Age, location, preferences – anyone who reads online is also being read. SRF shows how big the data business is and which websites share particularly sensitive data.
They are the gatekeepers of the Internet: data protection declarations, also known as cookie banners. Anyone who visits Swiss websites and apps today encounters them almost everywhere. They point out that data can be collected and shared here – and with how many potential partners. And they ask visitors whether they accept these conditions. But what actually happens if, like most visitors, you click on “Accept all” on the cookie banner? SRF Data has conducted a data analysis of the 50 most relevant websites in Switzerland. The data reveals who else might be reading along while you surf – and what you can do with it.
These trackers are vital for the survival of technology companies. By being able to obtain information about us – such as how old we are or what topics we are interested in – they can offer advertisers precisely tailored personal profiles that they can reach with advertising on Google or Facebook. They do this so successfully that they now pocket a significant portion of the money for online advertising campaigns. But it goes even further. Many of the trackers are part of a digital advertising market, known as programmatic advertising.
The principle behind it, put simply, is as follows: Anyone who opens a website with advertising space will have their user profile auctioned off to the highest bidder on various digital marketplaces within milliseconds. This is a huge win for the advertising industry because it means that the target group of a product can be reached precisely and, for example, only dog owners can see advertisements for dog food. study estimates that in Switzerland, an auction based on each person’s profile takes place during every minute of Internet use – around 300 times a day.
But the system also has a huge disadvantage: Depending on which partners a website works with, our user data can be shared with hundreds of companies. This is because all participants in a digital advertising market receive the data of the user who is currently opening a website at every auction – regardless of whether they win the auction or not. It’s a bit like if we wanted to apply for a job at a certain company, we had to send our application dossier to all the companies in the industry. According to data protection law, such data may only be used for advertising purposes. But hardly anyone checks it. And so the digital advertising system is a gateway for anyone who is interested in the data: secret services, data traders, private snoopers or stalkers. Research by SRF Data shows how such data is traded on a shadow market and sold to anyone with the necessary cash.
Sensitive data to hundreds of partners
The fact that cookie banner pop-ups are popping up all over the internet is thanks to the new data protection law that was introduced in Switzerland last autumn. It stipulates that user data should be processed and shared proportionately. That visitors have the option to refuse tracking. And that it should be made transparent with whom the data is shared.
Not all websites are equally transparent about which partners they share data with. However, many of the websites examined are members of the industry association IAB, which focuses on transparency and offers standardized cookie banners. SRF has analyzed these. This allows the members to be compared with each other and for the first time to show who receives our data for what purpose – or at least who is given permission to extract it.
There are ways to limit the collection of your own data. For example, by installing so-called “ad blockers” in your browser. According to a new study, around a fifth of Swiss people use ad blockers to block banner ads, which are mostly used for programmatic advertising.
Another option is to manually deactivate the unnecessary cookies on each website. This option is mandatory under the new data protection law. While the European Union requires clear consent from users (opt-in), companies in Switzerland have previously assumed that they can share all data by default and that users themselves have to deactivate the cookies using a button (opt-out). However, according to the law, the principle of “privacy by default” now applies: the default settings when visiting a website should prioritize data protection wherever possible and only the absolutely necessary data should be processed. In other words: data collection should be proportionate and moderate.
But in practice, questions arise as to how well Swiss websites know their own cookie banners and partners. research of the online magazine “Republik” showed that Swiss media houses User data to Russia sent without them being aware of it.
Agreed is not the same as consent
According to the Federal Data Protection and Information Commissioner Adrian Lobsiger, many adjustments to the current legal situation are currently being made. There is often a difference between what a website states in its privacy policy and what it actually does. “In terms of data protection law, this is a breach of transparency,” says Lobsiger. It is the responsibility of the individual websites and apps to ensure that data is not used improperly. They can also block individual partners or restrict access to data.
For Lobsiger, profiling activities and the sharing of user data should only take place if the people concerned have been explicitly informed and subsequently give their consent. But that is often not the case, especially with cookie banners, which do not make the extent of the data sharing sufficiently clear: If you do not really understand what you are clicking on, the consent is ineffective and non-binding under data protection law. But then it is too late, says Lobsiger: “Once the data has been sucked up and forwarded, it is difficult to take it out of circulation again.”