Cookies (Native, Wall, Third-Party)

google.com, wikipedia.org, leboncoin.fr, lemonde.fr, credit-agricole.fr, all these sites are among the 20 sites generating the most traffic every month in France according to SimilarWeb. However, their business models are very different.


Our personal data has value

How does an organisation or company make money through its website?

Only a third of French people claim to know how the Internet is financed, according to a study carried out by the market research institute Appinio in April 2020 for The Trade Desk.

Internet business models are based mainly on one of the following five types of monetisation:

  • Merchant: a site that sells products, services or content online
  • Advertising: monetising the audience through advertising
  • Freemium: (free + premium) a basic service that is free of charge, with paid options available
  • Marketplace: a commission is charged on transactions organised by the site
  • Donation: Wikipedia is the best-known example, with its regular fundraising campaigns

Almost two out of three French people do not realise that advertising is a source of income on the Internet. However, according to Magna Global (IPG Mediabrands), by 2021 in France digital should account for 60% of advertising revenue (gross: before negotiated price) across all media, far ahead of television.

Well-targeted advertising brings in more than poorly targeted advertising, as the latter is aimed at a partially inappropriate population. It is therefore necessary for a site to know the profile of its visitors as well as possible. The use of visitors’ personal data, which will enable targeted advertising to be displayed, is therefore a major element in the financing of a site or application.

For many years, customers in shops have been used to being approached with targeted adverts based on information from their loyalty cards or the analysis of their receipts, resulting in personalised promotional offers. Our personal data is a quid pro quo for a benefit or a service. This model has therefore simply been transposed to the internet.

Numerous players are involved in this virtual economy, often referred to as ad tech (advertising technologies). This economy is legal and is possible under certain conditions governed by the Consumer Code and the rules relating to data protection (in France, the GDPR and the Data Protection Act). The purpose of these rules is to guarantee that individuals have control over their data and are informed of how it is used following their agreement.

Age, sex, place of residence, interests, consumption habits, etc. A great deal of information is therefore collected directly or indirectly, very often completely legally, by the websites we visit.

 

How is our personal data collected on the Internet?

When we connect to a website, a cookie is usually placed on our computer or phone.

When a cookie is used only by the site that placed it, it is called a native cookie (also known as a first-party cookie). It is used to recognise the visitor on future visits.

The purpose of native cookies is to:

  • Facilitate browsing: for example, by recognising the choice of language
  • Improve the services offered by analysing visitor browsing
  • Offer targeted advertising

The information collected by cookies may also serve purposes that go beyond the site itself: it can be used for prospecting by other sites through third-party cookies.

Unlike a native cookie, a third-party cookie is not set by the website that was visited. It is often generated and used by a partner of the site. The information collected and stored in the cookie no longer relates to the website visited, but to the behaviour of the internet user: their habits, links clicked on, paths taken, etc.

The simplest illustration, which we have all surely already come across, is the display on a site of banners offering articles that we have previously consulted on another site.

The more third-party cookies there are on a website, the more effective they are. This is why advertisers generally establish partnerships with a number of websites. Once this data has been collected, the advertiser can find out the profile of its visitors, a profile that it will enhance with each new visit to achieve more relevant commercial targeting.

Third-party cookies are understandably very common on commercial websites and social networks.
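
The distinction can be made concrete with a short Node.js sketch, added here as an illustration and not part of the original article: it labels each cookie in a constructed request log as native or third-party and lists the partners that could link visits across sites. The hostnames, cookie values and the two-label site rule are assumptions.

```javascript
// Constructed sample of requests seen while loading two pages (not real traffic).
// .example and .test are reserved names; "adpartner" and "stats" are hypothetical.
const observed = [
  { page: "https://shop.example/cart", request: "https://shop.example/api/cart",
    setCookie: ["lang=fr; Path=/; Max-Age=15552000"] },
  { page: "https://shop.example/cart", request: "https://cdn.adpartner.test/pixel.gif",
    setCookie: ["uid=abc123; Domain=adpartner.test; SameSite=None; Secure"] },
  { page: "https://news.example/article", request: "https://static.news.example/app.js",
    setCookie: ["theme=dark; Path=/"] },
  { page: "https://news.example/article", request: "https://sync.adpartner.test/t",
    setCookie: ["uid=abc123; Domain=adpartner.test; SameSite=None; Secure"] },
  { page: "https://news.example/article", request: "https://c.stats.test/hit",
    setCookie: ["sid=9; SameSite=None; Secure"] },
];

// Simplification (assumption): site = last two host labels.
// Production tools use the Public Suffix List so that e.g. "co.uk" is handled.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Label every Set-Cookie as native (same site as the page) or third-party.
function classifyCookies(entries) {
  return entries.flatMap((e) =>
    e.setCookie.map((raw) => ({
      pageSite: siteOf(e.page),
      setBy: siteOf(e.request),
      name: raw.split(";")[0].split("=")[0].trim(),
      party: siteOf(e.page) === siteOf(e.request) ? "native" : "third-party",
    }))
  );
}

// A third party that sets cookies on several unrelated sites can link the visits.
function crossSiteTrackers(entries) {
  const seenOn = new Map();
  for (const c of classifyCookies(entries)) {
    if (c.party !== "third-party") continue;
    if (!seenOn.has(c.setBy)) seenOn.set(c.setBy, new Set());
    seenOn.get(c.setBy).add(c.pageSite);
  }
  return [...seenOn]
    .filter(([, sites]) => sites.size > 1)
    .map(([tracker, sites]) => ({ tracker, sites: [...sites].sort() }));
}

console.log(classifyCookies(observed));
console.log(crossSiteTrackers(observed));
```
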

 

Since 31 March 2021, browsing websites in France has required visitors to take action regarding cookies.

This change results from the rules on cookies published by the CNIL in October 2020, with sanctions from April 2021. These rules oblige those who use cookies and tracking tools to clearly inform visitors about the purposes and consequences of accepting or refusing cookies. Refusing must be as simple as accepting: if there is a choice to ‘accept all’, there must also be a choice to ‘refuse all’. The vast majority of sites have complied with these rules, with one exception: the ‘Accept’ choice is visually more prominent than the ‘Refuse’ choice. This technique, the aim of which is to influence the choice of users, is an example of dark patterns (or misleading design) and does not comply with European regulations.

In addition, the CNIL recommends that consent be kept for a certain period of time, to be adapted according to the type of site and its audience, and that the request be renewed regularly. Except in special cases, 6 months of storage of choices seems to be good practice.

Visitors must therefore have the option to refuse some or even all cookies. As these cookies make a significant contribution to the financing of websites, a number of sites have responded by implementing a cookie wall.

This term refers to the practice of making access to the content of a website’s pages conditional on the visitor’s consent to the placement of cookies and their use for commercial purposes. If the visitor refuses, he is denied access to the content of the site, the page of which is largely obscured by the consent window.

If the visitor refuses cookies, he can sometimes pay directly for access to the site or create an account where he must accept the General Terms and Conditions of Use, in which case we refer to a login wall.

 


For the CNIL, access to a website should never be conditional on the acceptance of cookies or other trackers. From the first appearances of cookie walls, the French independent administrative authority was therefore hostile to them and, more generally, their legality very quickly came under scrutiny.

However, in its decision of 19 June 2020, the Council of State ruled that the CNIL did not have the authority to categorically ban these walls.

Following this decision, the CNIL stated that ‘the lawfulness of using a cookie wall must be assessed on a case-by-case basis’. The commission therefore encourages websites to explicitly notify users of consequences such as ‘the impossibility of accessing content or services without consent’. The authority also writes that ‘it will, in this context, pay close attention to the existence of real and sufficient alternatives, particularly those provided by the same publisher, when the refusal of unnecessary trackers blocks access to the proposed service’.

There is therefore currently a period of uncertainty regarding the legality of cookie walls. This uncertainty is heightened by the fact that the decision handed down by the Council of State was made ‘without ruling on the merits of the case’. This case cannot therefore be considered closed. This feeling is reinforced by the fact that the EDPS, the European Data Protection Supervisor, of which the CNIL is a member, is in favour of an explicit ban on cookie walls in the future ePrivacy Regulation planned for this year. Some websites therefore seem to be able to take advantage of this period of procrastination for a little while longer.

Google is reshuffling the third-party cookie deck!

By the end of 2023, Google will no longer use third-party cookies via Chrome, its internet browser. This development, which is part of a context of strengthening measures to protect individual data, is an important decision by the Alphabet subsidiary in its choice to develop the AdTech sector in the direction of consent and in its communication on the balance between online advertising and data protection.

The announcement by the American giant comes at a time when the effectiveness of third-party cookies has been called into question for several years. First-party data makes it possible to target visitors who are also customers more precisely. This refers to proprietary data from CRM databases, which can be enriched with information on access to content, services and online purchases, as well as browsing data collected by the site. This enriched data is used to create profiles and then target personalised marketing campaigns.

In parallel with its announcement on third-party cookies, Google is working on alternative solutions through its Privacy Sandbox initiative.

One of the ideas behind this initiative is to replace individual targeting with collective targeting via the FLoC API and its Federated Learning of Cohorts. It works by assigning new attributes to websites, assigning them to various categories that will be used to profile visitors. The aim is to provide advertisers with cohorts aggregating thousands of visitors. The target is therefore no longer a user but segments of the population. Advertisers will therefore only receive segments and no longer individuals. Is FLoC compatible with the GDPR? The question remains open, especially since Google has not included any European countries in its test, which is currently in its final phase.

Another idea, complementary to the previous one, to enable advertisers to continue to retarget advertising by exploiting their first-party databases and without using third-party cookies, is FLEDGE. This solution introduces a trusted third-party server into the process to store information about a campaign’s bids and budgets.

At a time when data confidentiality has become a central issue, the American firm is therefore working on the issue of compliance with the new regulations, while not losing sight of the needs of publishers and advertisers. The disappearance of third-party cookies should reshape the online advertising market, but certainly not spell its demise.

If my personal data is so valuable, can I sell it?

If our personal data is so valuable, some people may be tempted to sell it or licence it to companies, either directly or via intermediaries, in order to make a profit. This is called data monetisation.

But for the CNIL this ‘is contrary to current law and to the concept of personal data protection as a right attached to the individual, which extends the right to respect for private life’.

Nevertheless, the impossibility of monetising one’s personal data does not in any way exclude the possibility of compensation for certain processing operations. However, this compensation cannot be considered as ‘an intangible asset, appropriable by third parties and capable of independent trade’. In France, as in other European countries, some court decisions or regulatory authorities recognise the provision of personal data as compensation for a service, for example:

  • The Paris Tribunal de Grande Instance, which ruled that the data collected free of charge by Twitter constitutes the contractual consideration for the service offered by the social network
  • The competition authority ruled that Facebook could not present its service as free of charge. The term ‘free of charge’ was misleading because, since the company uses its users’ data for commercial purposes, its service does have a financial purpose

Today in France, the GDPR and the Data Protection Act allow individuals to control the use and rectification of their personal data. It is currently impossible to sell this personal data because this would mean giving up the associated rights. As the CNIL, the French data protection authority, states, ‘the rights of data controllers over the personal data they possess are therefore neither absolute nor exclusive’.

Ethical and legal issues are therefore constantly at the centre of how the Internet operates for users and all those involved in the Data professions.

Reference: www.cnil.fr

And what is the status of your cookies?

Download the CookieViz software for free from the CNIL’s GitHub account to analyse the interactions between your computer, your browser and remote sites and servers. By installing it, you will be able to find out to which other actors the site you are visiting sends information.

Cookieviz, a real-time data visualisation of your browsing tracking | LINC (cnil.fr)
