The discussion about data protection in online tracking is more topical and relevant than ever. On the one hand, this is due to the unclear conditions and, on the other hand, to the forthcoming changes. The important thing is that we have to find a suitable middle ground.
Companies that offer online services or track their users’ data face several challenges concerning data protection in online tracking. Legally, it is far from clear which data protection requirements apply.
Data Protection: Either/Or Models Under Discussion
“There is no entitlement to being able to use the content on the Internet free of charge.” At an event last year, an employee of a data protection authority gave an answer along these lines when asked whether it is acceptable under data protection law to give website visitors a choice: either the user consents to advertising tracking in return for unrestricted use of the content of the offer (for example, a publisher's), or the offer can be used without tracking but with a subscription.
In terms of data protection law, this model, which Spiegel Online has introduced, for example, raises the question of whether the visitor’s consent is still given voluntarily. After all, the only alternative is to take out a paid subscription.
As with almost everything in data protection law, the answer to this question is disputed. What is the price of the subscription? Is the tracking information presented in an understandable way? Is it possible to revoke consent once given?
Data Protection In Online Tracking: Consent Has Disadvantages For Companies
From the company’s point of view, one can only say: hands off consent! At least when there are alternatives for processing personal data. Why? The requirements for consent are very high and partly formalistic. Even so, the sword of Damocles of revocation hangs over every consent given.
But what are the alternatives to consent? In principle, data protection law offers many options for dealing with data in a permissible manner. One example is the need to fulfil contractual obligations. If a buyer has ordered a package, the company must use the address details for delivery. The same applies when meeting legal requirements, for example statutory retention requirements for documents that contain personal data.
However, data processing in the online area is (unfortunately) an important topic in data protection law. Roughly speaking, this applies to everything that companies somehow offer via apps or websites. There are special requirements at the European level for cases in which companies access user devices or store information there.
The classic example: cookies. These European requirements are currently anchored in the so-called ePrivacy Directive. In most cases, the prior consent of those affected is required. The unique feature: this provision has priority over the ubiquitous General Data Protection Regulation (GDPR).
The particular situation in Germany is that there has been a very controversial discussion for years as to whether the legislature has also provided for this requirement (consent) by law. Legal proceedings are also currently underway before the Federal Court of Justice.
Legal Requirements For Tracking: EU Succession Regulations Are To Be Expected
But apart from the legal battlefield: the ePrivacy Regulation currently being negotiated may be relevant for every company with online services that records user behaviour, whether for statistical or advertising purposes, or that evaluates how owners use their mobile devices.
The European legislator is looking for a successor to the ePrivacy Directive mentioned above. To put it bluntly, this too is a matter of succession planning. The legal requirements for the use of tracking technologies are also affected.
In a recently published draft from the Council of the European Union, the current Council Presidency proposes that, under certain circumstances, tracking of users should no longer be possible only with prior consent.
The legislators are considering that, for example, storing cookies or setting pixels could also be permissible if a company can demonstrate legitimate interests and the legitimate interests of those affected do not outweigh them.
Online Tracking Privacy: Problem With “Reasonable Expectations”
Of course, one asks oneself: who should decide, and based on which criteria? As with the GDPR, the legislator bases the interests of those affected on their “reasonable expectations”. Of course, this term is of little help in practice if you love demanding specifications. What is “reasonable”, and what can one “expect”? Can we now assume that offers on the Internet are refinanced through the display of advertising?
Is it reasonable to believe that site operators create statistical analyses and evaluations for advertising purposes? Ask ten people, and you will probably get ten different answers in different variations.
The more profound and socially relevant question is: Under what conditions should tracking for advertising purposes be possible in the future? Which regulatory variant best meets the objective?
On the one hand, businesses should not be burdened too much with excessive and possibly impractical requirements, which may also make new services more difficult. On the other hand, the privacy of those affected must be protected. The discussion on this topic is currently more relevant than ever.