How to meet legal obligations when site owners have 3rd parties on their sites?
- Until recently, many site owners believed that 3rd parties on websites count as data processors only, which, if correct, would trigger legal obligations regarding data processors only.
- A recent GA Opinion (Fashion ID Case) says that when a 3rd party embedded on a website receives site visitors' personal data (e.g. IP address, browser string),
- that 3rd party acts as a controller
- the site owner is towards its site visitors responsible for
- informing about the 3rd party
- requesting consent for using the 3rd party before processing
- that 3rd party and the site owner are jointly responsible for the collection and transmission of personal data to the 3rd party.
- Watch this space for more on this topic.
The Fashion ID case concerns a third-party plugin that a website operator voluntarily has embedded on her site.
What if the website operator voluntarily has embedded a third-party plugin on her site and that third-party pulls in another a third-party on the site without the authorisation of the website operator?
In such cases, the website operator DID NOT voluntarily embed the third-party of the third-party ... but the first embedded third-party did ...
Consequently, the website operator DID NOT set the parameters of the personal data to be collected by the third-party that was pulled in by the first embedded third-party ... but the first embedded third-party did ...
... unless one says that if the website operator does not block the access to her site for third-parties that the website operator does not herself embed, then the website operator is considered to have granted access to her site to any third-party that the first embedded third-party pulls in on the site.
Please send me your views ... and please argue against me!
Is an embedded third-party that pulls in another third party on a website (not) a joint controller with that other third party ... ?
... by the same reasoning as in the Fashion ID Case?
In cases when Consent is proper legal basis
for collecting and transmitting personal data
for e.g. advertising optimisation,
who is obliged to request and receive user's consent? ...
... the website owner? ... or
... the 3rd party? ... or
... the 3rd party of the 3rd party that the website operator embedded?
... all three?
How does one solve to request consent to collect and transmit user data to multiple 3rd parties for their various purposes?
Let´s first use Signatu Trackerdetect to analyse the homepage of a few popular newspaper websites in Europe ... to see what ´s going on.
Signatu Trackerdetect is a paid service that companies can sign up to and use to take steps to control their website and get user consent for using 3rd parties on their sites.
A French newspaper
Signatu Trackerdetect´s analysis of the homepage of a much read French newspaper website carried out on April 5, 2019 2:53 PM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
A British newspaper
Signatu Trackerdetect´s analysis of the homepage of a much read and well respected British newspaper website carried out on April 6, 2019 8:28 AM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
A Swiss newspaper
Signatu Trackerdetect´s analysis of the homepage of a popular Swiss newspaper website carried out on April 6, 2019 9:26 AM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
A Swedish newspaper
Signatu Trackerdetect´s analysis of the homepage of a well liked Swedish newspaper website carried out on April 6, 2019 7:05 PM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
A Danish newspaper
Signatu Trackerdetect´s analysis of the homepage of a well liked Danish newspaper website carried out on April 6, 2019 7:52 PM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
A German newspaper
Signatu Trackerdetect´s analysis of the homepage of a well liked German newspaper website carried out on April 6, 2019 7:53 PM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
An Italian newspaper
Signatu Trackerdetect´s analysis of the homepage of a well liked Italian newspaper website carried out on April 6, 2019 8:17 PM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users:
A Spanish newspaper
Signatu Trackerdetect´s analysis of the homepage of a well liked Spanish newspaper website carried out on April 6, 2019 8:17 PM shows the following graph of 3rd parties on the homepage:
Also, the analysis shows the following information about the detected 3rd parties on the homepage (where many of the cookies are set by the 3rd parties ...), for which the home page does not request the consent its users: