Tough Cookies: When Tracking Comes at a Huge Cost
The implications of cookies should not be measured only by the financial consequences to companies. Infringements on consumer privacy also carry a substantial cost for the users.
Have you ever pondered why a search on one device appears on another? Or why websites display ads linked to your past searches or purchases? Or how websites recall your preferences like language, currency, or location? The key to all these is cookies.
In today’s digital world, cookies are not just delicious snacks. They’re small pieces of data that websites store on your device to track online actions. While they can improve user experience by recalling preferences and personalizing content, they can also violate privacy rights if misused.
There are concerns about how cookies track online behavior and how the information is shared with third parties, leading to fears of data leaks, identity theft, or unwarranted surveillance. The consequences can be significant for organizations that breach regulations governing the use of cookies.
Laws and regulations exist to govern how websites can use cookies and the necessity of obtaining user consent beforehand. These laws strive to protect user privacy and give users greater control over their personal data.
However, not all websites adhere to these laws. Some infringe upon cookie consent rules by using cookies without user consent or failing to provide adequate information to users, leading to serious legal, financial, and reputational damage.
Cookie consent is a crucial part of data privacy rules, with certain criteria required for it to be deemed valid. These criteria can differ based on the country and the kind of cookies in use. Nonetheless, cookie consent must be voluntarily provided by informed users for specific purposes and should be easily revocable whenever the user desires.
Users must voluntarily consent to the use of cookies, with a genuine choice to accept or reject them. They should be clearly informed about the purpose and implications of cookies, including details on types, data collection, processing, and third-party sharing.
Consent should be specific to each cookie’s purpose, allowing users to choose their preferences for functional, analytical, or marketing cookies. It must be unambiguous and expressed through clear affirmative action, not inferred from inactivity or pre-ticked boxes.
Users should have the right to revoke their consent at any time, with a process as simple as granting it. Websites should maintain records of consents to demonstrate compliance with data protection regulations, tracking when and how consent was obtained and any accompanying information provided to users.
Key cookie consent laws include the EU's ePrivacy Directive and General Data Protection Regulation (GDPR), and the California Privacy Rights Act (CPRA). These laws require user consent for cookies, clear information about their use, and rights for users to manage their personal data. They apply to websites that collect or process the personal data of residents of the respective jurisdictions, regardless of the website's location.
Fines related to cookie consent often stem from a lack of transparency, choice, control, and awareness. Websites may not offer clear details about cookies or their uses, provide limited options for managing cookie preferences, disregard user choices about cookie settings, or lack knowledge of relevant laws and regulations. Many websites have not adhered to these cookie consent laws and regulations, resulting in significant fines from data protection authorities.
In 2020, Amazon was fined €35 million for unauthorized cookies and lack of user information. Facebook was fined €60 million in 2021 for tracking users’ habits and preferences via cookies without their consent and lack of an easy opt-out option. Also in 2021, TikTok received a €5 million fine for failing to protect minors’ data and secure their consent for cookies.
In 2021, Google received a €150 million fine for not providing users with an easy option to refuse cookies. It was additionally penalized €50 million for GDPR violations, specifically failing to obtain proper consent for targeted ads. The tech giant was also hit with another fine of €100 million for breaches related to its cookie policy.
In 2022, Microsoft Ireland was fined €60 million for not providing an easy option to refuse cookies on bing.com. Also in 2022, Apple was fined €8 million for using cookies for profiling and marketing without proper disclosure or consent. In the same year, Sephora was penalized $1.2 million for utilizing data tracking technologies without appropriate disclosure or opt-out choices, and for not processing consumer opt-out requests as required by the CCPA.
Penalties for non-compliance with cookie consent regulations not only lead to monetary damages, but also result in legal complications, heightened regulatory oversight, and erosion of public confidence. To comply with these laws, it’s crucial for websites to implement an up-to-date solution that classifies cookies, provides transparent notifications, facilitates easy management of preferences, and honors the decisions of users.
Although cookies improve the user experience and the relevance of ads, they also pose privacy issues. It’s essential for websites to provide users with comprehensive information about the use of cookies, their functions, and methods for managing preferences. Users should have the ability to easily revoke consent and be educated about their data rights.