WRIT340 Ethics Project

Data collection is scary. What starts as an innocent aim to customize user experiences can quickly devolve into a series of shady transactions where your data is harvested and distributed to who-knows-where. Data is harvested in a number of ways, the most common and well-known type of data collection stems from “cookies.” If you’ve ever visited a decently popular website for the first time, you’ve probably seen some variation of a small prompt warning you about the usage of cookies for the website. Despite increasing legislation, modern cookie prompts are often designed to trick the user into giving up more information than they normally would. Thus, it is our responsibility as consumers to make sure that our own devices are properly cleared of cookies periodically. Even with legislation, we cannot trust companies to operate within ethical boundaries when it comes to data collection with cookies.

But first, what is a “cookie,” and how is such an innocently named piece of data used to compromise our privacy? Put simply, a cookie is a piece of information that a website stores on your computer. Cookies are useful for website functionality in the same way that they are abusable by threat actors; they are simple, persistent, and not limited by default. For this reason, cookies are an widely used by advertisers and third parties to learn consumers’ habits. This is a well-known phenomenon, however, and it hasn’t gone entirely unnoticed by lawmakers.

In recent years, privacy regulations have been introduced to prevent the spread of unethical cookie abuse; the two biggest pieces of legislation in this regard are the General Data Protection Regulation (GDPR) and the ePrivacy directive. While the former is a stronger, more influential piece of privacy legislation that affects far more than just cookies, the latter was responsible for the now ubiquitous cookie opt-out prompts that plague most modern websites. GDPR governs the rights that consumers have to their own data and how their privacy should be the priority for any form of data collection that a website might engage in. The ePrivacy directive, on the other hand, deals more directly with cookies, requiring that websites contain opt-out dialogues for cookies, and that cookies be separated into categories (“strictly necessary” vs. third party advertisers, and more), in addition to other standards (Koch). Though both of these regulations have been passed in the EU, their rules are followed by the vast majority of websites, regardless of origin.

However, despite the combination of these two regulations, websites and advertisers are still left with a good deal of wiggle room. While the regulations specify the criteria for informed consent, they don’t control the design language of the website. The modern web-browsing experience almost always includes several pop-up dialogues, including newsletter invitations, promotions, ads, and the most sinister of all: cookie opt-out dialogues. Unethical websites can make these dialogues as blocky, unwieldy, and annoying as possible to trick the average consumer into clicking the “accept all” button — signing over the right to collect as much data as possible. Knowing that the average user likely won’t take the care to look through several menus of fine print to figure out how to prevent their data from being collected, unethical websites can leverage the design of their cookie collection prompts to exploit such users. And while legislation requires that users can withdraw their consent at any time(Koch), the process of doing as such is frequently made to be challenging and unintuitive. By doing this, websites prey upon the naturally impatient tendencies of their users in order to collect more data while still remaining compliant with legislation.

For a lot of users, their impatience often stems from lack of understanding. The term ‘data collection’ often gets thrown around when it comes to discussions about data privacy and personal security, but for the average person who browses the internet in order to learn, shop, or watch videos, such terms seem less relevant. The truth is that data collection is a lot more prevalent and important to the average user than they often think. In 2019, Facebook “enabled advertisers to exclude certain users from seeing housing, employment, and credit opportunities in a discriminatory fashion” (Union). Using cookies, websites can not only know your personal details–location, age, sex, habits, preferences, interests–they can even use it to discriminate against you, or take advantage of your socioeconomic status. While it’s important for consumers to be aware of unethical data collection practices, it is just as important to grasp just how awful it can be for advertisers to have access to this specialized information.

With the further development of internet privacy regulations, a growing demand for compliance has caused for the creation of consultancies and online resources that can help websites to create ways to harvest data while remaining perfectly legal (Shreya). These businesses help websites continue their unethical practices despite protective regulations and will continue to support immoral practices with the emergence of future laws as well. Although the ePrivacy directive is destined to be replaced by an even stronger piece of legislation, the ePrivacy Regulation(EPR), this problem will remain, as companies will look to be as maliciously compliant as possible (Koch).

While tightening legislation may cause the use of cookies to slowly dwindle, it doesn’t mean the problem won’t still exist. For example, in 2020, Google announced that third-party cookies would be phased out of its popular browser, Google Chrome, to address privacy concerns. Despite this announcement, and the ensuing chaos named “cookiepocalpyse,” a recent study found that 80% of advertisers still relied upon third-party cookies to harvest data (Desai). While increasing regulations may help, they are only effective when backed by large political bodies like the EU and the US. Such laws are complicated, expensive, and take a very long time to be passed, hence why the EPR remains as a draft despite the ePrivacy Directive being passed over two decades ago (Koch). The modern privacy problem is continually growing, and the speed of governmental regulation is simply not enough to stop unethical data collection practices right now.

Even if regulation emerges that fully fixes privacy concerns associated with cookies, new technologies can and will replace or extend such issues. Since Google’s announcement, new techniques such as pixels, mobile beacons, and referrers are being applied to trace user activity across websites[8]. One doesn’t even need to dive into the specifics of these technologies to grasp that they aren’t good for privacy. From a consumer standpoint, all of these new forms of data collection fall under the same lump sum: immoral practices by companies to take your data for their benefit. Trying to push forth legislation to get rid of one of these tracking technologies is akin to cutting one head off of the hydra; it’s simply a matter of time before other techniques replace it.

For this reason, it becomes the responsibility of the end user to seize the right to their privacy. Companies cannot be trusted to follow ethical practices regarding user data, as the prospect of selling user data for profit is too tempting. Third parties and advertisers are allowed to continually harvest data in immoral ways, complying to regulations while tricking users into offering more data than needed. Advancements in legislation are helpful, but arrive too slowly to be useful to us now. Unfortunately, the only thing that can be done to stop the collection of your data is to be as meticulous and patient with your internet browsing as possible. Reading the fine print on opt-out dialogues, using browser extensions that enhance privacy, using “incognito mode”, and, of course, clearing cookies periodically. Without these measures, companies are given free rein to exploit your data for their profit.

WORKS CITED

Desai, Anokhy. iapp.org. July 2023. 4 February 2024.

Koch, Richie. gdpr.eu. n.d. 4 February 2023.

Shreya. cookielawinfo.com. 30 November 2022. 4 February 2024.

Union, American Civil Liberties. aclu.org. 19 March 2019. 4 February 2024 .