How Cookies Violate your Privacy

If a web site shows Ads, it is most likely profiling you with cookies in order to target you with the right Ads. Ideally these cookies should be activated only after you agree to be profiled. Many web sites don't ask you and may be breaking the law.

by

Ajay Mendez

Role: Ajay is a founder of Kinant

Cookies are yum!

When the web was invented it ran (and still does) on a technology called Hypertext Transfer Protocol (HTTP). HTTP is a stateless protocol. That is, it does not remember what happens between the browser and the server hosting the web site. For instance, with HTTP alone there is no way to remember that you have logged in to your bank account.

Cookies were invented to remember state. Without them the web wouldn't be as useful as it is today. Whenever you log in to a web site, it is most likely using a cookie to store some information in your browser.

Cookie ingredients are determined by the maker

There is no standard way of storing information in a cookie. The web site you visit determines what is stored. It could be information that allows your browser to establish that you have logged in, or it could be a number that identifies you, or it could contain whatever the web site wants to record about your interaction.

Cookies can track your online activity

Over time some clever people figured out that cookies can be used to track browsing behaviour. Cookies used this way are called third party cookies, and they are used heavily in the Ad Tech industry.

Example

gaggle.com is an Ad Tech company that brokers Ads between advertisers and customers.

myworstvacation.co.uk is a web site that posts news articles and blogs about holiday destinations. myworstvacation.co.uk doesn't charge its readers but earns revenue from Ads posted through gaggle.com. In order to do this myworstvacation.co.uk deploys a cookie that sends data to gaggle.com.

buybabydiapers.com is a site that sells diapers. In order to make up for falling revenue the management of buybabydiapers.com decides to post Ads on their web site using gaggle.com.

A reader who visits buybabydiapers.com and myworstvacation.co.uk is tracked by gaggle.com who now has more information to target her with the right Ads. Note that the reader may not even know about gaggle.com.
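The scenario above, modelled as an added example (not code from the original article or from Kinant): a browser cookie jar and an ad server standing in for gaggle.com, run once with third party cookies allowed and once with them blocked. The cookie name `uid`, the class and function names, and the exact-host comparison are assumptions made for illustration.

```javascript
// Added illustration: a minimal model of the flow described in the Example.
// gaggle.com, myworstvacation.co.uk and buybabydiapers.com are the article's
// fictional sites; the cookie name "uid" and all names below are assumptions.

class Tracker {                      // stands in for gaggle.com's ad server
  constructor() { this.nextId = 1; this.profiles = new Map(); }

  // Handle one ad request: `cookie` is the uid the browser sent (or undefined),
  // `referer` is the page that embedded the ad.
  handle(cookie, referer) {
    const uid = cookie ?? `visitor-${this.nextId++}`;
    if (!this.profiles.has(uid)) this.profiles.set(uid, []);
    this.profiles.get(uid).push(referer);
    return { setCookie: uid };       // Set-Cookie: uid=<uid>; Domain=gaggle.com
  }
}

class Browser {
  constructor({ allowThirdPartyCookies }) {
    this.allowThirdPartyCookies = allowThirdPartyCookies;
    this.jar = new Map();            // cookie jar, keyed by the domain that set the cookie
  }

  // Load a page on `site` that embeds an ad from `adHost`, served by `tracker`.
  // Simplification: real browsers compare registrable domains, not exact hosts.
  visit(site, adHost, tracker) {
    const thirdParty = adHost !== site;
    const mayUseCookies = !thirdParty || this.allowThirdPartyCookies;
    const sent = mayUseCookies ? this.jar.get(adHost) : undefined;
    const response = tracker.handle(sent, `https://${site}/`);
    if (mayUseCookies) this.jar.set(adHost, response.setCookie);
  }
}

// Run the article's scenario and return what the tracker has learned.
function simulate(allowThirdPartyCookies) {
  const gaggle = new Tracker();
  const browser = new Browser({ allowThirdPartyCookies });
  browser.visit("myworstvacation.co.uk", "gaggle.com", gaggle);
  browser.visit("buybabydiapers.com", "gaggle.com", gaggle);
  return Object.fromEntries(gaggle.profiles);
}

console.log("third-party cookies allowed:", simulate(true));
console.log("third-party cookies blocked:", simulate(false));
```

With cookies allowed, both visits land under one identifier; with them blocked, the ad server still receives each request but records two unrelated visitors.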

You may be misinformed

There is nothing wrong with profiling cookies as long as a visitor to a web site is informed about them. Unfortunately many web sites don't inform their visitors.

We list a few things that a web site should do if it deploys third party cookies that profile you.

  1. Be explicit in calling out what cookies are used. If a web site deploys third party cookies that profile you then they should explicitly call out how and by whom you are being profiled.
  2. Profiling should be switched off by default. Third party profiling cookies should be turned on only after you agree to have them. This is called opt-in.
  3. Provide you with options to turn off profiling. The web site should give you an option to not be profiled. If you take it, the web site may still display non-targeting Ads that do not track your online behaviour.

How to check the type of cookies deployed by a web site

Use the Kinant AdWise Scanner: https://kinant.com/kinant-adwise/scanner

It may be illegal

If you are a resident of any country in the European Economic Area then it is illegal to profile you without your consent.

Under GDPR, profiling can be carried out only if:

  • It is necessary for the entry into or performance of a contract
  • It is authorised by Union or Member state law
  • It is based on the individual’s explicit consent