Cookies and Data Privacy

Recent developments in data privacy

On October 6, the European Court of Justice (ECJ) issued a landmark decision that invalidated the Safe Harbor Framework. The Framework had allowed U.S. companies, from pharmaceutical giant Pfizer to tech firms like Microsoft, to move personal data such as user and employee data back and forth across the Atlantic. The potential ramifications of the ECJ’s ruling are troubling and real. Many U.S. companies that leverage data analytics for business or advertising operations now have to comply with stricter E.U. data privacy laws regarding personal data generated in E.U. Meanwhile, in the United States, Google just in the last two years agreed to pay a whopping $50 million settling privacy violation claims. The Internet giant is currently sparring over another video privacy claim before the Third Circuit for allegedly tracking children’s Internet habits.

At stake are social media posts on Instagram and Twitter, purchase records from Amazon and Uber, and search inquiries through Google and all the revenues they generate. The tension is high as companies are eager to incorporate more and more technologies, such as super-cookies, to track increasing amount of personal information. In an era where the vast majority of online services are powered by advertisements, data is a potential revenue source. This digital advertising industry alone is expected to be worth more than $80 billion worldwide by 2018. The same issues affect e-commerce companies such as Expedia or eBay. They leverage purchase patterns to cross-sell or up-sell, and even employ price discrimination to charge more for the same product based on information gleaned from personal data.


Cookies, the enabler

The technological enabler of this data tracking and storage is cookies—small text files that websites embed into users’ browsers—such as Chrome and Safari—to identify visitors and store activities performed on the website. Despite the privacy intrusion, cookies are extremely useful. They dispense with the need to log-in every time you browse through a website and allow convenient features such as shopping carts and auto-filling forms on the web.

The balance between convenience and privacy concerns is tricky, however, when the nature of the data stored becomes more “personal.” While the relevant authorities are trying to come up with a uniform definition of Personally Identifiable Information (PII) in information privacy law, in many circumstances information that we generally consider not personally identifiable can also be linked to individuals and transformed into PII.[1] In reality, non-PII is more problematic and vulnerable to privacy intrusion. Due to its sensitivity, PII such as name, address, e-mail, phone numbers, and credit card information that directly reveal a user’s identity is carefully managed under most websites’ privacy policies. On the other hand, companies and marketers regularly combine various pieces of non-PII to produce PII. According to a study done by Professor Latanya Sweeney at Carnegie Mellon, the combination of a ZIP code, birth date, and gender—data generally considered to be non-PII—would be sufficient to identify 87% of individuals in the United States.[2]

More problematically, websites that feature third-party banner advertisements also track users through third party cookies unbeknownst to users. This has raised considerable privacy concerns as consent is less obvious for third parties’ data collection. In response, browser makers—such as Apple, Microsoft, and Mozilla—and federal authorities are limiting the use of cookies by third parties by providing options to block advertisements.



Despite these efforts to curb privacy intrusions, large wireless service providers companies such as Verizon and AT&T that oversee large amounts of personal data were recently revealed to be experimenting with a variant of cookies known as super-cookies. These super-cookies are difficult to detect and disable through browser privacy setting. Super-cookies are stored in places such as files used by flash plug-ins, hence the name flash cookies. A more notorious forms of super-cookies—zombie-cookies—regenerate themselves even after deletion.

After news about the development of super-cookies broke, AT&T swiftly announced that they would stop experimenting with super-cookies in an attempt to minimize bad publicity. However, Verizon took the opposite stance and recently reported that it will be sharing data received through super-cookies with AOL’s ad network, which they acquired earlier this year. Despite souring public opinion, Verizon’s bold move reveals how crucial exploitation or utilization of personal data is to Internet based companies.


Legal framework

In terms of personal data privacy and specifically cookies regulation, Europe has been leading the pack. New rules governing the use of cookies by websites came into force in 2011. Rather than the “opt out” option for website visitors, websites are required to gain the consent of visitors; users must “opt in” before cookies can be stored on their computers.

In contrast, the U.S. does not have such regulations. In 1986, Congress extended the Wiretap Act to the Internet. However, applying the Wiretap Act to the Internet context has been tricky due to interpretive problems. In particular, courts have had difficulty applying the act, originally focused on person-to-person communication, to modern person-to-device communication. Courts have likewise grappled with the question of whether the monitoring of URLs is considered surveillance of content or metadata. This important application problem is raised in a case now pending in the Third Circuit.


Future regulation

In response to the growing importance of Internet privacy, three Federal privacy bills have been introduced in 2015: the Consumer Privacy Protection Act (S. 1158) which would provide protection for many types of data including biometric data, user’s geo-location information, and private digital photographs and videos, the Student Digital Privacy and Parental Rights Act (H.R. 2092) which would prohibit operators of websites from selling students’ personal information to third parties, and the Data Broker Accountability and Transparency Act (S. 668) that would, among other things, allow consumers to see and correct personal information held by data brokers and tell those businesses to stop sharing or selling it for marketing purposes.[3]

While these bills are expected to strengthen personal data privacy, they will not be panaceas. Just recently, AT&T started to market an Internet service product called GigaPower in Kansas City for a lower starting price if customers agree to have AT&T track their Internet browsing. Certainly, there will be many more creative ways data-driven companies will adapt to the evolving realities. It will be interesting to watch.


[1] Paul M. Schwartz & Daniel J. Solove, The Pii Problem: Privacy and A New Concept of Personally Identifiable Information, 86 N.Y.U. L. Rev. 1814 (2011)

[2] Latanya Sweeney, Simple Demographics Often Identify People Uniquely 1, Carnegie Mellon Univ., Sch. of Computer Sci., Data Privacy Lab., Working Paper No. 3, (2000).

[3] Edith Ramirez, Julie Brill, Maureen K. Ohlhausen, Joshua D. Wright & Terrell McSweeny, Data Brokers: A Call for Transparency and Accountability, Federal Trade Commission, Report, May 2014.


Comments are closed.