The IWGDPT has recently claimed that respect for context and purpose limitation, transparency and control are key elements as far as web tracking is concerned. Following the last meeting held in Prague (Czech Republic) in April, the IWGDPT adopted a working paper to discuss the privacy challenges that web tracking raises and issued some recommendations in order to mitigate such risks.

The International Working Group on Data Protection in Telecommunications is based in Berlin and formed by “representatives from Data Protection Authorities and other bodies of national public administrations, international organizations and scientists from all over the world” focusing on “improving the protection of privacy in telecommunications”.

To whom the working paper is intended?

The IWGDPT specifically addresses this paper to:

  1. providers of web sites
  2. software developers
  3. service providers that offer tracking technology
  4. service providers that use tracking technology

Although it is also applicable to web browsers on other devices like smart mobile devices and smart televisions, the IWGDPT expressly notes that the paper does not address specific additional risks of apps on mobile devices.

What is web tracking?

To the IWGDPT web tracking presupposes the “collection and subsequent retention, use or sharing of data on individual online behaviour across multiples websites (or devices) by the use of (tracking technology such as) cookies, JavaScript or any kind of device fingerprinting” allowing to create “very detailed predictive profiles of individual behaviour” and leading “to the actual application of the profile to an individual”.

Furthermore, “web tracking technology enables a constant flow of real-time information about users, such as registration data, search activities, behavioural data, site visit statistics and conversion data reflecting how a user respond to individual offers”.

And goes on giving some examples of web tracking such as:

  1. outreach measurement – “the degree to which users are served with ads across the web”;
  2. engagement measurement – “the degree to which users interact with services across the web”;
  3. audience measurement – “the degree to which micro profiles can be derived from users interacting with services across the web”.

With the evolution of technology, web tracking is now present on mobile devices, which “are becoming more and more personal devices (…) therefore making the link between the device and the individual stronger”. In addition, they contain unique identifiers as well as user name, password, age, gender and address book, not to mention the geolocation data also available on mobile apps.

The IWGDPT underlines also that “digital data trail may result from unintentional or unwilling disclosure of data, and may result in unnecessary disclosure of (personal) data”, providing several examples of how a digital data trail can be generated, and that “data can be stored in graph databases by various services on the web”.

Privacy risks of web tracking

Users’ unawareness of being tracked is a concern regarding privacy. The tools used within the web tracking limit or even do not allow users to acknowledge they are being tracked. Examples of this lack of transparency of web tracking are the web beacons and iFrames that “are invisible to the human eye”.

In most jurisdictions web tracking falls within the definition of processing personal data because the technical tools used allow the identification of users and/or making automated decisions.

On one hand, the industry argues that unique identifiers of web tracking should not be considered personal data because most of the data is de-identified and from that moment such data no longer falls in the personal data definition. Furthermore, machines are the ones that are being traced back rather than individuals.

On the other hand, the IWGDPT considers that machines and especially smart phones are currently a genuine extension of a specific user rather than a tool that can be easily used for more than one user. Besides, even in case the data is de-identified it is possible to de-anonymise and link such data to a certain user.

Recommendations

Concerned with the privacy risks raised by web tracking, the IWGDPT makes in this working paper the following recommendations to all web tracking players:

  1. Bear in mind respect for context and purpose limitation

Data is collected in a certain context and should stay that way without being used in another context. Thus, measures should be taken to ensure this principle, which is particularly relevant in automated data collection, processing and sharing practices.

Users should be previously informed of the purpose of the data processing, which should only be changed after renewed information and choice is given to such users.

  1. Transparency
  • Refrain from the use of invisible tracking elements;
  • Notify the user in an intelligible way when the user agent is about to send/receive a web tracking identifier to/from the origin/destination server;
  • Display an indicator noticeable enough to the user whenever web tracking is in progress”, giving special attention to special groups of web users (ex.: disabled users).
  1. Give control to the user

Tracking tools should have a user control mechanism and an explicit choice should be given to the users concerning tracking (ex.: “when browser software is to be installed, activated or updated”).

Moreover, “if the browser does not provide a user interface, the default setting should be such that the user is not tracked”.

Users should be entitled to change settings, access the choices once made as regards to web tracking and be reminded that such previous choices can be revoked at any time and in an easy way from the technically point of view.

The user agent indications for not being tracked should be strictly respected.

Whenever users have chosen not to be tracked, “(passive) fingerprinting in order to derive a unique user identifier” should not be deployed.

User control mechanisms in place should be auditable and able to be “enforced by the competent private and public bodies chartered with enforcing rules”.

Final remarks

Currently most of us are faced with the following dichotomy: more and more information and less and less time (and mood) to assimilate it.

Thus, most of the web tracking is generally welcome because they filter the huge amount of information available in accordance to the users’ preferences allowing them to receive only the information on which they are, or most probably will be, actually interested in.

What users do not want for sure is to be subject to unlawful practices, such as being offered a product for a price much higher than its retail selling price just because they know, due to web tracking, that it is a kind of product on which I would be interested in. However, this is something to be severely fight against in another framework (i.e. competition law, consumer law, etc.) rather than privacy and data protection.

Empower users with control mechanisms seems to be a good way of approaching the web tracking privacy risks but I found hard to implement some of the recommendations. For instance, what means and time would be considered adequate to inform and give the user choice concerning the use of web beacons on the e-mail I’m going to send him?

In conclusion, I believe that the majority agrees on the principles but the bone of contention lies on the means, timings and ways of implementing such principles as well as their extent, not to mention the doubts on the effectiveness of such principles when implemented, i.e. will the users’ choices reflect their true will and needs?