When it comes to cookies, the customer is always right

Cookies are a part of almost all websites today. It is estimated that a single website runs an average of around 23 cookies.

However, there has been a growing concern towards the intrusiveness of cookies on user privacy. This concern has been manifested in Google’s announcement that Chrome will no longer be supporting third-party cookies.

So, what is a cookie?

A cookie is a file that is exchanged between a website and your browser, which the site generates to keep track of you. With cookies essentially being large and specialised collectors of data, the consent obligation requires consent to be obtained before installing cookies on users’ browsers.

The user should have the power to choose which cookies to allow and deny.

The invention of the Internet cookie has been attributed to a Netscape engineer in the mid-1990s.

But why are cookies called cookies?

The truth is, nobody knows for sure. Some believe the term was derived from another term, “magic cookie”, which is a packet of data received and sent in UNIX programming; others believe they relate to the Hansel and Gretel fairytale, where the main characters are able to retrace their steps and find their way through a forest by using a trail of cookie crumbs.

Cookie consent violations by the big techs

Big techs have been fined for failure to obtain consent for cookies. In 2020, Amazon was fined $35 million euros for installing cookies on the browsers of French users without their knowledge, and for failing to clearly communicate to users the purpose for installation of these cookies.

Facebook was also fined $60 million euros in December 2021 by French regulators for making it difficult for users to refuse cookies. A single button was clicked to accept all cookies, but several buttons needed to be clicked to refuse them. The cookie consent design also made users feel like they could not refuse cookies if they wanted to use the site.

In recent years, cookies have been under scrutiny as awareness over privacy and the need to protect personal data grows. While some cookies are necessary for the website to function, others are not necessary and serve to improve customer experience and to obtain marketing data.

To be clear, cookies do not obtain personal information from your computer – they only contain data placed in them by website servers – they enable companies to track user behaviour and create very detailed user profiles.

Yes, ad networks can track user activity for the benefit of commerce. But cookies, to be fair, can  also make the Web browsing experience more customised and efficient.

So while this may not look like “privacy” or “violation” as most of us know it, it certainly feels like those things.

Ultimately, users must be allowed to opt-in only to the cookies they want, and not be tricked into accepting all cookies. Your cookie policy should clearly explain in layman terms - what these cookies do and how your website uses them.

Find out more about how to develop and sustain a data protection management programme (DPMP) to be compliant with the PDPA through our course here.

I always allow all cookies. Should I?

It is not good practice to bundle consent for browser cookies. One way to segregate cookies for users is through their function.

Necessary cookies are cookies required by the site to function. For example, security cookies are necessary because they keep online payments secure. No consent is needed for necessary cookies. However, it is still best practice to inform users about these cookies and their purpose.

Marketing cookies enable the placement of ads that are relevant for you. They also enable retargeting of ads.

Statistics cookies are cookies that collect data as users navigate your site. They help analyse traffic or where users drop off from the site to understand the customer better.

Preference cookies help improve an individual’s browsing experience by remembering a user so that the experience can be customised.

These cookies may be first-party or third-party cookies. First-party cookies are generated by the site being visited, while third-party cookies are generated by external sites. Some third-party cookies come from the ads that are displayed on the site you are viewing.

Third-party cookies are receiving backlash in recent years, as users are becoming more aware of their privacy rights.

Cookieless browsers: Will cookies soon disappear?

In 2020, Google announced that Chrome will no longer be supporting third-party cookies, following the sentiment that some cookies are intrusive. This has huge implications for digital marketing, as third-party cookies are used to generate leads and targeted ads.

Only third-party cookies are being banned. First-party cookies will still be supported. However, the loss of third-party cookies will entail a restructuring of marketing strategy.

For instance, companies can no longer acquire leads through stalking user behaviour across websites. Leads should now be generated through first-party cookies, which can be done by requiring account creation or login, or requiring an email address to download a newsletter. Email marketing will also be more prominent.

Because of these large changes which involve the handling of personal data, it is advised to start preparing for the cookieless browser era as early as possible. The changes in process would need to be assessed and a programme developed to protect data.

Cookies can indeed be sources of big data. But privacy is a right and it comes first.