When surfing on a website or using a connected object, people do not always realize the use that can be made of their personal data. Close-up on the issues related to the use of this data and on the necessary awareness of Internet users.

 

Internet users, mobile users, buyers of connected objects or any type of terminal connected to the Internet are now faced with an essential choice: to accept or refuse the use of their personal data by digital service providers. The solicitation of consumer consent is ubiquitous, from websites to mobile applications, including smart TVs, voice assistants, as well as watches, robots, cars, speakers and other connected toys.

As an example, connected television sets (smart TVs) can collect, if they are connected to the home computer network, several types of data, in particular the programs watched (whether traditional channels or video services on demand), the presence of other objects connected to the network (speakers, computers, game consoles, etc.), and the fact that such and such a person uses the television (in particular if the television or the service concerned offers a system of profiles). Certain personal data may also be collected such as usernames, e-mails, passwords, surnames, first names and dates of birth entered when registering online for services, as well as browsing histories.

Similarly, a simple connected robot can store, depending on the features offered, the consumer’s usage habits (cooking for a large family, for a couple, for a single person, etc.), eating habits (via the chosen recipes) and record a given person’s voice or surrounding conversations.

 

Cookies at the heart of very detailed consumer analyses

In all cases, the data accumulated by the manufacturers of connected objects or the suppliers of digital services can be used by them (them or their business partners) to analyze the consumption habits of users and to offer them targeted advertising according to their hobbies.

This analysis is done using cookies, small files stored by a server in a person’s terminal (computer, telephone, etc.). In the best case, these files are used to memorize display preferences or the contents of a shopping cart. These are so-called “essential” cookies for the proper functioning of the site or the connected object that do not require the user’s consent.

But most of the time, cookies are used to collect information about the Internet user in order to send them personalized campaigns, adapted to their tastes. And in this field, the field of possibilities is extremely vast.

Thanks in particular to “third-party cookies” (i.e. belonging to companies different from the one that manages the website or manufactures the connected object), it is possible to cross-check data with other treatments. If there is a possibility for any natural or legal person to identify a person by cross-checking several pieces of information or by using various technical means, the data is then considered to be personal data. And this data can turn into sensitive data when the collection of information about a person reveals their lifestyle, state of health, political opinions, sexual orientation, etc.

In addition, third-party cookies can allow the overall tracking of the navigation of a person using several applications or browsing different websites. This tracking is made possible thanks to the use of the same identifier across several sites (via, for example, cookies placed on a third-party domain loaded by several sites).

 

An impression of opacity remains among French Internet users

According to a survey carried out by the CNIL in June 2022 (2022 CNIL Survey in French), 95% of respondents say they know what cookies are and 52% of them know precisely the recent regulatory developments on the subject (compared to only 44% in November 2020). People are also well aware of the different uses of cookies: personalized advertising (81%), audience measurement (78%), geolocated advertising (78%) and display of external videos (64%).

However, despite these figures, French Internet users still have an impression of opacity: they overwhelmingly consider that information on companies in the advertising ecosystem is insufficient or non-existent (68%) and only 32% consider that it is sufficient (+ 8 points vs 2019).

To help Internet users and users of connected objects, the CNIL has developed Cookieviz  a visualization tool that measures the impact of cookies and other trackers during web browsing. This software was designed by the CNIL’s digital innovation laboratory (LINC). It allows you to view the cookies deposited from third-party domains. Its source code is freely accessible and can be enriched by developers. This initiative was rewarded in 2021 during the 43rd World Assembly on the protection of privacy hosted by the National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), the Mexican authority of data protection.

It bears witness to the growing interest of consumers, companies and supervisory authorities in the protection of personal data, in all its forms.