Practically every single time we enter a website – whether it’s our first visit to it or not – we’re met with a cookie banner that asks if we’d like to accept or reject. Many people (myself included years ago) will just hit “accept”, which is usually (much to regulators’ objections) the faster and easier option. But did you ever get the feeling that by accepting cookies, you might be opening yourself up to something, and just weren’t sure exactly what? The truth is, while cookies have their fair uses, there are sometimes dangers hidden within them that many people clicking that big, bright “accept” button might not be aware of when they do so.
What are cookies?
We’ve all heard the term, but do we all know what it means? Well, browser cookies are small text files created by the server of a website and placed on your (the user’s) computer upon visiting the site. The text file often consists of a unique identifier that enables the server to identify your session, as well as user preferences such as selected settings. Upon subsequent visits, the browser transmits the cookie back to the server, which allows the website to retrieve stored data and maintain state.
Cookies are an essential part of how the modern web functions because HTTP is inherently stateless; without some sort of identifier linking the user to the responses they are trying to retrieve, the server cannot respond appropriately. Cookies are frequently employed for storing login credentials or personalising user interactions, such as shopping history. While session cookies are temporary and expire when the browser is closed, persistent third-party cookies enable extended or cross-site tracking, with their lifespan determined by the website’s server.
What are the risks of accepting cookies?
Advertising services and data brokers, companies that specialise in data collection and profiling, will form partnerships with websites that are looking to generate revenue by integrating advertising. The advertising services will provide advertising links to the website, and in doing so may transfer a small snippet of code or ‘tag’ that is incorporated into the website’s code. The code is executed when the website is accessed, and a third-party cookie, used for advertising purposes, is transferred to the user’s machine. The user may then access a second website, one which happens to employ the same advertising service or broker. The request is received by the advertising service’s server and a data association is established between the first website, the second website, and the user.
Due to the enormous volume of websites that the average person visits, and the ubiquitous nature of some of the services and brokers, a picture of an individual user’s habits and activity can quickly be built. It doesn’t take long for websites to figure out exactly what you’re likely to be searching for online, so if you see a suspicious number of ads related to your exact interests, you know precisely why.
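An added example, not part of the original article: a small Node.js audit that classifies observed Set-Cookie headers as session or persistent and as first- or third-party, then reports any persistent third-party identifier seen on more than one site, which is the cross-site association described above. The hostnames, cookie values and function names are constructed for illustration, and the party check is a simplification.

```javascript
// Constructed sample: Set-Cookie headers observed while loading two unrelated sites.
// Every hostname and cookie value here is made up for illustration.
const observed = [
  { page: "shop.example", from: "shop.example", setCookie: "sid=a1b2; Path=/; HttpOnly; Secure" },
  { page: "shop.example", from: "shop.example", setCookie: "theme=dark; Max-Age=2592000; Path=/" },
  { page: "shop.example", from: "tags.adnet.test", setCookie: "uid=u-7731; Max-Age=31536000; Secure; SameSite=None" },
  { page: "news.example", from: "tags.adnet.test", setCookie: "uid=u-7731; Max-Age=31536000; Secure; SameSite=None" },
  { page: "news.example", from: "news.example", setCookie: "consent=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
];

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified party check (assumption): same host or a subdomain of the page host.
// A real audit would compare registrable domains using the Public Suffix List.
function isThirdParty(pageHost, fromHost) {
  return !(fromHost === pageHost || fromHost.endsWith("." + pageHost));
}

function auditCookies(responses) {
  const rows = responses.map(({ page, from, setCookie }) => {
    const c = parseSetCookie(setCookie);
    // No Max-Age or Expires means a session cookie, dropped when the browser closes.
    const persistent = "max-age" in c.attrs || "expires" in c.attrs;
    return { page, from, name: c.name, value: c.value, persistent, thirdParty: isThirdParty(page, from) };
  });
  // Group persistent third-party cookies by setter and identifier, collecting the pages.
  const seen = new Map();
  for (const r of rows.filter((x) => x.persistent && x.thirdParty)) {
    const key = `${r.from}|${r.name}=${r.value}`;
    if (!seen.has(key)) seen.set(key, new Set());
    seen.get(key).add(r.page);
  }
  const crossSite = [...seen].filter(([, pages]) => pages.size > 1)
    .map(([key, pages]) => ({ key, pages: [...pages].sort() }));
  return { rows, crossSite };
}

console.log(auditCookies(observed).crossSite);
```

A site owner can feed the function the responses captured from their own pages to see which embedded tags set long-lived identifiers before deciding what a consent banner needs to cover.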

Data collection and cookie fatigue
Despite the relatively small amount of data transferred in individual cookies, the breadth of data collected and the length of time over which tracking cookies can persist on a user’s machine means that a frighteningly large pool of information can be gathered by the distributor. It presents privacy complexities, not only because many users would expect to avoid cross-site tracking, but also because it might reduce the effectiveness of anonymisation measures implemented by other organisations to protect their users. This is especially true where the user’s activity can be tracked to a different service on which they do not expect the same level of anonymity.
Any potential danger of cookie use is compounded by the fact that users are bombarded with the aforementioned cookie acceptance banners and consent pop-ups. The result is that most of us – particularly those with less technical expertise – quickly become fatigued by the banners and desensitised to the acceptance of a broad range of cookies being placed on our machines, if we even realise that they are being placed there at all. That fatigue is itself exacerbated by the user-hostile nature of some services’ cookie banners, perhaps an intentional factor employed to nudge the user towards the blanket acceptance of cookies. Ever seen a cookie banner where the most straightforward option is to “accept”, and any alternatives would take you down a long-winded route of “customising your options”? Well, that shouldn’t be happening, but is unfortunately still an alarmingly common practice across websites hungry for your data.
How is cookie tracking regulated?
Putting this in terms of data protection law, the lack of truly informed consent due to cookie fatigue and opaque policies becomes a serious consideration. The invasive nature of cross-site tracking and profiling, and the often rather opaque sharing of this data with third parties are becoming points of focus for tech regulators both in the UK and abroad. While PECR and the UK GDPR strive to enforce transparency, valid consent, and data security, the persistent challenge is still balancing website functionality with individual privacy rights, particularly as tracking technologies become more sophisticated whilst user awareness remains low. This is before the regulators even consider the inherent difficulty in enforcing practically any digital privacy law against businesses that do not feel that they need to follow the decisions of British authorities.
How cookies exacerbate data breach dangers
The sheer volume of data collected makes cookies a prime target for large-scale data breaches. When these breaches occur, all kinds of personal data like login details, shopping habits, and even location data can become vulnerable. The potential for harm ranges from identity theft to financial fraud, or perhaps just to the advancement of the growing market of data brokerage. The lack of user awareness, understanding, and control further exacerbates these problems. Many users are unaware of the risks or how to protect themselves.

How do you safely implement cookies?
The ICO has issued a wide array of guidance for organisations looking to integrate cookies in a safe and responsible way, taking a risk-based approach to account for the level of intrusion, the efforts made to gather consent, and consumer concern. However, while they will engage PECR and the GDPR to issue penalties to organisations that, for example, fail to gather appropriate consent, the complexities of international websites, cookie fatigue, and unlawful practices make the regulation of cookies an enormous undertaking. As with many developing technologies, the race of regulation against advancement is well underway. New guidance, suggestions, and bills are being drafted more and more often.
What lies ahead for cookies?
Ultimately, cookies are an essential part of the way most people experience the internet today and the UK government has repeatedly expressed its desire not to stifle technological advancement in the UK by over-regulation.
The future of cookie integration and regulation for now seems uncertain. Hopefully though, it might soon become more common for websites to consider their users’ privacy as more of a priority, and somewhere down the line, the days of being met with unlawful or unfair cookie banners will be behind us.