Are cookies losing their flavour?
The world of on-line cookies is changing with regulators making their use more difficult, browsers blocking them automatically and users waking up to how to disable them. But what does this mean for Australian businesses and consumers?
What are Cookies?
Cookies are text files with small pieces of data which are used to identify your device. They were originally intended to improve the internet browsing experience. An example of the way cookies can streamline your browsing experience is their ability to remember a website you visited to make it easier to visit that site again. Functionality of cookies also may extend to remembering your preferred choice of language or even maintaining information relating to a user’s session such as the contents of a shopping basket.
First and Third-Party Cookies
In essence there are two types of cookies – first party cookies and third-party cookies. Both perform and function in the same way from a technical perspective, but the difference arises in how they are created and subsequently used.
First party cookies are stored by the domain (website) you are visiting directly and are put on your device (your browser) directly by the website you are visiting. These cookies allow for website owners to collect analytics data, remember language preference and potentially numerous other functions such as remembering usernames and passwords.
Third party cookies are created by domains other than the one you are visiting directly and are used for cross-site tracking and ad-optimisation. These are the cookies that are placed on your device, not by the website you are visiting, but by a third party like an advertiser or other ad tech entity.
An obvious use of third-party cookies is for ad-retargeting services which follow website visitors who have previously visited a website and show ads for products or services with which they have interacted with previously.
Other kinds of cookies
Most of us are familiar with cookie banners that pop up when we visit a site and give options to choose different settings for different types of cookies. These banners are required for compliance with the ePrivacy Directive discussed further below.
Generally, cookies fall into the following categories although there can be some overlap:
- Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
- Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
- Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.
- Marketing cookies — These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always are third-party cookies.1
Broadly, the ePrivacy Direct allows ‘strictly necessary cookies’ but requires ‘consent’ (in the GDPR sense of the term ‘consent’) for other cookies.
Moving Away from Cookies
We are seeing many large tech players turning away from third-party cookies, once the main stay of the ad tech industry. Google, Apple and Facebook have all been active.
Apple’s blocking cookies in Safari browser
Apple has implemented a block of cookies in their Safari browser. Apple released a major update to its Safari Intelligent Tracking Prevention (ITP), which is a privacy feature that allows the Safari web browser to block cookies and prevent advertisers from tracking and collecting your data. Mozilla’s Firefox has also introduced ad blocking preventing third-party cookies from being trackable.2
Google has announced that it will stop the use of third-party cookies in Chrome by the end of 2023. Google’s plan to phase out third-party cookies in Chrome is part of a larger strategy of creating a privacy sandbox with open standards for tracking users while protecting users privacy (e.g. through new browser APIs like trust tokens). Google plans on implementing a profiling system which essentially groups individuals into a crowd of people with similar generalised interests. Google argues that this offers more privacy which seems odd considering it is touted as being 95% as effective to advertisers. Such a program raises obvious discriminatory and profiling concerns but currently cookies will remain as the dominant tool in this space.
Google’s plan is already facing heavy challenges in the forms of antitrust investigations from the EU Commission and the UK’s Competition and Markets Authority (CMA). It is worth noting that it is competition rather than data privacy regulators leading these investigations, an example of the growing overlap between competition and data protection regulators.
Facebook’s Move to First-Party Cookies
Facebook makes both first-party and third-party cookies available, with their own innovation the Facebook Pixel.
The launch of Facebook’s first-party cookies means Facebook will now create cookies that pass data back to Facebook as long as the sites have established a first-party relationship. Essentially these cookies operate as a work around to maintain advertising despite the third-party cookies being blocked, although advertisers have been advised to use both first- and third-party cookies for the most complete set of data.
It is not clear how long this will last. A report by Cookiebot CMP about third-party tracking on EU government and health websites from 2019 revealed that Facebook bypassed third-party cookies by instead using first-party cookies combined with a pixel tracker to ensure continued, unconsented surveillance of EU citizens.
Why are cookies losing their flavour?
One of the reasons for the shift away from cookies is increasing focus by regulators on their use.
In the EU, cookies are are covered by the GDPR and the ePrivacy Directive .
The ePrivacy Directive was most recently updated in 2009. There were also consequential changes to the ePrivacy Directive on the introduction of the GDPR, which introduced a new definition of ‘consent.’ The result is that, in the EU, entities must:
- Receive users’ consent before using any cookies except strictly necessary cookies.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
The ePrivacy Directive was to be updated again and released as the ePrivacy Regulation in 2018, at the same time as the GDPR. However, the negotiation of the new ePrivacy Regulation (EPR) and the regulation of cookies has been extremely contentious. However, after many years, a new proposed version of the Regulation is being progressed through the EU process for ratification with some hope for success. The new ePrivacy Regulation: “promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.”3 The new EPR is expected to come into force some time in 2023. A potential transitional period of 24 months means that any new regulations would then not come into effect before 2025.4
There is evidence of increased regulation of cookies in other jurisdictions, particularly those aligned to the EU. For example, recent amendments to Japan’s APPI refer to the use of ‘personally referable information’. This new category of data includes cookies and purchase history (for example), which may not independently be linkable to a specific individual (and thus would not constitute personal data) but which could, if transferred to an ad-tech organisation or Google or Facebook in possession of additional, related data, become personal data. The Amendments introduce a new consent requirement (such as an opt-in cookie banner) for ‘personally referable information’ which will become effective in 2022.
Cookies and the Australian Privacy Act
There are no current legislative changes proposed around the treatment of cookies under the Privacy Act and, as third-party cookies are being phased out, it is more likely that consideration will need to be given to how the Act will compensate for different forms of information collection (other than cookies) for targeted advertisements.
The phasing out of third-party cookies over the next few years does not necessarily mean that users will have more control over their online activity. It’s likely that first-party cookies will be increasingly used, with links back to advertisers and other entities in the ad-tech chain. As well, organisations such as Google and Facebook, whose business model relies on advertising, are likely to develop new ways of gathering data to compensate for the loss of third-party cookies and to maintain the current effectiveness of advertising, despite the potential for unintended discrimination and profiling.
Meanwhile, Australian businesses have little to worry about, other than how cookies are impacted by changes forced by browsers and international regulators. It might well be that Australia’s consumer protection regulator, the ACCC, takes the lead in the war on cookies. But in the meantime, customer expectations regarding cookies are being driven by practices enforced by a different privacy regime, not the Australian Office of the Information Commissioner.