Privacy, Personalization, CCPA and the Future of Web Cookies

Web cookies perform essential functions of convenience in the modern web. They allow you to auto-fill web forms, recall login information and remember items you placed in your shopping carts. They help provide more relevant experiences by reducing irrelevant solicitations. They are used to personalize and create efficiencies. And also used to spoof user accounts and retarget advertising which feels a bit creepy to the wider population.

With growing concern of privacy issues, and the introduction of laws like California’s Data Privacy Protection Act (2020), and the EU’s General Data Protection Regulation (GDPR), comes a need to better understand cookies - what they are, how they work, what value they provide, and how new consumer protection laws could impact the future of cookies and our fortunes.

What are HTTP cookies (web cookies, browser cookies)?

Not as toothsome as they sound, cookies are text files, sent to and stored by your browser (on your hard drive) that associate bits of individualized information in the form of simple key/value pairs. The data collected depends on the domain setting the cookie, but can include:

• User’s browser setting information - user id, geolocation, time of entry, language preference, computer operating system, browser type
• Form fill information - first/last name, company name, email address, phone number 
• Analytics data - number of page visits, URLs visited, pages shared, website entry points 

Cookies also play an essential role in collecting the type of marketing gold that help businesses improve products,  better understand customers and of course, sell more products.

Two Recipes for Delivering Cookies

Today, if you visit a website, chances are you’ll notice a cookie request. If you accept the request or continue browsing the website, the site will deliver one or more cookies to your browser identifying you as user X. If you leave the site and then return to it again, that cookies can be used by the website to recognize that you are the same user X that was at the site previously and enhance your web experience in some meaningful way. Google, for example, uses cookies to ensure you remain logged into accounts and can easily switch between Gmail, Calendars and Docs.

There are essentially two types of cookies – first-party and third-party (second-party cookies are up for debate and we won’t discuss them here). From a technical perspective, there is no real difference between the two types. Both contain bits of user information and can perform the same functions. The real difference is how they are created and subsequently used, which depends on the context.

• First-party cookies are stored by the domain (website) you are visiting directly. They allow the website to collect analytics data, remember language settings, and perform other useful functions that enhance your experience. The limitation of first-party cookies is that they can only be read by the website that set the cookie. This makes them useless for other domains and for cross-site advertising purposes (e.g. retargeting).
• Third-party cookies are created by domains other than the one you are visiting directly, hence the name third-party. They are used for cross-site tracking, retargeting and ad-serving. Ad display networks often require a retargeting pixel (a tiny unit of code) on a webpage, creating a cookie in the user’s browser, which causes the advertisement to be displayed to sales prospects when they visit certain websites within the retargeting network (e.g. Google Display Network). Ever get an eerie feeling that you're being followed through the web? That’s often the result of third-party cookies and retargeted advertising.

How Does the California Consumer Privacy Act Impact Cookies and Our Fortune?

(Disclaimer: do not use this article as legal advice)

Rejection of third-party cookies is on the rise. Whether from high-profile consumer data breaches or political hacking, increasing numbers of people are either manually blocking third-party cookies, or deleting them regularly. Additionally, browsers (like Apple’s Safari browser) have begun blocking third-party cookies by default in an attempt to protect consumers from third-party Internet tracking.

Organizations that need to be compliant with the CCPA will have to disclose their use of cookies. As with the GDPR, cookies required to make websites function, do not require consent. It is advisable to disclose their use to the website visitors, but it is not required to allow them to deactivate these cookies, if without them, the website would not function properly.

Other types of cookies, such as functionality, performance, or analytics cookies should be optional. The user should consent to their use through a clear, affirmative action. Just like with the GDPR, CCPA requires that phrases like “by continuing to use this website you agree with our use of cookies” disappear from the website. In their place, we should see a clear description of each type of cookies used, how many cookies are used for each type, and the option to opt-out of anything that isn’t mandatory for the website to function. While the text of the CCPA, like that of the GDPR is not that specific, these are the conclusions that can be drawn from major provisions such as transparency, data subjects’ right to access and to be informed, data minimization, and all this should reflect in the cookie policy of each company.

And although amendments are still in progress, California’s Consumer Privacy Act (CCPA) will take effect January 1, 2020. The law has numerous parts. It forces companies to reveal what data they collect. It gives users the right to delete that data and prevent its sale. It will likely restrict how data can be used for online ads. The outcome could have far-reaching consequences for every other state in the U.S.

Consumer advocates say the law could meaningfully improve online privacy without losing what people like best about the internet. Furthermore, global organizations that are currently adhering to GDPR laws will likely notice little change in their practices. Industry experts, however, warn that the California law threatens many technology companies (Google, Facebook, Linkedin and ad service revenue streams) and small businesses by disallowing what the industry calls “third-party behavioral profiling”. The result of which could have a big financial impact on California businesses that use ad retargeting to sell more products.

But People Want Personalized Experiences. Don’t They?

74% of online consumers get frustrated with websites when content (e.g., an offer, ad, promotion) appears that has nothing to do with their interests, according to Janrain (now Akamai). And 90% of consumers find custom content useful, while 78% believe that organizations providing custom content are interested in building good relationships with them. Clearly, there is a disconnect between what consumers say they want and their willingness to provide the information needed to enhance their web experience. Or perhaps there isn’t.

Exploiting the data that cookies collect for unethical business practices has steadily risen over the last decade. Shady businesses knowingly collect, share and sell user data as a part of their business practice.

Why is this important? While most of us generally click absentmindedly to ‘accept cookies’ for the sites we visit, these invisible hangers-on constitute a surprisingly insidious means of tracking your behaviour across the web. Pervasive ad tracking means that someone’s entire web browsing history can be effectively recreated by third party companies – and this information can then be swapped across the web by various information resellers.

And In the wake of Yahoo’s 2016 data breaches which compromised hundreds of millions of Yahoo customers’ accounts through the use of “forged cookies”, consumers are becoming more aware of privacy and actively monitoring their cookies.

Marketing is an exchange. Let’s face it, we don’t get excited and line up to hear products pitches. We will, however, give our attention, consideration and personal information if a product or service is perceived as providing value. But, when companies are not transparent, bury ambiguous legal jargon within their Terms and Conditions, and then sell our personal information to other organizations, we draw a line in the sand. The product’s value simply isn’t worth the personal information investment.

Fortunately for marketers, first-party cookies are so commonly used on the web, that blocking them renders the Internet almost useless. So there’s no real concern that the benefits (or risks) these solutions offer will be going away any time soon. Which is why it’s important to take the time to read privacy and cookie policies and understand how your information is being used by the sites you visit.

Many Popular Web Browsers Are Fighting The Good Fight Against Third-Party Cookies.

Safari and Firefox have recently joined the fight to protect consumers’ privacy. Each is disabling third-party cookie tracking by default and taking additional measures to detect and block cryptominers and other malware from leeching off your computer.

Chrome, the most popular web browser on the Internet, is lagging behind. But that’s no big surprise considering it’s owned by one of the biggest exploiters of consumer data, Google. Users can and are beginning to manually turn off third-party cookies within Chrome’s intuitive settings.

Conclusion

• Web cookies are simple text files that help brands create better digital experiences for their customers. But like most technology meant for  good, can be exploited by unethical, greedy businesses to harm consumers.
• Third-party cookies are under fire (for the creep factor) and are now being blocked by Safari and Firefox browsers.
• California’s Consumer Privacy Act is the U.S. equivalent of the EU’s General Data Protection Regulation and will require businesses to be more transparent about the data they collect, how it is used and how it can be removed.
• Consumers want easy, personalized web experiences, but not at the expense of having their personal data compromised or sold.
• Fortunately, most of the technologies we use as marketers on our websites use first-party cookies and that’s not going to change any time soon (if ever).