Goodbye cookies? – How online tracking will change

//by Kristin Benedikt//

For years, the EU has been struggling to find a new legal framework for the Internet.  It is not just a question of the confidentiality of electronic communication or data security.  The key issue is still the conditions under which companies are allowed to track online user behaviour and whether consent must always be obtained.  There are ongoing discussions even now regarding cookies in the legal proceedings of the ePrivacy Regulation. Why this question will be old news tomorrow and why the regulation of the advertising industry can only succeed by thinking outside the box:

1. Functionality 

Originally, cookies had the purpose of bridging the so-called “statelessness of the web”.  Every click on a website, every user action, cannot be assigned to a user for technical reasons.  Cookies are used so that we can still shop online, log in to email accounts, use online banking or social media, and do not have to re-enter our user data with every click.  Cookies are not just “small text files that are stored in the browser” as almost every privacy policy states.  Strictly speaking cookies are nothing more than a digital name tag with which we identify ourselves on the Internet.  Cookies have been increasingly replaced by other tracking technologies for years.  Instead, browser fingerprinting, tracking pixels, or other identifiers are used.  Apps can do without cookies altogether by using for example, the so-called Advertising-ID from the provider of the operating system of mobile devices.  This makes it more difficult for users to control tracking themselves.  

2. Legal framework

The current regulations of online tracking are no longer up to date.  At the European level,

the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his or her consent.  This shall not prevent any technical storage or access […]as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service (Art. 5 (3) ePrivacy Directive)1. 

The storage of information refers to the setting of cookies.  In the future, the ePrivacy Directive will be superseded by the ePrivacy Regulation and will consider the technical developments of the last ten years, but also enable innovations such as artificial intelligence.  

An important aspect that is often overlooked: Two different legal frameworks apply to online tracking. 

To the extent that the integrity of the device is accessed (this includes setting cookies, granting app permissions, and using identifiers), the ePrivacy Directive, or in the future, the ePrivacy Regulation applies.  

Only then, when the information of the end device is processed at the controller, do the regulations of the GDPR (General Data Protection Regulation) also apply.  This only leads to legal uncertainty because the relationship between ePrivacy and the GDPR is unclear in many cases, e.g.:

• The ePrivacy Directive focuses on the party accessing information on the end device, while the GDPR focuses on the controller.  

• Consent is the sole legal basis within Art. 5 ePrivacy Directive unless certain exceptions apply.  The GDPR on the other hand, regulates various legal bases in Art. 6, including the balancing of interests.  This opens up a great deal of leeway for companies when processing data.  

This legal uncertainty has further consequences:

Users have been flooded with cookie banners for quite some time.  Yet many of the banners are unsuitable for obtaining effective consent from the user, or they are not required at all because the app provider or website operator does not need consent from the user.  

Some European supervisory authorities have named concrete practical cases in which consent is not required under the ePrivacy Directive.  This applies, for example, to the use of cookies and other tracking technologies in the following cases: 

• Web audience measuring

• storage of user preferences, for example, language and country

• authentication

• fraud prevention measures

• billing

From the perspective of the supervisory authorities, these processing activities are “strictly necessary” within the meaning of Art. 5(3) of the ePrivacy Directive.  

Despite these recommendations of the supervisory authorities, legal uncertainty still prevails.  This is partly because no one-stop-shop procedure applies under the ePrivacy Directive as it does under the GDPR.  As a result, each supervisory authority interprets the law differently and there is hardly any enforcement of the law by the supervisory authorities in Europe, although many breaches in cookie banners and tracking procedures are obvious. However, this is likely to change quickly with the complaints by Maximilian Schrems´ NGO – NYOB. Schrems has issued more than 500 complaints about unlawful cookie banners.2

A solution could be mandatory setting options for users by data trustees.  Such a provision is also being discussed in the legislative process for the Data Governance Act.3  Users regain their data sovereignty by indicating their privacy preferences to a neutral third party.  The data trustee does not pursue any economic self-interest and may only forward user data if the user has given one-time consent.  This kills two birds with one stone: the user is freed from the flood of banners and companies can process user data in a legally secure manner.  The German legislature has firmly anchored the model of the data trustee, the so-called Personal Information Management Systems (PIMS) in a new Internet Data Protection Act.4 If PIMS succeeds in establishing itself on the German market, it would be a German showpiece that can be considered a blueprint for the ePrivacy Regulation. 

3. New standards – new problems

While legislators are still struggling to find new rules on data protection, the tech giants are developing new technical standards whose impact will affect not only data protection but the entire digital economy.

Google is planning “anonymous” user tracking that does without cookies. 5 Apple has implemented tracking protection for users with iOS 14.5. Only apps that are programmed according to Apple’s “privacy laws” are allowed to track users.6

What at first glance sounds like an achievement in data protection, on the other hand reinforces the monopoly position of the tech giants. Through their technical standards, the tech giants create a technical framework for themselves that is so narrow for all other companies that only the principle of “eat or die” applies.

For this reason, the competition authorities in the EU, especially Germany, are conducting proceedings against Apple and Google. 7 And that is a good thing! Data protection law alone cannot guarantee the free movement of data. The last three years after the GDPR came into force have shown that.

Kristin Benedikt is Judge in Germany and has been working with Bavarian Supervisory Authority (Bayrisches Landesamt für Datenschutzaufsicht) responsible for Data Protection and Internet.