Pierluigi Paganini May 20, 2021

Which are privacy concerns on the way organizations collect personal information through the use of cookies?

Data is constantly being tracked, stored and processed right under our noses, and it is quite frightening to know just how much data a company might have on you. They may not have your deepest darkest secrets (or maybe they do), but they have a track of your interests and behaviour, so much so that in this day and age, organizations have enough information about you that they can replicate a digital version of you. The question remains, where are they getting this data from?

There are several avenues through which organizations can collect personal data but one of the main drivers is cookies. When a user logs on to a website for the first time, the server assigns them a user-specific identity that is distinctive. This identity is stored on the mobile or computer on which the browser is running. In case the user enters the website again, the browser sends a cookie to the server, allowing the website to remember the user. In other words, cookies function as a kind of memory of the internet running through protocols that provide data flow. As sneaky as they can be, they were not created with malicious intent in mind. Quite the contrary, in 1994, when a company called Netscape Communications was developing an e-commerce application, a computer programmer Lou Montulli was thinking of the great value to the e-commerce of remembering the information in the user’s shopping cart and used cookies for the first time.

Cookies could be a privacy threat

Before we can dive into why cookies may be a privacy threat, we need to look into the purposes of cookie consent. There are two main types of cookies that can be found on any website. These are the following:

• Session cookies:

As the name suggests, a session cookie is stored in temporary memory and is not retained after the browser is closed. An example of this would be, the cookies that keep your information until the session is closed on the websites providing online banking services are session cookies.

• Persistent Cookies:

These are the opposite of session cookies, as they remain in the system even after the browser is closed and can only be removed either manually or until the cookies expire. Persistent cookies are used for provision of customized content and collection of statistical data about user’s website activity.

First-party cookies

These are the cookies which are usually in effect when visiting a website, but neither one of them is dangerous to your privacy. These are  considered First-party cookies that are stored under the same domain you are currently visiting. So, if you are on a website all cookies stored under this domain are considered first-party cookies. Privacy concerns arise when there are third-party cookies involved.

Third-party cookies

Third-party cookies (cookies that are stored under a different domain than you are currently visiting) are created and placed on your mobile or computer by different internet subjects on the website you are visiting. The different kinds of advertisements that we may observe on websites are provided with these cookies. In other words, ad servers track user behavior to serve customized advertising on another website. These third party cookies may be found on several websites and are considered as the most undesirable types of cookies. This is because of the concern that it may cause privacy and security risks creating a behavioral profile based on your browsing history and the content visited.

Where does consent come into play?

Most global privacy laws such as the GDPR require organizations to obtain the user’s consent before the use of cookies. Such consent must be freely given, specific, informed, and unambiguous indication of the data subject’s wishes. These laws will help consumers feel safe and organizations will have to be much more careful with their data. Obtaining these cookies will although be easy, it will still need consumer’s consent if it has to be processed.

Given the increased frequency and severity of enforcement around consent violations, it is wise for organizations to invest in automation at an early stage of the compliance process and prepare your organization for all data privacy regulations around the world – not just the existing ones but also those that are upcoming.

Conclusion

Cookies may be deemed as a privacy threat, but global privacy regulations ensure that none of personal data can be processed without their consumers’ permission. This will protect the users privacy and also give incentive to organizations to use a first-party approach in order to extract data. That being said, automation is necessary, now more than ever, for any organization that is hoping to comply with privacy regulations in a scalable way.

About the Author: Anas Baig

With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – SECURITI.ai. He holds a degree of Computer Science from Iqra University and specializes in Information Security & Data Privacy.