Have you ever wondered how websites get your permission to “install” a cookie on your computer, and then sell the data associated with it? The simple answer… when you accept their terms and conditions, you give them the keys to your data.
There is a marketplace in this country for technology companies, advertisers, media firms and other enterprises to purchase consumers’ cookie “identifiers” and their associated information, allowing those organizations to know where you are, and what you are doing, online. Almost always, this information is used solely for tracking website analytics, sign-in permissions and for other advertising purposes. A cookie is “placed” onto a website user’s computer through the user’s browser, typically by publishers or their third party partners. The cookie then collects information – pages that you visit, sign-in information, profile information, what you click, what purchases you make, what you read, etc. When this data is sold (if it is sold), most of this information is not personally identifiable, but some of it can be.
In this blog, the first of a few on the topic of cookies, I will briefly explain the process of how and when websites get your permission to install cookies on user’s computers, and how they use the resulting data collected.
First of all, what is a cookie? Google has a two nice working definition that we can use:
(https://support.google.com/chrome/bin/answer.py?hl=en&answer=95647&topic=14666&ctx=topic)
(http://www.google.com/policies/privacy/key-terms/)
Your cookie settings are controlled in your browser, and can be accessed by opening the browser’s “preferences section.
You can set your browser to not accept cookies, however, that may limit your browsing ability, as there are sites that will not allow you to access content without allowing cookie tracking.
If you click on “all cookies and site data…”, you will see all the cookies that are on your computer.
So, for example, here is a banner that popped up on The Financial Times website when I turned off my cookies:
When you download or start using a pre-downloaded browser, you agree to that browser’s Terms of Service, which includes cookie acceptance, with the option of turning cookie tracking off.
For example, below is a snapshot of Google Chrome’s Terms of Service. You will notice that it references another link to find Google’s privacy policy. On that page, Google states that “[w]hen you use our services or view content provided by Google, we may automatically collect and store certain information in server logs. This may include . . . cookies that may uniquely identify your browser or your Google Account.”
Publishers are common collectors of cookie-based data (there are multiple types of cookies, which will be covered in a later blog). Publishers use cookie-based data for many things, for example to track unique visits, target online advertising to you (through third parties and internally), assess how content should be distributed and presented, run analytics and much much more. Additionally, some publishers sell your cookie data to third parties.
To see the cookies that are tracking your browsing information on any given webpage, right-click on that page, click on “inspect element,” then click on the “resources tab” and then go to “cookies.” Here is an example from the New York Times’ website of what this list will look like:
The next question is how a site gets a user’s permission to install the cookie, and to do what it wants with the data. New York Times (NYT) online is a good example of how the process works for consent to the installation of a cookie, as well as consent to the later sale of the associated data.
To register for a NYT account, you navigate to Myaccount.nytimes.com/register. On that page, directly below the “Create My Account” button, there are two links near the bottom of the page, one for “terms of service,” and the other for “privacy policy.” The act of clicking the “Create My Account” button is consent to the privacy policy and terms of service.
Clicking through to the “Privacy Policy” page, you will see that the NYT collects “Non-personal information collected through technology, which includes tracking information collected as you use the NYT Services.”
What does “information collected through technology” mean? In particular, it means cookies.
In addition to using this cookie data for its own purposes, the NYT also “shares” it with others, in an “aggregated or de-identified form.” There is no reason to believe that “sharing” does not include selling.
Note that the language is explicit, “Nothing in this Privacy Policy is intended to restrict The New York Times’s use of aggregated or de-identified information in any way.” The NYT can sell your cookie information as long as it is not attached to your personally identifiable information. Typically, your name and other personal information that could be used to track back to you is stripped from the cookie and other tracking information. However, there are ways for companies down the chain to re-link that “anonymized” data with your personally identifiable information, but that is the topic of a later blog post.
The cookie information, “in aggregate or de-identified form”, is sold and shared with third party companies. (See “data aggregators” and “data suppliers” in this slide).
(http://www.adexchanger.com/wp-content/uploads/2010/09/LUMA-Landscape2010-12-12.jpg)
Of course, this process only works if you have your cookie tracking “on” in your web browser. The NYT makes it clear that if you do not have your cookie tracking activated, you cannot use some of the services they provide. Notice below, how when my cookies are turned off, the NYT site says I must have them activated to use its site.
Finally, in addition to the cookies that are placed onto your browser by the NYT via your consent, you are also consenting (when you sign up for an account, as above) to the cookie tracking of the NYT partners, most of which are companies serving online advertisements:
In sum, by signing up for a NYT account, you are consenting to having a cookie placed on your browser, having your online activity tracked while on the NYT site, used, and that data potentially sold.
In my next blog, I will review the technologies and legal solutions being used to take your non-personally identifiable information and link it to your personally identifiable information for use in certain contexts.
If there is anything in this blog that you would like more information on, or would like me to discuss in further detail, do not hesitate to send us an email.
1 Comment
Add Comment