in a wide network where it is not possible for the controller to envisage exactly all the entities that will eventually process the personal data and the uses to which the personal data will be applied once it leaves the controller’s ‘control’.

Google and the cookie monster

Recognizing the pitfalls of allowing these hitchhikers to follow users across the Internet, Apple Inc. (of Safari) and Mozilla Corp. (of Firefox) have already blocked third-party cookies from their browsers, and Google is following in their footsteps.

Google’s representatives have claimed that this move is aimed at providing advertisers, publishers and other industry-insiders with the impetus to come together to create a new set of open web standards, that are more privacy dedicated than the existing practices. It is only when an alternative is developed that support for these cookies will be completely withdrawn.

Why is Google taking a softer approach towards third-party cookies than Firefox Corporation and Apple?

Below are a few points to consider while trying to wrap one’s head around why Google chose to phase out, instead of eliminating third-party cookies like the others:

  1. Google’s business model is largely reliant on ad revenues and eliminating the cog (third-party cookies) in the wheel (the ad ecosystem) would have a major impact on it;
  2. Being the market leader in web browsers (holding 64% of the global market share), any changes made to Google Chrome would permeate through the industry and greatly affect its rivals. Unlike Google Chrome, its rivals would not have access to the amount of logged-in user data that Chrome has access to by virtue of being a part of the Google umbrella. Access to a large amount of logged-in user data will still help Chrome with its targeting and tracking activities, in spite of losing out on data collected by third-party cookies (once they are phased out).

It is safe to assume that Google’s move has the potential to create massive ripples in the online advertising ecosystem, while giving rise to major competition issues. As mentioned earlier, with Chrome continuing to have access to Google’s logged-in user data, and also withdrawing support for third-party cookies, it threatens to disrupt the entire online ad ecosystem by creating barriers to entry. In essence, Chrome will have access to the oxygen (users’ personal data) for the ad ecosystem that won’t be accessible by new entrants (advertisers) or even existing advertisers who are not associated with Google. It can only be hoped that Google succeeds in protecting the interests of consumers (in respect of privacy) without foreclosing other advertisers.

Google’s Privacy Sandbox

In August 2019, the Google Chrome team spoke about a proposition they were working on – the ‘Privacy Sandbox’ – to restrict tracking of users. It has been described as a “secure environment for personalization that also protects user privacy”. Machine learning software will be used in the browser to assess people’s interests, and that information will be shared with advertisers only when it reflects large groups of people, ensuring that the objective of tracking can be fulfilled without advertisers knowing the users’ personal details. In this manner, Google aims to limit the amount of users’ personal data that is being shared with third parties who have not secured specific consent from the users to that effect.

Author’s views

Though similar initiatives have been taken in the past (see the Firefox example above), because of Google’s dominant status, its decision is likely to transform the ad-tech industry as the world has known it so far. As per reports, Google Chrome has an estimated global market share of 62.8%, while Apple’s Safari occupies a mere 15.8% market share, and Internet Explorer is at the fag-end with just 2.47%.

Additionally, in the particular case of 3rd party cookies, since other commonly used browsers have already blocked these cookies as a default, Google’s move is likely to be a curtain call for these tracking activities. In this opaque digital ad ecosystem where the users will never really know how and what part of their personal data is being tracked, we are yet to see how reassuring these initiatives end up being to the users, and how successful they are in the fight for privacy. Another potential implication of phasing out these cookies is that it cuts off advertisers’ access to a substantial amount of user data that helps them to tailor their targeting of ads. Not only is this going to impact advertisers, but as a result of less efficient targeting, it will generate fewer clicks and in a pay-per-click model particularly, that would mean that Chrome will lose out on revenue as it will only get paid when advertisers generate clicks. The question now is how well Google manages to balance the multiple interests involved – preserving the status quo of its revenues (without hurting its advertisers) versus protecting users.

Disclaimer: This post has been prepared for informational purposes only. The information and/or observations contained in this post do not constitute legal advice and should not be acted upon in any specific situation without seeking proper legal advice from a practicing attorney.
