Today, some of the most invasive tracking technologies don’t rely on a single cookie to stockpile your personal information. And yet most conversations about online safety and privacy are still hung up on cookies–like it's 1994. These conversations scapegoat cookies as the most significant source of risk for online privacy–ignoring a variety of other tools that do the work of cookies with more stealth and access than any cookie has ever had.
As tracking technologies are undergoing significant change, a single-minded focus on cookies is being used to dumb down internet users.
What’s the deal with cookies?
A 2020 study by Deloitte called the “Cookie Benchmark study” claims that European laws set rules for “cookie practices.”
Yes, and no.
Cookies (also called web cookies, Internet cookies, browser cookies, or HTTP cookies) are files, software, or information from websites that are stored on a user’s device by a web server so that websites can reference them later.
Cookies have been in use since around 1994. They were invented to help websites keep track of online activity effectively.
For example, websites need to remember that you have paid for products or services, so you are not charged for them endlessly; or that you are logged into your account so you don’t have to log in again and again to access each new page. Website owners also need to keep track of how visitors access different parts of their website to ensure their site does what they intend.
Cookies help websites remember your purchases, logins, and other activities. However, cookies are not the only technologies used for such purposes. And, problematically, cookies and cookie-like technologies aren’t only used for good ends.
What GDPR and the ePrivacy Directive say about cookies
In the European Union, two main laws cover cookies, cookie-like technologies, and other tracking tools: the General Data Privacy Regulation (GDPR) and Directive 2002/58/EC on Privacy and Electronic Communications, otherwise known as the ePrivacy Directive.
GDPR is a single law that applies to the worldwide activities of people or businesses in the European Economic Area (EEA), which includes all twenty-eight members of the European Union, plus Iceland, Liechtenstein and Norway. GDPR also applies to any person or business offering goods or services in the EEA, regardless of where they are located.
GDPR sets strict standards for any technologies that collect or store any information that can be related to a specific person (personal data). So the law covers only those cookies, cookie-like technologies and other tracking tools that relate to personal data.
The ePrivacy Directive covers all cookies, cookie-like technologies and other tracking tools, regardless of their relationship with personal data. As a directive, it sets goals that member states are required to achieve and has led to national laws that cover accessing and storing information on user devices.
While the ePrivacy Directive is often called a “cookie law,” thankfully, it covers more than cookies.
Supercookies, browser fingerprinting and other ways to identify you
Consider the following. When it comes to home safety, the law doesn’t provide detailed regulations on breaking locks–which is only one of any number of ways someone breaks into your house. Instead, laws ban breaking into someone’s house without permission or good reasons. Policemen, firemen, repairmen, and even one’s children can lawfully “break into” one’s home, for a range of reasonable purposes.
Similarly, in the digital context:
So-called cookie laws prohibit harmful access or storage of information to user devices. If you compare your device (for example, your laptop or cell phone) to your home, then this would be like prohibiting a thief from breaking into your home or vandalizing it.
So-called cookie laws also require consent before any access or storage on your device that could put you at risk. This includes, in the main, access and storage of personal information, especially using trackers that follow you across the Internet to learn about your habits and preferences. Think of this like requiring door-to-door salesmen to knock before entering your home or requiring permission before anyone sets up a camera on your property.
Finally, so-called cookie laws don’t require consent for any accessing or storing of information on your device that is related to using the Internet properly or effectively accessing online products or services. This would be similar to how gardeners or repair persons can access your property to complete the tasks assigned to them.
In each of these scenarios, cookies are just one of the tools available for accessing or storing information on a user device.
There are an ever-increasing number of other technologies used to access your device for any number of purposes. For example, “supercookies” are not cookies. They are pieces of information inserted into the tools your browser uses to communicate with the Internet. This makes them much harder to detect on your device and delete.
According to the Electronic Frontier Foundation, so-called supercookies not only track your online activity; they can also access data from deleted cookies, for example, login information for your online accounts.
Other technologies threaten your online safety–without relying on any access to your device.
Take, for example, fingerprinting. Device, machine, or browser fingerprinting happens when information is collected from your device remotely (without accessing your device), with the aim of identifying you specifically. Fingerprinting makes your device hand over a bunch of information about you that, especially when combined with other information, reveals exactly who you are and what you do online. Browser fingerprinting can be used to partially or fully identify you even when cookies are blocked–without your knowledge.
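How identifying a combination of attributes is can be measured. The following is an added example, not part of the original article and not Volument's code: it uses a constructed population of eight visitors and hypothetical attribute names to show how the group of look-alike visitors shrinks as attributes are combined, and that the resulting identifier never consults the cookie.

```javascript
// Constructed sample population: attributes a site can read without setting
// or reading any cookie. None of these values come from real visitors.
const ATTRS = ["userAgent", "timezone", "screen", "language"];
const ROWS = [
  ["Chrome/120 Windows", "Europe/Berlin",   "1920x1080", "de-DE"],
  ["Chrome/120 Windows", "Europe/Berlin",   "1920x1080", "en-US"],
  ["Chrome/120 Windows", "Europe/Berlin",   "2560x1440", "de-DE"],
  ["Chrome/120 Windows", "Europe/Helsinki", "1920x1080", "fi-FI"],
  ["Firefox/121 Linux",  "Europe/Berlin",   "1920x1080", "de-DE"],
  ["Firefox/121 Linux",  "Europe/Helsinki", "2560x1440", "fi-FI"],
  ["Safari/17 macOS",    "Europe/Berlin",   "2560x1440", "en-US"],
  ["Chrome/120 Windows", "Europe/Helsinki", "1920x1080", "en-US"],
];
const population = ROWS.map((row, i) => ({
  cookie: `sid-${i}`, // present in the record, ignored by everything below
  ...Object.fromEntries(ATTRS.map((name, j) => [name, row[j]])),
}));

// Canonical string over the chosen attributes; the cookie is never consulted.
function canonical(visitor, attrs = ATTRS) {
  return attrs.map((a) => `${a}=${visitor[a]}`).join("|");
}

// 32-bit FNV-1a, used only to turn the canonical string into a short ID.
function fingerprint(visitor, attrs = ATTRS) {
  let h = 0x811c9dc5;
  for (const ch of canonical(visitor, attrs)) {
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// How many visitors are indistinguishable from `target` on these attributes.
function anonymitySet(target, pop, attrs = ATTRS) {
  const key = canonical(target, attrs);
  return pop.filter((v) => canonical(v, attrs) === key).length;
}

// Add attributes one at a time; report set size and identifying bits.
function audit(target, pop) {
  return ATTRS.map((_, i) => {
    const attrs = ATTRS.slice(0, i + 1);
    const size = anonymitySet(target, pop, attrs);
    return { attrs: attrs.join("+"), size, bits: Math.log2(pop.length / size) };
  });
}

console.table(audit(population[0], population));
```

On this sample the user agent alone leaves five candidates, while all four attributes together leave exactly one, which is why privacy audits look at combinations of attributes rather than any single value.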
And yet, most privacy discussions remain cookie-obsessed.
With so many significant technological changes taking place when it comes to tracking online behavior, there can be no doubt that focusing conversations about online privacy on cookies is a guaranteed formula for disaster that hurts users, undermines product development, and threatens the overall health of the Internet.
We think something needs to change. We need to start having transparent, user-friendly conversations about how our products and services actually work.
Save the Internet
At Volument, we are working to create effective web analytics that do not rely on any personal information, whatsoever.
In other words, we are trying to make web analytics part of the solution to your online privacy and security concerns–and not a part of the problem.
Our web analytics is designed as an essential part of what keeps websites and the Internet running smoothly and efficiently.
We strive to be honest and transparent with you about how our technology works. This is part of how we work to make the Internet a better place.
We will continuously and thoughtfully improve the technologies driving our sites and services to protect your safety and privacy online. And, through how we explain our products and services to you, we hope that we also empower you to make thoughtful decisions about your digital life.