GDPR and the use of web tracking

Despite the distractions of Brexit, a research report on web tracking published a mere two weeks ago has already attracted the notice of the European parliament to an online abuse that has reached endemic proportions.

The research, by Cybot – an online tracking consent solution provider – reveals the frightening extent of sensitive personal data leakage from European government and health service web sites via uncontrolled use of third party tracking.

What’s the problem?

Merely visiting a web page containing a tracker will silently inform the tracking service that the data subject visited the page – only metadata maybe, but highly indicative of the person's interest in the subject of the page, and another data point in a potentially sensitive profile. Even worse is the news that such tracking can cascade – the first party tracking service may, and often does, pass the parcel onward to other trackers, leading to extremely wide and essentially uncontrolled data sharing. It's worth noting that not a few of the trackers identified in this report seem entirely unnecessary (e.g. a YouTube tracker on a UK government page) or downright inappropriate (e.g. a twitter tracker on a health service page about incipient alcoholism or a Facebook tracker on an HIV advice page). We should be asking (loudly) who made the decisions to include such tracking on these pages and on what authority they did so, regardless of which it’s the data controller that will be ultimately deemed responsible and liable.

What makes this report particularly horrific is the sensitive nature of the sites concerned and that they’re government owned, but the same abuse occurs on vast numbers of commercial and even non-commercial web sites. Just for example, the inclusion of a conventional Facebook or Twitter ‘Like’ button on a web page is sufficient for Facebook or Twitter to be automatically and silently informed of every visit to that page, without the visitor having to click on the button and regardless of whether they have chosen to sign up to Facebook or Twitter. Given the prevalence of such buttons on web pages and bearing in mind that, courtesy of a 2016 European Court of Justice ruling, an IP address alone may constitute personal data, even if nothing more than that and the page visited were to be tracked the inevitable outcome is a detailed personal lifestyle and interests profile in the hands of the tracking service provider. However numerous studies have shown that considerably more information than that minimum can be transmitted to tracking services, making absolute identification of individuals perfectly feasible, and entirely without their knowledge or consent.

However, explicit tracking and profiling for advert targeting is not the only concern. Third party web analytics services are used widely and legitimately for determining the effectiveness of a web site, but the information provided by visits to its pages is potentially open to wider use by an analytics service without this necessarily being obvious to either the web site owner or its visitors. If this information were to be retained by the analytics service, a quite sophisticated personal profile of an individual could be accumulated from their visits to multiple web sites that all use that service. The individual might well not be made aware of this (which would breach the transparency principle), and furthermore should any of this data refer, for example, to health or to political interests we could enter the territory of the ‘special categories’ of sensitive personal data, requiring explicit consent from the data subject (GDPR Article 9) for use (including retention) of the data by the analytics service.

What's at stake?

As such processing takes place without the knowledge of data subjects and completely outwith their control, it’s likely to breach their rights under the legislation. The point is that the GDPR is not data law – it’s human rights law. Consequently your duty is not limited to protecting the data – it extends to protecting the rights and freedoms of your data subjects. So the ‘data subject rights’ addressed in Chapter III of the GDPR are far from the sum total of their rights. As Recital 4 states “This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.” Recital 75 goes further: “The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage ...”. Non-material damage can include psychological and emotional harms, so annoyance at receiving unsolicited marketing material from a tracker-based advertising service or worry about being profiled by a social networking service the data subject has chosen not to subscribe to could well qualify as breaches of their rights and freedoms and lead to upheld complaints (as indeed they are already doing in Europe).

Taking control

The fundamental source of this problem is the data controller failing to ensure services it engages (whether its marketing folks, its web developers or some other third party service) fully respect the privacy of the controller’s data subjects. As the data controller has a duty under the GDPR to ensure that all processing they specify or approve is lawful, the controller is likely to be jointly responsible and liable with a service they engage if a complaint is upheld against any processing by that service (the general accountability principle and, specifically with reference to trackers, the European Court of Justice, Advocate General’s Opinion in Case C-40/17). Therefore, the minimum safe course of action to protect your data subjects, and thereby protect your business, is to thoroughly research the privacy regime of any prospective third party service, then put yourself mentally in the place of a data subject and decide whether you would accept that privacy regime yourself. You will probably also need to provide quite detailed instructions to your subcontractors, particularly to your web developers as recent research has shown that they don’t generally consider user privacy or security unless explicitly instructed to (and, even if so instructed, may in the absence of specific technical guidance deliver inadequate implementations of both). The provision of such instructions to data processors is in any case required by Article 28 of the GDPR, so the key issues will be the level of detail deemed necessary in those instructions, and indeed whether you are in a position to negotiate (or even investigate) the privacy regime of a prospective data processor. This means extreme caution should be exercised when engaging with ‘standard offering’ processing services (particularly those based in third countries) as their contracts are typically non-negotiable and their terms and conditions are often short on detail. It may seem safe to assume policy equates to performance, but it’s actually fraught with hazard to rely on unconfirmed assertion – of Privacy Shield certification, for example – without further investigation of what actually goes on in practice. Just signing up to a service because it’s available, convenient and has plausible T&Cs can be catastrophically unlawful.

Whenever, as a result of due diligence, there is any doubt about the adequacy of a third party service’s privacy management (including any vagueness or evasiveness in responding to enquiries), it should be avoided and an alternative service sought that demonstrably fulfils its obligation to deliver ‘data protection by design and by default’ (GDPR Article 25) and is entirely transparent about its privacy regime. Then, if you go ahead, you must ensure that you either provide explicit instructions to the service provider as a processor for your business or as an absolute minimum (e.g. where its contract is non-negotiable) you fully approve the processor’s terms, conditions and processing specifications, because you as controller will be held responsible for their legality. Your own privacy notice should clearly identify the specific third parties you have taken on as processors and describe both their relevant processing on behalf of your business and any processing of the same data or data gathered from or about your data subjects that they carry out as controllers in their own right alongside their processing for your business. Because you’re effectively obliging your data subjects to expose themselves to the third party service in order to do business with you, you’re ultimately responsible for the actions of that third party, so it's not good enough just to refer your data subject to the third party’s privacy notice.

It’s your obligation

Particularly where a web site is funded by it, care must be taken when including brokered advertising on your site, as the tracking and profiling required for delivery of targeted adverts intrinsically wrest control from the data subject. This is of itself a possible infringement of their rights and freedoms, unless the data subject is fully and explicitly informed of the specific tracking in use before any of it takes place and is provided with an effective mechanism for avoiding it without being denied the service your site offers. For several reasons it's highly questionable whether it’s sufficient merely to describe in your privacy notice how to turn cookies off. Firstly, the cookies may have already been sent before the visitor sees the instructions, secondly because cookie controls in browsers cannot distinguish between ‘necessary’ cookies without which the web site can’t deliver the service and other cookies that are not strictly necessary for delivery of the service, and thirdly because it’s not really reasonable to put the responsibility for protecting their privacy on visitors to your site themselves (it's your responsibility). And with the increasing use of distributed hosting that draws different parts of your web site from multiple third party providers, you become responsible for any tracking performed by all those third party providers. Oh, and just to make sure we all understand, it’s not just about cookies – any mechanism that tracks a web site visitor or gathers information about their browsing can constitute processing of personal data if the information collected either intrinsically identifies them or can be accumulated to identify them. Most of these other mechanisms can only be turned off by techniques that inhibit access to a site (e.g. the visitor disabling scripting or images). So no more “By using this web site you agree to our use of cookies” statements please, particularly on pages that themselves carry other automated trackers that have already silently done their work.

Mike Barwise
Director, BiR
28/03/2019