How Do Cookies Work?
In the early days of the internet, web designers were faced with the problem of needing to preserve transaction information from one internet screen to the next in order to save users the trouble of reentering the information with each new click. Cookies emerged as a solution to this problem, with designers preferring to store such “stateful” information on the user’s device rather than on the website’s server, thereby conserving data storage space for the website. The term “cookie” is an homage to the fortune cookie of restaurant fame, based on the similar concept of a small item discretely containing a private message.
Although the possibility of using user-embedded information as a means to assess user interests and behavior was immediately apparent, the fact that cookies were actually used to do so was largely unknown to the public for several years. That changed in the late 1990s when the Federal Trade Commission (FTC) noted the prevalence of cookies in public workshops held in 1996 and 1997 and in its report to Congress in June 1998.
As the FTC noted, not all cookies were intended to enhance the user’s experience of the website being visited. Some cookies, in fact, did not even belong to that website at all. Such cookies were not “first party,” but rather “third party,” in that they had been placed on the user’s browser by a domain other than the one of interest to the user. In most instances, the third party was a professional advertiser, and its cookies were intended to enable the advertiser to identify the user as the same person—or, at least, the same IP address—if he or she later visited a different website that also happened to contain the advertiser’s code. If repeated often enough, serial identifications would enable the advertiser to assess the user’s interests and enable the delivery of advertising tailored to the user’s interests.
What Laws Govern Cookies in the United States?
Since May 2018, the EU’s GDPR has imposed a continent-wide consent requirement for the placement of cookies on a user’s browser. Although the United States does not presently have a comprehensive data protection law analogous to the GDPR, most large U.S. businesses have adopted GDPR-compliant standards, given the possibility that European consumers will visit their websites. As a result, the GDPR’s consent standards have, in some sense, effectively come to apply in North America, and perhaps even worldwide.
The enactment of the GDPR in Europe has not, however, deterred U.S. officials from independent action. In 2019, Senator Josh Hawley introduced the Do Not Track Act, which would require the FTC to create a Do Not Track system analogous to the existing Do Not Call list for telemarketing activity. Although the Do Not Track Act is not a prohibition on the placement of cookies—and is overall far more limited in scope than the GDPR—the act would require website operators to notify internet visitors of their option to click on a link and thereby make themselves exempt from data collection for any purpose not strictly necessary for the provision of online services, a step akin to the GDPR’s consent requirement for cookie placement. And for the avoidance of doubt, the act identifies “targeted advertising” as an unnecessary purpose.
At the state level, meanwhile, California has gone much further, passing data protection legislation in the form of the Consumer Privacy Act of 2018 (CCPA). Like the Do Not Track Act, the CCPA allows internet users to declare themselves exempt from tracking technologies. But unlike the federal act—and much more closely aligned to the European GDPR—the CCPA also requires covered entities to disclose what data is collected (whether through cookies or other technology) as well as what is done with the data. And even more importantly, the CCPA is not merely forward-looking in terms of consumer data rights but actually allows consumers to demand that personal data already collected be deleted.
What Is Next for Cookies?
Separate and apart from the changing legal requirements, web browsers and online advertisers have voluntarily begun to phase out their use of cookies, particularly third-party cookies. They have done so partly because of consumer concerns—and, of course, to stay ahead of the law—but also in response to the diminishing effectiveness of cookies as increasing numbers of consumers adopt ad-blocking applications or simply clear their browsers. But the discontinuation of cookies does not mean the end of advertisers’ efforts to learn the shopping habits and preferences of potential customers. In addition to turning to obvious sources of consumer behavior information like loyalty programs, companies have begun testing new technologies, such as “fingerprinting.”
Like cookies, fingerprinting seeks to assign an identifier to persons browsing the internet in order to assess individual behavior. Instead of placing a file on users’ devices, however, fingerprinting seeks to assess the digital characteristics of the website visitor—e.g., IP address, operating system, browser type, and time zone—in order to determine his or her unique online signature. To be sure, the fingerprinting method is no less a form of tracking technology than cookie-based data collection, but because it relies on the inherent attributes of the web user rather than an externally placed “tag,” it is harder to detect or block. As the use of cookies declines and consumer awareness grows, we may see an increased focus on this new type of technology.