The use of third-party cookies for ad tracking has always been a contentious issue. Since the introduction of GDPR in 2018, their use has become even more questionable as European regulators start pursuing companies they believe are breaching the regulation, which guarantees internet users the right to privacy from companies that would use their personal data to build business strategies and personalized advertising.

Krux and BlueKai

The case has been brought by Rebecca Rumbul, the UK claimant in the case against Oracle and Salesforce for the Privacy Collective, an organization based in the Netherlands and the UK that aims to prevent large corporations from selling personal data and information about online behaviors to other companies through an auction without users’ knowledge.

The two companies, the Collective claims, are misusing consumers’ personal data through their third-party cookies BlueKai and Krux. These cookies are hosted on several popular websites such as Amazon, Booking.com, Dropbox, Reddit and Spotify.

BlueKai, which Oracle bought for a little over $400 million in 2014, is a cloud-based big data platform that enables companies to personalize online, offline, and mobile marketing campaigns. Krux, for its part, is dedicated to capturing customer data from various online platforms in real time. It was bought by Salesforce in 2016 for $700 million.

Rumbul explained that the claims are being taken forward in the form of 'class actions' and that the combined claims could exceed $11 billion, as there are potentially millions of individuals who have these tracking cookies on their systems.

Oracle’s EVP and general counsel Dorian Daley hit back at the lawsuit, describing it as a “meritless action based on deliberate misrepresentations of the facts... As Oracle previously informed the Privacy Collective, Oracle has no direct role in the real-time bidding process (RTB), has a minimal data footprint in the EU, and has a comprehensive GDPR compliance program,” Daley said in a statement cited in Forbes.

Cookies Are Not Villains

A spokesperson for Salesforce, also cited in Forbes, said it “disagrees with the allegations and intends to demonstrate they are without merit.” So, are cookies as threatening as the Privacy Collective makes out? The universal response appears to be no.

The cookie is not the villain, Bob Regular, CEO of Palo Alto, Calif.-based Infolinks, told us. It is simply an anonymous transparent identifier with bad actors taking advantage of it. Like any tool that can be used for good or bad, the cookie simply needs rules and accountability on how it can be used to adhere to privacy laws. In fact, Regular says that eliminating them would be counter-productive. “Complete elimination of the 3rd party cookie will only encourage further monopolization to occur by the bigger platforms and blackhat methods to rise in search of non-transparent ways to violate privacy. To me, this is a bigger issue than any perceived problem with the cookie,” he said.

More to the point, according to Germany-based Dirk Steinmetz, the developer of GeneralSync, a tool to sync calendars and contacts without clouds or servers, the problem with cookie tracking in the Oracle/Salesforce cases is not specifically about cookies, but about consent. Like all forms of surveillance, tracking an individual user of a website directly impacts their privacy. After all, its result is a detailed report of their actions on that specific website. Such reports may seem harmless, as they usually do not include obvious personal information like names or addresses. “But they are not anonymous,” he said. “Combining multiple of these reports permits to directly identify the user and their browsing history. From there, it is usually simple to deduce many details a user might want to keep hidden, such as political and religious views, medical conditions and sexual interests.”

GDPR Restrictions

The GDPR thus places strict rules on tracking and the data gathered from it. However, users can explicitly agree to more invasive tracking and data sharing by giving 'informed consent'. A company can give its users an explanation of what it wants to do with their data and ask them whether they agree with that. If a user agrees, that user may get tracked in the way described to them. The products in the current lawsuit require such 'informed consent'. As advertisement platforms, they use multiple methods to gather as many personal details about a user as possible. They then send these details to advertisement networks and companies, to finally receive ads for that user.

The problem is that the process is so complex that a normal person is very unlikely to ever understand it. They use a multitude of tracking methods, including a lot of cookies, and send the resulting data to multiple different recipients, which have their own complex mechanisms to further process and share the data. “The argument is thus that informed consent is impossible: Because the user cannot understand the impact on their privacy, they cannot legally accept to their data being processed,” he said.

The impact of this lawsuit is thus limited to companies using tracking mechanisms that require 'informed consent'. Websites that use less invasive tracking mechanisms are not directly affected, independently of whether they use cookies.

Negating GDPR

Lauren Patrick is VP of marketing at Atlanta-based Curricula, a security awareness training company. The big, current problem with cookie tracking, she said, is that it negates the purpose of GDPR. The goal of GDPR is to protect individuals’ personal right to privacy. A user (consumer) should have the ability to easily give their consent for marketing and to withdraw that consent at any time, which is not possible with third-party cookies.

To comply with GDPR, businesses must ensure proper notice, choice, right of access, rectification, and elimination of individuals’ sensitive data. This is not compatible with strict EU laws around consent to process personal data in third-party cookies for ad tracking. “GDPR is designed to protect the individual privacy rights of data subjects. Also, explicit consent is required to collect data from a data subject, in this case, a user's internet browser,” she said. “Ultimately, GDPR is about more than just compliance with a regulation. We all play a part in protecting the privacy and security of sensitive data.”

Final Thought

The final thought goes to Rebecca Rumbul of the Privacy Collective. She points out that while a lot of cookie tracking seems benign, when cookies are used too much or dig too deep, they can be offensive. “Having advertising targeted at you based on your recent holiday search browsing may seem pretty benign,” she writes, “but would you really be comfortable having all of the websites you visit being added to your profile?...Would you want all of that information traded or linked together as part of an individual record, without your knowledge or any ability to see or challenge it? Probably not.”