Cookie-Less Attribution Conflicts in Denmark
1. What “cookie-less attribution” actually means (legally relevant forms)
Cookie-less attribution is not truly “tracking-free.” It typically uses:
- Device fingerprinting (browser + hardware signals)
- Server-side tracking (events sent from backend instead of browser cookies)
- First-party IDs (hashed emails, login IDs)
- Probabilistic attribution models (AI/ML inference)
- Cross-device identity graphs
Under EU law, these are generally still personal data processing if they can identify or single out a user.
This is why cookie-less systems often collide with GDPR principles even when cookies are removed.
2. Key legal conflict points in Denmark
In Danish enforcement practice (via Datatilsynet), cookie-less attribution typically triggers four recurring conflicts:
- Lack of valid consent
Users are still tracked, but consent banners are bypassed or weakened via server-side setups.
- Hidden processing (transparency failure)
Server-side attribution is harder to disclose clearly in privacy notices.
- Re-identification risk
Hashing emails or device IDs is still considered personal data if reversible or linkable.
- Cross-border data transfers (especially to the US)
Attribution tools often send data to US-based analytics/ad platforms.
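Why a hashed email stays linkable and re-identifiable, shown as an added example that is not part of the original page. The addresses, event names and keys are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def hash_email(email: str) -> str:
    """Unsalted SHA-256 of a normalised address (a typical 'first-party ID')."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def link_datasets(a: dict, b: dict) -> dict:
    """Join two datasets on the hashed ID; no plaintext address is needed."""
    return {h: (a[h], b[h]) for h in a.keys() & b.keys()}

def reidentify(hashed_ids, candidates) -> dict:
    """Test hashes against known addresses (e.g. the controller's own CRM)."""
    lookup = {hash_email(c): c for c in candidates}
    return {h: lookup[h] for h in hashed_ids if h in lookup}

def keyed_pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret, per-purpose key. Values made under different
    keys do not match, and cannot be tested without the key. The result is
    still pseudonymised (not anonymous) data for whoever holds the key."""
    msg = email.strip().lower().encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

# Constructed sample data: two systems that each store only "hashed" emails.
WEB_EVENTS = {hash_email("anna@example.com"): "purchase",
              hash_email("bo@example.com"): "signup"}
AD_CLICKS = {hash_email(" Anna@Example.com "): "ad_click"}

if __name__ == "__main__":
    print("linked:", link_datasets(WEB_EVENTS, AD_CLICKS))
    print("re-identified:", reidentify(WEB_EVENTS, ["anna@example.com"]))
    k1, k2 = b"constructed-key-analytics", b"constructed-key-ads"
    print("keyed IDs match:", keyed_pseudonym("anna@example.com", k1)
          == keyed_pseudonym("anna@example.com", k2))
```

Running the same check against an organisation's own identifiers is a quick way to document, in a risk assessment, whether a "hashed" ID is linkable across systems.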
3. Major EU case law shaping cookie-less attribution legality
(1) Planet49 (C-673/17)
The CJEU held that pre-ticked boxes are invalid consent for cookies and tracking technologies.
Relevance to cookie-less attribution:
Even if cookies are removed, consent must still be:
- Explicit
- Informed
- Freely given
This case is often used to argue that fingerprinting or server-side tracking still requires opt-in consent if it serves attribution or advertising profiling.
(2) Fashion ID (C-40/17)
The Court ruled that website operators embedding third-party tracking tools (like social plugins) are joint controllers.
Relevance:
Cookie-less attribution often relies on embedded scripts or server integrations with ad platforms. This means:
- The advertiser and platform may both be responsible
- Liability cannot be shifted to “analytics providers”
This is especially relevant for Danish e-commerce and SaaS companies using Meta or Google tracking stacks.
(3) Wirtschaftsakademie Schleswig-Holstein (C-210/16)
The Court found that a Facebook Page administrator is jointly responsible for processing via Facebook Insights.
Relevance:
Even indirect participation in analytics systems creates responsibility.
Cookie-less attribution systems that rely on platform analytics dashboards still make businesses data controllers, not passive users.
(4) Schrems II (C-311/18)
The Court invalidated Privacy Shield and imposed strict rules on US data transfers.
Relevance to attribution:
Most server-side and cookie-less attribution tools involve:
- US cloud infrastructure
- US-based analytics vendors
Therefore, attribution data flows often become unlawful unless:
- Standard Contractual Clauses + supplementary measures are sufficient
- Or data is fully localized within the EU
This is one of the biggest practical blockers in Denmark.
(5) Orange România (C-61/19)
The Court ruled that consent must be active and cannot be bundled into service contracts.
Relevance:
Cookie-less attribution often hides consent inside terms of service or “legitimate interest” claims.
This case confirms:
- Consent must be granular
- Bundled consent for tracking is invalid
(6) Meta Platforms Ireland v Bundeskartellamt (C-252/21)
The Court held that competition authorities can consider GDPR violations when assessing abusive data practices, and emphasized limits on combining personal data across services without proper legal basis.
Relevance:
This is crucial for cookie-less attribution systems that:
- Combine data across apps, websites, and devices
- Build unified identity graphs
It reinforces that data combination for advertising attribution requires a strict legal basis, not just business interest.
4. Denmark-specific enforcement context
While Denmark does not yet have a single landmark “cookie-less attribution” judgment, enforcement by Datatilsynet has focused heavily on:
- Use of Google Analytics without adequate safeguards (post-Schrems II)
- Improper third-party tracking on public and private websites
- Lack of valid consent for marketing tracking tools
In practice, Danish regulators treat:
“cookie-less tracking” = still tracking
This means server-side attribution or fingerprinting is not seen as a loophole, but as potentially higher-risk processing because it is less transparent to users.
5. Core “conflict architecture” in cookie-less attribution
Cookie-less attribution in Denmark typically fails in three legal layers:
A. Legal basis conflict
- Companies claim “legitimate interest”
- Regulators often require explicit consent for marketing attribution
B. Transparency conflict
- Server-side tracking is not visible in browser tools
- Users cannot meaningfully understand tracking scope
C. Transfer conflict
- Attribution stacks send data outside EU
- Post-Schrems II compliance is difficult
6. Practical legal conclusion
In Denmark and under EU law:
- Removing cookies does not remove GDPR obligations
- Cookie-less attribution is often legally equivalent to (or more complex than) cookie-based tracking
- The biggest legal risks are:
  - hidden profiling
  - cross-border data transfer violations
  - lack of valid consent
