Background on The 5th Cookie
The AdTech controversy is the most poignant example of the limitations of traditional approaches to data protection. These traditional approaches are premised on the notion that data use and data privacy are necessarily in conflict with one another.
The term “5th Cookie” is a metaphor that encapsulates the goal of leveraging GDPR compliant Pseudonymisation and Data Protection by Design and by Default to bridge “consent gaps.” These “consent gaps” appear when the type of processing is too broad or undefinable (such as by machine learning or AI programs), so that data subjects cannot give valid consent to authorise the desired processing in compliance with the GDPR requirements for consent. Pseudonymisation and Data Protection by Design and by Default can help to alleviate this issue. “Demonstrable accountability” leveraging auditable and documented technical safeguards allows data innovation to be balanced with the assurance of the full range of individual rights.
Under the GDPR, compliant Pseudonymisation requires that re-linking/re-identifying should not be possible without access to additional information that is kept separately and used only for authorised purposes (Article 4(5)). The combination of Pseudonymisation and Data Protection by Design and by Default enables the achievement of the principle known as “Aristotle’s Golden Mean.” “Aristotle’s Golden Mean” covers the idea that on a spectrum, an excess of behaviour sits at one end and a deficiency of behaviour sits at the other end. But somewhere in the middle is a perfectly balanced behaviour: the golden mean. To achieve this balance, GDPR-complaint Pseudonymisation can help to bridge the “consent gaps” so that both privacy and utility can both be fully maximised.
Under the GDPR, encryption is the state-of-the-art for protecting data when at rest and in transit (Article 32). Similarly, Pseudonymisation and Data Protection by Design and by Default—as newly defined in the GDPR—are the state-of-the-art for protecting data when in use (Article 25). GDPR-compliant technical and organisational safeguards in the form of digitally-enforced Pseudonymisation controls can be embedded in and flow with the data. This helps to enforce risk-based data protection policies, which resolves conflicts between maximising data value and protecting fundamental personal rights to privacy. Specifically, in the context of the GDPR, Pseudonymisation is cited as a way to:
- Recital (28): “…reduce the risks to the data subjects concerned and help controllers and processors to meet their data-protection obligations.”
- Recital (78): “…implement measures which meet in particular the principles of data protection by design and data protection by default.”
- Recital (156): Ensure “that appropriate safeguards exist” for “the rights and freedoms of data subjects” when “processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
- Article 6(4)(e): Show “the existence of appropriate safeguards” supporting compatible processing.
- Articles 25(1) and 89(1): “…implement appropriate technical and organisational measures…which are designed to implement data-protection principles, such as data minimisation…”
- Article 32(1): “…implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks” to “the rights and freedoms of natural persons…”
- Article 29 Working Party Opinion 06/2014: “tip[ping] the balance in favour of the controller” when conducting the Balancing of Interests test that is part of establishing Legitimate Interest as a lawful basis for processing.
IAB has proposed an approach that:
- (a) requires Third-party Cookies to continue to work as they currently do in the AdTech ecosystem; and
- (b) is dependent on contractual commitments among hundreds (thousands?) of market participants since the IAB proposal does not propose specific technical safeguards, making enforcement impracticable.
- NB: A Third-party Cookie is a cookie that is placed on a user’s computer by a domain other than the domain the user is currently on. For instance, if the user visits a fictitious website called privacy-site.com and the cookie set on their computer is from privacy-site.com, this is a First-party Cookie. A Third-party Cookie would be if the cookie was set on privacy-site.com from a fictitious website called free-ads-site.com. Third-party Cookies are often set by advertising networks to “remember” user information at other times, to display advertisements to users on other websites. Third-party Cookies are not privacy respectful because they reveal identifying data to hundreds (thousands?) of market participants without any technical means of control over subsequent use of the data.
The 5th Cookie approach represents a significant improvement over the IAB approach because:
- The 5th Cookie approach does NOT rely on Third-party Cookies. Rather, it allocates a restricted number of First-party Cookies:
- A First-party Cookie is a cookie stored in the user’s computer that is created by the same domain as the website that the user is visiting (like in our example above with the privacy.com domain and the privacy.com cookie) . First-party Cookies are essential to websites to enable them to keep track of a user’s activity as they move from page to page.
- The 5th Cookie approach allocates a restricted number of First-party Cookies that are under the control of the website publisher and used in coordination with a limited number of trusted partners (in a hypothetical example: (1) Facebook, (2) Apple, (3) Amazon, and (4) Google, plus – (5) an additional one or more cookies allocated for use by a “democratic cooperative” that leverages adequate safeguards – hence the term “5th Cookie.”
- The 5th Cookie approach leverages GDPR statutorily-recognized Pseudonymisation in the form of technical and organizational safeguards to help enable Legitimate Interest processing. This Legitimate Interest processing helps to balance the interests of data subjects and data controllers.
Brave—a competitive web browser—highlights the shortcomings of both the Google and the IAB proposals at https://brave.com/google-iab-reform/:
- The Google proposal eliminates Third-party Cookies but “has no controls in place to protect [Real-Time-Bidding] RTB data after it broadcasts it to 2,000+ companies. The companies are merely told to ‘notify Google in writing’ if they intend to misuse it.” Essentially, Google replaces Third-party Cookies with its “Privacy Sandbox” and then sends identifying data to parties in its ecosystem.
- The primary weakness of the IAB approach is that it “merely sends ‘please do not use’ requests to the many companies receiving RTB broadcasts in the IAB system. It is not able to control what happens to the data.”
The 5th Cookie metaphor provides strong support that Legitimate Interest based AdTech processing is possible. As a result, everyone committed to ethical data stewardship, from the smallest players to the largest brands, can participate in digital marketing. Data subjects could be reached by advertisers as members of small, dynamically changing and privacy-respectful groups called micro-segments. Each micro-segment would represent the individuals included within the group, and based on individual characteristics, data subjects could be included in multiple micro-segments. The composition of micro-segments would change dynamically to reflect the individuals, corresponding to the specified characteristics associated with the micro-segment.
Advertisers could reach groups of people represented in the advertising micro-segments in which they are interested. In this way, data subjects would be approached as members of groups and not as individuals. It would be up to each individual data subject to ‘raise their hand’ and identify themselves if they want to respond to an advertisement. Crucially, at any time, data subjects could opt out of being included in further micro-segment based marketing and outreach.
Three Steps of "The 5th Cookie" Metaphor for Ethical AdTech
You must have adequate technical and organizational safeguards in place to demonstrate ethical processing, accountability and transparency for each of these three steps:
Three Steps or Stages:
The first step is consent to Data Collection. There are three different categories of data that a data subject can consent to the processing of:
- Provided data
- Inferred data
- Observed data
The second step involves the processing of data using Legitimate Interest-based processing leveraging GDPR Pseudonymisation and Data Protection by Design and by Default to create dynamically allocated micro-segments.
The third step involves reaching out to consumers as members of micro segments.