Do Those Website Cookies Come in Chocolate Chip?

Who doesn’t love cookies?  There are so many different kinds: chocolate chip, oatmeal, peanut butter, internet… wait, what? 

In the banking and payments sectors, we’re always thinking about security.  Both GDPR and the new California Privacy Rights and Enforcement Act of 2020 revolve around consumer security, and as many of us are now working from home to maintain social distancing because of COVID-19, many people’s thoughts drift back to their personal lives. 

 I was recently asked what information websites can get from cookies on your computer. I tried to explain that a website can only get information from a cookie that it wrote into that cookie.  Allow me to clarify with a metaphor… 

Imagine we are at a party in a room full of people. I have a stack of notepads.   As people come up and talk to me, I open a notepad, write down some information about them, then I give them the notepad which they carry around the party. If they come back to me, I read their notepad to see what I wrote in it earlier; I might write more information into it. Some of the information I write in the notepad might be about observations I make about them, such as their hair color or what shoes they are wearing. But some of the information I write might be about what we talked about, or questions they asked me. But the important thing to understand is that the notepad was blank – and the only information in it is whatever I write into it. 

This is exactly how cookies work. A web client doesn’t have a cookie at all unless the website they are visiting gives them one to store. That website can later read or update the cookie, but there’s no additional information available other than what the website wrote into it already. The website writes cookies through either JavaScript or a server-side technology such as ASP.Net, PHP, etc. This is an important concept because data collection can and does occur regardless of cookies. Cookies are used to store information about previous interactions between the client and the web site – in other words a cookie is used to track the interactions and document them. Let’s go back to the party… 

One of the people in the room approach me and strikes up a conversation. I grab a notepad and write down notes about the conversation and other observations. I then look over my shoulder and tell my friend… we’ll call her Guugle… I tell my friend Guugle everything that I just wrote down. I hand the notepad to the other person and they walk away.

 In this scenario “Guugle” never saw the notepad (cookie), but I collected some data and shared it with Guugle. Realistically this type of interaction doesn’t often happen in the real-world, but I use this example to point out that data collection, data sharing, and cookies are separate topics in the overall subject. One more time, let’s return for one last scene… 

Midway through the party, I make an arrangement with Guugle. She has an associate who will aggregate information about the people with whom I speak and later give me lots of interesting statistics. Guugle’s associate’s name is Anna Lytics. Anna stands next to me and she has her own stack of notepads. As people come up and speak with me, I make notes in a notepad and Anna makes her own notes in another notepad. When the conversation is over I give my notepad to the person, and Anna gives hers to them as well. (It is important to note that Ana was simply a third-party to the conversation.)

 When the next person approaches, we speak briefly. I make some notes, and Ana makes some notes – just like before. When the conversation is completed I hand them my notepad. But this person doesn’t want Anna to remember what was discussed later (and they don’t want Anna to share anything with Guugle’s other associates), so when Anna tries to give them her notepad they do not accept it and they simply walk away. They do not want to accept a notepad from a third-party. 

This example illustrates two points. The first is how Google Analytics collects data about visitors to websites other than Google’s. People add Google Analytics (a simple JavaScript addition to their pages) so they get the benefit of knowing more about their clientele and can potentially make more efficient marketing efforts. The second point is that clients can block third-party cookies. They do this to protect their privacy, and so they can’t be tracked across multiple sites. However, keep in mind this does not prevent the data collection activity – it simply prevents a third-party from writing a cookie on their machine. 

Data collection, data sharing, and cookies are all topics with which we should all be familiar. When considering whether or not to sign up for “free” services, remember to consider the information they may be collecting, with whom they are going to share that information, and how it might be used. 

Are you concerned about your personal privacy online?  What steps do you take to protect yourself?