Cookie Policies in Privacy

Introduction

When users visit websites, they are often greeted by “Cookie Banners”, the jump-out messages about the websites’ use of cookies. Usually, the messages inform the users that the websites use cookies to provide social media features, personalize content and ads, and analyze traffic. The messages also tell the users that websites may share users’ information collected with third parties to optimize the websites’ services. Finally, the messages ask for users’ consent to the use of cookies, either by clicking the “accept” or “decline” button or by informing the users about how to change the cookie preferences if they do not want to be tracked.

Left: Implicit Cookie Consent from AP (https://apnews.com/); Middle: Implicit Cookie Consent from CBC (https://www.cbc.ca/news); Right: Explicit Cookie Consent of France24 (https://www.france24.com/en/)

For ordinary Internet users, having to see such messages on almost all websites can be annoying. However, the messages about cookies, with certain variations, are not only legally required in many major economies but also crucial to protect users’ privacy. Cookies have the ability to track and store users’ data and potentially expose sensitive data to third parties. Therefore, obtaining users’ consent before or when using cookies is necessary for the safety of users’ data.

This paper will analyze the threats to Internet users’ privacy imposed by cookies, compare cookie policies in the EU, the USA, and Canada, and discuss how effective these cookie policies are for the protection of users’ privacy.

The Technology of Cookies on Website

Web cookies, or cookies, were invented by Lou Montulli in 1994 to simplify the website visiting process with the Netscape web browser and have been widely used in the Internet industry since then.1 According to Cisco, web cookies are strings of data that are created by web servers when users are visiting the website, and cookies will then be stored on users’ devices. When users visit the same domain in the future, the browser will send the same string of data stored in cookies back to the origin server.2 ?

The use of cookies is sometimes essential for a website’s functions. In the conventional Hypertext Transfer Protocol (HTTP), websites do not track or record users’ identities or behaviours, which may cause difficulties in certain user scenarios when websites need to keep a track of users’ progress. For example, online shopping websites need to keep items in the virtual shopping carts when users leave the online markets and come back the next day, and online study platforms need to continue users’ exam sessions when the users accidentally close the webpage and then connect back in. During these scenarios, cookies keep track of what users have done on the website with session tokens in the cookies.3

However, due to the nature of cookies in data tracking, storing, and sharing, there are many ways that cookies can impose threats to the website users’ privacy.?

A Brief Description of How Cookies Work (Source: GeeksforGeeks)4

Privacy Issues with Cookies

Leakage of Sensitive Information

In R. v. Carswell (2009) ["Carswell"], a detective copied and analyzed the files of the cookie folder in the defendant’s devices to investigate the allegation of the child pornography crime of the defendant, Mr. Carswell. Based on the cookie files obtained, the detective managed to prove that the defendant had visited several child pornography websites. The detective was even able to pinpoint which pictures on the websites the defendant had viewed based on the cookie files obtained. Moreover, the defendant’s cookie files also showed that the defendant had attempted to purchase child pornography contents from these websites, although whether these transactions had succeeded was not clear. In the end, the defendant was convicted.5

While cookies helped convict a child pornography criminal in Carswell, people nevertheless need to be concerned about the leakage of their private information if their devices are seized by a third party. Common people’s web records are likely not as extreme as child pornography, but some records may be embarrassing, and their disclosure may deteriorate one’s reputation and social relationship. Some may be supporters of an unpopular politician, and others may have their underground online romance. Unfortunately, cookies can capture these secretive events in our lives and may come back to haunt us. Carswell has told us that if a third party has access to the cookie files stored on our devices, our sensitive online activities can be revealed to a great extent.?

Disclosure of Personal Preferences

When browsing the Internet, users will probably be bombarded with all kinds of advertisements either in pop-up windows or in ad banners embedded on web pages. What is even more miraculous is that these ads are often very relevant to users’ preferences. One may have just booked flight tickets and then seen ads about hotels at the next minute. It seems that the Internet knows each user’s preference and sends personalized ads to each targeted user.

Cookies are the cornerstones of personalized advertisement. When websites use advertising networks, such as Google Ads, these advertising tools will not only display ads on these websites but also track users’ data such as which websites each user has visited and how long the users have stayed on each website with cookie files generated by these websites.6 From the tracking data contained in the cookie files, the advertising system will get the knowledge of each user’s profile and display ads that fit users’ preferences. In short, with the transfer of cookies between websites and advertisement companies like Google Ads, users have unknowingly shared almost their entire browsing history with these advertisement companies, with which users are not even directly doing business.7 Many may think such a cookie-based practice of personalized advertisement is intrusive to people’s privacy.8 ?

Security of Log-in Authentication

Many websites, such as many social media, have offered a “remember me” function which allows users to automatically log in to their accounts without having to input their usernames and passwords every time. This function is based on authentication cookies. More specifically, after a user’s initial successful login, the website will issue an authentication cookie to the user’s web browser. Next time, when the user needs to log into the same account on the same browser, the website will recognize the authentication cookie as the pass to the user’s account in lieu of the user’s username and password.9

The use of authentication cookies has brought about convenience to users, but it also creates privacy threats. One famous incident is the Yahoo information breach in 2013 and disclosed in 2017. In this case, attackers forged Yahoo’s website authentication cookies (also known as “cookie minting”) and led to a breach of three billion Yahoo users.10

Cookie Policies in Protecting Privacy

Since web cookies are threatening users’ privacy yet essential in performing certain website functions, websites’ use of cookies must abide by cookie policies to balance the advantage of cookies and the threat to user privacy. There are generally two types of sources that regulate how websites use cookies: one is the website cookie policy, which is adopted by each website itself and agreed upon by its users; the other type is the governmental cookie legislation and regulations, which are made by governments and oversees the website cookie policies within their governing regions.

Website Cookie Policy?

The website cookie policy is a list of cookies used on the website. It is also an agreement between the website and its users on the use of cookies to track, collect and share users’ data.11 ?

More specifically, a website’s cookie policy should be up to date and inform users of the following issues: 1. what types of cookies are on this website, 2. what kind of personal data is captured by the cookies, 3. how long the cookies will stay on the users’ devices, 4. where the data will be sent to, and 5. how the users can consent to or not consent to the website cookie policy, and how the users can change the consent status.12

The website cookie policy is legally required in many parts of the world, and it must be compliant with privacy legislation and governmental cookie policies.?

Governmental Cookie Legislation and Regulations

In general, cookies are regulated by legislation regarding privacy and data protection across major economies. Although these policies have variations in their scopes and level of strictness, they mainly regulate two aspects: 1. what kind of data related to cookies should be under protection, and 2. how users can give and revoke consent to data tracking and collection by cookies.?

European Union (EU)

The regulation of cookies in the EU is split between the GDPR13 and the ePrivacy Directive14 . Both regulations are based on and enforced by Supervisory Authorities from the European Economic Area and Switzerland. Moreover, they apply to any business that targets EU citizens, which means any foreign business that has customers in the EU must comply with both regulations.15

The General Data Protection Regulation (GDPR) is the most stringent privacy and security law in the world. Created and approved by the European Union (EU), it imposes obligations on organizations whenever they collect data from individuals in the EU for the organization.16 Recital 30 of GDPR rules that cookies, when used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.17

The ePrivacy Directive, still being revised with a new version published in January 2017, aims to revise the current electronic privacy framework.18 The Directive specifically requires prior consent from the website visitors before the websites can use cookies, and visitors retain the ability to withdraw the consent. It complements (and in some cases circumvents) the General Data Protection Regulation (GDPR), which addresses important aspects of email privacy and the wider internet community.19

To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive, a website must: 1. Receive users’ consent before using any cookies except strictly necessary cookies. 2. Provide accurate and specific information about the data each cookie tracks and its purpose in plain language. 3. Document and store consent received from users. 4. Allow users to access the service even if they refuse the use of certain cookies. 5. Make it easy for users to withdraw their consent.20

Regarding the types of data protected by both regulations, the Regulation (EU) 2016/679 of the European Parliament rules that these regulations should apply to “any information concerning an identified or identifiable natural person”.21 Even though some personal data have undergone the process of pseudonymization, they may nevertheless be attributed to a natural person with some additional information, and thus should be considered identifiable to a natural person. This document also indicates whether a piece of information should be considered within the scope of protected data depends on the cost and technology to make the information identifiable.22 ?

USA

Privacy laws at the federal level of the US are very weak compared to many other major economies. By default, the US does not require cookie consent. The strictest privacy law in the US is in California, which applies to all US-based companies.23 ?

The California Online Privacy Protection Act (CalOPPA) deals exclusively with what information must be disclosed in a business’s online privacy policy. Any commercial website or online service that collects personally identifiable information about California residents must abide by CalOPPA. The “personally identifiable information” in CalOPPA includes the user’s name, home address, email address, telephone number, social security number, and any combination of the information above.24 ??

Regarding cookies, the CalOPPA requires the operators of commercial websites or online services with consumers in California to “[d]isclose whether other parties may collect personally identifiable information about an individual consumer’s online activities over time and across different Web sites when a consumer uses the operator’s Web site or service.”25 ?

Unlike the EU, the CalOPPA does not need users’ consent before using cookies to track users’ personally identifiable information. However, it adopts an opt-out model, requiring websites to “[d]isclose how the operator responds to Web browser ‘do not track’ signals or other mechanisms that provide consumers with the ability to exercise choice regarding the collection of personally identifiable information…”26

Canada

Cookies in Canada are regulated under the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada’s Anti-Spam Legislation (CASL).27 ?

Regarding websites’ use of cookies to track users’ information, PIPEDA mentions what kind of information is considered sensitive and the types of consent required for sensitive and non-sensitive information respectively. According to PIPEDA, some information, like medical records and income records, is almost always sensitive, and the sensitivity of other information depends on the context. For example, one’s name and address may not be sensitive when collected for news magazine subscriptions.28

Based on the sensitivity level of information collected, PIPEDA allows two types of consent, which are express consent or “opt-in” consent, and implied consent or “opt-out” consent. An organization should seek express consent, such as asking the users to click the “I agree” button29 , when the information to be collected is “likely” to be sensitive, and implied consent, such as offering the option of “stop tracking”, would be appropriate if the information is less sensitive.30 Particularly for implied or opt-out consent, PIPEDA requires the opt-out process to be simple enough, so that “[i]ndividuals are able to easily opt-out of the practice - ideally, at or before the time the information is collected; The opt-out takes effect immediately and is persistent;”31

CASL prohibits the installation of a computer program to another person's computing device in the course of commercial activity without the express consent of the device owner or an authorized user. However, for certain types of programs, including cookies, the users are considered to have already expressed consent without being requested. Moreover, the implied consent also depends on the conduct of the users. If users disable cookies in their browsers, it would not be considered to have consented to install cookies.32

Comparison of governmental cookie statutes

Discussion of Cookie Policies

The curse of consent

Currently, the cookie policies in all three places are hinged on a single element: users’ consent. It seems that websites can use cookies to track whatever they want as long as they get users’ consent. However, according to a Deloitte survey, 91% of people consent to legal terms and services conditions without reading them.33 We can expect most website visitors do not read websites’ cookie policies nor do they understand the extent of potential privacy breaches due to cookies if they click “I agree”. On the other hand, some users choose to give a blanket rejection to all cookie consent requests, which can also be problematic as it may cause website malfunctions on the users’ end.?

Also, most websites only give users two options: “agree” or “decline”, whereas a better way could be to give users options to decide what kind of data can be tracked. Currently, the level of consent can be set in web browsers, such as Google Chrome34 , but the operation of such a setting is not simple enough for common users.??

Proposed solution: informed consent?

We cannot expect people can give authentic consent if they are not aware of what they are consenting to. Therefore, websites should be required to give an explanation that is understandable to common website users.

The vague and growing scope of data under protection

Regarding what kind of data is under protection, the EU and the USA adopted the idea of personally identifiable data, and Canada focuses on the sensitivity of the data. However, both criteria are vague, and we can expect the list of data under protection will only grow with the advancement of technology. Moreover, some “unidentifiable” and “non-sensitive” data that is not under protection currently may become identifiable and sensitive in the future, and the use of unprotected data now may also evolve into a breach of privacy in the future.?

Proposed solution: time limits for stored information

Instead of worrying about whether personal or sensitive information can be exposed in the future, the data storage should be deleted after a period of time.

Conclusion

Cookies are essential to some web functions but are also a great threat to Internet users’ privacy due to cookies’ ability to track and collect data and share it with third parties. Although the governmental and website cookie policies inform users on what data cookies are tracking and sharing, and websites are required to get users’ consent before tracking or offer users a choice to stop tracking, such protection is likely not enough as users may not be aware of the consequences of giving cookie consent, and even the non-identifiable data may become identifiable and threaten users’ privacy with the advancement of technology.

References

1.? DailymailCom, Ryan Morrison For. “Web cookie inventor says they were meant to protect privacy, not for snooping”, (28 January 2022), online: Daily Mail Online <https://www.dailymail.co.uk/sciencetech/article-10452263/Web-cookie-inventor-says-meant-protect-privacy-not-snooping.html>?

2.? “What are cookies? what are the differences between them (session vs. persistent)?”, (2 April 2021), online: Cisco <https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117925-technote-csc-00.html>?

3.? Dalziel, Henry & Alejandro Caseres. “1.13. Cookies, sessions, and authentication” in How to attack and Defend your website, ed (Waltham, MA: Syngress, 2015).?

4.? “Javax.servlet.http.cookie class in Java”, (8 May 2019), online: GeeksforGeeks <https://www.geeksforgeeks.org/javax-servlet-http-cookie-class-java/>?

5.? R v Carswell, [2009] OJ No 2624

6.? “How google uses cookies – privacy & terms”,, online: Google <https://policies.google.com/technologies/cookies?hl=en-US>?

7.? Cherry, Denny. “Chapter 1. Storing Your Personal Information Online” in The basics of digital privacy: Simple tools to protect your personal information and your identity online, ed (Rockland: Syngress, 2014).?

8.? Kumar, S., & Sharma, R. R. (2015). Empirical Analysis of Unethical Practice of Cookies in E-Marketing. Abhigyan, 33(3), 42-56. https://ezproxy.lib.ryerson.ca/login?url=https://www.proquest.com/scholarly-journals/empirical-analysis-unethical-practice-cookies-e/docview/2633987316/se-2?accountid=13631

9.? Daswani, Neil & Moudy Elbayadi. “The yahoo breaches of 2013 and 2014” (2021) Big Breaches 155.?

10.? ibid.

11.? “Automatic cookie policy with Cookiebot CMP: Transparency and compliance on Your website”,, online: Automatic cookie policy with Cookiebot CMP | Transparency and compliance on your website <https://www.cookiebot.com/en/cookie-policy/>?

12.? ibid

13.? "General Data Protection Regulation (GDPR) – Official Legal Text", (2022), online: General Data Protection Regulation (GDPR) <https://gdpr-info.eu/>

14.? E-privacy Directive 2009/136/EC <https://edps.europa.eu/data-protection/data-protection/glossary/e_en#e-privacy_directive2009-136-ec>

15.? Paruch, Zachary. “The ePrivacy Regulation: Europe's Next Big Privacy Law”, (30 March 2022), online: Termly <https://termly.io/resources/articles/eprivacy-regulation/#who-needs-to-comply-with-the-eprivacy-regulation>?

16.? “What is GDPR, the EU's new Data Protection Law?”, (13 February 2019), online: GDPReu <https://gdpr.eu/what-is-gdpr/>?

17.? “Cookies, the GDPR, and the ePrivacy directive”, (9 May 2019), online: GDPReu <https://gdpr.eu/cookies/>?

18.? “The new EU Eprivacy Regulation: What you need to know”, (28 December 2020), online: i <https://www.i-scoop.eu/gdpr/eu-eprivacy-regulation/>?

19.? ibid.

20.? ibid.

21.? “Document 32016R0679”, online: EUR <https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng>?

22.? ibid

23.? Bateman, Robert. “Cookie consent outside of the EU”, (10 January 2022), online: TermsFeed <https://www.termsfeed.com/blog/cookie-consent-outside-eu/>?

24.? TrueVault. “CCPA vs. Caloppa: What's the difference?”, online: TrueVault <https://www.truevault.com/learn/ccpa/ccpa-vs-caloppa-whats-the-difference>?

25.? The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579 (2004).

26.? ibid

27.? Bennett, Chris, Tyson Gratton & Jason Yao. “Website cookies in Canada: Is consent required?: Insights: DLA piper global law firm”, (2 April 2020), online: DLA Piper <https://www.dlapiper.com/en/canada/insights/publications/2020/04/website-cookies-in-canada-is-consent-required/>?

28.? Office of the Privacy Commissioner of Canada. “Interpretation bulletin: Form of consent”, (11 December 2015), online: Interpretation Bulletin: Form of Consent - Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_07_consent/>?

29.? Schorr, J. (1999, Aug 19). Seldom-Read Software License Contracts Contain Surprises. Newhouse News Service <https://ezproxy.lib.ryerson.ca/login?url=https://www.proquest.com/wire-feeds/seldom-read-software-license-contracts-contain/docview/454672917/se-2?accountid=13631>

30.? ibid.

31.? Office of the Privacy Commissioner of Canada. “Policy position on online behavioural advertising”, (13 August 2021), online: Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/technology/online-privacy-tracking-cookies/tracking-and-ads/bg_ba_1206/>?

32.? Government of Canada, Canadian Radio-television and Telecommunications Commission (CRTC). “Canada's anti-spam legislation requirements for installing computer programs”, (18 September 2020), online: CRTC <https://crtc.gc.ca/eng/internet/install.htm>?

33.? Cakebread, Caroline. “You're not alone, no one reads terms of service agreements”, (15 November 2017), online: Business Insider <https://www.businessinsider.com/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11>?

34.? “Clear, enable, and manage cookies in chrome - computer”, online: Google Chrome Help <https://support.google.com/chrome/answer/95647>