What is a Cookie Policy?

A cookie policy is a document on your website that helps your site visitors understand how their data is used on your site. It lists the cookies in use on the site and describes each one, how the data it collects is used, how long the cookie will remain in place on the visitor’s device, and more.

What Are Cookies?

Cookies are small text files that a website’s server sends to your browser to collect your data or track you across the website. In general they’re harmless and can be convenient when used for purposes like website logins, shopping carts, and game scores, all things we’ve come to expect in our online experience with sites we frequent. But cookies can be intrusive when used for aggressive marketing or behavioral tracking, and most importantly when they’re used without giving people a way to opt out.

Why Is It Called a Cookie?

Cookies were invented in 1994 by Montulli, a 23-year-old engineer at Netscape, who named his invention “cookies” after an old computer term, “magic cookie”, that refers to a packet of data that is sent and received back unchanged. The cookie initially had an honorable purpose – to help ecommerce websites remember visitors without allowing them to be tracked. But within two years, advertisers learned ways to essentially hack cookies to do exactly what Montulli had tried to avoid: follow people around the internet.

Why Cookies Can Be Dangerous

Cookies themselves aren’t harmful. They can’t infect computers with viruses or other malware. However, some cyberattacks can hijack cookies and enable access to your browsing sessions. The danger lies in their ability to track individuals’ browsing histories.

First-party cookies are directly created by the website you are using. These are generally safer, as long as you are browsing reputable websites or ones that have not been compromised.

Third-party cookies, often called “tracking cookies”, are more troubling. They are generated by online advertising networks and data brokers, and are usually linked not to the page you are currently viewing but to the ads on that page. Visiting a site with 10 ads may generate 10 cookies, even if you never click on those ads. Third-party cookies let advertisers or analytics companies build profiles of what you do online, sometimes identifying you, sometimes grouping you anonymously with other users with similar browsing patterns, for the purpose of selling goods and services they think match your interests. Whenever you view a page carrying that advertiser’s ads, on any site across the web, the advertiser recognizes the cookie stored on your computer.

Protecting Privacy

Today, a trillion-dollar data economy is harvesting user data from website visitors at an unprecedented scale. For years websites have been planting software cookies on your computer without your knowledge or consent.

As a consumer, you have little control over who is collecting this information or where it is going. Even if you clear cookies from your browser, you’ll never be able to delete the third-party data that has already been gathered and is held on other companies’ servers. This perceived lack of transparency, along with data breaches, leaves consumers sensing “creepiness” in advertising, which has led to privacy legislation from the EU and California.

The EU’s General Data Protection Regulation (GDPR), 2018

Cookies began getting more scrutiny when the EU’s GDPR took effect in 2018, resulting in strict rules for the processing of personal data. Even small U.S. companies are accessible on the internet worldwide and can potentially be subject to GDPR. If your site can be seen as targeting EU consumers by accepting payment in Euros, or if the site’s use of cookies amounts to intentionally “monitoring” the behavior of visitors who are in the EU, you should consider the need for a cookie banner to help comply with the GDPR’s notice and consent requirements.

The EU’s ePrivacy Directive (ePR), 2021

This regulation is currently in draft, and hasn’t been passed into law yet. But it reveals a trend towards privacy protection. It provides that consent will be needed from end-users to process any kind of electronic communications and their content, including texts, emails, Facebook messages, SnapChat, etc., to protect people in the EU. Basically all electronic communications are treated as private and confidential, requiring that you get explicit consent from end-users before using cookies and trackers that store personal data on users’ hardware or software.

California Consumer Privacy Act (CCPA), 2018

The CCPA was enacted in 2018, allowing California consumers to sue companies if privacy guidelines are violated, even if there is no breach. It currently applies only to companies that:

  • serve California residents
  • AND have at least $25 million in annual revenue
  • OR companies of any size that have personal data on at least 50,000 people
  • OR companies that collect more than half of their revenues from the sale of personal data

Information that qualifies as “personal information” includes any information that identifies, relates to, or could reasonably be linked with you or your household, like your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, and inferences from other personal information that could create a profile about your preferences and characteristics.

According to the California attorney general’s office, California residents have a right to know what personal information businesses collect about you, to have that information deleted, and to insist that your personal data not be sold. In addition, “you also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information.”

California Privacy Rights Act (CPRA), 2020

This law, which voters approved in 2020, takes effect Jan. 1, 2023. The new law also creates a California Privacy Protection Agency to step up enforcement of the state’s online data rules. In the meantime, consumers who come across websites that appear to be violating the privacy law can file complaints with the attorney general’s office.

Recommendation for Small Businesses

One of the goals of marketing is to present your business in the best light to your ideal customer. It’s a fact that people engage more online and offline with businesses they know, like, and trust. Even though it’s highly unlikely that a small business like a local paving company is selling their clients’ personal information on the internet, perception is everything. Showing your potential customers that you’re aware of their privacy concerns is a signal that you’re serious about doing honorable work and keeping your customers’ trust.

Given the suspicion that data breaches and privacy concerns have aroused in so many people, we recommend publishing a Cookie Policy for any small business, even if you don’t fall precisely into one of the CCPA or GDPR categories requiring it.

Termageddon’s Cookiebot

We recommend the Cookiebot solution that is integrated with the Termageddon Privacy Policy. You can get all your policies from Termageddon and be assured that they will cover your unique situation in the best way possible.

Benefits of Our Cookiebot Solution

Personalized Policies
It’s a comprehensive website policies generator that can be configured to fit your industry and your individual business, consistent with the laws that apply in the appropriate geographic locations.

Always Current
Termageddon will update your policies when privacy laws change or new privacy laws go into effect. This helps you stay compliant and avoid privacy-related fines and lawsuits, at a fraction of the cost of a lawyer.

Recognized by Privacy Professionals 
Although Termageddon is a technology company, not a legal services provider, it was founded by a privacy and contracts lawyer and the tool has been recognized as a trusted tech vendor by the International Association of Privacy Professionals (IAPP), the largest international privacy organization in the world.

Note to Clients

Please note: We are not lawyers and this is not legal advice. But we believe this information is important so we ask all of our clients to sign a waiver, acknowledging that we have provided you with this information and either declining or accepting this offer. 

Termageddon’s solution has been vetted by IAPP, the world’s largest global information privacy community, and is by far the best we’ve found. We use Termageddon exclusively as our privacy policy provider because we think it’s the best. We’ve seen clients subjected to legal threat by a website visitor, and we want to help protect you from that experience.
