The Criteo case: a big deal for Big Tech
Carlo Cilent · 2024-02-06 · via Blog of Simple Analytics

Last June the French privacy authority (CNIL) fined French ad tech giant Criteo €40m for failing to honor user consent to tracking. In December the Amsterdam District Court also issued a ruling against Criteo which was later confirmed on appeal.

These cases are a big deal. Criteo is a large ad tech multinational that controls personal data from millions of Internet users. But most importantly, the reasoning behind the decision is a departure from the past and may very well send waves across several industries, including ad tech and web analytics.

Here is what the cases are all about, and why they could open up new opportunities for action against illegal tracking.

  1. What are the cases about?
  2. Who must deal with consent?
  3. The “Criteo doctrine”: a deeper look
  4. Joint controllers
  5. The allocation of responsibilities
  6. The effective protection of rights
  7. What does this mean for web analytics?
  8. Final words


What are the cases about?

So far, there are three decisions against Criteo:

  • two privacy NGOs (Privacy International and noyb) filed a complaint with the French privacy watchdog (CNIL) claiming that websites were illegally placing Criteo cookies. This complaint was decided in June 2023 and resulted in a €40M fine for the company.
  • a Dutch citizen brought the same case in the Amsterdam District Court, resulting in an order to stop placing cookies and to delete the data already collected.
  • the District Court’s decision was later confirmed on appeal.

All the cases revolve around the unauthorized use of tracking cookies. Several popular websites used Criteo’s cookies for advertising purposes. This was done without consent, in breach of the GDPR and the ePrivacy Directive.

These look like standard cookie cases: someone realized they were tracked without their consent, took legal action, and won. But what makes these cases special is that the websites, not Criteo, placed the cookies. Criteo was held responsible for cookies written by its customers, and this is a big, big deal.

It is very common for ad tech and web analytics service providers to “offload” the compliance work to their customers, that is, to the websites that use the service.

For instance, let’s say your website uses Google Analytics. Google Analytics uses tracking cookies, which require consent under EU law. This is not Google’s problem: per Google Analytics’ Terms of Service, it is up to you to implement Google Analytics in a compliant way (which includes making sure it only writes cookies after visitors accept them). If you mess this up, you are violating the law, not Google.

This allocation of responsibilities is one of the reasons the Internet has become a cesspool of illegal tracking. Ad tech giants such as Google and Meta provide the Internet with powerful and invasive tracking tools but cannot be held accountable for their misuse. So, users and privacy advocates can only fight back against tracking by going after individual websites, in an endless and largely pointless game of whack-a-mole.

The decisions against Criteo open up new avenues for legal action. The CNIL and the courts said loud and clear that Criteo, an advertising giant with countless partners, cannot wash its hands of the legal obligations that come with the use of cookies. Criteo was held accountable for what its customers did with its cookies, even though Criteo itself didn’t do anything, or rather, because it did nothing to counter the predictable abuse of Criteo cookies.

It is early to say whether this line of reasoning will gain momentum at the European level. But there are reasons to be optimistic: the CNIL is a well-respected authority that often sets influential examples for other regulators. Furthermore, privacy advocates (such as those involved in the CNIL case) are well aware of the potential of the decisions against Criteo and will surely attempt to leverage this potential in future litigation.

Bottom line: the cases won’t necessarily turn into an influential precedent at an EU level, but there is a very real chance that they do, and provide privacy advocates with a powerful legal tool against tracking.

The “Criteo doctrine”: a deeper look

In a nutshell, this is why the rationale behind the Criteo cases matters. But what is this rationale exactly, and how does it fit the GDPR?

Long story short, the “Criteo doctrine”, so to speak, says that joint controllers must allocate compliance obligations in a way that effectively protects privacy rights. That’s a lot to digest, so let’s break it down.

Joint controllers

Explaining the notion of joint controllership in rigorous terms would require a blog of its own. In a nutshell, joint controllership is the situation where two or more entities handle data together, and they all get a say in what happens to the data. So, if two companies are joint controllers, they both decide what data are collected, why they are collected, how they are processed, and so on.

This was the type of relationship Criteo had with its customers. In fact, the company never claimed otherwise.

The allocation of responsibilities

Joint controllership poses a problem: joint controllers all have obligations under the GDPR, but who exactly needs to comply with which? In other words, how are compliance obligations allocated between joint controllers?

The solution of the GDPR is to let joint controllers allocate these responsibilities however they prefer, as long as they clarify this allocation in a legal contract called a joint controllership agreement.

In practical terms, whenever a legal issue arises with joint controllers, lawyers and regulators look to the joint controllership agreement to know who is supposed to do what. For instance, company A is solely responsible for managing consent, while company B is solely responsible for managing the database and reporting data breaches.

There are obvious advantages to this system. Data controllers can allocate compliance duties in an effective way because they know exactly how each party contributes to processing the data. For instance: if company B controls the database, it makes sense for it to be responsible for notifying data breaches. Likewise, if company A has a direct contact with the data subject (that is, the people whose data are being processed), while company B does not, then it makes sense for company A to collect and manage consent.

The downside of this allocation system is that it can fail. And in the case of online tracking, it fails systematically.

The effective protection of rights

Countless websites abuse cookies or pixels to track you without your consent. This is illegal, but you can’t take action against providers like Google or Meta because they leave it to the customer to comply with data protection law. You can’t take action against every single website that tracks you, either: they are simply too many!

The “Criteo doctrine” provides a backstop against this failure. It acknowledges that the GDPR allows companies to allocate responsibilities however they want, but also holds that the allocation of responsibilities needs to protect data rights effectively.

So, joint controllers can allocate responsibilities how they like, but the consequence of this discretion is that they must find an allocation that protects privacy rights, or, at the very least, does not spectacularly and systematically fail to do so. This is where regulators draw a line and hold both controllers accountable for violations regardless of what their legal paperwork says.

What does this mean for web analytics?

The "Criteo doctrine" has many important consequences, some of which are difficult to foresee. When it comes to advertising and web analytics specifically, the doctrine means that providers should be much more concerned about the way their tools are used in practice, and take steps to combat abuse.

This is what regulators required from Criteo: the company was ordered to take steps to ensure valid consent was collected, rather than taking the customer’s pinky promise at face value. In other words, Criteo was required to audit its partners better than it already did (which is not a terribly high bar).

Auditing compliance sounds complicated and it usually is. But when it comes to cookie use, automated checks from the providers could weed out a lot of cookie violations. Surely automated checks would not spot all non-compliance, but they would still be a good start and show that providers are taking their responsibilities seriously.

On top of better auditing, providers would need to document user consent. This is harder than it sounds: documenting consent can be quite complicated, especially when the data flows are already up and running and handle enormous amounts of personal data.

But the general meaning behind Criteo matters more than the specific obligations imposed. Less-than-privacy-friendly providers such as Google Analytics and Meta would need to take steps to ensure that their services are not systematically abused (as is the case today). Should they fail to do so, consumers and privacy advocates would be able to hold them accountable by acting against them directly rather than being forced to play whack-a-mole against the entire Internet.
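The two previous paragraphs describe what a provider-side automated check and a consent record could look like without showing either. The following is an added illustration, not code from Simple Analytics, Criteo or any regulator: it parses the Set-Cookie headers captured during a page load, classifies each cookie by a purpose table the provider would publish, and flags every cookie written for a purpose the visitor has not consented to, attaching the digest of the consent record as evidence. The site name, cookie names, purpose table and the `ConsentRecord` shape are assumptions made for the example; the eTLD+1 logic is deliberately crude and a real check would use the Public Suffix List.

```python
# Added illustration (not Simple Analytics', Criteo's or any regulator's code):
# a pre-consent cookie audit plus a documented consent record. All inputs are
# constructed samples; cookie names and purposes are assumptions.
import hashlib
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

NECESSARY = "necessary"

# Assumed classification a provider would publish for the cookies it writes.
COOKIE_PURPOSES = {
    "session": NECESSARY,
    "csrf": NECESSARY,
    "_va": "analytics",      # constructed analytics cookie name
    "_adid": "advertising",  # constructed advertising cookie name
}


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence that a visitor granted specific purposes through a given banner."""
    visitor_token: str   # pseudonymous token, never the raw IP address
    purposes: frozenset  # purposes the visitor actually ticked
    banner_version: str  # which banner text/UI was shown
    timestamp: str       # ISO-8601 time of the consent action

    def digest(self) -> str:
        """Stable SHA-256 over canonical JSON, so the record can be logged and re-verified."""
        body = json.dumps({
            "visitor_token": self.visitor_token,
            "purposes": sorted(self.purposes),
            "banner_version": self.banner_version,
            "timestamp": self.timestamp,
        }, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode()).hexdigest()


def registrable_site(host: str) -> str:
    """Crude eTLD+1 (last two labels); production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, response_url: str) -> dict:
    """Extract name, effective domain and persistence from one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, persistent = None, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain":
            domain = value.lstrip(".").lower()
        elif key == "max-age":
            persistent = value.isdigit() and int(value) > 0
        elif key == "expires":
            persistent = True
    if domain is None:  # host-only cookie: domain defaults to the responding host
        domain = urlsplit(response_url).hostname.lower()
    return {"name": name, "domain": domain, "persistent": persistent}


def audit_cookies(site_url, responses, consent, purposes=COOKIE_PURPOSES):
    """Flag every cookie whose purpose the visitor has not (yet) consented to.

    responses: list of (url, [Set-Cookie header, ...]) observed during the page load.
    consent:   ConsentRecord, or None when the banner has not been answered yet.
    Unknown cookie names are reported as 'unclassified' rather than silently allowed.
    """
    granted = {NECESSARY} | (set(consent.purposes) if consent else set())
    site = registrable_site(urlsplit(site_url).hostname)
    findings = []
    for url, headers in responses:
        for header in headers:
            cookie = parse_set_cookie(header, url)
            purpose = purposes.get(cookie["name"], "unclassified")
            if purpose in granted:
                continue
            findings.append({
                "cookie": cookie["name"],
                "purpose": purpose,
                "third_party": registrable_site(cookie["domain"]) != site,
                "persistent": cookie["persistent"],
                "set_by": url,
                "consent_digest": consent.digest() if consent else None,
            })
    return findings


# Constructed page load of an assumed customer site, captured before any consent choice.
SAMPLE_RESPONSES = [
    ("https://shop.example/", [
        "session=abc; Path=/; HttpOnly; Secure",
        "_va=123; Domain=.shop.example; Max-Age=63072000",
    ]),
    ("https://ads.adtech-example.net/pixel", [
        "_adid=xyz; Domain=.adtech-example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; SameSite=None; Secure",
    ]),
]

if __name__ == "__main__":
    before = audit_cookies("https://shop.example/", SAMPLE_RESPONSES, None)
    record = ConsentRecord("tok-1", frozenset({"analytics"}), "banner-v3", "2024-02-06T10:00:00Z")
    after = audit_cookies("https://shop.example/", SAMPLE_RESPONSES, record)
    print([f["cookie"] for f in before])  # ['_va', '_adid']: both written before consent
    print([f["cookie"] for f in after])   # ['_adid']: advertising was never granted
```

Run against the constructed capture, the audit reports both the first-party analytics cookie and the third-party advertising cookie before any consent, and still reports the advertising cookie after the visitor consented to analytics only. The consent digest travels with each finding, which is the kind of documentation the paragraph above says providers would need; in practice the capture would come from a headless-browser crawl of the customer site rather than a hard-coded list.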

Final words

It is worth highlighting once again that the “Criteo doctrine” has been upheld by two regulators so far: the CNIL and the Dutch courts. It is yet to be seen if it will catch momentum.

It must also be noted that the doctrine is not without drawbacks. Tracking and documenting consent is not an easy task for a data controller, especially when the systems that process the data are already up and running. The doctrine would increase the compliance burden for many companies, including companies that are handling data in proper and non-invasive ways.

We believe the pros outweigh the cons. Outsourcing compliance to individual customers allows many privacy-invasive services to shield themselves behind their ToS or joint controllership agreements. The "Criteo doctrine" could be just the tool we need to hold them accountable as we fight for a better Internet.

We at Simple Analytics do not like tracking. We believe that it is unethical and invasive, and makes the Internet a worse place. This is why we created Simple Analytics: a 100% tracking-free web analytics service that does not collect a single bit of personal data! If this sounds good to you, feel free to give us a try!