12

Suppose Bob has a website that is really popular. Bob has promised users that he will never sell user data, but he never said that he wouldn't put a third party tracker in his website, and he also never said that these third party trackers wouldn't sell user data.

Alice paid Bob hundreds of millions of dollars to put her third party tracker in Bob's website. However, after some time, she noticed that the data collected by her tracker in Bob's website isn't good enough because most of Bob's website users deny cookies that aren't strictly necessary.

Alice told Bob about this and threatened to stop paying money if this problem is not fixed. In fear of losing money, Bob marked Alice's cookie as strictly necessary, even though Bob's website still works without it. Alice is now happy that the data generated by her tracker is very good.

Does Bob violate the law by marking Alice's tracker cookie as strictly necessary, even though Bob's website server doesn't use it?

Now suppose that the story was different. Suppose that Bob didn't just mark Alice's cookie as strictly necessary, but also made his website not work without it. Let's continue the story:

..... Alice told Bob about this and threaten to stop paying money if this problem is not fixed. In fear of losing money, he brainstormed an idea of how to make Alice's cookie part of his website in such a way that the website doesn't work without it. He then arrived at the following solution:

  1. Bob's server retrieves the tracker from Alice's server.
  2. Bob's server then puts the tracker in the user's webpage. Bob's server doesn't add additional data nor user data to the tracker, it simply puts the tracker exactly as retrieved from Alice's server.
  3. The tracker then connects and sends data to Alice's server. The data includes cookie data.
  4. Alice's server then sends the data to Bob's server (remember that Alice never said that she wouldn't sell data, only Bob said that!)
  5. Bob's server then attempts to retrieve the cookie from the data. If there is no cookie in the data, then the server will throw an error. If there is a cookie in the data, Bob's server will then use the cookie data as one of the parameters used by his website's content recommendation engine.

Now Bob's website doesn't work without Alice's tracker cookie. Bob knows very well that he can design his website content recommendation engine in such a way that it still works without Alice's cookie, but he included Alice's cookie anyway because it allows him to argue that his website doesn't work without it. Bob then marked Alice's cookie as strictly necessary in his website. Alice is now happy that the data generated by her tracker is very good.

Does Bob violate the law by marking Alice's tracker cookie as strictly necessary, even though Bob's website can be modified in such a way that it will work without Alice's cookie?

phoog
  • 42,299
  • 5
  • 91
  • 143
pi squared
  • 359
  • 3
  • 7

2 Answers2

32

Does Bob violate the law by marking Alice's tracker cookie as strictly necessary, even though Bob's website server don't use it ?

: YES, that's illegal.

Any cookie that is not fulfilling an absolute technical necessity, such as language choice, current shopping basket, and login data, is by definition not essential. A cookie can not become essential by complex architecture for any other reason than its core functionality in an abstract web page.

It is illegal to set a non-essential cookie without consent or even to have the default for such optional cookies checked. "Planet 49", EUGH, Az. C-673/17

Further, even a contract with the user (Terms of sevice) can not make a cookie essential - and using any data related to an ad-cookie falls under GDPR. "Meta/Facebook v. Bundeskartellamt", EUGH Az. C-252/21

He then arrived at the following solution [...]

: STILL Illegal and even more so.

Nothing made the cookie any more necessary. But by implementing it that way, we are almost exactly at what led to the Planet 49 and Facebook (2023) judgments above.

Trish
  • 50,532
  • 3
  • 101
  • 209
20

Scenario 1:

Bob marked Alice's cookie as strictly necessary, even though Bob's website still work without it.

Bob is breaking the law. Bob's lie that the cookie is strictly necessary does not make it strictly necessary.

Scenario 2:

Now Bob's website doesn't work without Alice's tracker cookie. Bob know very well that he can design his website content recommendation engine in such a way that it still work without Alice's cookie, but he included Alice's cookie to it anyway because it allows him to argue that his website doesn't work without it.

Bob is breaking the law. You state that Bob can (and did) design his website so that it works without Alice's marketing cookie. Also, there must be a clear link between the cookie and the service explicitly requested by the visitor. There's no clear link between what the visitor wants and third party Alice's marketing cookie. This cookie is not strictly necessary.

Lag
  • 20,104
  • 2
  • 46
  • 76