Every click you make; they’ll be watching you!

By Paula Carney-Hoffler

If you are anything like me, you may find yourself receiving a lot of newsletter subscriptions or marketing communications, whether you signed up to them or not. There is nothing quite like keeping up to date with the happenings in the world, but are your behaviours being monitored without your knowledge or permission?

A while back, I received an email from a well-known Irish brand, which stated the following, “Since you haven’t opened our emails in a while”. I was quite taken aback by this comment, and to a certain extent it felt very intrusive and pretty creepy. Was this company monitoring what I read? I don’t remember consenting to this. I consented to receive marketing, but not to be tracked!

So, scratching the itch, I ventured a look at their Privacy Statement, where it stated that they were using Click Through Technology (CTR/CTOR), also known as “did they read it” or, to use a more nefarious description, “spy cookies”, to monitor subscriber behaviours and interests. Now, we are all aware of e-Privacy Regulations, where the deployment of non-essential cookies and tracking technology requires the consent of the data subject. Knowing if someone reads a specific article or if they opened an email really does not meet the strictly necessary or communications requirement. Their Privacy Statement advised that I could revoke my consent for these cookies; however, their CMP did not provide a way to object to tracking in emails. My only option was to unsubscribe from the service completely.

So, let’s look at the issues of using Click Through technology and what it means in the context of data protection, starting with the e-Privacy Regulations, specifically Regulation 5(3) of S.I. No. 336/2011:

“(3) A person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless
(a) the subscriber or user has given his or her consent to that use, and
(b) the subscriber or user has been provided with clear and comprehensive information in accordance with the Data Protection Acts which—
(i) is both prominently displayed and easily accessible, and
(ii) includes, without limitation, the purposes of the processing of the information.

(4) For the purpose of paragraph (3), the methods of providing information and giving consent should be as user-friendly as possible. Where it is technically possible and effective, having regard to the relevant provisions of the Data Protection Acts, the user’s consent to the storing of information or to gaining access to information already stored may be given by the use of appropriate browser settings or other technological application by means of which the user can be considered to have given his or her consent.

(5) Paragraph (3) does not prevent any technical storage of, or access to, information for the sole purpose of carrying out the transmission of a communication over an electronic communications network or which is strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

The above establishes the requirement to obtain consent from the data subject for the processing activity of tracking. Where data is transferred directly from the terminal equipment of the device, the user must provide their consent, and this must be achieved in compliance with Article 7 of the GDPR [“conditions for consent”].

To add further injury, failure to comply with these consent requirements impacts the lawfulness principle under Article 5(1) of the GDPR, preventing any further processing of the personal data obtained from the device, because a breach of Article 5(1) puts a pause on your processing. In general, you need to ensure that consent is valid, unambiguous, and recorded.

You might remember the Planet49 case and the judgement passed down from the Court of Justice of the European Union [“CJEU”], in particular where they highlighted Recital 32 of the GDPR. So, in essence, just because a subscriber consents to receiving a newsletter, it does not necessarily mean they have consented to tracking and profiling (multiple purposes), even if it’s alluded to in the Privacy Statement of the organisation.

Scratching the itch further, I ventured on and found an interesting opinion piece by Peter Schaar, Chairman of the Data Protection Working Party (WP29), which was written in 2006, focusing on the privacy issues related to the provision of email screening services, also known as “Did they read it”. Mr Schaar states the following: “In order to carry out the data processing activity consisting in retrieving from the recipient of an email where the recipient has read it and when and whether it has forwarded to third parties, unambiguous consent from the recipient of the email is necessary. No other legal grounds justify this processing. Therefore, the data processing that is performed secretly is contradictory to the data protection principles requiring unambiguously given consent, laid down by Article 7 of the Data Protection Directive”.

There has also been comprehensive guidance provided by the Data Protection Commission on Cookies and Tracking Technology, which is well worth reviewing again.

So, in summary, is Consent the only lawful purpose available for the use of CTR technology (“Did they Read it”) under data protection laws? The simple answer is yes, and as defined in the GDPR Article 4(11), it will be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Let’s just hope that providers of email services consider the above requirements and develop simplified tools which will enable the process of valid consent collection. It appears that the current option from the majority of these services is just to switch the trackers off. So maybe it’s worth checking with your marketing department to see if your company is sending communications with these trackers enabled. If yes, then you may want to check if consent has been obtained.
