Online profiling: find your way around the latest news

Anyone who has surfed the internet in recent years cannot fail to know that the behavior of online users can form the starting point for carrying out targeted marketing campaigns. The banners that invariably open when we access a website, for example, alert the user to the use of profiling cookies. The Privacy and Cookie Policies that we are often asked to read before carrying out certain actions - such as an online purchase or subscription to a newsletter - instead describe in great detail, or at least should, the treatments for marketing purposes that are carried out on respective sites. The frequency with which we are exposed to these information, however, often corresponds to that with which we "trash" them, accepting everything, so as not to lose ourselves in reading documents that are often long and with a complicated and inaccessible vocabulary.

The problem it also reached the ears of the Privacy Guarantor, who recently launched “A hackathon to make privacy policies something that everyone can read (and understand)”, “Objective? Shorten them by 50% "for true informed consent [Doc. Web 9495622].

To help readers navigate and protect themselves in the world of online marketing, therefore, we have decided to write this article, in which we will mention the latest news on the subject.

How profiling cookies work

The term cookie indicates a small text file in which brief information relating to navigation on a particular website is stored, which is installed in the device of the visitor who accesses it. In subsequent accesses, cookies will be sent back to the site that generated them (first-party cookies) or to those provided by third parties able to recognize them (third-party cookies) and it will be possible to pursue different purposes: not just marketing , but also of a technical nature or to improve the browsing experience, for example by storing preferences for the language of the page visited or authentication credentials.

Coming to profiling and third-party cookies - whose installation is subject to the user's prior consent - there are different types, including, in particular:

profiling cookies: which create a user profile that can be used, for example, to display content advertising in line with the preferences expressed while browsing the site; retargeting cookies: which are created in order to send advertising content relating to products in which the user has already expressed interest; social cookies: they relate to social network plug-ins that allow you to share, follow or express appreciation for the contents of the site - other than the social network - you are visiting. These functions allow social networks to identify their users and collect information even while browsing other sites.

Retention times

This is, therefore, a lot of information. But how long can they be kept? This is decided by the Data Controller of personal data, ie the person who determines the means and purposes (usually, the owner of the site).

Photo credit - depositphotos .com This answer was recently given by the Guarantor , with provision of 15 October 2020 [Doc. web n. 9486485] issued against Carrefour. The facts examined were as follows: the complainant complained of receiving a promotional text message from the Company in 2018, without suitable feedback being given to his subsequent request for information. It emerged, therefore, that the message had been sent on the basis of a consent acquired with the signing of a contract in 2007 and, therefore, even more than 10 years before the advertisement. What is the verdict of the Guarantor, then?

According to the Authority "the passage of time alone is not a sufficient parameter, in itself, to assess the suitability of the legal basis. The consent to the processing of personal data for promotional purposes, [...] must be considered valid, regardless of the time elapsed, until it is revoked by the interested party, provided that it was originally acquired correctly and that it is still valid in light of the applicable rules at the time of processing as well as the storage times established by the owner, and indicated in the information, in compliance with art. 5, par. 1, lett. e) of the Regulations.

Having said that, the disputed sending of the promotional message must be considered lacking a suitable legal basis, not only as it was sent after ten years, but rather as it lacks the aforementioned conditions of validity ".

In other words, the law does not impose a precise limit for the retention of personal data collected for marketing purposes, but it will be up to the Data Controller to decide how long to keep them, in compliance with the principle set out in art. 5, par. 1, lett. e) of the GDPR: the data must therefore be kept for a period of time not exceeding the achievement of the purposes for which they are processed.

Because it is an innovative decision

The story just represented constitutes a significant novelty, destined to have significant practical consequences on the activity of many economic operators.

Until now, in fact, it was usual to refer to the provision of the Guarantor of 24 February 2005 on the Fidelity cards , which set two years as the maximum retention period for data collected for marketing purposes and one year if for profiling purposes. The only way to overcome these limits was to activate a specific procedure for verifying the existence of particular conditions by the Guarantor, provided for by article 17 of the Privacy Code, now also repealed.

The decision, however, , arrives in the same period of the provision of the French Personal Data Processing Authority, the CNIL, again against Carrefour (Délibération de la formation restreinte n ° SAN-2020-008 du 18 November 2020 concerning the société CARREFOUR FRANCE), with which important information has been provided regarding the use of third-party analytical cookies.

These indications, however, seem to have been implemented also on this side of the Alps with the "Guidelines on the use of cookies and other tracking tools "- Annex 1 - of 26 November 2020, [Doc. web n. 9498472], which will be briefly illustrated in the next paragraph.

Analytical cookies: do you need consent?

What do you say, then, about the use of third-party analytical cookies?

Until now, it was possible to use this type of cookie without requesting prior consent, provided that the personal data obtained from them were used in aggregate and anonymous form (General Provision of the Guarantor of 8 May 2014 [web doc. . n. 3118884]).

The new Guidelines confirm this possibility, provided that the treatment takes place in compliance with some further requirements. Thus, for example, to avoid the direct identification of the data subject through the use of analytics cookies, the measures that involve the potential traceability of the cookie to multiple devices must be evaluated. As the Guarantor clarifies, therefore, this objective can be pursued with IP version 4 (IPv4) addresses by masking the fourth numerical component. This will introduce an uncertainty in the attribution of the cookie to a specific interested party equal to 1/256 (approximately 0.4%). Similar procedures should also be adopted with regard to IP version 6 (IPv6) addresses, which have a different structure and an enormously higher address space (being made up of binary numbers represented with 128 bits).

In in any case, then, such data - even if already appropriately minimized - must not be combined with other elaborations that increase the possibility of user identification.

The main criticality introduced by the new Guidelines, however, concerns this clarification: it must be guaranteed that "third parties refrain from combining such analytics cookies with other processing (customer files or statistics of visits to other sites, for example) or from transmitting them to third parties". If this is not the case, even this type of cookie can only be activated if the user expressly consents (as for the profiling cookies mentioned above).

Conclusions

Cookies they are tracking tools that each of us has had to deal with and which in recent years are given more and more importance, precisely because of their diffusion and their impact on online browsing experiences.

Consider that, precisely on the basis of a use of cookies that did not respect the requirements of the law, the CNIL, the French Guarantor Authority, has recently sanctioned not only Carrefour France, as mentioned above, but also Google LLC and Google Ireland, on the one hand, and Amazon Europe Core, on the other, with penalties of 100 and 35 million euros respectively.

Although only some of the possible legal profiles have been addressed in this article connected to them (there would be many others, co me, for example, the recently regulated case of the cookie wall), even the less experienced user will be able to orient themselves better and make informed choices in light of the considerations made and, above all, paying attention to the information available online.