In October 2021, Poland’s data protection authority, the Urząd Ochrony Danych Osobowych, issued its first-ever view related to cookies in a decision (reference number ZSPR.440.331.2019. PR PAM) following a complaint from a data subject. Before this, neither rulings nor guidelines were published on the matter. Thus, every decision concerning this issue is eagerly anticipated in Poland.
The UODO stated the use of cookies involves the processing of personal data and ordered online media company Interia Group (the company name was disclosed in the Panoptykon Foundation article), which is one of the leading actors on the Polish internet media market — to duly explain to the data subject how cookies work on their website in the personal data context, and in particular describe how they are used to create a behavioral profile for marketing purposes. The reader who filed the complaint belongs to the Panoptykon Foundation, a Polish non-governmental organization focused on privacy issues. The complaint was made in the wider context of unlawful profiling practices on the internet.
While the decision was not published publicly by the UODO, we requested an access to its content based on the freedom of information act. It is available here (Polish only).
The background
In mid-2018, the data subject browsed Interia’s website. Her personal data was stored automatically in cookies for the purposes of enabling access to the website, fraud prevention, analytics and marketing.
In July 2018 the complainant requested a copy of her personal data and information on the data processing (i.e., to fulfil the information obligation) from the company. In particular, she requested information about profiling and automated decision-making after noticing advertisements based on information supposedly collected by Interia. From the complainant's perspective, the most significant information she was seeking was what marketing categories (behavioral profile) were assigned to her using cookies and what other information about her was combined with the processed data.
In response to her request, after confirming the data subject identity, receiving the declaration that she has not interfered with cookies and obtaining the information that she did not use any ad blocking software, Interia sent a variety of information regarding the processing. The response did not satisfy the complainant. Among other things, it did not include information about the behavioral profile and what was being done specifically with her personal data. The complainant repeated her request, but Interia’s second reply did not satisfy her either as it did not provide a complete answer. Thus, in January 2019, the reader complained to the DPA arguing that Interia did not provide her with all the requested data.
The DPA's reflections on the nature of a behavioral profile
After investigating the case from around mid-2019 until October 2021 and defining the problem, the UODO pointed out in its final decision that a behavioral profile is created by using the reader’s online behavior to tailor ads toward detected interests. The UODO explicitly stated that such collection of information about the user is “inextricably linked” to profiling, which is intended to tailor relevant ads to a specific person based on inferences made about that person.
The company has not fulfilled its obligation
The UODO shared the complainant's view that she had not been provided with a response that met the conditions of the EU General Data Protection Regulation. The DPA found that “the lack of a uniform, transparent and reliable position of the company as to the content of the personal data processed, in particular which marketing categories (behavioral profile) have been assigned on the basis of cookies and with which other information about a specific person the information resulting from these cookies has been combined, creates (…) uncertainty.” The UODO referred to the Court of Justice of the European Union’s judgment in Case C-673/17, which stated the information must be clear, understandable and sufficiently precise to allow an understanding of the cookies’ functions.
In particular, the UODO held it was the company's obligation to provide information on the marketing categories (behavioral profile) assigned to the complainant through cookies and what other data was combined with that information.
Conflicting testimonies
The UODO noted Interia explained during proceedings that it processes personal data in order to tailor the display of online ads. This is inconsistent with its claims that, at the same time, the cookies provided by the data subject (which she sent to prove Interia’s processing) do not indicate that Interia performs targeting activities with respect to the complainant. Interia seemed not to understand the details of the processing conducted through the website and finally took the position that it did not create a behavioral profile of the reader or qualify her for any segments, despite stating otherwise in its policy and in its responses to the complainant and the DPA.
The UODO saw a contradiction in the Interia’s statements. In the DPA’s view, the company's explanations that the personal data is used to create a behavioral profile to personalize ads obliges Interia to recognize that the processing of personal data alleged by the complainant exists, but Interia simply cannot “identify it unambiguously” (in other words, Interia itself has a problem reconstructing the process and compiling the information coherently). However, this does not release it from the obligation to provide information.
What information to provide and what it should clarify
Interia was therefore obliged to provide the complainant with information concerning the marketing categories (behavioral profile) assigned to her by using collected cookies. It was also required to provide what other information about her was combined with the information resulting from these cookies.
The UODO also described the standards that Interia’s explanation should meet: the information should accurately describe the behavioral profile created by Interia based on the data subject's online activity, specifically indicating the marketing categories assigned to her based on the cookies.
Moreover, the UODO stated that if Interia does not process personal data for the purpose of creating a behavioral profile, it should clearly inform the complainant of this fact. It should also indicate how the complainant's personal data — collected in the form of identifiers stored in the cookie technology — is processed in this case and what the processing of personal data for online advertising consists of.
What about other companies' cookies?
The UODO also noted that on Interia’s website, other organizations included their scripts in the website code. Since Interia allowed this to happen, it should point out the possibility of behavioral profiles being created by those entities. In other words, if the company allowed scripts that could be used to create behavioral profiles to be posted by other entities, it should explain to data subjects how this process works.
Conclusion
Data controllers should precisely and clearly explain every issue concerning technological matters. At the same time, according to the UODO, creating a behavioral profile of an internet user by collecting information about them inextricably involves the processing of personal data. The UODO’s decision confirmed information about "marketing categories" attributed on the basis of cookies, as well as information combined with data resulting from cookies, usually constitutes personal data and is subject to disclosure under Article 15 of the GDPR. This view aligns with the approach presented by other DPAs in Europe.
Photo by Clem Onojeghuo on Unsplash