If you blinked, you might have missed what is, in effect, America making another nod towards data privacy. This time I’m not referring to the much-heralded California Consumer Privacy Act (CCPA), which recently came into force, but to Google’s decision to end third-party cookie support in its Chrome browser within the next two years.
Unlike the EU’s GDPR, which takes a comprehensive look at data privacy across all industries, America famously has no federal data privacy laws and prefers sectoral privacy laws targeting specific industries. One example of this is HIPAA (Health Insurance Portability and Accountability Act), which provides privacy laws for medical data.
Google’s decision is such a big deal because it will be more wide-ranging than the CCPA, as its privacy impact is global, not confined to the state of California.
A look at cookies
So what are third-party cookies and why are they cause for concern? In general, cookies are tiny files downloaded on to a device when the user visits certain websites. They are then returned to the originating website on every visit. Whether a cookie is a first-party or a third-party cookie depends on the domain or website that places it on the user’s device. Cookies placed by the website the user is visiting, as indicated in the URL, are first-party cookies. If a different company places the cookie, then it is a third-party cookie.
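The first-party/third-party distinction described above, applied as a small cookie audit (an added example, not from the original article). The sample headers, the short suffix list and the `reviewFirst` heuristic are assumptions made for illustration.

```javascript
// Simplification (assumption): browsers use the Public Suffix List to find the
// registrable domain ("site"); this short list covers only the sample data below.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

function siteOf(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, "").split(".");
  const take = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const attributes = {};
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    attributes[key] = eq === -1 ? true : attr.slice(eq + 1);
  }
  return { name: pair.split("=")[0], attributes };
}

// pageUrl: address in the URL bar. responseUrl: the request that returned the header.
// Does not re-check that a Domain attribute is valid for the responding host.
function classifyCookie(pageUrl, responseUrl, header) {
  const { name, attributes } = parseSetCookie(header);
  const hasDomain = typeof attributes.domain === "string" && attributes.domain !== "";
  const setter = hasDomain ? attributes.domain : new URL(responseUrl).hostname;
  const isFirstParty = siteOf(setter) === siteOf(new URL(pageUrl).hostname);
  const party = isFirstParty ? "first-party" : "third-party";
  const persistent = "max-age" in attributes || "expires" in attributes;
  const crossSite = String(attributes.samesite).toLowerCase() === "none";
  // Heuristic (assumption): third-party + persistent + sent cross-site = review first.
  return { name, party, persistent, reviewFirst: !isFirstParty && persistent && crossSite };
}

// Constructed sample: headers seen while loading one page (not real traffic).
const PAGE = "https://shop.example.co.uk/basket";
const OBSERVED = [
  ["https://shop.example.co.uk/basket", "basket=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["https://cdn.example.co.uk/app.js", "prefs=dark; Domain=example.co.uk; Max-Age=2592000"],
  ["https://ads.tracker.example/pixel.gif", "uid=9f8e7d; Domain=tracker.example; Max-Age=31536000; Secure; SameSite=None"],
];

function auditCookies() {
  return OBSERVED.map(([url, header]) => classifyCookie(PAGE, url, header));
}

console.log(auditCookies());
```

Only the `uid` cookie is flagged: it is set for a different site than the one in the URL bar, it persists for a year, and it is marked to be sent in cross-site requests.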
Cookies have been around for about 25 years and have various uses. Some may facilitate the smooth operation of a website that you are visiting, for example, by keeping items in your shopping basket after you’ve stopped browsing; or storing passwords on commonly used sites.
The particular cookie that Google will no longer support, in lay terms, tracks you. To the advertising industry, tracking cookies are important because they help to profile a user based on their habits and present targeted advertising to them.
The privacy problem with cookies, especially third-party ones, is around information and consent. They are often set on a device before the user has had the chance to understand the information provided about the cookies and make a decision about them. The Privacy and Electronic Communications Regulations (PECR), which apply across the EU, require those who use cookies to provide clear information and to obtain the user’s consent to store a cookie on their device, subject to exceptions. (It should be noted that tracking cookies would not fall within these exceptions.) The proposed ePrivacy Regulation, which will replace PECR, complements the GDPR and will generally require prior consent for cookies or similar identifiers. Happily, no consent is required for non-privacy-intrusive cookies that improve the internet experience (e.g. the shopping cart history cookie).
From a data privacy industry point of view, Google’s decision is exciting because it shows the impact of the GDPR beyond the EU. Privacy by design and default, a decades-old concept which requires organisations to take data privacy into account during design stages, was made a legal requirement under the GDPR. It is not just Google’s popular browser becoming more privacy-conscious either: Firefox previously confirmed that third-party trackers would be blocked by default in its browsers too.
As data privacy rules become increasingly embedded in technologies and industries, cookie tracking will continue to be in their crosshairs. One thing is for sure: privacy preferences will have to be adhered to. To this end, it is recommended that organisations:
- Review the types of cookies and similar technologies that they use
- Assess how intrusive these cookies are
- Decide which solution is to be used to obtain consent
Compliance with data protection legislation is key to lowering the risk of data breaches and meeting the expectation of customers, regulators and an increasingly privacy-savvy public.