CJEU: cookie-based analytics collects sensitive data


Published on Aug 9, 2023 by Carlo Cilento

The big fines against Meta made the news lately but one decision flew under the radar: the Bundeskartellamt ruling of the EU Court of Justice.

That is a shame because the ruling is dynamite. It throws a wrench into Meta’s compliance strategy, calls the company’s entire business model into question, and could create a world of problems for Big Tech in the long run by allowing competition authorities to look at market abuses.

Last but not least, the ruling clarifies that analytics cookies can, and often do, collect sensitive data (guess who has been saying this all along?).

There is a lot to say about this decision, so we will break the analysis into two parts. This blog analyzes what the ruling says about sensitive data and what it means in the larger picture. The second blog focuses on the rest of the decision and explains how it could have a huge impact on both Meta’s business model and Big Tech in general.

Let’s dive in: here is what the Bundeskartellamt ruling is about, what it means, and why it could be a game changer!

  1. What is the case about?
  2. What does the ruling say?
  3. What does the ruling say about sensitive data?
  4. Is that surprising?
  5. What does this mean for cookie-based analytics?
  6. Conclusions

What is the case about?

The Bundeskartellamt case sits in between data protection law and antitrust law. In 2019 the German competition authority (Bundeskartellamt) found that Meta was abusing its dominant position on the social media market. In order to correct this abuse, the authority ordered the company to change its Terms of Service and privacy policies for German users.

In a nutshell, the authority held that Meta could not process off-Facebook data (that is, data collected on other websites through Facebook cookies and other trackers) without the user’s consent. It also questioned Meta’s legal bases for serving personalized advertising to Facebook users.

Meta did what Big Tech always does and challenged the decision all the way. This strategy backfired horribly and led to an even worse ruling from the EU Court of Justice (CJEU) on July 4.

What does the ruling say?

There is a lot to be analyzed in Bundeskartellamt, but here are some of the main points:

  • web analytics cookies can collect sensitive data
  • a competition authority can take GDPR violations into account when assessing the abuse of a dominant position
  • Facebook cannot provide targeted advertising without consent

To be clear: the CJEU does not exactly “decide” cases, but rather clarifies the interpretation of the law. So, when we say that “the Court found that Facebook cannot provide targeted advertising without consent”, what we mean is that the CJEU confirmed an interpretation of the GDPR, under which Facebook does, in all likelihood, process sensitive data. Whether that is ultimately the case is up to the German Court to decide based on the facts of the case. But when it comes to the meaning of the law, the German Court is bound by the ruling of the CJEU.

With that out of the way, let’s see what the CJEU said about sensitive data and why it is such a big deal.

What does the ruling say about sensitive data?

Meta not only tracks Facebook users on its own social network. It also uses cookies, APIs, and other tools to track the user’s browsing behavior and app use outside the platform. In Bundeskartellamt the Court found that these trackers collect sensitive data when someone visits certain websites or uses certain apps (for instance, gay dating apps).

Two very important things need to be noted. First: these trackers work just like any cookies used in web marketing and analytics. So, by extension, the rationale behind the ruling applies to any cookie-based analytics service (including the biggest player, Google Analytics).

Second: the Court very clearly specified that a data set needs to be treated as sensitive data when it contains any sensitive data. If you have one thousand daily visitors, and only one of them is googling the side effects of their medication, then all the data must be treated as sensitive.

Bottom line, web analytics and marketing cookies collect sensitive data, and they do so very, very often.

This is not a hypothesis but rather a logical consequence of Bundeskartellamt. It is only a matter of time before a Court or a privacy authority makes this point when dealing with Google Analytics or other cookie-based analytics providers.

Is that surprising?

Not at all. This decision is a consequence of an older ruling that we already analyzed in depth, and even back then, we saw this coming.

Here are the legal issues at stake. The GDPR treats some special categories of data as sensitive data. These include information such as your sexual orientation, your religious and political affiliations, data about your health, and so on. Sensitive data are a lot of trouble if they are misused or fall into the wrong hands, so the requirements for processing sensitive data are more stringent than the ones for processing common personal data.

We used to think of these special categories of data as a set of labeled boxes. There was a box for sexual orientation, one for religious beliefs, one for ethnic origin, and so on. Everything inside the boxes was sensitive data, everything outside the boxes was not. There were some unclear cases but for the most part, that was it.

But here's the catch: what happens when you can use the data outside the box to figure out what is inside? Does this make the data outside the box sensitive data as well?

Last year the Court answered “yes” and opened Pandora’s box.

Bundeskartellamt is the logical consequence of that precedent. The GDPR does not say that your browsing history and app usage are sensitive data, but you can make a lot of inferences about someone based on their browsing history, and a portion of those inferences often relate to sensitive data. So, you need to treat all that data as sensitive data.

What does this mean for cookie-based analytics?

In a word, it means trouble. Sensitive data are regulated very strictly. If you use cookie-based analytics, then you must comply with all the rules for processing sensitive data, which is not easy.

For instance, sensitive data can only be processed in specific cases under the GDPR. For web analytics, the only plausible scenario is when explicit consent is given. How would that work in practice?

Well, the online advertising industry struggles even with collecting “basic”, non-explicit consent under the GDPR. Countless websites extort consent through deceptive cookie banners even though this is not compliant. There is no way the current online advertising environment would be able to meet the higher bar for explicit consent.

Explicit consent is not the only issue. Article 35 GDPR requires a data protection impact assessment (DPIA) in certain risky processing scenarios, which include the large-scale processing of sensitive data. It is not 100% clear what large-scale means, but it is not a stretch to think that this rule would apply to many websites using cookie-based analytics, and it would definitely apply to larger websites.

In practical terms, these websites would need to explain in their paperwork how collecting a ton of sensitive data from visitors, and feeding it to the privacy dumpster fire that is the online advertising ecosystem, is a good idea and does not entail intolerable and vastly disproportionate privacy risks. On top of assessing risks, they also need to explain how they plan on mitigating them.

Good luck with that.

Overall, Bundeskartellamt will surely become a very serious problem for websites which are related to sensitive topics, and for third-party cookies in general.

Speaking of which, the Norwegian data protection authority has some interesting advice on web analytics (please note that we are using a machine translation for the Norwegian text):

[Screenshot: machine-translated advice on web analytics from the Norwegian data protection authority]

Norway is not an EU Member State but it is a Member of the EEA. So the GDPR applies integrally and the authority is thinking of European law here, not Norwegian law! And it is probably no coincidence that this advice was published shortly after Bundeskartellamt.

This does not mean that other European authorities necessarily agree with this, but we are not alone in believing that cookie-based analytics has a serious compliance problem with sensitive data.

Conclusions

Bundeskartellamt is not exactly a revelation. Privacy advocates have been raising awareness over the risks of tracking technologies for years now. We knew long before the ruling that cookie-based advertising is dangerous and extremely invasive of individual privacy.

But stating the obvious is important because many organizations systematically downplay the risks of tracking.

Google and many other providers need to pitch the product, so they try their best to sweep the privacy issues under the carpet. They play the rhetorical card of user control over the data while knowing that this semblance of control is nothing but a farce.

Customers of these companies buy into the narrative and don’t think too hard about the privacy implications of the tools they use. After all, cookie-based analytics is standard practice by now. Everyone has been doing it for years, so it can’t be that bad!

But it is that bad, and Bundeskartellamt proves beyond doubt that the current practices in web analytics and marketing are neither GDPR compliant nor sustainable long-term.

All in all, this would be a great time to ditch cookies altogether. Web analytics without cookies is entirely possible, and it’s exactly what we do.

We built Simple Analytics to provide companies with all the insight they need, without collecting personal data at all! Privacy is the cornerstone of Simple Analytics. We don’t use cookies, fingerprint, or track users in any way. If this sounds good, feel free to give us a try!