Introducing cookies and their real-world implications
This series is all about helping you understand the Data Privacy Basics: key concepts that we should all know around our personal data, regulations that are in place to protect that data, and what Data Privacy means for us. In this insight, we introduce you to the meaning and functions of so-called 'cookies' and what their real-world implications are for individuals.
How many times have you been on a website that has informed you a ‘better, more personalised experience’ will be had if you agree to cookies? Or, even worse, met a pop-up covering your entire laptop screen and preventing you from accessing information without agreeing to the cookie? These experiences online have become the norm, with users mentioning the fear of unknown consequences if they do decide to opt in to a website’s cookies outweighing the need to protect their online privacy. Often, participants felt they were forced to accept cookies to attain their primary goal of accessing a service in the first place. This is because pop-ups can lead to frustration, consent fatigue and the misuse of data.
What are cookies and why are they bad?
Cookies are text files which identify your computer as you use a computer network. At its commencement, the Internet was a static place. Now, cookies have contributed to the more personalised and collaborative approach seen on the Internet today. Being able to target specific consumers for certain adverts helps businesses and consumers alike to build a mutually beneficial relationship. This type of identification is not always a bad thing. It is convenient for a user to have their username and password remembered if they use a website frequently. Internet cookies are also very helpful in building a user’s shopping cart whilst they explore different areas of a website. Cookies have thus become essential to our experience on the Internet but may also leave us vulnerable to our data being misused or even to privacy breaches.
Surprisingly, clicking ‘I agree’ recklessly and without regard to consequences does not fall under the definition of consent in the GDPR. The stark fact that many cookie walls are illegal might shock you. However, this is because the definition of consent means it must be ‘freely given, specific, informed and unambiguous’. Some consider this to be a high bar. In addition, the data subject must be able to easily identify the consequences of any consent they have given, and where a user has given consent for the placing of a cookie, this does not imply consent for data processing. Yet many companies still get away without upholding these requirements.
The same can be said for transparency. Under the GDPR, the data must be processed lawfully, fairly and in a transparent manner; this entails that the use must be easily accessible and easy to understand. The main issue with cookies is that information about how data is being processed often lacks clarity and does not give individuals an appropriate picture of what happens to their data. Potentially, even if there was a clause which asserted that some information would be shared with advertising networks, this would probably not fulfil the transparency aims of the GDPR.
The use of cookies is a cross-border issue and so any ruling internationally is important in the data privacy conversation. Google Analytics has recently come under scrutiny in Munich and Denmark with regard to whether it has a legitimate interest in gaining a better understanding of the visitors’ behaviour on the website. It was contended by the Danish Protection Agency that this so-called ‘legitimate interest’ was inadequate to override the interests of website visitors, who cannot reasonably expect that their information will be passed on to Google’s wider servers in America. The decision has been strengthened by the presence of many countries upholding the Google Analytics decision and applying it to further question its use of personal data. For example, Inter-Hop issued a referral to the French CNIL to understand the use of Google Analytics in the context of e-health. Internationally, therefore, the legal reaction to the use of cookies shows a clear protection of the user in comparison to the Big Tech companies.
There is the further issue of questioning who is to be held liable for the use of such cookies. As data subjects, we need to know who is controlling our data, as this has marked consequences for how our data is being processed. This is because it can have implications for the processing of personal demographic data such as age, sex, relationship and occupation. A landmark case, Wirtschaftsakademie, involved a conflict between an administrator of a fan page hosted by Facebook and Facebook. Importantly, the fact that Facebook had the opportunity to place cookies on the computer or device of the person visiting the fan page, independent of whether they had an account, contributes to the processing of the personal data. Without being too technical, the meaning of ‘controller’ can thus be taken to be broad in these circumstances, and this means that any user visiting the fan page, even without a specific Facebook account, is having their personal data processed by this social media website. Cookies pervade our online use even in situations we might not even consider.
Going Cookieless: Apple
To put it starkly, the use of cookies on websites is rarely lawful and consumers are now rightly asking for more control over their data. For years, companies like Google and Apple capitalised on the use of our data for sometimes convenient or sometimes nefarious purposes. As is well known, not paying for social media applications means we are paying in our data usage.
Are companies finally listening? Well, one of the newest developments in the tech space is the adoption of ‘cookieless’ browsers. For our purposes, going ‘cookieless’ refers to the omission of third-party cookies specifically, as opposed to removing cookies completely. This is because functional cookies remain necessary. Recently, Apple announced the blocking of third-party cookies from its browser, Safari. There is currently an opt-in requirement for the use of third-party cookies, which is a stark difference from certain websites making it almost impossible to reject the use of all cookies. It is hoped that consumers will no longer click ‘accept all’ just to be able to access information on a website.
From a commercial perspective, Apple has benefited greatly from being at the forefront of this ‘cookieless’ development. This is because they can utilise this new feature of their iOS as a point of differentiation from other browsers such as Google Chrome. Apple’s commitment to privacy has therefore made Safari a major player in the digital privacy conversation. Consumers will continue to value and purchase Apple products if they feel their privacy is being valued and protected, as more and more consumers revolt against a system that processes personal data unnecessarily and without real purpose.
Looking to the future, we may all be able to breathe a sigh of relief. Big players such as Google have announced that Chrome will aim to be ‘cookieless’ by late 2023 and with these big players listening to the noise on consent, a potential ripple effect might be triggered. This would entail smaller companies such as brands or other users of cookie technologies following suit. Importantly, this could mean a solution to the problem of third-party tracking could be on the horizon.
However, there are always loopholes, and with loopholes, data subjects will suffer. Mozilla Firefox was created by a non-profit and so it provided a user-orientated experience from the outset. Its entire message revolves around a ‘cookieless’ world in which ‘individuals can shape their own experience and are empowered, safe and independent’. The company started blocking third-party cookies in 2019, yet its engineers are still working on catching all the loopholes which inevitably popped up. We may remain optimistic about Apple’s developments in this field; however, this optimism might be misplaced, at least until all these issues are resolved.
No Cookie Crumbs, No Problem?
You might be thinking to yourself that companies such as Apple going ‘cookieless’ coupled with private browsing will prevent you from being tracked on the Internet. It is correct that if you want to browse without collecting cookies then private browsing is the best way to go. However, whilst private web browsing can collect cookies, it does not prevent websites from collecting your personal information. This means you can still be identified even on a private web browser where you would assume complete non-traceability.
The ‘cookieless’ world is a promising prospect and seems to be a step in the right direction, as it negates the use of third-party cookies, which is the main form of tracking on the internet. The issue is that this change merely affects tracking which occurs on the browser end of the internet. In reality, tracking that does not take place on the actual cookie, i.e. the text file, could lead to less visibility on the Web. Unfortunately, this could mean more tracking without the consent of users.
In an idealistic world, the presumption would be that websites do not use cookies. Even if we were to achieve this (unlikely) aim, another snag in our ‘cookieless’ journey is the unfortunate reality that users can still be tracked without cookie crumbs.
A Cookie-Free Diet?
Cookies cannot be wholly seen as naughty or nice, and their ethical nature largely depends on how the website deploys them. Website users who are concerned about data privacy should aim to address the issue of cookies on a case-by-case basis. The developments made towards a ‘cookieless’ world are notable; however, we are miles away from waving the white flag.