Tracking or web tracking is a term that is not defined in more detail. The legal definition can be derived from the current legal situation and supported by the technical definition. My definition is aimed at the obligation to obtain consent.
The concept of tracking is essentially about whether a consent obligation exists.
A commonly used technical definition of the term Web Tracking is:
Web tracking is the identifying and tracking of users in networks, with the goal of exploiting user data outside a legitimate interest.
Definition of tracking from a technical perspective.
From a legal perspective, a definition can be derived from the following questions according to the current state of law, which I consider to be well-established:
- Are cookies that are not technically necessary used by the service or is the service not functionally necessary?
- Is personal data transferred to third parties without a legitimate interest and without any other legal basis?
- Is personal data transferred to insecure third countries such as the USA?
The first question is underpinned by Art. 5 Sec. 3 of the ePrivacy Directive. It states that consent must be given as soon as access to information stored in the user's end device occurs. This only applies if the process is not technically necessary, as the directive further explains. Since December 2021, § 25 TTDSG has applied to Germany. Until then, § 15 Sec. 3 TMG (in accordance with the BGH ruling on Planet49 to be interpreted like ePrivacy) was applicable. By mid-2024, the TTDSG had been incorporated into the TDDDG. ([1])
The second question is underpinned by Art. 5 GDPR (data minimisation), Art. 25 GDPR (data protection through technological design), Art. 32 GDPR (processing security) as well as Art. 6 GDPR (legal bases). A third party is any other entity with which no DPA or similar has been concluded. When visiting a website, personal data are always processed because the IP address (network address) is a personal datum. If a website embeds a third-party service, such as a YouTube video player, the user's network address is forwarded to the third party in the process. Reference can also be made to § 15 Sec. 3 TMG, which discusses the formation of user profiles. User profile data can be linked to a person and are therefore personal. As an alternative, the device fingerprint could be used as information that can be linked to a person.
The third question is underpinned by Art. 44 (Principles of data transmission).
On this basis, I consider the following legal definition of tracking to be useful (formulated linguistically as a computer scientist):
Tracking on the internet is a data transfer which must be embedded with consent, because it either accesses information on the user's end device without a legitimate interest (and certainly not without further legal basis), or because it is unnecessary or avoidable, or because the recipient cannot provide sufficient guarantees to comply with the GDPR.
Definition of tracking from a legal perspective.
While the technical definition of tracking focuses on data processing, the legal definition already considers the transfer of data relevant. This results in a gap that I examine in another article. In the definition, user profiling does not play a direct role, but is indirectly dealt with through unnecessary or avoidable data transfers, because the IP address is already a personal data item, which covers the extended data transfer during user profiling almost entirely.
Is tracking compliant with the GDPR?
Web Tracking, regardless of whether with or without Cookies, is unlawful without consent. Consent is often (unfortunately) requested using a consent tool that I consider useless.
The Google Terms of Service demand consent before embedding YouTube videos, because according to these terms, consent must be requested prior to data collection for advertising purposes. Unfortunately, the YouTube script always loads the ad tracker DoubleClick (as of 30.12.2020).
For Google reCAPTCHA it is mentioned in the Terms of Service that the EU User Consent Directive must be complied with. ([1])
The Google Tag Manager and other services like Google Maps are assigned by Google to the Google Marketing Platform (see for example here). ([1])
Theses
The integration of multiple tools for statistical user analysis is to be valued as tracking.
Cookie-based consent solutions are mostly legally invalid by their nature and technically do not work without deep adaptation of the website using them, as I have shown with the help of an exhaustive investigation, establishing objective as well as practical reasons for this.
Opt-out cookies, which cause third-party analysis tools to be loaded anyway in order to (hopefully) prevent data collection based on such cookies, are impermissible.
The use of services whose provider is unknown, or offers no or an opaque data protection policy and provides no guarantees is unlawful and even with consent is burdened with legal uncertainties.
The integration of any third-party files on websites without verifiable guarantee that these third parties handle the personal connection data received in accordance with the GDPR (i.e., no tracking is performed), is not compatible with the GDPR.
Popular tracking tools
Whether a service falls into this category depends on how one defines tracking. Several categories of tracking tools are named below. Tracking is commonly understood as following users in order to get to know them better and thereby increase conversion rates.
Here is a selection of widely used tracking tools intended for user tracking:
- Google Analytics
- Facebook Pixel
- DoubleClick, DoubleClick Remarketing for Google Analytics…; DoubleClick is used e.g. by the YouTube video player
- Google Ads Conversion Tracking
- Social Media Plugins from Facebook, Twitter etc.
- Google +1 (without function for the website operator)
- Omniture Analytics (Adobe Analytics)
- Salesviewer
- Xiti Monitoring Traffic (AT Internet)
- Matomo (in certain configurations and for cloud operation rather than local installation)
Hidden tracking tools
I designate them as such here because tracking is not supposed to be their core function, yet in reality the respective providers offer these tools (also) in order to engage in tracking.
- Google Maps: Uses, among other things, the NID cookie which is set when logging in with a Google account. Loads Google Fonts ([1])
- YouTube video script: loads DoubleClick afterwards
- Google reCAPTCHA: see Google Maps
- Microsoft Forms: Loads script from Bing (also owned by Microsoft, but apparently unnecessary for Forms)
Tracking by Google tools
I assume that the Google group of companies evaluates connection data that is generated when using the following services, among others, for its own purposes or makes it available to third parties:
- Google Tag Manager: Google uses retained user data for its own purposes, including optimizing advertising
- Google Web Fonts: see Google Tag Manager ([1])
- Any other file that is retrieved from a Google Server ([1]) ([2])
- Google DNS Server (8.8.8.8 = Google Public DNS Server). This is an assumption without deep evidence. Whoever can provide solid evidence will receive a reward from me! In any case, Google only confirms that personal data obtained through the DNS server are not used for targeted advertising. Thus, it is possible to track users and pass this information on to third parties who optimize their ads based on it (on their own responsibility).
Google even admits to using data collected elsewhere. Here are two Google sources:

Operators of websites and apps therefore pass on data to Google so that Google can display personalized advertising on its own and third-party websites. Personalized advertising requires that a person is identified or can be linked to a person.

In my opinion, Google and also operators of websites that use Google services without consent are acting unlawfully here, because the path appears to me to be as follows:
- A user A visits any website X
- Google services are integrated on website X
- Google thus receives data about user A from website X
- If user A has consented to the use of his data in a completely different place than on website X, namely on Google (see screenshots), Google uses the data obtained about user A via website X for other purposes that do not necessarily correspond to those of website X
- Website X has (usually) not obtained consent for this or I have not noticed anywhere that the integration of Google Maps or Google Fonts on websites is explained by the fact that data is passed on to Google to be used for personalized advertising.
- At the very least, the operator of website X is responsible, as it passes on personal data of user A. Google is probably also responsible. Google Signals, for example, combines data from various sources to create user profiles.
Consent obligation due to data transfer
It is possible that the following tools (examples given) are not used for tracking. However, the transfer of data to unsafe third countries such as the USA appears to require consent (and in my opinion it clearly does):
- Font Awesome fonts
- Fast Fonts (Fonts.com): Use of a tracking pixel primarily for billing purposes (usage quota)
- MailChimp
- MyFonts
- MapBox (uses OpenStreetMap)
- SoundCloud Audio Player
- CloudFlare (content delivery network for files)
In case of doubt, the person responsible for data collection must provide proof of legality. The operator of a website is usually responsible, unless they have successfully passed on their responsibility to another party. When operating globally, responsibility is often shifted to a company with suitable headquarters.
It is also not possible without risk to load an image from an external server of a third party instead of embedding the image directly. As a rule, the third party will not perform any user analysis based on the traffic data received, but could do so.
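The point made above, that every third-party file embedded in a page passes the visitor's connection data to that third party, can be checked for a given page by listing the external hosts its markup makes the browser contact. The following is an added example, not part of the original article; the sample markup, the host-to-service table and the names `EmbedCollector` and `third_party_hosts` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed, non-exhaustive host suffixes for services the article names.
KNOWN_SERVICES = {
    "fonts.googleapis.com": "Google Fonts",
    "googletagmanager.com": "Google Tag Manager",
    "doubleclick.net": "DoubleClick",
    "youtube.com": "YouTube video player",
}
# Tags whose URL attribute makes the browser send a request on page load.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload", "preconnect"}

class EmbedCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls = page_url, []
    def handle_starttag(self, tag, attrs):
        attrs, attr = dict(attrs), LOADING_ATTRS.get(tag)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return  # e.g. rel="canonical" triggers no request
        if attr and attrs.get(attr):
            self.urls.append(urljoin(self.page_url, attrs[attr]))

def third_party_hosts(page_url, html):
    """Map each external host the page contacts to a service label."""
    first_party = urlsplit(page_url).hostname
    collector = EmbedCollector(page_url)
    collector.feed(html)
    found = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if not host or host == first_party or host.endswith("." + first_party):
            continue  # the page's own host and its subdomains are first party
        found[host] = next((name for suffix, name in KNOWN_SERVICES.items()
                            if host == suffix or host.endswith("." + suffix)),
                           "unknown third party")
    return found

# Constructed sample markup for a hypothetical site www.example.org.
SAMPLE_HTML = """
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Roboto">
<link rel="canonical" href="https://other.example.net/page">
<script src="https://www.googletagmanager.com/gtm.js"></script>
<script src="/js/site.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="https://images.example.com/photo.jpg">
"""
```

Static markup only reveals embeds written into the page itself; requests that an embedded script triggers afterwards, such as the YouTube script loading DoubleClick, only show up in the browser's network log.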




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
