What happens to your data when you accept cookies? (1)
By Alicia Hegar, Óscar F. Civieta: Do you know what happens to your data after clicking 'accept cookies'? We analyze the main companies -located around the world- that manage the data collected on some of the most read websites in Spain.
Something has changed in the way we browse the Internet. At the beginning of 2024, the pop-up window that invited us to click on "accept cookies", and which had become customary, began to include a second option. Since then, we can reject them. Before too, it was another story to discover how.
The change occurs because the Spanish Data Protection Agency (AEPD) gave until January 11, 2024 for the websites to follow the European guidelines. The EU ruled in 2022 that the option to reject cookies - the data files that a website collects every time it receives a visit - must be just as visible as the option to accept them. But there was a trick: Brussels also gave the possibility that rejecting them would have an economic cost.
Since then, digital newspapers throughout Europe cover their pages so that people who do not subscribe to the medium cannot even see the headlines on the front page, since they are hidden under a pop-up window. What's more, in some cases – when the medium works with subscriptions – it is possible that, even if you give your consent to assign cookies (that is, paying with your data), you will not be able to read all the articles.
Choosing when faced with this dilemma is complex, especially because in those same pop-up windows it is specified that the data is shared with the "partners" of the medium. And these are counted in the hundreds. Therefore, after looking at an immense list, more and more people click the "accept" button with resignation. At La Marea we wanted to find out what personal data we are transferring every time we accept cookies, who is collecting it and for what purpose. To do this, we have analyzed the cookie configuration of the 10 most read digital newspapers in Spain, which add millions of readers every day, and also their partner lists. The journey, we warn, has been opaque and changing.
We get on the train
In reality, as soon as we accept cookies, we are getting on hundreds of trains with a single ticket. Each medium has around 800 partners who collect these cookies. In February 2024, when we started the report, we found a total of 1,062 different associated companies. Many of them were constantly repeated. Specifically, there were 328 that appeared in the 10 lists analyzed. During the investigation, we have verified that these partners – also known as vendors – can change in very short periods of time, especially on websites that are supported by advertising, as Adrianus Warmenhoven, cybersecurity expert and spokesperson for the NordVPN company, explains: « “Websites that rely heavily on advertising revenue may often update their partnerships with ad networks and data brokers.”
The media, argues a data protection expert who prefers to remain anonymous, have the option of selecting the companies that will receive the cookies that their readers consent to. However, it is common for them to choose to incorporate complete lists, although then they only work effectively with some of them.
An example of this is what happens in elDiario.es, the only digital one of the ten most read that has responded to the questionnaire sent by La Marea. Last February it had 797 associated companies, those of "the list of partners incorporated by default by our cookie consent provider (the most used in the Spanish media, Didomi)." This newspaper, one of the few that practices transparency and, among others, publishes its sources of income every year, confirmed that it only works directly with 10 or 20 of those partners, "but each of them does it in turn." with other technologies, with which we must also connect indirectly. And, logically, the law requires that all of them be reported.
The response is similar to that of the director of a local newspaper consulted, not being aware that his media had more than 200 associated companies. At the time, the programming manager signed up for the Google advertising service, and from there the rest of the companies joined in. In principle, all of them can receive cookies from their readers, if they accept them to read the articles.
It is true that users have the option to select which companies on the list obtain their information. You can also do it by discarding partners by blocks, through the purposes or purposes. For example, reject all companies that collect declarative or navigation and interaction data. The media have been progressively incorporating this option, but it is still difficult to find it on the websites, although in reality it is the only feasible way to reject cookies, since the large number of partners that each media usually has makes it extremely difficult for a user to go one one deciding with whom they want (or not) to share their privacy.
Main destination: USA
Our trip is international. The main offices of the partners present in the 10 media analyzed are spread throughout the world. The United States is the favorite destination for our cookies, but they also travel, among other destinations, to China or the United Arab Emirates.
Samuel Parra, a technology law lawyer, warns that the main risk of this trip through different countries "is that the protection and containment measures regarding privacy are weaker (or non-existent) than those we have in Europe and that translates into "uncontrolled marketing of our information, even for directly illicit purposes."
Arriving at the first stop, let's stop for a moment to analyze where we are. The country changes, but the seasons are similar. The majority of associated companies, sometimes with names and definitions that are difficult to decipher, work in the online advertising and marketing sector. Although there are those dedicated to organizing sporting events or selling apartments, to betting sites, carrying out market research or publishing weather information.
Many are sold to potential clients highlighting the size of their database and the ability they have to deliver advertising to millions of people individually. Thus, Zeotap, for example, boasts of having a database made up of more than 500 million IDs. User identifiers that are also classified into hundreds of categories according to their tastes and lifestyle, as we see on their website.
This does not imply that Zeotap offers all these IDs to its clients. "What it is saying is that it has a great capacity for data collection and analysis and, therefore, a very high reliability in profiling users, which translates, for example, into better segmented advertising," clarifies Parra. .
Zeotap also ensures that 100% of the data it offers is consented data. Here it is worth asking if, when the alternative is to pay and, furthermore, the information about what is accepted is unclear or insufficient, giving our data is a consensual act.
Speaking in terms of millions is not atypical in the industry. Yoc, another of the partners, boasts of having a single market from which “hundreds of millions of users” can be accessed. Zeta Global mentions a database of 200 million users in Europe. And at Pixalate, they themselves claim to monitor more than 5 million apps, 80 million domains and more than 300 million OTT devices. The latter are all devices other than computers and mobile phones that are used to watch videos, such as smart televisions or video game consoles.
Source: https://www.lamarea.com/2024/06/04/investigacion-que-sucede-con-tus-datos-when-le-das-a-aceptar-cookies-1/
No comments:
Post a Comment