Blog Post
Stealing From the Cookie Jar? Beware Evolving Data Privacy Rules.
For many businesses, cookies are the backbone of marketing. These text-only strings of information stored on visitors’ computers, smartphones and tablets allow businesses to track, identify and study online behaviour for the purposes of targeted advertising. This practice is allowable within the confines of the EU Cookie Law, existing privacy legislation that allows websites to store or retrieve information only with visitors’ consent. While cookie-enabled targeted advertising is a boon for marketing campaigns, recent developments in data privacy laws and discourse are beginning to beg the question: is cookie tracking a good thing? More specifically, is the use of cookies compliant in accordance with the GDPR, California Consumer Privacy Act (CCPA) and other emerging data privacy regulations?
Reliance on Third-party Cookies
In exchange for user consent to allow cookie tracking, many businesses offer a wide range of services free of charge to their visitors. While this approach, or quid pro quo has largely worked for many years, consumers are becoming more privacy-savvy, and thus increasingly uncomfortable with the amount of information that is collected and shared online.
Additionally, according to research from McKinsey, roughly 71% of people would no longer do business with a company if it gave away sensitive data without permission. More, fines related to cookies and reported by the Spanish supervisory authority have hit as high as £30,000, and databrackets reported that the number of GDPR fines issued grew by 260% between 2018 and 2019.
of all users feel that almost everything they do online is being tracked by advertisers.
of users say that the risks surrounding data collection outweigh the benefits from the services offered by businesses.
One study reported by TechCrunch showed that approximately 90% of users accept the use of cookies, but only 3% actually want to accept them. The reason for this enormous gap is down to the design of the cookie banner, which some consumers view as “deceptive,” given that they display in such a way that prompts users to automatically click the accept button. Privacy activist and founder of the non-profit organisation NOYB (None of Your Business), Max Schrems, has developed a system that detects non-compliant banners. This system has generated 10,000 complaints on the most visited websites in Europe. They have gone one step further for those who are “unwilling to comply,” by issuing formal GDPR complaints to the relevant authorities—powers that are authorised to issue fines of up to €20 million. As of May 31, 2021, NOYB has issued more than 500 GDPR complaints.
In recent months, there has been increasing pressure on businesses when it comes to user tracking. Changes to the EU ePrivacy regulation means the way third-party cookies are allowed and used to track online behaviour is likely to change. That said, developments in the U.K. suggest the potential for an approach to cookies that loosens the requirements outlined in ePrivacy and GDPR. In a Sky News article, the U.K. Culture Secretary indicated plans to change the country’s data laws, including reducing the use of cookie consent banners.
Regardless of how varying jurisdictions will ultimately address the issue of cookies, technology companies are beginning to respond to the increased emphasis on data privacy. In 2020, Google announced removal of its support for third-party cookies in Chrome. David Temkin, Director of Product Management, Ads Privacy and Trust at Google stated in an blog post that, “people shouldn’t have to accept being tracked across the web in order to get the benefits of relevant advertising, and advertisers don’t need to track individual consumers across the web to get the performance benefits of digital advertising.”
Search engines have been testing alternatives to third-party cookies, including methods that allow advertisers to track internet user behaviour while identities are kept anonymous. This approach assigns visitors’ browser history with an anonymised identifier, then adds it to a cohort, i.e., a group of other browsers with similar behaviours. This is one way advertisers can continue to track and target while respecting the privacy of personal information.
A user’s cohort ID is also re-calculated on a regular basis, providing a summary of online behaviour, via an algorithm. The benefit of this is that the process takes place locally on the user’s device meaning, so that no data is stored on servers, which remediates one of the biggest privacy concerns associated with third-party cookies. The cohort approach can also remove any cohorts that have a high rate of visits to pages with sensitive topics, such as medical, political and religious sites, to avoid advertisers from learning or tracking more personal details about a cohort.
Whilst this approach may begin to address some privacy concerns around the use third-party cookies, it does fully answer growing consumer concerns and questions around tracking. This is why first-party relationships and a strong position on data privacy are more vital to an organisation’s success than ever before.
Businesses that remain heavily reliant on the use of cookies must take additional steps to maintain privacy compliance and consumer faith. This includes transparent consent notices and blocking all non-essential cookies and utilising cookies only as allowed by the legislation outlined in each country or region where the organisation is using them. With third-party cookies slowly phasing out, having a robust privacy policy and practices that account for the use of cookies alongside strong, direct and trusting relationships with consumers, will become a crucial marketing tool and competitive differentiator.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.