Cookies, and cookie banners or notices, have been around for a long time now. These notices are aimed at gaining consent to process personal information, but it is often hard to see what that actually means. There are times it must happen: for example, to provide a service or a product the company concerned does need to know who you are. But the spread of cookies across the Web has a far more sinister use and is often not understood by the general public.
Consider this: When someone goes to website A and looks for toilet rolls and petrol cans (!) and then goes to website B and is presented with that website’s toilet rolls and petrol cans, this may be because a cookie was set on website A which stored the person’s searches and this cookie can be read by website B. This is what laws such as the DPA / GDPR and PECR aim to get consent for from the person looking, and is why websites need to tell the user what cookies are being used and why. Thus cookie banners. But it ignores some other forms of trackers.
Of course, the general public hate these cookie banners and will just click OK to get to where they want to go. And they rarely see other trackers such as those used by Facebook.
But let’s put this into a real, physical world scenario. Consider two supermarkets, A and B. These are different stores, not in the same chain and there is no association between the two. Shopper A goes to Supermarket A and looks at toilet rolls and petrol cans. They are watched by a member of staff A. Shopper A then goes to Supermarket B but the staff member A rushes out and beats them there. The staff member A tells Supermarket B staff member B what Shopper A was looking at and staff member B meets Shopper A as they enter the store and shows them toilet rolls and petrol cans. Not at all creepy… but exactly what advertisers are using the web for.
Think of it like this. Advertisers traditionally used a variety of media to show adverts. These include adverts in magazines and newspapers, billboards, TV and radio adverts, flyers and direct marketing. Direct marketing – ‘junk mail’ and phone calls – is generally regarded in a very poor light. Other forms of advertising target people passively. You may be interested in buying an item and see an advert for one. You may pass a billboard and see something which you might be interested in. It does not specifically target a person; it is a broadcast method simply aimed ‘out there’ rather than at you specifically. But there is no feedback, except perhaps where a company carries out a survey or where, when a product is purchased, one is asked where one found the information.
Advertisers changed this model into one that can target an individual by profiling them. A prime example of this is Facebook which uses tracking code on all its links, even the ones shown as actual URLs. An example taken at random for an insurance company has a link which contains a considerable amount of information (this has been stripped as it will contain trackers personal to my own Facebook account):
- The URL called when the advert is clicked: https://l.facebook.com/l.php – so, already by clicking on what appears to be a company URL one is directed first to Facebook.
- The target URL, this is the actual URL shown on the advert: u=<REDACTED URL of the target company the advert is for>
- Information appended to the target URL which will be sent to the company when the URL is clicked. Note the ‘fbclid’ field which presumably contains code that shows it was me, or rather my Facebook account, that was displaying the advert when clicked: ?cmp=bsc-bra-brn-fac-3251%26fbclid=<REDACTED>
- Three more fields follow which are also sent to Facebook. The purpose of these is not investigated further but each contains tracking codes: h=<REDACTED>, __tn__=<REDACTED>, c=<REDACTED>
Thus, by clicking the URL associated with the advert being displayed by Facebook both Facebook and the company concerned will know that it was my Facebook account that clicked, and in the majority of cases one must assume that this identifies an individual.
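The link structure described above can be taken apart mechanically. The following is an added example, not part of the original post: it splits such a link into the fields Facebook receives and the fields forwarded to the advertiser, and rebuilds the target URL without ‘fbclid’. The host `insurer.example`, the `/quote` path and every `CONSTRUCTED_*` value are made-up placeholders; only the field names and the `cmp` value come from the post.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample link in the shape the post describes; all values are placeholders.
SAMPLE_LINK = (
    "https://l.facebook.com/l.php"
    "?u=https%3A%2F%2Finsurer.example%2Fquote"
    "%3Fcmp%3Dbsc-bra-brn-fac-3251%26fbclid%3DCONSTRUCTED_CLICK_ID"
    "&h=CONSTRUCTED_H&__tn__=CONSTRUCTED_TN&c=CONSTRUCTED_C"
)

REDIRECTOR = ("l.facebook.com", "/l.php")   # the URL actually called on click
CLICK_ID_PARAMS = {"fbclid"}                # the per-click field the post singles out


def analyse_ad_link(link):
    """Return what each party receives from a redirector link, or None if it is not one."""
    outer = urlsplit(link)
    if (outer.hostname, outer.path) != REDIRECTOR:
        return None

    # Outer query string: everything here goes to Facebook first.
    outer_params = parse_qsl(outer.query, keep_blank_values=True)
    target_raw = dict(outer_params).get("u")
    if not target_raw:
        return None
    facebook_fields = [k for k, _ in outer_params if k != "u"]

    # Inner query string: appended to the target URL, so the advertiser receives it.
    target = urlsplit(target_raw)
    target_params = parse_qsl(target.query, keep_blank_values=True)
    advertiser_fields = [k for k, _ in target_params]

    # Rebuild the target without the click identifier; other fields are left as found.
    kept = [(k, v) for k, v in target_params if k not in CLICK_ID_PARAMS]
    clean_target = urlunsplit(target._replace(query=urlencode(kept)))

    return {
        "facebook_fields": facebook_fields,
        "advertiser_fields": advertiser_fields,
        "clean_target": clean_target,
    }


if __name__ == "__main__":
    for name, value in analyse_ad_link(SAMPLE_LINK).items():
        print(f"{name}: {value}")
```

Visiting the `clean_target` value directly skips the redirect through l.facebook.com and drops the ‘fbclid’ field; the `cmp` field is left in place because the post does not say what it encodes.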
Another example is a certain cartoon that I read daily. Nowadays, on entry one is presented with a cookie notice with the usual accept or ‘manage preferences’ options. Clicking on ‘manage preferences’ reveals a page where one can either reject or accept all cookies or choose those you will permit. This is all well and good and I will not drill down into the dozens of options and companies to which your data is sent should you allow it. The issue is that when one chooses the ‘reject all’ option, Safari still announces that three trackers were prevented from profiling and Cookie shows that 17 cookies were set even though ‘reject all’ was chosen. So, what did it actually reject? As a test I reloaded and this time accepted all cookies. It still sets 17 but for some reason this time Safari only said it had blocked two trackers.
Let’s be realistic here. Advertisers will try any trick to figure out who you are and what you are interested in. It’s Big Money. Cookie banners only serve to annoy people and there is a tendency to simply click them away. Some websites have a simple message at the top or bottom of the page detailing cookies and, even better, some do not have boxes pre-checked, so clicking the message away does not set the nasties. Other sites have a half-screen or almost whole-screen banner that you cannot get past without reading lots of legal notices that are hard to understand at the best of times. And of course others hide the whole process anyway and give no choice. There are technical measures one can take, but why on Earth should we?
And for those designers who claim that their website cannot work without cookies… go back to school. I have cookies disabled on my phone for general browsing and so far I have only come across two websites that actually fail to work at all, both of which were hopelessly written. Yes you probably need a cookie for a shopping cart, but to show your home page? Come on.
Potential changes to data protection laws to get rid of cookie notices are a step in the wrong direction. (1) But things are not yet certain. On one hand, perhaps the regulator will do more to promote privacy by saying no, these cookie banners need to go by not setting these invasive cookies at all, rather than just allowing them. On the other hand, and worryingly so, if they simply want to
The government appear to want to get rid of that OK checkbox by changing the categories of necessary data to encompass pretty much everything; this is very backwards. The public will see this as a win as the annoying cookie popups will vanish, but in so doing they will lose control of their personal information and not even realise.