Cookies have bothered me for a long time. Okay perhaps not that long. For most of their existence, they sat quietly in the background and I gave them almost no thought.
But when I started my short stint in Digital Marketing around the dawn of GDPR, they were thrust rather unceremoniously into the spotlight. I started to become very concerned by what I saw.
For the completely un-initiated, cookies are basically a packet of information we receive from websites we visit, that we send back. They’re not inherently bad. Most of them have legitimate uses. For example authentication. You don’t want to type your password every time you log into Facebook, for whatever reason. You tick the box that says “remember my login plx”. Facebook does this by sending you an authentication cookie. You store that cookie, and while you retain and it is not out of date or invalid, your login is remembered. Harmless, really. (Or not, based on the countless cookie attack vectors we’ve seen over recent years, but we’ll talk about that another day.)
The concern here is with one specific type of cookie. Third Party tracking cookies. If a First Party cookie is one sent to us by the site we visit, Third Party cookies are sent to us by a site we’ve never heard of. Advertising backbone sites. Marketing Automation Systems. We visit a specific website, they send us a cookie from their third party platform. The following is F-Secure’s definition of a tracking cookie.
Tracking cookies are a specialized type of cookie that can be shared by more than one website or service. They are commonly used for legitimate marketing and advertising purposes, but because they contain a history of the user’s actions on multiple sites, they may be exploited or misused to track the user’s behavior.
As you can read, they “contain a history of user’s actions on multiple sites”. Essentially, an invisible backbone of systems collects data about your internet use, trades and sells this data to advertisers to make their marketing more specific to you.
If you’re lucky enough to live in the EU, one of the few entities with the means, knowledge and will to actually stand up to tech giants and advertisers, you’ll know of GDPR. The basic idea was that “People should not be tracked without their knowledge or consent.”
It’s a great idea, in theory. In practice what it did was cripple the internet for millions of Europeans.
Every time someone in Europe visits a website in modern times, they’re assaulted by a permissions request. Some of these are well made and give two clear options. “I consent to cookies, tracking and otherwise” or “I do not consent.”
Others are still more sensible, giving the option to only consent to ‘required’ cookies like the Authentication cookies we’ve discussed earlier.
But most websites found ways around it using dark patterns, which is to say they made opting out needlessly complicated, intending to force decision fatigue upon visitors who, in frustration, will just click “accept all”.
One of which is the “Accept All” or “Customize Cookies” approach, that gives a long list of cookies to opt in or out. That’s fine for people like me, but your average user will not want to customize such cookies. And worst still are the sites which simply state “By browsing here, you agree to any bullshit cookies we or our third party money grinding platform sends, and if you don’t like it, fuck off.”
I believe, in the wake of GDPR, something rather curious happened. The law of the country in which I live, translated into English, states the following about stalking:
Who repeatedly menaces, follows, monitors, contacts or otherwise in a comparable manner wrongfully persecutes another so that it is conducive to causing fear or anxiety in the persecuted, shall be sentenced, unless a penalty as severe or more severe is decreed elsewhere in the law, for persecution to a fine or at most two years of imprisonment.
Tracking cookies repeatedly follow, monitor and contact us. They ask for our permission, consistently, badgering and nagging us with every single website we visit. Personally, I’ve become more annoyed and impatient with the internet because of the constant demand for my permission to track me on every single website I’ve visited in two years, and I’m technically minded. I’m sure this is causing anxiety and fear in people forced to use computers for their every day life and yet not accustomed to their ins and outs. Those who can never be sure whether they have clicked on the correct thing.
Therefore, in my opinion, all marketers and advertising agencies relying on third party tracking cookies in the EU are currently guilty of stalking.