Publication date: February 17, 2025
Tracking users online is a complex process of collecting and analyzing data about Internet users’ online activities. This includes monitoring websites visited, interactions with content, search terms, and other actions taken online. The main goal of this process is to create detailed user profiles that allow for content personalization, precise advertising targeting, and in-depth analysis of consumer behavior. Online tracking methods are based on many techniques, such as:
a/ Cookies: These are small text files saved on users’ devices when they visit a website. They make it possible to remember preferences and to track movement between websites. Using this type of file allows the website to maintain the user’s session after logging in, so that the user does not have to re-enter their login and password on each subpage. The types of cookies currently used are temporary files and permanent files. Temporary files are stored until the page is closed, and permanent files are stored for a period of time specified by a parameter contained in the “cookie” file. Currently, web browsers include an option that allows the user to clear cookies.
b/ Browser fingerprinting: This is a technique that involves collecting detailed information about the configuration of the user’s browser and device in order to identify it. This data includes, among others, the browser version, operating system, installed plug-ins, language settings, screen resolution and time zone. Based on this information, a “browser fingerprint” is created, which allows tracking the user’s activity on the network without using cookies. This technique is mainly used for marketing purposes, but it is controversial because it allows tracking users without their consent and knowledge. Some web browsers have built-in mechanisms to protect against this type of tracking.
c/ Tracking pixels: a small image or piece of code, invisible to the user, embedded in the content of a visited page or email, which, when loaded, sends information about user activity to an external server.
d/ Third-Party Scripts: Code snippets embedded in web pages from third-party service providers, such as ad networks. These scripts may collect user behavior data and send it to third parties.
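As an added illustration of techniques a/, c/ and d/ from the auditing side (not part of the original article), the Python code below classifies a Set-Cookie header as temporary or permanent by its Expires/Max-Age parameter and scans a page's HTML for likely tracking pixels and third-party scripts. The hosts, cookie names and sample page are constructed, and treating 0/1-pixel or hidden images as pixels is an assumed heuristic.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

def cookie_lifetimes(set_cookie_header):
    """Map each cookie name to 'permanent' (Expires/Max-Age set) or 'temporary'."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return {name: "permanent" if (m["expires"] or m["max-age"]) else "temporary"
            for name, m in jar.items()}

class TrackerAudit(HTMLParser):
    """Collect third-party scripts and likely tracking pixels from page HTML."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.third_party_scripts, self.pixels = [], []

    def _third_party(self, url):
        host = urlparse(url).hostname  # None for relative (same-site) URLs
        return bool(host) and host != self.page_host \
            and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and self._third_party(src):
            self.third_party_scripts.append(src)
        elif tag == "img" and src:
            # Heuristic (assumption): 0/1-pixel or CSS-hidden images are beacons.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in (a.get("style") or "").replace(" ", "")
            if tiny or hidden:
                self.pixels.append(src)

def audit(html, page_host):
    parser = TrackerAudit(page_host)
    parser.feed(html)
    return {"scripts": parser.third_party_scripts, "pixels": parser.pixels}

# Constructed sample page for the hypothetical site shop.example.
SAMPLE = """
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/ui.js"></script>
<script src="https://ads.tracker.example/tag.js"></script>
<img src="/img/logo.png" width="200" height="60">
<img src="https://px.tracker.example/p.gif?uid=42" width="1" height="1">
<img src="https://stats.example/o.gif" style="display: none">
"""
```

Calling `audit(SAMPLE, "shop.example")` reports only the ad-network script and the two hidden images; the same-site script, the subdomain script and the visible logo are not flagged.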
Nowadays, browsing websites involves constant contact with tracking mechanisms. The modern internet is saturated with tools that allow for precise analysis and tracking of users and recording of their activity by various entities, including advertising networks, analytical service providers and website owners. This tracking is carried out on a large scale, covering both traditional web browsers and mobile applications. In practice, this means that almost every user interaction with the network is monitored and analyzed. Thanks to advanced monitoring techniques, entities performing such actions gain benefits such as personalizing content and matching offers directed to users. However, these practices raise important questions regarding privacy and protection of personal data.
Legal issues related to tracking users on the web
User tracking has attracted the attention of EU and national legislators due to its controversial nature. In the European Union and Poland, a number of legal regulations have been created to ensure appropriate standards for the processing of personal data and to protect users from unauthorized monitoring of their online activity. This action is aimed at protecting privacy and protecting consumers in the European community. An important act in the context of the above-mentioned criteria is the Regulation of the European Parliament and of the Council EU 2016/679 (GDPR), which is a key act in the field of personal data protection. In the context of user tracking, this act defines in Article 4 what personal data are, including online identifiers such as IP addresses or cookies. The Act also specifies the conditions for the legality of data processing, for which the user’s consent is necessary (Article 6). This consent must be expressed voluntarily, consciously and unambiguously (Article 7). The user also has the right to object to the processing of their data for marketing and profiling purposes (Article 21). Under the regulation, data controllers are required to apply technical and organizational measures in such a way as to limit data collection to the necessary minimum and to protect user data from unauthorized access. The safeguards are listed in Article 32 of the regulation and include: pseudonymization and encryption of personal data, the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services, the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident, regular testing, measuring and assessing the effectiveness of technical and organizational measures to ensure the security of processing. 
A breach of the provisions on the processing of personal data carries a fine of up to EUR 20 million or 4% of the annual turnover. The issue of user data protection in the telecommunications sector is regulated in Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Its key provisions are Article 6, which states that data on the network may only be processed with the user’s consent or when it is necessary to provide the service, and Article 13, which states that sending profiled advertising without the user’s prior consent is prohibited. The Digital Services Act (DSA, Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on the single market for digital services and amending Directive 2000/31/EC) introduces additional obligations for online platforms, such as the obligation to inform the user why they see certain advertisements and the prohibition of profiling and the use of profiling-based advertising in the case of minor users. The Digital Markets Act (Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828) in Article 5 specifies the obligations of gatekeepers, i.e. entities that provide an essential platform service which is an important entry point through which business users reach end users, and that have a significant impact on the internal market. These criteria are set out in the Regulation. Entities such as Google qualify as “gatekeepers”.
The obligations that the gatekeeper must fulfill in the context of administering user data include a ban on using users’ personal data for online advertising if these users use the services of external companies operating on the platform. The gatekeeper also cannot combine the personal data of users using different services provided by one gatekeeper, use personal data from one service in another service provided by the same gatekeeper, or automatically log users into its other services in order to combine their data. However, the platform providing the service may take the above actions if the user consents. In the Polish legal system, unauthorized collection of data is subject to criminal sanctions specified in the Polish Penal Code of 1997. Gaining access to someone else’s information, including interception of communication and tracking online activity, is punishable by a fine, restriction of liberty or imprisonment for up to 2 years. Using someone else’s data in a manner contrary to the law to obtain benefits is also penalized.
The above provisions indicate that entrepreneurs and digital service providers are required to comply with strict rules regarding the collection and processing of data, which is required of them by EU and national legislation. Users, in turn, have the right to protect their privacy and oppose actions that violate their rights.
EDPB Guidelines on User Tracking
The European Data Protection Board (EDPB) plays a key role in shaping the standards of privacy protection for network users in the European Union. In response to the dynamic development of this technology, the EDPB has developed a series of guidelines to ensure compliance with applicable regulations and to protect the rights of individuals using the network. In November 2023, the EDPB adopted guidelines on the technical scope of Article 5(3) of the e-Privacy Directive. The purpose of these guidelines is to clarify which technical operations, and in particular tracking techniques, are subject to the provisions of the directive. This action aims to increase legal certainty for both data controllers and internet users by precisely defining the scope of application of privacy rules in the context of tracking technologies.
Tracking techniques covered by the guidelines include:
In 2020, the EDPB also published guidelines on targeting social media users. This study was published in response to growing concerns about the use of personal data of social media users for marketing and profiling purposes. In an era of widespread use of advertising targeting mechanisms and content personalization, the guidelines were created to clarify the roles and responsibilities of social platform providers and entities using their services. One of the key aspects of the guidelines is to clarify that both social platform operators and advertisers can be considered joint controllers of personal data within the meaning of the GDPR, which means that they are responsible for the lawfulness of the processing of user data. The EDPB guidelines also emphasize that all activities related to targeting social media users should be based on transparent principles, which means that users must receive clear and easily accessible information on the use of their data, such as the methods of analysis and profiling or the type of data collected. The guidelines also draw attention to the need to limit illegal forms of user profiling, especially those that may lead to a breach of privacy. In particular, they indicate a prohibition on the use of data from the category of sensitive data and the prohibition of using manipulation techniques.
The EDPB guidelines are an important document that regulates the rules for targeting users in social media. They emphasize the need to comply with the principles of transparency, obtaining unambiguous consent and the division of responsibility between social platforms and advertisers. As a result, these guidelines aim to limit the excessive use of users’ personal data and increase their control over how their information is processed and used for advertising purposes.
Summary
Nowadays, tracking users on the web is a constantly developing issue. Entities providing access to websites use this tool for various purposes, mainly profiling users for marketing purposes. In order to prevent abuse in this field, a number of legal regulations have been introduced to protect the interests of users in the context of protecting their data. The European Data Protection Board has elaborated on this issue by issuing guidelines on tracking users and on targeting them with the use of data for marketing purposes; these guidelines aim to specify certain legal issues in the field of personal data protection and the use of such data.