The Privacy Case for Non-Tracking Cookies: PageFair writes to the European Parliament

Dr Johnny Ryan

In the last month, we have written to the MEPs leading the Parliament’s work on the ePrivacy Regulation (the “rapporteurs”) to propose an amendment. Here is a copy of the letter.

PageFair supports the proposed ePrivacy Regulation, in so far as it will change online behavioural advertising. This is an unusual position for an ad tech company, and we have described why we have taken it in a previous note. We agree with the restriction on the use of tracking cookies in Article 8 of the Commission’s proposal for an ePrivacy Regulation, and in the draft report of the Parliament’s rapporteur.

However, non-tracking cookies should not be treated the same way as tracking cookies. While tracking cookies pose a severe risk to data protection (Article 8 of the EU Charter of Fundamental Rights) and privacy of communications (Article 7 of the EU Charter of Fundamental Rights), non-tracking cookies do not.

The Regulation should be amended to allow for non-tracking cookies. One way to achieve this is to add a point to Article 8, paragraph 1, to permit the use of terminal equipment storage and processing if no personal data are processed.

It is important to permit non-tracking cookies that pose no risk to privacy or to the confidentiality of personal communications for two reasons.

  1. Incentivising the use of non-tracking cookies will help industry to adopt privacy by design.
    Non-tracking cookies do not contain or directly or indirectly reveal metadata, content of communication, or personal data. Nor do they enable individual identification of a person. However, non-tracking cookies are a useful technical means for industry to take privacy friendly approaches, and support innovation.
  2. The current text’s prohibition of non-tracking cookies will disadvantage European businesses and web users. 
    Non-tracking cookies are an important means of enabling both essential and nonessential functions of websites. Websites often use non-tracking cookies to provide functionality that is useful to visitors, whether or not the functionality would be deemed strictly necessary, and irrespective of whether it was explicitly requested by a user. Non-tracking cookies often offer the most secure and robust method of enabling these functions. European companies should not have to revert to outmoded techniques such as passing data via long parameters appended to every URL, which was typical of the earliest “CGI” web applications and was afflicted with reliability and security issues.

To illustrate this point, consider several examples of non-tracking cookies that would be prohibited under the current text. These examples show how important non-tracking cookies are to the functioning of websites and services, and show their compatibility with the right to respect for private life and communications and the right to the protection of personal data.

Examples of non-tracking cookies. 

Example 1: A website that changes its appearance periodically 

An artist’s web site is designed so that it changes its background colour every three days for one month after a visitor discovers it. To do this the website sets a non-tracking cookie containing only an expiry date. The website refers to this expiry date, which it finds in the non-tracking cookie, to determine which three-day colour rotation to show the visitor.
This is what the information in this non-tracking cookie looks like: Set-Cookie: path=/; expires=Mon, 19 Jun 2017 04:28:00 GMT. This non-tracking cookie has no value as a tracking tool, and makes no impact on the user’s privacy or on the confidentiality of their communications.
In this example the non-tracking cookie is providing an important function for the artist’s website – whether or not the user finds it strictly necessary. This functionality is merely an experiment on the part of the site’s owner, but it may become a useful innovation that differentiates the website, or spurs some unforeseen innovation.

Example 2: Currency localisation widget 

A payments company provides an online widget on which visitors to international shopping sites can see prices in their local currencies. For example, a browser on a US site that appears to be visiting from Denmark also displays the price in Danish Krone. This service is not essential, and the user has not requested it. But it is useful, and the website publishers on whose sites the widget appears hope that it will improve their sales.
The widget designers use a non-tracking cookie, which means they can avoid alternative methods that involve storing unique identifiers and personal data. This is a privacy-by-design approach. The non-tracking cookie contains only the letters “DK”: Set-Cookie: currency=DK; path=/. Note that the non-tracking cookie can be overwritten later on if the user chooses. This is a third party non-tracking cookie (the payments company provides the widget to publishers, who embed it on their websites).

Example 3: Adventure game 

A free-to-play game on the web is modelled after a popular “choose your own adventure” novel. In this game the user reads a passage of text, makes a choice, rolls a dice, and is then taken to the next part of the story determined by the choice they made and the result of the dice roll.
To do this the game must store the user’s progress. This includes a record of the game sections already completed, the player’s health, and current situation in the game. The designer could do this in several ways, but using a non-tracking cookie is by far the best.
In this example a non-tracking cookie is not strictly technically necessary to make the game work, but it is an important part of making the game easy to play. One alternative to a non-tracking cookie would have been to require the user to log in and set up an account, after which information about the user’s situation in the game could be recorded on the game’s server. However, the user does not want to log in each time to play the game, and the game designer does not want to have to force the user to set up an account.

Example 4: A/B testing 

A newspaper wants to improve its website in order to increase its number of paying subscribers. It uses “A/B testing”, a popular design method in which visitors are assigned into one of two test groups, called “A” and “B”. Users in group A are shown the original version of the website, and users in group B are shown a version with potential improvements. The experiment gives the newspaper statistical evidence of the effects of the potential improvements on subscriptions.
To do this, the newspaper must use a non-tracking cookie to store the test group that visitors are randomly assigned to: Set-Cookie: letter=A; path=/. The non-tracking cookie contains only the letter “A” or the letter “B”. Several thousand visitors are in group A, and several thousand are in group B.

Example 5: A/B test 2 

Similar A/B testing to that described in the previous example can be conducted by third parties that provide embedded functionality for newspapers: for example, a newspaper contains a daily crossword provided by an external company. The crossword is displayed on the newspaper’s website in an iframe. The crossword company is considering changing its default typeface, and wants to make sure that the choice it makes doesn’t prompt users to abandon the crossword due to decreased legibility. It would conduct A/B testing using non-tracking cookies in the same way that the newspaper did in Example 4.

Example 6: Frequency capping 

People dislike seeing the same ad repeatedly on different websites. This also wastes advertisers’ budgets. Ad tech companies typically prevent repeated advertising by using tracking cookies, and recording the number of times that a person has been shown an ad in a database next to their unique tracking ID. However, in this example an advertiser wants to prepare for the GDPR by abandoning unique tracking IDs. Instead it will use a short-lived non-tracking cookie that contains the number of times that the ad has been displayed.
The first time that the ad is shown, a non-tracking cookie is set, containing the value “1”: Set-Cookie: count=1; path=/. Each subsequent time the ad is shown, the value of the non-tracking cookie will be increased. When the value of the non-tracking cookie reaches the frequency cap (10, for example), the ad server will no longer return that ad, and will instead display an ad from a different advertiser. When the non-tracking cookie reaches its maximum age (2 weeks, for example), it will expire, and the ad will once again be eligible to be displayed.
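
The frequency cap described above, sketched as ad-server logic in Python (an added example, not PageFair's code). The function names are hypothetical; the cookie name count, the cap of 10 and the two-week lifetime are the page's example values. The count comes back from the browser, so it is validated before use.

```python
from http.cookies import CookieError, SimpleCookie

FREQUENCY_CAP = 10                    # the page's example cap
MAX_AGE_SECONDS = 14 * 24 * 60 * 60   # the page's example lifetime: 2 weeks

def read_count(cookie_header: str) -> int:
    """Return a safe impression count from the browser's Cookie header."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 0
    raw = jar["count"].value if "count" in jar else ""
    # The value is client-controlled: accept one or two ASCII digits only and
    # treat anything else as "no cookie"; never echo the raw value back.
    if not (raw.isascii() and raw.isdigit() and len(raw) <= 2):
        return 0
    return min(int(raw), FREQUENCY_CAP)

def decide(cookie_header: str):
    """Return (serve_this_ad, Set-Cookie value or None)."""
    count = read_count(cookie_header)
    if count >= FREQUENCY_CAP:
        return False, None   # cap reached: serve another advertiser's ad
    # Browsers do not send cookie attributes back, so each impression
    # restarts the two-week lifetime; it runs out after the last one shown.
    return True, f"count={count + 1}; Max-Age={MAX_AGE_SECONDS}; Path=/"

def simulate_visits(n: int) -> int:
    """Replay n ad requests from one browser; return how often the ad ran."""
    cookie, served = "", 0
    for _ in range(n):
        show, set_cookie = decide(cookie)
        if show:
            served += 1
            # The browser returns only the name=value pair on the next request
            cookie = set_cookie.split(";", 1)[0]
    return served

if __name__ == "__main__":
    print(simulate_visits(25))
```

The server keeps no per-visitor record: the only state is the integer in the cookie, which many browsers share at any given time.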

Example 7: Personalised stock page 

A financial website is visited many times a day by stock traders seeking the latest information on particular stocks. The operators of the website decide to automatically show each visitor the latest stock price on their five most recently searched stock tickers on the front page of the site. This means that frequent visitors will not need to find and reload each separate stock every time they visit the site.
To do this without storing personal data or requiring a login, the website stores a list of the 5 most recently-searched stock tickers in a non-tracking cookie: Set-Cookie: stocks=NVS,BUD,HSBC,UN,UL; path=/.
Whenever the web page first loads, the current prices of these stocks will be automatically displayed beside the core stock ticker search functionality of the website.
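
One way the stock page could maintain that list, as an added Python example that is not the website's or PageFair's code. The function names and the ticker pattern (one to five capital letters) are assumptions; the cookie is client-controlled, so every item is validated before it is used for a price lookup or written into the page.

```python
import re
from http.cookies import CookieError, SimpleCookie

MAX_TICKERS = 5                      # the page keeps the 5 most recent searches
TICKER = re.compile(r"[A-Z]{1,5}")   # assumed ticker syntax

def read_tickers(cookie_header: str) -> list:
    """Return the validated ticker list from the browser's Cookie header."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return []
    raw = jar["stocks"].value if "stocks" in jar else ""
    tickers = []
    for item in raw.split(","):
        # Drop anything that is not a plain ticker, and drop duplicates,
        # so a tampered cookie cannot smuggle markup or an identifier in.
        if TICKER.fullmatch(item) and item not in tickers:
            tickers.append(item)
    return tickers[:MAX_TICKERS]

def record_search(cookie_header: str, ticker: str):
    """Return (tickers, Set-Cookie value) after the visitor searches a ticker."""
    tickers = read_tickers(cookie_header)
    ticker = ticker.strip().upper()
    if TICKER.fullmatch(ticker):
        # Most recent search first; the oldest entry falls off the end
        rest = [t for t in tickers if t != ticker]
        tickers = ([ticker] + rest)[:MAX_TICKERS]
    return tickers, "stocks=" + ",".join(tickers) + "; Path=/"

if __name__ == "__main__":
    print(record_search("stocks=NVS,BUD,HSBC,UN,UL", "ibm"))
```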