‘Accept All’ – Cookies and Data Privacy
Haven’t we all clicked on Accept Cookies without reading the privacy policy? It’s like we do it as an unconscious reflex when we see the window pop up. But have you ever given thought to what exactly cookies are and what they do? This blog post gives an overview of cookies and the data privacy concerns arising from their ability to collect sensitive user information.
What Are Internet Cookies?
Cookies are text files with small bits of information that are used “to identify your computer as you use a computer network.”[1] These text files are stored on your hard disk and serve as a memory tool that can recognize your online behavior.[2] Each website you visit will ask you to accept their own set of cookies before you start browsing.[3] Remember when you were searching for a particular pen on Amazon and the next time you logged in, you would see a pen advertisement on your Amazon homepage? And that other time when you went back to Macy’s website and found the items you added last time were still in your cart? These are just a few examples of how cookies work.
Cookies are typically used to collect information on what pages you view and your activities on the website. They enable the site to recognize you by remembering your user ID or keeping track of your preferences, they customise your browsing experience, and they are then used to deliver targeted advertisements to you.[4]
Based on the duration they are stored on a user’s device, cookies can be divided into two types: single-session and multi-session cookies.[5] Single-session cookies are temporary cookies that memorize your online activities.[6] These cookies are erased when the user closes the browser. They help you in navigating through the website.[7]
Persistent cookies, also called multi-session cookies, are stored on the user’s device to help remember information like settings, filters, and sign-in information.[8] These cookies are saved on the user’s device for a longer time and remain stored even after the browser window is closed.[9] They do have an expiration date attached to them, so they are deleted on the expiration date or when you manually clear your cookies.[10]
Based on who introduces the cookies, they are divided into 3 types: first-party, second-party and third-party cookies.[11] First-party cookies are created by the site you are visiting, and can only be used by the site that created them.[12] These cookies are used to optimize the functionality of the website.[13] Second-party cookies, more commonly known as second-party data, are created when one website copies the contents of another website’s cookies as a result of a data partnership.[14] For example, a social media platform could sell its first-party cookies to a clothing brand to use for ad targeting. Third-party cookies are placed by domains other than the one the user is visiting; they are used for cross-site tracking, retargeting, and ad-serving.[15] An instance when you would come across a third-party cookie is when the user is reading an article on one website and is shown an advertisement of a product the user has previously viewed – the advertisement carries the third-party cookies.[16]
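The two classifications above can be read directly off the `Set-Cookie` header a server sends. The following is an added example, not part of the original post: the header values and hostnames are constructed, and the domain comparison is a simplified suffix match (real browsers also consult the Public Suffix List). Second-party data does not appear here because it is a data-sharing arrangement, not something visible in a header.

```javascript
// Added example. Header values and hostnames are constructed sample data.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Single-session: no Max-Age or Expires. Persistent: an expiry in the future.
// Max-Age takes precedence over Expires; an unparseable date is ignored.
function lifetime(cookie, now = Date.now()) {
  const maxAge = cookie.attrs["max-age"];
  const expires = cookie.attrs["expires"];
  let expiry = null;
  if (maxAge !== undefined) expiry = now + Number(maxAge) * 1000;
  else if (expires !== undefined) expiry = Date.parse(expires);
  if (expiry === null || Number.isNaN(expiry)) return "single-session";
  return expiry > now ? "persistent" : "expired";
}

// First-party if the cookie's domain covers the host of the page being visited.
// Assumption: plain suffix matching, with no Public Suffix List check.
function party(cookie, responseHost, pageHost) {
  const raw = cookie.attrs["domain"] === undefined ? responseHost : cookie.attrs["domain"];
  const domain = String(raw).replace(/^\./, "").toLowerCase();
  const page = pageHost.toLowerCase();
  return page === domain || page.endsWith("." + domain) ? "first-party" : "third-party";
}

function classify(header, responseHost, pageHost, now) {
  const c = parseSetCookie(header);
  return { name: c.name, lifetime: lifetime(c, now), party: party(c, responseHost, pageHost) };
}

// Constructed responses seen while the user visits www.shop.example.
const samples = [
  ["cart=abc123; Path=/; Secure; HttpOnly", "www.shop.example"],
  ["prefs=dark; Domain=shop.example; Max-Age=31536000", "www.shop.example"],
  ["uid=7f3a; Domain=ads.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure", "track.ads.example"],
];
for (const [header, host] of samples) console.log(classify(header, host, "www.shop.example"));
```

A cookie sent with `Max-Age=0` is reported as `expired`, which is how a site instructs the browser to delete a cookie it set earlier.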
Cookies make user interaction with websites much smoother. However, because of their ability to collect vast and sensitive information about consumers, they pose great data privacy issues.
Privacy Concerns Related to Cookies
While cookies themselves do not dig or search your computer for information, they do store information that you, as a user, input into a website’s order forms, payment pages, account creation pages, registration forms, etc.[17] Viruses are not a risk relating to cookies; the risk comes from how information collected through cookies is used and exposed.[18]
Privacy concerns are raised because users are unaware of the extent of information collected, and it is not clear when data collected from cookies is sold or shared with other companies.[19] Cookies collect information on the user’s web browser, geolocation, profile data, online transactional history, and preferences.[20] This information can help businesses create profiles on their users and can be used as an identity stamp of the user.[21] Some users may want to maintain their privacy and not share their personal information with the world. In the past, cookies were simply seen as a mechanism that helped the world wide web work. However, cookies are now used far beyond their original function and are utilized to capture data to create detailed user profiles to sell to other companies for marketing and advertising purposes, which has led users to grow wary of the intentions of cookies.[22]
Some users may not want their personal data to be used or shared, and that is when the question arises: Do users have the right to prohibit companies from collecting and using their data?
There is no comprehensive federal law concerning cookies in the U.S., but some states have enacted laws to regulate cookies, such as New York and California discussed here.
When on a website, the website can ask you if you would like to accept all cookies for the optimal functioning of the site. As a user you could “accept” or “decline.” The following is an instance of a cookie pop-up:
Once you have selected “decline” or “don’t sell my information,” it becomes the responsibility of the website owner to keep your selection in mind and to treat the information collected in accordance with your preference and any other management required by state law.
The California Consumer Protection Act and Cookies
The California Consumer Protection Act (“CCPA”) is the California state law that provides consumers with 4 important rights: (1) The right to know about the personal information a business collects about them and how it is used and shared; (2) The right to delete personal information collected from them (with some exceptions); (3) The right to opt-out of the sale of their personal information; and (4) The right to non-discrimination for exercising their CCPA rights.[23] The CCPA is based on an “opt-out cookies consent regime.”[24] An opt-out mechanism means websites can use cookies without prior consent, but they are required to provide users with a simple way to opt-out at any time.[25] The CCPA requires businesses to provide a clear and conspicuous link on the business’s homepage, titled “Do Not Sell My Personal Information,” to an internet web page that enables a consumer to opt-out of the sale of their personal information.[26] Additionally, the right to non-discrimination prohibits businesses from discriminating against consumers who do not agree to give access to their personal information, by providing a different price or giving a superior quality good or service to consumers who do give access to their data.[27] Overall, this law does not prohibit businesses from using cookies altogether, but it places certain controls on how data collected from these cookies is used and gives consumers a way to opt out.
New York’s Privacy and Cookie Laws
New York has laws about data security, such as the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”), but no consumer-focused data privacy law like the CCPA. The SHIELD Act requires any person or business owning or licensing computerized data that includes the private information of a resident of New York to implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.[28] The act requires businesses to impose reasonable administrative, technical & physical safeguards to protect private information.[29]
Earlier this year, given the increasing data privacy concern, a bill related to data privacy called the New York Privacy Act (“NYPA”) was introduced for the second time.[30] The NYPA is based on an opt-in model which requires a user’s consent before the collection of data, unlike the opt-out model.[31] The NYPA would require companies to inform the consumers of categories of personal data collected, the purpose of collection, categories of data shared with third parties, and the names of third parties.[32] It also imposes fiduciary obligations on businesses that collect data which means every legal entity that processes personal information would be required to exercise the duty of care, loyalty, and confidentiality expected of a fiduciary with respect to the securing of the personal data of a consumer against a privacy risk; and they must act in the best interests of the consumer, without regard to the interests of the entity in a manner expected by a reasonable consumer under the circumstances.[33] The NYPA would also empower consumers to make requests for permanent deletion of their personal data in the possession of companies.[34]
If this act is passed, it would be a step forward in protecting consumers’ personal data and privacy.
Conclusion
Be it the California law or the proposed New York law, they both place responsibilities on the companies collecting data. Companies need to be able to separate the information of a user who opted out or did not give their consent to their data being used or shared with third parties. They also need to implement reasonable measures to protect the data they have collected. It is also important that users be notified immediately, when they access any website, that cookies are being used and in what manner, and that restriction mechanisms be in place if a consumer opts out. Cookies are a complex but valuable tool for most businesses, and businesses rely heavily on them. If businesses comply with legal requirements as to data privacy, cookies can serve as an excellent way to boost their business and an effective tool for marketing and overall website use.
Footnotes