Introduction

The GDPR applies to any processing of personal data that falls within its scope, regardless of the technology or method used, and requires a lawful basis, such as consent, for such processing.The ePrivacy Directive complements the GDPR by providing specific rules for the use of electronic communications data, such as cookies and other tracking technologies, and requires prior informed consent from users, unless the use is strictly necessary for the provision of the service requested by the user or for certain limited exceptions.

However, some website operators and online service providers may seek to avoid or minimize the application of these legal frameworks by using anonymized cookies and other tracking technologies, which are supposed to remove or obscure any identifiers or attributes that could link the data to a specific individual. By doing so, a claim could be made that the data is no longer personal data and therefore not subject to the GDPR. Alternatively, features such as Google consent mode could be used. Said feature allows users to adjust how Google services use cookies and other tracking technologies based on the consent status of users, and to use anonymized or aggregated data for certain purposes, such as measurement and optimization. Nevertheless, are these approaches effective and compliant with the current EU legal framework? How anonymous are anonymized cookies and other tracking technologies, and what are the risks and challenges of using them? And what are the best practices for ensuring that data is fully anonymized and not subject to re-identification?

These are some of the questions that this article will briefly explore in the following sections.

Anonymized cookies and tracking technologies: how anonymous are they?

Anonymization is the process of irreversibly transforming personal data in such a way that the data subject is no longer identifiable, directly or indirectly, by anyone, including the data controller or processor, or by using additional information. Anonymization is not a binary concept, but rather a continuum that depends on the context, the techniques, and the safeguards applied. Anonymization can be achieved by various methods, such as encryption, hashing, aggregation, generalization, perturbation, or deletion¹. However, anonymization is not a simple or straightforward task, and it faces several technical and legal challenges.

First, anonymization techniques may not be sufficiently robust or effective to prevent re-identification, especially in the context of online tracking, where multiple sources and types of data can be combined, correlated, or inferred to reveal the identity or characteristics of individuals. For example, encryption or hashing may be reversible if the key or the algorithm is compromised or guessed, and aggregation or generalization may not eliminate unique or rare patterns or outliers. Moreover, anonymization techniques may not be future-proof, as new technologies, methods, or data sources may emerge that could enable re-identification.

Second, anonymization may not be consistent or compatible with the legal definitions and interpretations of personal data and anonymization under the GDPR and the ePrivacy Directive. According to the GDPR, personal data is any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. The GDPR also states that the possibility of identification should be assessed by taking into account all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. Therefore, the GDPR adopts a broad and dynamic concept of personal data and identification, which may include anonymized data if there is a reasonable likelihood of re-identification.

Similarly, the ePrivacy Directive defines electronic communications data as any data processed in an electronic communications network or service, such as traffic data, location data, or content data. The ePrivacy Directive also requires consent for the use of any information stored in or accessed from the terminal equipment of users, such as cookies and other tracking technologies, unless the use is strictly necessary for the provision of the service requested by the user or for certain limited exceptions. Therefore, the ePrivacy Directive applies to any information, regardless of whether it is personal data or not, that is used for tracking purposes, such as anonymized cookies and other tracking technologies.

Third, anonymization may not be aligned or compatible with the purposes and expectations of the data subjects and the data controllers or processors. Anonymization may not reflect the genuine choice or consent of the data subjects, who may not be fully informed or aware of the implications and consequences of anonymization, such as the loss of control, access, or rights over their data, or the potential for re-identification. Anonymization may also not reflect the legitimate interests or obligations of the data controllers or processors, who may have legal, contractual, or ethical reasons to retain, access, or use the personal data of the data subjects, such as for compliance, accountability, or quality purposes.

Therefore, anonymization is not a silver bullet or a one-size-fits-all solution for the privacy and data protection challenges posed by cookies and other tracking technologies. Anonymization requires a careful and contextual assessment of the risks and benefits, the techniques and safeguards, and the legal and ethical implications of the process, and it may not always be feasible, effective, or compliant with the EU privacy and data protection rules.

Last but not least, it should be noted that anonymization constitutes in itself a processing of personal data and is therefore subject to the rules of the GDPR. Specifically, before anonymizing data, a data controller should ensure that they have duly complied with the relevant set of obligations. These obligations include but are not limited to, having a legal basis for processing, informing the data subjects, and ensuring compliance with data protection principles and rights.

Where do we go from here?

Given the limitations and challenges of anonymization, what are the alternatives and best practices for the use of cookies and other tracking technologies in a privacy-friendly and compliant manner?

Here are some possible recommendations:

• Respect the choice and consent of the users. The use of cookies and other tracking technologies should be based on the prior informed consent of the users unless the use is strictly necessary for the provision of the service requested by the user or for certain limited exceptions. The consent should be freely given, specific, informed, and unambiguous, and the users should be able to withdraw or modify their consent at any time.
• Minimize the data collection and processing. The use of cookies and other tracking technologies should be limited to the minimum necessary for the intended purposes, and the data collected and processed should be relevant, adequate, and not excessive. The data should also be kept for the shortest possible period and deleted or anonymized when no longer needed.
• Implement data protection by design and by default. The use of cookies and other tracking technologies should be designed and implemented in a way that ensures the highest level of privacy and data protection for the users, and that complies with the principles and obligations of the GDPR and the ePrivacy Directive.
• Monitor and review the data collection and processing. The use of cookies and other tracking technologies should be subject to regular and effective monitoring and review, to ensure that the data collection and processing is consistent and compliant with the purposes and the consent of the users and that the data is accurate, secure, and up to date.

In summary, it is evident that anonymized cookies and other tracking technologies do not serve as a universal solution or circumvention tactic for the privacy and data protection concerns inherent in online tracking. The process of anonymization is multifaceted and contingent upon various factors, rendering it potentially impractical, inadequate, or non-compliant within the framework of EU regulations. Consequently, the deployment of anonymized cookies and similar tracking mechanisms necessitates a meticulous and contextual evaluation encompassing risk-benefit analyses, implementation methodologies, protective measures, and adherence to pertinent legal stipulations.

Pedro Marques Gaspar Manager (Digital Regulation)
[email protected]
PwC Spain, Madrid

1. A reference should be made to the Guide to Basic Anonymization issued by the Personal Data Protection Commission of Singapore, which was subsequently also published by the Spanish Data Protection Authority.