Wednesday, December 7, 2022
HomeBelgiumBelgian Data Protection Authority: The Data Breach that Started with a Cookie

Belgian Data Protection Authority: The Data Breach that Started with a Cookie

Did you just click “no” on the “accept all cookies” pop-up that appears as soon as you enter a website? The Belgian Data Protection Authority found out that the rejection of cookies by individuals may not always be implemented, as what happened in a recent case.

What may come to mind when someone mentions cookies is the delicious traditional dessert from Antwerp. But in this case, it refers to the cookies on the website. These are the files that are created whenever a user visits a website. Just as traditional cookies leave crumbs, the same thing happens when someone uses the internet. With every cookie left on a website, information about the user is stored. This means that whatever users look at, click, or add to their shopping carts, and practically everything else done online can be tracked. It creates a profile of the consumer, which advertisers can use to improve their strategies.   

So, don’t be surprised if your feed is instantly filled with the product you just searched for.

Users do not necessarily need to accept all cookies when visiting websites, and some do just that. However, their decision to reject the cookies did not seem to have any bearing on their use. What they did not consent to was still happening.

Going Against Data Breach Started with a Complaint Filed in 2018 

Johnny Ryan shares that, “information about what everyone is watching, reading, listening to and where we are is being sent to thousands of companies without us having any control over what happens to that data. What they did as an industry was completely illegal, but they tried to hide it under cookie banners.” 

Ryan previously worked in the online advertising industry, but when he “saw the biggest data leak ever,” he had to put down his foot. He filed a complaint in 2018 regarding the unlawful practice of sending personal information of users to different businesses.

Dr. Johnny Ryan is now a senior fellow at the Irish Council for Civil Liberties.

His efforts were not put to naught as the Belgian Data Protection Authority recently released their decision regarding the case against the Interactive Advertising Bureau Europe (IAB Europe).  

The Belgian Data Protection Authority Finds IAB Europe Guilty of Breaking the Law

Because of what Ryan stood up against in 2018, a series of complaints against IAB Europe were collated and taken as one whole case by the Belgian Data Protection Authority. These complaints have been initiated as far back as 2019.

An investigation was started and, upon doing so, the Belgian Data Protection Authority found that some companies had installed cookies even if the users had not given their consent. 

How Did Companies Collect Personal Information?

The Transparency and Consent Framework (TCF) created by IAB Europe was established in 2018. The TCF was intended for anyone with a website who needed a “consent solution” that supposedly complies with regulations in Europe. A pop-up will automatically appear on the website to obtain consent from the users. Upon choosing what to consent to, a coded character string is created. Then, together with the information of the user, it will be sent to advertising technology companies. 

the Belgian Data Protection Authority has decided that the TCF is unlawful

However, the Belgian Data Protection Authority later determined that the TCF failed to comply with many of the articles stipulated in the EU General Data Protection Regulation (GDPR).

Because of this, the Belgian Data Protection Authority has decided to subject IAB Europe to a fine of €250,000. At the same time, the bureau was required to create an action plan. This should include revisions to their activities to ensure that they comply with the GDPR. Any improvements to the current framework must be implemented in the next two months. After that, another six months will be given so that websites can be changed in accordance with the law.

Additionally, any data that was collected through illegal means should be destroyed. This applies to information gathered since 2018 because that was the year that the EU GDPR went into effect.

Hielke Hijmans, the chair of the Belgian Data Protection Authority Disputes Committee, said that “this is an incredibly complex file that we had to investigate both technically and legally and we’ve received various analyses from different experts.”

As of the latest, IAB Europe plans to file an appeal of the decision made by the Belgian Data Protection Authority to the Belgian Market Court.

Given this situation, it might be a good question to ask if cookies should be accepted. There are both disadvantages and advantages to doing so. 

Why Should Individuals Accept Cookies?

Although it is not always the case, accepting cookies allows users to access the website. There are some websites that make accepting cookies a prerequisite for entering the page. 

Cookies can also provide a better experience for users since surfing the internet will become more personalized. This is because the content presented to a user will be more in line with what they’re interested in.

It may also offer convenience for users since information for log-ins, such as usernames and passwords, is stored. As such, they do not need to input this information over and over again on websites that they most commonly go to.

When Should Individuals Not Accept Cookies?

First, do not accept cookies if you visit an unencrypted website. Entering such websites means that your data is not protected. As a consequence, your personal information could be compromised since it makes it easier for hackers to access your cookies. They could then use your information to conduct fraudulent transactions or any of the like. 

To know if the website is secure, check the website’s uniform resource locator (URL), which should start with “https” instead of “http.” At the same time, there should also be a lock icon beside the URL. Having these features means that the data is encrypted. 

Look for these features on a website for your security.

Second, do not accept third-party cookies. These cookies are placed by domains different from the website you’re on. This means that your data can be accessed by any institution outside of the website that you’re visiting. Users have no control over who can gather their information since they can’t choose the third parties themselves in the first place.

Third, if your device is slowing down, it would be better to decline cookies. These cookies get stored in the browser and take up space on the device itself, which can affect its performance.

Fourth, do not accept cookies that are tagged as suspicious by antivirus software. The warning was most probably placed there for a reason. So, it would be prudent not to ignore it.                                                                                            

Lastly, do not accept cookies on websites where you have to input personally identifiable information. These pieces of information can fall into the wrong hands, which could put you at risk of losing much of your hard-earned money or even pose a danger to your safety as well.

Ultimately, it is up to the users to decide whether they should reject or accept cookies. But, make sure that you’re informed of what choosing either entails.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments