Compliance Management, Government Regulations, Threat Management

Facebook argues for its right to track non-users with ‘datr’ cookie

Facebook will appeal a Belgian court's ruling that the social media giant must cease tracking the online behavior of non-Facebook users or pay fines of €250,000 ($269,000) per day.

Belgium's privacy agency, Commission de Protection de la Vie Privée (CPVP), sued Facebook in June when researchers hired by the commission discovered the ‘Datr' cookie, technology created by Facebook that tracks the browser activity of anyone who visits Facebook's website or clicks a ‘like' button. The cookie tracks users' online activity, whether they have a Facebook account, for a two-year period.

The Brussels court said Facebook can only use personal data “if the Internet user expressly gives their consent, as Belgian privacy law dictates.”

Facebook has argued that the 'datr' cookie is necessary to protect the security of its users. Facebook CSO Alex Stamo wrote in a blog post last month that the datr cookie helps “differentiate legitimate visits to our website from illegitimate ones.”

He wrote that Facebook does not set the datr cookie “when someone simply loads a page with a Like button” and claimed Facebook deletes logs generated by the cookie after 10 days. “People can delete the datr cookie and this associated information from their browser at any time,” he wrote.

Following the ruling, a Facebook spokesperson echoed this sentiment. “We've used the 'datr' cookie for more than five years to keep Facebook secure for 1.5 billion people around the world," a spokeswoman said. “We will appeal this decision and are working to minimise any disruption to people's access to Facebook in Belgium.”

However, the court said “even an ‘internet illiterate' understands that systematically collecting the datr cookie as such is insufficient to counter the attacks referred to by Facebook because criminals can very easily circumvent this cookie from being installed by means of software which blocks cookies being installed,” according to a CPVP statement.

The decision is a significant victory for data protection agencies in Europe concerned with Facebook's tracking policies. Regulators in France, Germany, the Netherlands and Spain are also looking into whether Facebook's privacy policies are in violation of their data protection rules, according to the New York Times.

And, the European Court of Justice declared Safe Harbour invalid last month. The court sided with Max Schrems, a law student in Austria who filed a complaint that his personal data was being unlawfully processed by Facebook in the US.

Courts in the U.S. have declined to pursued privacy cases as aggressively. Last week, the FCC declined to require "edge providers" like Facebook and Google to honor "Do Not Track" requests.

Facebook users have expressed concern with the company's practices around users' information. On Wednesday, the company released its report on government requests for user information. Facebook deputy general counsel Chris Sonderby noted “an increase in content restrictions and government requests for data globally,” in a blog post.

Government requests for account data increased globally by 18 percent over the second half of 2014, he wrote. In the U.S. alone, Facebook received 26,579 requests for user information from January 2015 to June 2015, and in 80% percent of the requests, turned over data to law enforcement agencies.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.