The Privacy Case for Non-Tracking Cookies: PageFair writes to the European Parliament

Dr Johnny Ryan, GDPR

In the last month, we have written to the MEPs leading the Parliament’s work on the ePrivacy Regulation (the “rapporteurs”) to propose an amendment. Here is a copy of the letter.

PageFair supports the proposed ePrivacy Regulation, in so far as it will change online behavioural advertising. This is an unusual position for an ad tech company, and we have described why we have taken it in a previous note. We agree with the restriction on the use of tracking cookies in Article 8 of the Commission’s proposal for an ePrivacy Regulation, and in the draft report of the Parliament’s rapporteur.

However, non-tracking cookies should not be treated the same way as tracking cookies. While tracking cookies pose a severe risk to data protection (Article 8 of the EU Charter of Fundamental Rights) and privacy of communications (Article 7 of the EU Charter of Fundamental Rights), non-tracking cookies do not.

The Regulation should be amended to allow for non-tracking cookies. One way to achieve this is to add a point to Article 8, paragraph 1, to permit the use of terminal equipment storage and processing if no personal data are processed.

It is important to permit non-tracking cookies that pose no risk to privacy or to the confidentiality of personal communications for two reasons.

  1. Incentivising the use of non-tracking cookies will help industry to adopt privacy by design.
    Non-tracking cookies do not contain or directly or indirectly reveal metadata, content of communication, or personal data. Nor do they enable individual identification of a person. However, non-tracking cookies are a useful technical means for industry to take privacy friendly approaches, and support innovation.
  2. The current text’s prohibition of non-tracking cookies will disadvantage European businesses and web users. 
    Non-tracking cookies are an important means of enabling both essential and nonessential functions of websites. Websites often use non-tracking cookies to provide functionality that is useful to visitors, whether or not the functionality would be deemed strictly necessary, and irrespective of whether it was explicitly requested by a user. Non-tracking cookies often offer the most secure and robust method of enabling these functions. European companies should not have to revert to outmoded techniques such as passing data via long parameters appended to every URL, which was typical of the earliest “CGI” web applications and was afflicted with reliability and security issues.

To illustrate this point, consider several examples of non-tracking cookies that would be prohibited under the current text. These examples show how important non-tracking cookies are to the functioning of websites and services, and show their compatibility with the right to respect for private life and communications and the right to the protection of personal data.

Examples of non-tracking cookies. 

Example 1: A website that changes its appearance periodically 

An artist’s website is designed so that it changes its background colour every three days for one month after a visitor discovers it. To do this, the website sets a non-tracking cookie containing only an expiry date. The website refers to this expiry date, which it finds in the non-tracking cookie, to determine which three-day colour rotation to show the visitor.
This is what the information in this non-tracking cookie looks like: Set-Cookie: path=/; expires=Mon, 19 Jun 2017 04:28:00 GMT. This non-tracking cookie has no value as a tracking tool, and makes no impact on the user’s privacy or on the confidentiality of their communications.
In this example the non-tracking cookie is providing an important function for the artist’s website – whether or not the user finds it strictly necessary. This functionality is merely an experiment on the part of the site’s owner, but it may become a useful innovation that differentiates the website, or spurs some unforeseen innovation.

Example 2: Currency localisation widget 

A payments company provides an online widget on which visitors to international shopping sites can see prices in their local currencies. For example, a browser on a US site that appears to be visiting from Denmark also displays the price in Danish Krone. This service is not essential, and the user has not requested it. But it is useful, and the website publishers on whose sites the widget appears hope that it will improve their sales.
The widget designers use a non-tracking cookie, which means they can avoid alternative methods that involve storing unique identifiers and personal data. This is a privacy-by-design approach. The non-tracking cookie contains only the letters “DK”: Set-Cookie: path=/; currency=DK. Note that the non-tracking cookie can be overwritten later on if the user chooses. This is a third party non-tracking cookie (the payments company provides the widget to publishers, who embed it on their websites).

Example 3: Adventure game 

A free-to-play game on the web is modelled after a popular “choose your own adventure” novel. In this game the user reads a passage of text, makes a choice, rolls a dice, and is then taken to the next part of the story determined by the choice they made and the result of the dice roll.
To do this the game must store the user’s progress. This includes a record of the game sections already completed, the player’s health, and current situation in the game. The designer could do this in several ways, but using a non-tracking cookie is by far the best.
In this example a non-tracking cookie is not strictly technically necessary to make the game work, but it is an important part of making the game easy to play. One alternative to a non-tracking cookie would have been to require the user to log in and set up an account, after which information about the user’s situation in the game could be recorded on the game’s server. However, the user does not want to log in each time to play the game, and the game designer does not want to have to force the user to set up an account.

Example 4: A/B testing 

A newspaper wants to improve its website in order to increase its number of paying subscribers. It uses “A/B testing”, a popular design method in which visitors are assigned to one of two test groups, called “A” and “B”. Users in group A are shown the original version of the website, and users in group B are shown a version with potential improvements. The experiment gives the newspaper statistical evidence of the effects of the potential improvements on subscriptions.
To do this, the newspaper must use a non-tracking cookie to store the test group that visitors are randomly assigned to: Set-Cookie: path=/; letter=A. The non-tracking cookie contains only the letter “A” or the letter “B”. Several thousand visitors are in group A, and several thousand are in group B.

Example 5: A/B test 2 

Similar A/B testing to that described in the previous example can be conducted by third parties that provide embedded functionality for newspapers: for example, a newspaper contains a daily crossword provided by an external company. The crossword is displayed on the newspaper’s website in an iframe. The crossword company is considering changing its default typeface, and wants to make sure that the choice it makes doesn’t prompt users to abandon the crossword due to decreased legibility. It would conduct A/B testing using non-tracking cookies in the same way that the newspaper did in Example 4.

Example 6: Frequency capping 

People dislike seeing the same ad repeatedly on different websites. This also wastes advertisers’ budgets. Ad tech companies typically prevent repeated advertising by using tracking cookies, and recording the number of times that a person has been shown an ad in a database next to their unique tracking ID. However, in this example an advertiser wants to prepare for the GDPR by abandoning unique tracking IDs. Instead it will use a short-lived non-tracking cookie that contains the number of times that the ad has been displayed.
The first time that the ad is shown, a non-tracking cookie is set, containing the value “1”: Set-Cookie: path=/; count=1. Each subsequent time the ad is shown, the value of the non-tracking cookie will be increased. When the value of the non-tracking cookie reaches the frequency cap (10, for example), the ad server will no longer return that ad, and will instead display an ad from a different advertiser. When the non-tracking cookie reaches its maximum age (2 weeks, for example), it will expire, and the ad will once again be eligible to be displayed.

Example 7: Personalised stock page 

A financial website is visited many times a day by stock traders seeking the latest information on particular stocks. The site’s operators decide to automatically show each visitor the latest stock price for their five most recently searched stock tickers on the front page of the site. This means that frequent visitors will not need to find and reload each separate stock every time they visit the site.
To do this without storing personal data or requiring a login, the website stores a list of the 5 most recently-searched stock tickers in a non-tracking cookie: Set-Cookie: path=/; stocks=NVS,BUD,HSBC,UN,UL.
Whenever the web page first loads, the current prices of these stocks will be automatically displayed beside the core stock ticker search functionality of the website.
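Examples 6 and 7 share one mechanism: read a small, non-identifying value from the request’s Cookie header, update it, and write it back with a short lifetime. The Python below is an added illustration written for this page, not PageFair’s code; it uses the cap of 10 and two-week age from Example 6 and the five-ticker limit from Example 7, assumes a one-week ticker expiry (hypothetical), and puts the name=value pair first because a browser would otherwise read the page’s shorthand `path=/; count=1` as a cookie named `path`.

```python
from http.cookies import Morsel, SimpleCookie

FREQ_CAP = 10               # Example 6: stop showing the ad after 10 impressions
FREQ_MAX_AGE = 14 * 86400   # Example 6: the counter lives two weeks, then resets
TICKER_LIMIT = 5            # Example 7: only the five most recent tickers
TICKER_MAX_AGE = 7 * 86400  # assumption: a modest one-week expiry for the list


def _set_cookie(name, value, max_age):
    """Build a well-formed Set-Cookie header: name=value first, then attributes."""
    m = Morsel()
    m.set(name, value, value)   # coded value == value, so commas are not quoted
    m["path"] = "/"
    m["max-age"] = max_age      # short lifetime keeps the stored history small
    m["samesite"] = "Lax"
    m["secure"] = True
    return m.OutputString()


def _read(cookie_header, name):
    """Return the named cookie's value from a Cookie request header, or None."""
    jar = SimpleCookie(cookie_header or "")
    return jar[name].value if name in jar else None


def frequency_cap(cookie_header):
    """Example 6. Returns (show_this_ad, set_cookie_header_or_None)."""
    raw = _read(cookie_header, "count") or "0"
    count = int(raw) if raw.isdigit() else 0   # garbled/tampered value: start over
    if count >= FREQ_CAP:
        return False, None      # serve another advertiser's ad; leave the cookie alone
    return True, _set_cookie("count", str(count + 1), FREQ_MAX_AGE)


def recent_tickers(cookie_header, searched):
    """Example 7. Returns (tickers_to_display, set_cookie_header)."""
    if not (searched.isalnum() and searched.isupper()):
        raise ValueError("ticker symbols are upper-case alphanumerics")
    prior = (_read(cookie_header, "stocks") or "").split(",")
    # keep only plain symbols so arbitrary text cannot ride along in the cookie
    prior = [t for t in prior if t.isalnum() and t.isupper()]
    updated = ([searched] + [t for t in prior if t != searched])[:TICKER_LIMIT]
    return updated, _set_cookie("stocks", ",".join(updated), TICKER_MAX_AGE)


if __name__ == "__main__":
    # constructed request header: a returning visitor on their 9th impression
    print(frequency_cap("count=9; stocks=NVS,BUD,HSBC,UN,UL"))
    print(frequency_cap("count=10"))      # (False, None)
    print(recent_tickers("stocks=NVS,BUD,HSBC,UN,UL", "AAPL"))
```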

  • Robert Madge

    Johnny, are you suggesting that the “non-tracking cookies” should not be considered as personal data?

    • Robert, if a cookie does not contain personal data, or reveal any personal data, then it can not be considered personal data.

      • Robert Madge

In examples that you give, the cookie is clearly storing information relating to an identifiable natural person – such as the five most recently searched stock tickers. A website is processing this information. Why is this not a controller processing personal data, under the terms of the GDPR?

• Not when one considers what an identifiable natural person is. From Article 4 of the GDPR: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Let’s test your contention. You suspect that a list of stock tickers could identify, or contribute to the identification of, a person. Though very unlikely, it is remotely conceivable that with a very large volume of stock tickers, stored in the cookie over a long time, one might be able to match these to some record of an individual’s stock trades. This would be a little bit similar to Arvind Narayanan and Vitaly Shmatikov’s re-identification of Netflix users by using IMDb movie preferences (see https://www.cs.cornell.edu/~shmat/shmat_oak08netflix.pdf).

          If this is a risk then it can be removed by setting a modest expiry date on the cookie.

          • Robert Madge

            This is an interesting proposition. However, I don’t think that the GDPR limits the identification (or potential identification) to the external world beyond the user’s device. When the website looks at the cookie, it will certainly have access also at that moment to the user’s IP address, and so it can directly link the stock trades to the IP address.

          • I don’t understand your first point about the external world beyond the device?
            On the second point, your logic is that the person is identifiable because of the IP address, and therefore “any information relating” to that person is personal. This is well argued.
            We realised that to operate an advertising system that can be entirely non-personal (when consent is absent) then one has to already have taken steps to record the IP address, and to never have it available for the use you propose.

          • Robert Madge

            Johnny, I made a reference to “the external world” because I thought that your own example of a Netflix-like re-identification suggested that the only cases that needed to be considered were outside the “world” of the user’s device. Your later comment does not seem to take this position.

            On my side, I don’t understand the phrase “to already have taken steps to record the IP address”. If we take the case of the website that has placed, that updates and that reads the cookie, this website also has access to the user’s IP address. The website could decide not to connect the details of the IP address with the user information stored in the cookie, but this is the kind of decision a ‘data controller’ makes. I do not see how that stops the user information from being ‘personal data’.

            Moving beyond the semantics of the GDPR, the intent of the regulation is to cover all use of personal information and provide individuals with an appropriate level of protection and a set of rights. The intent of the advertising system you describe is to make use of information about a person in order to present them with individualised (or at least group-targeted) adverts. When the advertising system makes use of this personal information, the GDPR would aim to see that the information is protected and the user is able to exercise their rights. That would mean that there has to be a lawful basis for processing and the user would have to be notified as well as have all the rights of access, objection etc.

• Sorry Robert, I just edited my previous reply to add the word “not” in a very important place!