Cookies Archives - IPOsgoode /osgoode/iposgoode/tag/cookies/ An Authoritive Leader in IP Mon, 13 Mar 2023 16:00:00 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 How Much is Your Personal Information Worth? And What Will It Be Worth in the Future? /osgoode/iposgoode/2023/03/13/how-much-is-your-personal-information-worth-and-what-will-it-be-worth-in-the-future/ Mon, 13 Mar 2023 16:00:00 +0000 https://www.iposgoode.ca/?p=40664 The post How Much is Your Personal Information Worth? And What Will It Be Worth in the Future? appeared first on IPOsgoode.

]]>

Nikita Munjal is a 3L JD/MBA Candidate at Osgoode Hall Law School. This article was written as a requirement for Prof. Pina D’Agostino’s IP Intensive Program.


Using the Internet inevitably requires consenting to have your personal information used, collected, and disclosed by the websites you visit. A common reason for individuals, corporations, and non-profit organizations to collect your personal information is to influence your behaviour online, from your to your . One of the most effective ways to influence consumer behaviour online is through targeted advertising.

Value for Advertisers

Access to personal information has become necessary for advertisers to convert potential leads into customers. Think back to 2012, for example, when a suggested that a statistician working at Target predicted a teenage girl’s pregnancy based on her shopping habits. What did Target do with this information? It mailed her coupons for baby clothes and cribs.

that the value of your personal information to advertisers depends on various factors. Factors influencing value include your gender, race, and sensitivity of the information (that is, cost more than ). If, for example, the target audience for a new sneaker launch is young males of middle eastern origin, the spent to acquire your personal information is a minor investment to incur to influence you to purchase $180 sneakers.

Value for Users

Traditionally, users have valued the ability to share their personal information while using online services, like search engines or social media platforms, citing their .

However, increasingly, . This trend has mobilized startups in Silicon Valley to appeal to privacy-conscious users by providing them an incentive to share their personal information. Known as paid-to-surf models, companies in this space require their users to install browser extensions to track their browsing.

What monetary value do some privacy-conscious users demand to share their personal information? $20 a month for users of . Others are . While these paid-to-surf models have the potential to be disruptive, they are not yet a viable alternative, as users must surf a certain amount before they can cash out.

Value Going Forward

The tech industry has built empires based on collecting, using, and selling its users’ personal information to third-party advertisers. Surprisingly, some factions of the tech industry are modifying their business models to limit the tracking of personal information. Apple, for example, introduced a new iOS in 2021, s. Similarly, on its Chrome browser is estimated to impact millions of advertisers.

Apple and Google argue that these changes are necessary to respond to increasing and customer sensitivity to sharing personal information (the IPilogue has documented increased regulation in the and ). However, , including , lament that the changes are veiled anti-competitive practices.

Interestingly, increasing barriers to the online advertising ecosystem may benefit users. If access to personal information becomes impeded, interested parties may need to incentivize users to share their personal information, increasing users’ bargaining power. Although it is unclear what effect Apple and Google’s changes will have on the ecosystem, I am hopeful that users can leverage more control over their personal information for fair compensation by technology companies or advertisers for their valuable commodity.

The post How Much is Your Personal Information Worth? And What Will It Be Worth in the Future? appeared first on IPOsgoode.

]]>
Guidelines for the Implementation of GDPR-Compliant Cookie Notices /osgoode/iposgoode/2021/02/26/guidelines-for-the-implementation-of-gdpr-compliant-cookie-notices/ Fri, 26 Feb 2021 17:00:42 +0000 https://www.iposgoode.ca/?p=36655 The post Guidelines for the Implementation of GDPR-Compliant Cookie Notices appeared first on IPOsgoode.

]]>
This comment investigates how legal requirements for consent are implicated in the deployment of internet browser cookies, with a focus on the European Union’s (EU) (GDPR). Non-EU companies should also take note, not only because the GDPR protects EU citizen data regardless of whether or not the processing takes place in the EU (art 3(1), but because the GDPR’s rules for consent and other data privacy issues will .

CONSENT LAWS

Consent is an integral part of the EU’s approach to data privacy. The concept was codified in the GDPR to mean “”(art 4(11)).

The application of GDPR consent requirements to online cookie notices has been nebulous since the law came into force. A found that the overwhelming majority of cookie notices in the EU are not GDPR-compliant. As enforcement ramps up, companies risk steep fines for non-compliance: is the imposition of a fine of “1% of annual turnover” for a company that failed to satisfy the Belgian Data Protection Authority’s cookie rules.

Guidance on the interpretation of cookie consent rules was provided by the Court of Justice of the European Union (CJEU) in the case, which involved the collection of personal information, through cookies, by an online lottery provider. The CJEU answered several questions (covered in Section III) while among member states (this was so advocated due to the issues created by divergent transposition and implementation of pre-GDPR Directives across the EU).

The European Data Protection Board (EDPB) recently incorporated the Planet49 ruling into a . The key requirements for valid consent, as they relate to cookie notices, are the subject of the next section.

PRACTICAL RECOMMENDATIONS

In light of the GDPR, the Planet49 decision, and the recent guideline, the following consent acquisition practices should be adopted for data controllers employing cookie notices. Consent should be:

a) Freely given

A user’s access to services and functionalities on the user’s consent to information storage or access on their terminal equipment (at para 39). In other words, “cookie walls” are an invalid form of consent. While it is acceptable to restrict certain functionalities if the user does not consent, to the site must not be made conditional on cookie acceptance.

b) Specific

Data controllers should provide information about each cookie type (e.g., “marketing” or “statistics”) and allow subjects to choose which cookies to accept. Apart from essential cookies, without which provision of “general access” to the site is impossible, subjects should be allowed to reject other categories of cookies (arts 5(1)(b), 6(1)(a).

c) Informed

The data subject should be given, at a minimum, the : the controller’s identity; the purposes of each of the processing operations for which consent is being sought; the type of data that will be collected; and the existence of the right to withdraw consent (arts 5, 7(2)). This information should be provided in to facilitate comprehension by laypeople (at para 67). It is insufficient to embed a consent request within a paragraph of the website’s terms of service (i.e., the consent request must be clearly distinguishable from other matters) (at para 71).

d) Unambiguous

are insufficient for showing consent, as are the mere acts of scrolling or swiping on a webpage (at paras 79, 81). to cookie use can only be shown through the provision of an unticked box that the user must actively select (art 4(11)).

e) Revocable

must be as easy to withdraw as it is to give. Data controllers could include a withdrawal option, either on a separate webpage or embedded within the site’s privacy policy. This function could also display the user’s current status (e.g., “allow only essential cookies” or “block all cookies”) (art 7(3).

f) Demonstrable

The burden of proof is on the data controller to show that valid consent was obtained. It is recommended that data controllers store and log all consents in the form of information on the browsing session in which consent was obtained along with a copy of the information presented to the data subject at the time of consent (art 7(1)).

g) Obtained prior to data processing

The words “has given” in of the GDPR imply that prior consent is a prerequisite to the lawful processing of personal data. Therefore, all non-essential cookies should be blocked until the user consents to their deployment.

Written by Daniel Joseph, Osgoode JD Candidate, enrolled in Professors D’Agostino and Vaver 2020/2021 IP & Technology Law Intensive Program at Osgoode Hall Law School. As part of the course requirements, students were asked to write a blog on a topic of their choice.

The post Guidelines for the Implementation of GDPR-Compliant Cookie Notices appeared first on IPOsgoode.

]]>