Web trackers, sophisticated pieces of code embedded within websites, diligently monitor and record our online activities. They track clicks, analyze browsing patterns and compile vast amounts of data on personal preferences and interests. These intricate mechanisms silently observe our every move on the internet, collecting valuable data for website owners. Think of them as digital detectives, quietly piecing together a puzzle of valuable insights.
The popularity and necessity of web trackers for website owners cannot be denied. They provide invaluable information about user behavior, demographics and popularity of specific pages. This data helps optimize website performance and tailor content to enhance user experience. However, concerns over privacy rights loom large in this landscape.
To address these concerns, various countries have enacted data privacy laws.
-The Digital Personal Data Protection Act 2023 is India’s first comprehensive data protection law which mandates that personal data can be processed only based on the customer’s Consent. This Consent must be clear, explicit and specific, with local language options. And if the consent is withdrawn, Personal data cannot be processed.
-The General Data Protection Regulation (GDPR), implemented by the European Union, is one of the most comprehensive regulations worldwide. It imposes strict rules on user consent, data processing and transparency. Website owners must obtain explicit consent before deploying web trackers and individuals have the right to access and control their personal data.
-In the United States, the California Consumer Privacy Act (CCPA) grants specific rights to California residents regarding their personal information. It requires businesses to disclose the categories of personal data collected and gives individuals the right to opt-out of its sale. Compliance with these regulations is crucial for website owners utilizing web trackers.
Enforcement actions by regulatory bodies highlight the seriousness of non-compliance. The Federal Trade Commission (FTC) has recently taken action against telehealth firms for their use of web trackers, citing violations of the FTC Act and potentially the FTC Health Breach Notification Rule. The FTC’s Health Breach Notification Rule further emphasizes the importance of adhering to web tracker regulations.
The Department of Health and Human Services Office for Civil Rights (HHS OCR) is also investigating web tracker cases for potential violations of the Health Insurance Portability and Accountability Act (HIPAA). This demonstrates a focus on protecting the privacy and security of personal health information in the context of web tracking practices.
While web trackers are not explicitly banned in any country, their usage and regulations differ. Stricter laws in some countries aim to protect user privacy, while others may have more relaxed approaches. Telehealth firms and other entities must navigate these legal norms to ensure compliance.
The penalties for non-compliance can be significant. Under the DPDP Act the penalty for non-compliance is up to 50 crore for each. Under the GDPR, regulatory authorities can impose fines of up to €20 million or 4% of global annual turnover for violations. The CCPA allows individuals to bring private lawsuits, with penalties ranging from $100 to $750 per consumer, per incident.
Recently the French data privacy regulator CNIL imposed record fines of €150 million on Google and €60 million on Facebook for making it overly difficult for internet users in France to reject cookies. Cookies are small text files used to track online activity for advertising purposes.
Under EU data protection rules, internet users must give prior consent before cookies can be dropped on their devices. CNIL said Google, Facebook, and YouTube’s systems make accepting cookies simpler than rejecting them.
As CNIL’s head of data protection Karin Kiefer stated, “When you accept cookies, it’s done in just one click. Rejecting cookies should be as easy as accepting them.” On the facebook.com, google.fr and youtube.com websites, several more clicks are required to refuse all cookies versus a single click to accept them.
Obtaining proper consent for cookies is a top priority for CNIL in enforcing privacy rights. The fines on Google and Facebook represent the regulator’s strictest action yet to ensure internet users can easily control cookie tracking.
In this intricate web of web trackers, navigating the legal landscape is paramount. Awareness of data privacy laws and compliance with web tracker regulations are essential for businesses and individuals alike. As the digital realm evolves, it is crucial to stay informed and adapt to the changing requirements to safeguard privacy rights and protect personal data.
Khushbu Jain is a practicing advocate in the Supreme Court and founding partner of the law firm, Ark Legal.