E3: Are You DataSmart? Cookies, ePrivacy Regulation, and What’s Next

Cookies are amazing, whether chocolate chip or the 1×1 pixel type dropped on your browser session. But GDPR, and more specifically the ePrivacy Regulation, have a lot to say about how cookies will be managed and used going forward.

And what about the business benefits? The ROI on re-targeting (that creepy advertisement following you all over the internet) has been shown to be really compelling. So how do businesses not run afoul of cookie usage?


Jay: “Are you DataSmart?” A weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. And today, we’re gonna focus on cookies. Not the delicious edible kind, but the kind that are placed into your browser by a little amount of code, trapped in a pixel. And the reason why we’re gonna tackle cookies is they are a critical way of how the web currently operates and your business in all likelihood utilizes them on your website, and then utilizes the data that they can allow you to access for a lot of really smart marketing and approaches to dealing with customers. Cookies generally, if we’re just going to take a step back, the concept is really quite simple. If you like having a persistent shopping cart, let’s say you are online and you add things in your shopping cart, then you browse away and then come back, without cookies that shopping cart unfortunately would likely empty and would no longer have the items you had in it. Another great example of cookie usage online is browser sessions or log in sessions. So, if you have a subscription to the wallstreetjournal.com or ft.com, if you don’t wanna have to log in absolutely every time that you visit there, then you really are a fan of cookies because that’s what allows you to have that persistent ID. Sometimes not just in a session of a browser window, but sort of permanent or persistent as they would call it. So, there’s really two types of cookies, there’s persistent that can continue on and live with your browser after the session, and there’s session cookies, and there’s nuances within each of those categories as well.

So, for most people the use of cookies has been really a great user experience enhancement to the web. On the flip side, cookies themselves have a lot of implications when it comes to privacy because cookies ultimately end up putting you into what we refer to as a cookie pool. And while a cookie pool certainly sounds like something that cookie monster would love to swim in, that really has nothing to do with it.

Jay: [Cookie Monster Voice] Yummy. Put that in my last house.

Christian: So unfortunately, that’s not the cookie pool we’re talking about. Cookie pool for us is a collection of all of the visitors that have been on a platform or a site and stored with the company so that they can access that cookie pool later which opens up a really interesting opportunity that you’ve definitely witnessed in your own business or your own personal life which is retargeting. Retargeting takes cookie pools, again the batch of all the visitors that have visited a site and can then target ads to those people on an ongoing basis as they travel around the web. So, if you’ve ever had someone…if you’ve ever looked at a new pair of sneakers or a handbag or a new vacuum cleaner, whatever it may be on a particular site, that site typically will have a pixel, a one by one pixel that drops code into your browser which places the cookie, and that way they can retarget you literally for months after that. So that’s why that handbag is following you all over the internet as an ad; it’s because of cookies. And so, we wanna talk about that a little bit today.

Jay: Yeah. Christian, you hit on a word that I think for regulators is very important and that word is “targeting.” Any time you’re doing something on the internet that involves targeting and tracking an individual’s behavior, what they call OBA, online behavior analytics, any of these things that you identify an individual and follow what they’re doing, that’s a red flag for regulators. It’s not illegal, it’s not unlawful, and in most cases it’s not unethical, and it’s profitable. But there are limitations to what you can do and how you can do it. As we’ve talked about before the regulations in the United States are advisory. There’s no specific cookie law in America. The FTC does a lot of work talking about cookies and if you make promises about what you’ll do with cookies then you’re lying, you know, then the FTC might come after you. But it’s not like, you know, thou hast placed too many persistent cookies this year and so, you’re fined. The European Union as always is different and, you know, we talk a lot about the GDPR, but in this case it is another regulation going into effect on May 25th of this year that counts and it’s the ePrivacy Regulation. And that is, I mean, you can basically call it the Cookie Law. That’s what it’s really aimed at doing. It’s driven at controlling and curtailing what you can do with online tracking and cookies. There’s some other provisions too.

Christian: Is this gonna affect everyone’s, you know, pop up window, you know, obviously that was a huge scramble a year or two ago, of everyone having to have that pop up window. What’s gonna happen? What does this new ePrivacy directive really drive?

Jay: Well, interestingly in Europe it’s gonna make life less annoying because if you’ve ever gone on the internet in Europe or gone to European websites, those browsers have pop ups every time you log in and it’s a source of great frustration to users of the internet in Europe. They complain about it. Now, what’s gonna end up happening is for the most part you’ll see a single banner that’s integrated into the page that provides something in the format that follows, “We use cookies to enhance your user experience and for other legitimate purposes. If you agree to the use of these cookies click okay, if you do not agree please click here to learn more or please opt out here.” But most people are gonna say, “Please click here to learn more.” And what will happen is you’ll be taken to a landing page if you say learn more or if you just navigate to it. That will say, “Here are all the reasons that we use cookies. We use them to enhance your experience, to make it easier for us to provide services to you.” And you’re gonna see that language consistently because that’s the language of under the GDPR what’s called legitimate interests which is sort of the catch all for, “We need your personal data to be able to do this particular thing which is important to us and important to you.”

If you do accept cookies, you click once and for a year, you should be good. For the most part you’ll be able to just continue using as always. If you opt out obviously, your user experience will be affected, but it’s really on the producer or the deliverer side that the change is gonna have to be made. Because now, when you go to read about cookies it’s something that, you know, a privacy lawyer might understand or maybe not. I mean, these are couched in terms that are very difficult to understand. The GDPR and the ePrivacy Regulation do away with all that. They say, “If it’s not clearly understandable and as easy to opt out of cookies as it is to opt in, then you’re gonna get fined.” So, look for much plainer language, look for, “If you don’t want cookies, click here.” And look for that change to happen right around May.

Christian: That’s amazing. And so, you know, looking at, you know, how do companies prepare for this, there are a lot of again from the business angle, retargeting almost always has a higher ROI than direct advertisement. It’s been proven time and time again, it can be very effective. Being able to give a great user experience is also very effective. I’m glad to hear that the user experience is going to be better, but how do our listeners prepare for this? Because yes, you can certainly handle the, you know, the one time yearly check, a check box if you’re in the EU. But what would companies need to be thinking about how can they prepare themselves for the changes that they need to be ready in regards to cookies?

Jay: Well, one important clarification is that it’s not just if you’re in the European Union. If you’re an American company and you are marketing and selling in Europe, the GDPR is gonna apply. So, be aware of what your European-facing internet properties look like because if they’re not compliant, you’re not compliant. In terms of getting yourself ready I think the first thing to do is look at that banner and the reason why I say that is it’s the very first thing that your customers are gonna see which means it’s the very first thing a regulator is gonna see. And if when the, you know, the data protection commissioner in Dublin logs into your website and it says, “We use cookies. By continuing to use the site you consent.” That’s not gonna fly anymore and so the very first thing that you have is, you know, a little check, minus or an x or however they’re gonna grade it in Dublin. And so, that’s not…you wanna avoid that you don’t wanna start out on the back foot. So, think about what that banner looks like, then think about that the content of what you’re communicating to your customers, the people who are visiting your site. If it’s, “We use cookies because they help us customize. You don’t have to agree to have them placed, but it’s not gonna be the same experience for you if you don’t. If you consent, click okay. If you don’t, here’s…read more.” You might be able to tailor what they can consent to, you know, “I won’t consent to physical location tracking, but I will consent to session cookies.” If you can break that out that’ll be helpful and even if it’s more complicated on the front end it will avoid or help avoid a regulatory action.

Christian: You know, it’s amazing because I know we’re talking about cookies which the best analogy I can offer you is sort of the way they tag the dorsal fin of great whites and they can track them all over the ocean as they go. There’s some great websites to track the great whites as they travel. That’s kind of the concept around “cookieing,” but sort of passive “cookieing” is going to be a topic that we wanna cover as well in the future. I know Facebook applied for a patent that every imperfection of a camera lens, they could identify which camera took the photo and then by using facial recognition of who was in the photo kind of identify who you are taking the picture which is just crazy. But it makes a lot of sense. A little smudge here or a scratch there is actually unique to your camera lens. So, that’s a different type of tracking that might be harder for regulators to get their arms around.

Jay: Yeah. I mean, it’s… From my perspective, that passive “cookie-ing” is really interesting because it’s an intersection of technology that just could not have been conceived of even two years ago when we were bringing the, you know, when the GDPR was being finalized. And now, it’s gonna be a reality very soon. And so, this dynamic interplay between technology and regulation, we see it all over the place. But the question is are you going to be able to take advantage of the technology without running afoul of the regulators and that’s why you need good guidance.

Christian: It’s amazing. Well, once again, we appreciate everyone’s time listening. Cookies are gonna be a real point of contention for a lot of businesses as they try and grapple with, “Hey, do we need these? And to what extent if we use them are we prepared to handle the regulatory oversight that is going to expand with any level of identification or identifiable information?” Thank you all for listening to this edition of “Are you DataSmart?” And can I get a farewell from cookie monster?

Jay: [Cookie Monster Voice] Yeah. Always be cookie smart.

Christian: Thank you everyone. Bye, bye.

Jay: Thanks a lot.
