Data brokers: Identification possible to sell ads, not to exercise fundamental rights

28 February 2023
Person wears name tag with "cookie-ID" printed on it

Data brokers: Identification possible to sell ads, not to exercise fundamental rights

Today, noyb filed a series of complaints against websites and data brokers that did not correctly address access requests using cookies as an authentication factor. The companies had shown obstructive approaches when authenticating users; ranging from denying the right to access, to requiring additional information, unnecessary to authenticate the user.

Exercising fundamental rights via cookie-based authentication. Tracking cookies are used to identify, profile and target a user with personalized ads. Therefore, cookie data can also be used to identify and authenticate users exercising their GDPR rights. At least in theory. In order to test how cookie based authentication is handled by the industry, users made a number of access requests based on cookie data in a noyb project.

Failure to respond to access request. In order to obtain the information gathered on them, the users attached the cookies placed by the websites to their access request as a means of identification. However, many websites and the data brokers did not answer the access request sufficiently. Instead, they either asked for other forms of identification (such as additional personal details) or ignored the request altogether. noyb therefore filed several complaints against the relevant controllers due to their failure to respond to the access requests and adhere to the principle of data minimization.

Stefano Rossetti, data protection lawyer at noyb: “The idea behind these complaints is simple: if a company can use a cookie to track, profile and send me targeted advertising, why should I not be able to use that very same cookie to exercise my GDPR right?”

EDPB Guidelines on Cookies Based Authentication. The authentication of users via cookies is not only technically possible but also recommended by recent EDPB guidelines according to which, data brokers must implement appropriate procedures that allow users to make an access request with the data that is linked to unique identifiers (like cookies). In light of the principle of data minimization, users therefore have the right to authenticate their identity via data already generated on them and can’t be forced to provide additional personal information.

Contradictory abilities of data brokers. While websites and data brokers identify users for targeted advertising via cookies, they refuse to identify users by the same means, once these make use of their fundamental right to access under Art. 15 GDPR.

Stefano Rossetti, data protection lawyer at noyb: “These complaints open the new litigation series dedicated to digital identity and the possibility of using a tracking tool, in this case a cookie, to exercise GDPR rights.”