What is a cookie?

Cookies are text files that allow a website to retain information about a user’s activities. For example, when a user places a pair of shoes in an online shopping cart on Nordstrom’s website, the website’s server receives a request. When the user adds a shirt to the cart, the server receives a separate request. Cookies allow the server to connect the separate requests, typically by placing a cookie with a unique signature in the user’s browser and matching that signature to the user’s activities on the website.

Companies use cookies for a variety of purposes including to enable a customer to complete tasks (as above), remember a customer’s preferences, and identify users. Companies may also allow third-party companies—such as advertisers—to place cookies in the companies’ users’ browser. These third-party cookies may be used by companies to monitor behavior over time and across websites in order to develop a history of the websites an individual visits and deliver ads tailored to his or her interests. The user above, for example, might see an advertisement for the shirt in his Nordstrom’s cart displayed in a banner ad on his local newspaper’s website.

Government Regulation

US federal laws provide little oversight on how companies use cookies, except when it comes to children under the age of 13. The Children’s Online Privacy Protection Act of 1998 (“COPPA”) generally aims to restrict the collection and use of children’s personal information on the internet. The FTC has clarified that information contained in cookies used to identify users across websites is considered personal information. Thus, organizations that use such cookies either on a site directed toward children or in a manner that gives the organization knowledge that it has collected such information, are subject to the restrictions of the law. The European Union (“EU”)’s ePrivacy Regulation, which is still in the negotiation process, and the General Data Protection Regulation (“GDPR”), which went into effect in May 2018, however, require websites to obtain any user’s consent before placing certain cookies on the user’s computer. Cookies that are considered “strictly necessary” are generally exempt from this consent requirement.

The EU rules impact US companies’ policies because so many websites in the US have users in Europe. For example, in its privacy policy, Netflix explains that it uses three types of cookies: (1) cookies that are “strictly necessary”, including those that authenticate customers’ log-ins; (2) cookies that enhance performance and functionality, and (3) advertising cookies. For users in the US, the effect of EU regulations is evident in the increasing number of cookie consent pop-ups on websites.

Because the US federal government provides only limited consumer privacy protections through a patchwork of laws and regulations, individual states have started to tackle data privacy on their own. Last year, several states passed data protection laws, including Colorado, Vermont, and most notably, California, which passed the California Consumer Privacy Act (“CCPA”) to regulate the use of personal information that goes into effect in 2020. Like the EU rules, the CCPA will require companies to notify users about their cookie policies.

Regulatory Challenges

Despite resounding support for increased data privacy regulation, governments—even those proactively regulating cookie usage and other data privacy issues—struggle to keep pace with new technologies. Cookies, for example, can only be used on traditional computers, not mobile devices. Newer technologies, however, allow advertisers to track users across platforms. Thus, the regulation of cookies may do little to protect consumers’ privacy in the future.

Self-regulation

In response to the public’s concern over digital advertising and data privacy, major tech companies are slowly starting to self-regulate. Facebook’s newest privacy policy (updated April 4, 2018) now explains that the company allows digital advertising firms to place cookies on its users’ computers and, more significantly, provides a list of “some of the companies” that place these cookies. While clearly incomplete, this list appears to be part of a larger effort to increase transparency.

Google is preparing to launch a tool on its Chrome browser which will give users more control over the cookies on their computers and allow them to limit the use of tracking cookies. The move is significant because Chrome is the primary browser used on almost two-thirds of desktop computers. Critics of Google’s move, however, argue that cookies increase competition in the digital marketing space. Restricting the use of cookies benefits the largest tech companies because they are able to collect user information through a variety of sources but hurts smaller firms that are largely dependent upon information from cookies. In fact, several digital advertising companies saw their share prices dip in response to the news of Google’s changes.

Moving Forward

For years, people have predicted the death of the cookie. However, the technology has some staying power based on the sheer volume of cookies in existence. Even if the cookie is completely replaced by a newer technology, the same overall issues remain. Americans are worried about data privacy and are losing confidence in major tech companies. In fact, Americans trust the federal government more than Facebook to protect their personal information.

Most Americans believe that the federal government should do more to regulate social media companies and data privacy. Though the current political climate poses myriad challenges, a Wall Street Journal/NBC News poll found that Americans are willing to “green light” increased federal regulations. In the meantime, TermScout aims to offer tools to help people compare privacy policies and cookie policies so that people can make better informed decisions about who they do business with.

 

For additional information, email .

Authors

Ben Golopol

Legal Product Manager and Corporate Counsel, TermScout  

Alex Paalborg

Associate Attorney, Davis Graham & Stubbs, LLP  

Elizabeth Trower

 

Your Cart