back to article German court rules cookie preference service that shared IP addresses with US firm should be halted

A German court has ruled that sharing IP addresses with US-based servers for the purpose of cookie consent is unlawful under EU data protection law and the EU Court of Justice Schrems II ruling. The university Hochschule RheinMain in Germany was this week prevented by Wiesbaden Administrative Court from using a cookie …

  1. b0llchit Silver badge
    Megaphone

    And the rest too, please

    When will they finally kill google ad/tag manager and the like? That is illegal too. You cannot prevent them from loading, unless you block it beforehand(*). The "opt-out" is post-factum, which means that google already has your data. That is bad, very bad. EU sites using any third party service (and specifically those outside EU) should be prohibited by default unless the user consents.

    (*) I do use NoScript, Greasemonkey and Privacy Badger. But the wwwnet is a tracking pain.

    1. Chris G Silver badge

      Re: And the rest too, please

      I am curious as to how long it takes after landing on a page for the site to set cookies and/or start to harvest data, particularly those sites that deliberately seem to have convoluted opt out pages, when under the current law as I understand it, they need to receive your consent.

      I also find the 'legitimate interests' that seem to always be set to on are for the most part not legal without specific consent even though it appears so because there is no explanation of what they are.

      Here from the ICO:

      "the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising."

      On most sites legitimate purpose or interest is used as a catch all to con the user into leaving a lot of undesirable data scraping live.

      1. anothercynic Silver badge

        Re: And the rest too, please

        All the third-party systems that people use, like TrustArc, do that. It's utterly irritating.

      2. eldakka Silver badge

        Re: And the rest too, please

        I am curious as to how long it takes after landing on a page for the site to set cookies and/or start to harvest data

        It's effectively instantaneous.

        Cookies are generated on the serverside, and the server instructs your browser to save the cookie.

        The moment you click on that link (or press enter after typing the address in the address bar), the HTTP request to that site includes any pre-existing cookies in that initial request, and when that request hits that server, it logs the identifying information, IP address, URL, useragent string, cookies etc., and reads and processes the cookies passed. Assuming those pre-existing cookies aren't some sort of opt-out cookies, and that the site chooses to honour it, then the webserver or backend application servers it sits in front of, generates any new cookies and return them back to you in the HTTP reply headers, and non-session cookies that are returned get saved by your browser while session cookies which are transient aren't saved. A well-behaved website won't set any persistent cookies on a first-time connection (i.e. no pre-existing cookies saved), and wait for any cookies banners to be processed ("this site uses cookies, blah blah blah"), however, that is controlled by the developer, not the browser, not the protocol, it is up to the writer of the webpage whether to do that or not, and even then, they'll still get standard logging information - IP address, timestamps, useragents and whatnot.

      3. katrinab Silver badge
        Black Helicopters

        Re: And the rest too, please

        “I am curious as to how long it takes after landing on a page for the site to set cookies and/or start to harvest data,“

        Less than 100ms, to harvest the data, cross-reference it with other sources, and act on it.

    2. Anonymous Coward
      Anonymous Coward

      Re: And the rest too, please

      "When will they finally kill google ad/tag manager and the like? That is illegal too. You cannot prevent them from loading, unless you block it beforehand(*)."

      The big issue I've seen is the number of websites using Google TagManager (GTM), allegedly, to ensure that data is not collected until consent is obtained (as GTM can be used to control the loading of additional page content/scripts if/once consent is obtained) where the webpage also has a HTML NoScript tag with a Google Analytics or GTM url. I suspect that Google's docs, in their examples, showed this use of NoScript and many people just cut-n-pasted it from there.

      As NoScript is only triggered whenever a browser either does not support JavaScript at all or (more likely) has something like NoScript enabled to (selectively) prevent JavaScript from running then those websites cannot possibly claim that the NoScript link is used for managing Consent (as no JavaScript can be invoked to do so) and instead this link is obviously soley being used for analytics collection in breach of PECR/GDPR (as not strictly necessary and as no consent obtained).

      I have highlighted this practice as part of at least one case I have raised with ICO but they have not currently commented on that aspect of the complaint.

      1. big_D Silver badge
        Facepalm

        Re: And the rest too, please

        I had GTM blocked at the DNS level (it couldn't be loaded). Our local newspaper app claimed that there was no internet connection, because it couldn't load GTM.

        1. Anonymous Coward
          Anonymous Coward

          Re: And the rest too, please

          [I'm the previous anonymous poster]

          "I had GTM blocked at the DNS level (it couldn't be loaded)."

          Yes I have GTM and Google Analytics (and some other DNS names) in my /etc/hosts file to block them.

          However some people may not know how to do this, or may have not have the access to do this (i.e. "not their personal laptop" so they can't make changes, or an Android phone/tablet where it is hard to modify /etc/hosts file, etc).

          My original point is that a GTM/Google Analytis url in a NoScript HTML tag is a tracker and falls foul of PECR/GDPR and yet lots of websites do this.

          Also I believe that, as part of Google trying to weedle out of Google being deemed Data Controller/Joint Controller for this stuff, Google require users of Google Analytics and (I think) GTM to make the end users aware that the website uses Google Analytics before its activated - now normally that is achieved by GTM not loading the GA script until "consent" is obtained but obviously with a NoScript tag this cannot happen.

          If a site is using such a NoScript url on all their pages then you can't actually read their Privacy Policy to become aware of GTM/GA until *after* any GTM/GA url has already been fetched - so by the time the Privacy Policy "informs" you it is too late...

          1. SImon Hobson Silver badge

            Re: And the rest too, please

            Yes, and "eventually" someone will raise a case and it'll be outlawed. Then the snake oil salespeople will adjust their pitch with the next great "totally legal and affordable" method.

          2. A.P. Veening Silver badge

            Re: And the rest too, please

            "I had GTM blocked at the DNS level (it couldn't be loaded)."

            Yes I have GTM and Google Analytics (and some other DNS names) in my /etc/hosts file to block them.

            However some people may not know how to do this, or may have not have the access to do this (i.e. "not their personal laptop" so they can't make changes, or an Android phone/tablet where it is hard to modify /etc/hosts file, etc).

            The easy solution is to use a Pi-Hole.

  2. Graham Cobb Silver badge

    Why would a cookie consent service use the IP address?

    I always decline consent for cookies. That is a clear statement that I do not want to be tracked or recorded in any way. Why would sending my IP address to the cookie consent tracking service be allowed even if it was not in the US? IP addresses are very important personal data.

    The obvious way to handle cookie consent is to place a cookie with just a UUID. When I visit again, send the UUID (only) to the consent service and get the answer. Sending the IP address is clearly not "necessary" and should be disallowed unless I consent.

    1. Anonymous Coward
      Anonymous Coward

      Dare I say?

      There should be NO tracking until consent is given, which is stored in a cookie. No consent cookie means do nothing until the opt-in button is clicked. If the user has DNT enabled then don't show the banner in the first place.

      I believe that advertisers have deliberately confused and conflated the mass collection and sharing of data between their servers, with the individual motes of data in our browsers. By pushing the cookie banner in all of our faces we forget about the huge databases that exist without permission. This is like producers of disposable plastics paying for anti-litter campaigns or oil companies promoting home insulation - important issues to be sure but it evades the bigger questions.

      1. Falmari Silver badge

        Re: Dare I say?

        @AC "There should be NO tracking until consent is given"

        That does not go far enough consent should not be an option. Tracking should never be allowed and can't be consented to. Consent can never requested or given.

        1. Anonymous Coward
          Anonymous Coward

          Re: Dare I say?

          Who are you to tell me what I can and cannot consent to?

    2. Anonymous Coward
      Anonymous Coward

      Re: Why would a cookie consent service use the IP address?

      I'm assuming this is where the cookie consent service is hosted by a 3rd party (such as TrustArc that someone else mentioned) and referenced by the website's content pages - so your browser is told to load the Javascript for the consent pop-up from the 3rd party company who are USA-based or USA-owned and, as *your* browser made a HTTP/HTTPS request to them of course they have your IP address.

      The obvious solution would be for the websites to host the consent "platform" themselves but that's unlikely to happen in the vast majority of cases.

      1. Graham Cobb Silver badge

        Re: Why would a cookie consent service use the IP address?

        Hmm. Maybe. But if that were the case I would expect that I would already have it blocked. I will check.

        ...After checking... I went to https://www.hs-rm.de/en/ and it does try to load https://consent.cookiebot.com/uc.js, which is indeed blocked by uBlock Origin. I see no cookie consent request for that site.

        However, I do see a lot of cookie consent requests from other sites - presumably those are hosted on the site concerned. I hope they are not providing anything except a UUID to their backend service.

    3. Ian Johnston Silver badge

      Re: Why would a cookie consent service use the IP address?

      I currently have a static IPv4 address from A&A, but it's used by my entire household, so hardly personal information. Before that I had a dynamic IPv4 address which changed every time my router connected. That's not very personal either. Finally, when I browse on the go I'm behind Three's NAT: whatever my actual IP address is (I see 10.x.x.x) it's being shared by many people.

      It all seems a little precious.

    4. Anonymous Coward
      Anonymous Coward

      Re: Why would a cookie consent service use the IP address?

      "I always decline consent for cookies. That is a clear statement that I do not want to be tracked or recorded in any way. Why would sending my IP address to the cookie consent tracking service be allowed even if it was not in the US? IP addresses are very important personal data."

      In the context of website using an external "cookie consent platform" (like Cookiebot and TrustArc) your browser is directed to the external "platform" by the website you visit.

      Your browser makes a HTTP/HTTPS connection to the external "platform" which, like all HTTP/HTTPS connections, involves your browser sending packets with your IP address as the source IP address - that is how the Internet (i.e. TCP/IP) works, packets contain source and dest IP addresses. Your browser cannot talk to a website (in this case the external "platform") without doing so.

      So "sending my IP address to the cookie consent tracking service" has to be (technically) allowed in order for a HTTP/HTTPS connection to be made to the cookie consent service.

      If you are instead complaining as to why the original website directs your browser to the external "platform" that is a completely different matter which I referred to in an earlier post about whether content sites should be hosting a "cookie consent" platform themselves.

  3. Norman Nescio

    'Legitimate purposes'

    A lot of sites are using the 'legitimate purposes' test of the six lawful grounds for allowable processing of personal data.

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/#what

    (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

    https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/

    The ICO's view is

    It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

    (More at the link)

    I'd love to see the use for profiling/advertising challenged. It really needs a test case.

    1. heyrick Silver badge

      Re: 'Legitimate purposes'

      If you're an advertiser, there's no such thing as "legitimate interests". You're a parasite, bugger off.

      (and notice how the many "legitimate interests" options are always enabled by default with no "disallow all" option, but there's always an "allow all pillaging" button, it's subtle psychological conditioning)

      1. John Brown (no body) Silver badge

        Re: 'Legitimate purposes'

        I've noticed more and more often, reputable UK and EU sites, if you got to their "customise" page, default all but essential cookies as off. Essential cookies, of course, can't be turned off (but can be blocked by you and I). To get there, of course, involves either clicking "Yes/OK" to everything, but at least if you choose the option, they are all off by default. On the down side, Yes is a simple click and the banner goes away while to turn them off is two clicks and an extra page load. But still miles better than some of those disgusting US sites with 120 tracking options, all on by default and must be clicked off one at a time.

        (or just block all of them locally)

        1. Chris G Silver badge

          Re: 'Legitimate purposes'

          " But still miles better than some of those disgusting US sites with 120 tracking options, all on by default and must be clicked off one at a time."

          There are plenty of UK and European sites that do the same, GDPR UK and European need to have a more easily accessible reporting system so that anyone can flag such sites, as things are, reporting a site to the Spanish DPA is difficult and I feel deliberately so to avoid the need to investigate what could be unmanageable levels of complaint.

        2. Anonymous Coward
          Anonymous Coward

          Re: 'Legitimate purposes'

          If you check under 'essential' there is often an option to 'track across multiple devices' which can't be turned off.

          Obviously that a good idea for sites like Netflix where they need to stop the whole world sharing one login, but for most other sites it's just data slurp

          Try tfl.gov.uk and click on 'manage cookies' on their popup. You get the normal everything off except 'essential cookies' Click 'mange how our partners use the data' and click 'reject all', but that's just 'purposes'... select the 'features' tab and there's more to 'reject all'... finally select the 'partners' tab and click 'reject all' once again.

          But, wait, there's more... scroll down the 'partners' and uncheck each and every 'legitimate interest' boxes... and there's hundreds of them!

          And this is a site that doesn't really have any ads

      2. Ian Johnston Silver badge

        Re: 'Legitimate purposes'

        If you're an advertiser, there's no such thing as "legitimate interests". You're a parasite, bugger off.

        If you are an advertiser you are paying for the site .That gives a very legitimate interest.

        1. tiggity Silver badge

          Re: 'Legitimate purposes'

          @Ian Johnston

          "If you are an advertiser you are paying for the site .That gives a very legitimate interest."

          No it does not.

          An advertiser does not need my personal data (be it IP address, browser profiling data, etc)

          The excuse of targeted ads is crap - targeted ads have always been absolutely useless, only ads I have ever been interested in were those relating to the content I was viewing (i.e. not an ad for an item unrelated to current page that I researched online & purchased 2 weeks ago).

          In the UK I often get a free newspaper (Metro) at the train station. This is paid for by advertising, but works fine with me being anonymous (no tracking info in dead tree publications... yet).

          Ad slingers may claim they need your details, but they don't.

          I can recommend ad nauseam for a bit of ad fun in your browser.

          1. Ian Johnston Silver badge

            Re: 'Legitimate purposes'

            Advertising technology has moved on a bit since 1st May 1704, which is when the first advert was printed in a newspaper. And anyway, you can still, for the moment, buy actual newspapers if you want that authentic eighteenth century experience.

        2. Jedit
          FAIL

          "If you are an advertiser you are paying for the site .That gives a very legitimate interest."

          Two points:

          1) If I have refused you consent to use my data, you cannot possibly have a legitimate interest because any legitimacy of your usage is entirely dependent on my consent.

          2) If you're asking for me to make an exception to my refusal of consent if your interest is legitimate, that is a de facto admission that your original request for my data was made because you want it for illegitimate purposes.

          Let's be blunt here, Ian - at the core what you're saying is that advertisers have a right to our data because they have already bought it from a third party that doesn't own or control it.

        3. heyrick Silver badge

          Re: 'Legitimate purposes'

          "That gives a very legitimate interest."

          Bullshit.

          What you are suggesting, in the real world, would be akin to having somebody follow me around to see what pages of a magazine I read "because an advert was put in it therefore watching you read this magazine (and anything else like what brand of tea you drink whilst reading) is our legitimate interest".

          As an advertiser, sure you paid to have the advert displayed. Who actually saw it, how long they saw it for, whether their mouse pointer lingered over it, and where they are geographically based (perhaps down to an individual house) is none of your fucking business. The only reason this sort of thing is happening at all is "because you can" and "because there are no laws saying don't".

          We've seen how much advertisers care to respect DNT. And now with the abuse of "legitimate interest", it's quite clear that they cannot be trusted to self regulate in any meaningful way.

        4. Claverhouse Silver badge
          FAIL

          Re: 'Legitimate purposes'

          Then they should wait until one refuses tracking/advertising/cookies and then blank the whole site to one. Fair enough --- I generally leave immediately if a site is insistent, with no hard feelings: I acknowledge their right to refuse service. Just as I would leave a pub instantly if a beer mug smashed on the door jamb as I entered.

          Their site, and nearly all sites, are not essential to my life. But an absence of advertising is.

          And I don't care if this is the end of the Free Web, or the collapse of their business. They should fund it on another model. There are many millions of sites, advertising funded, whose loss would be a blessing. Any business or news site has it's purpose in showing off it's wares, and should be funded from their profits. Any private site can be funded by the owner or well-wishers.

          .

          .

          Amusingly, some of the less capable news-sites in the U.S. are still panicked like crazed loons by GDPR, and still show 'We deeply value our European Visitors, but the content can not be shown at the moment' after all these years.

          Apart from the pathetic nature of relying on tracking --- to which many Americans also object --- one would think they could find a better solution by now. Unless they think GDPR and other such laws will magically disappear, as in sad old Spectator types' wet dreams, they are stuck with ignoring the entire world outside forever, which would disappoint their more curious cosmopolitan American readership eventually.

          1. heyrick Silver badge

            Re: 'Legitimate purposes'

            We deeply value our European Visitors, but the content can not be shown at the moment.

            They're not panicking. They stuck up that message when it became clear that they had to ask, and they don't give a half baked toss about their European visitors, which is why all these years later it's still the same idiotic message.

            I'm looking right at you, Tribune Publishing (Baltimore Sun).

    2. graeme leggett

      Re: 'Legitimate purposes'

      As I understood it, the point about "legitimate interest" is that if you have decided a legitimate interest is there, then you don't need consent.

      Which then prompts the question, why do those cookie permission interfaces have a on/off slider for legitimate interests?

  4. Missing Semicolon Silver badge

    Uncompliant

    A distressingly large number of UK sites have cookie dialogues with only an OK button. No opt-in or out available.

  5. Anonymous Coward
    Anonymous Coward

    The ONLY thing a cookie really needs....

    ...is to be there and have a random number.

    That's it. Covers all the session cookie requirements.

    Store everything else on the server end.

    ie a login cookie without the login.

  6. msobkow Silver badge

    The world is barking mad, you know.

    How else are you going to track that a particular user/browser and IP address has provided their consent except to record that consent?!?!?!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022