What happens when you accept cookies
Once you hit “accept” on a webpage’s cookie consent pop-up, it will embed little pieces of code (“cookies”) onto your browser or your device. Usually you’re accepting multiple cookies at once, each performing different functions. Some cookies are designed to be useful for users, like those that allow a site to remember your username and password from visit to visit. Others are designed to be useful for website administrators, like detecting if certain pages are generating error messages and need to be fixed.
Then there’s third party cookies. These aren’t about making a site easier to use or fixing bugs on the backend. They’re usually in the business of harvesting your data and selling it to advertisers, and whomever else is willing to pay.
What do web cookies do?
Also known as “tracking” cookies, third party web cookies do pretty much what it sounds like: track you online. Tracking cookies stay on your browser or device long after you’ve left a webpage or even shut down your computer for the day. They follow you across sites and over time, collecting information like your geographic location and recording all of your online behavior – like every site you visit, every purchase you make, and every web search you conduct – until the cookie expires, which could be months or even years after you hit “accept”.
These tracking cookies transmit the running log of what you do and who you are to the company that owns them. These companies are largely in the AdTech business – the ecosystem of data harvesters, analysts, tech companies and marketers behind the targeted ads you see online. Your data can be bought by other actors as well.
Data brokers are one of the common companies behind cookies. Brokers specialize in taking all the info that their cookie has collected and combining it with info they’ve gotten about you from other sources – like tracking software similar to cookies embedded on your phone by free downloads such as weather apps. Brokers bundle what they know about you into profiles – and they know a lot.
That’s because watching everything a person does online is pretty revealing. Between our location, web browsing habits, and search history, companies can figure out our age, gender and marital status; our hobbies and interests; our political and religious beliefs; if we have kids or recently lost our job, if we’re having trouble training our dog or are worried about hair loss. If you’ve ever read about a health condition on WebMD, that info has been sold and shared with at least 20 different third parties as of this writing. With all this raw data, brokers typically summarize what they know about us with tags, ranging from things like “working-class mom” and “frequent alcohol drinker” to “financially challenged” and “depression sufferer”. These companies amass a lot of info; one data broker studied by the Federal Trade Commission reported having 3,000 data segments on nearly every U.S. consumer.
Once your data is bundled into profiles, brokers sell it. Sometimes it’s sold to other brokers wholesale. But a lot of times it’s sold to a much broader audience of advertisers in online auctions that run in the background every time you load a webpage. Pay attention next time to how the ads load on a site – there’s almost always a delay between you opening a page and the display of ads. In those seconds, a complex auction is putting what companies know about you up for sale and giving the highest bidder the chance to place an ad in front of you that the advertiser thinks will get you to click.
Of course, clicking one of these ads usually ends up giving third parties another data point to add to your profile, plus the opportunity for even more companies to embed new cookies in your device. Today’s Internet is a reinforcing cycle of link clicks, info gathering and data sales, over and over again.
Should I be worried about cookies and companies selling my data?
Data brokers and the rest of the AdTech system are virtually unregulated, and not all of the companies buying and selling your data have your best interests in mind.
Predatory targeted advertising
Data collected online can be used to take advantage of our private weaknesses and insecurities. For instance, people searching terms like “need money help” on Google have been served ads for predatory loans with staggering interest rates over 1,700%. A precious metals scam used highly targeted Facebook ads to get elderly seniors likely to be suspicious of institutions to spend their retirement savings on grossly overpriced gold and silver coins. And last year, an investigation found Instagram content that promoted diet pills targeting users struggling with eating disorders. Scams and harmful industries have always existed – but the big data system underpinning today’s Internet has allowed them an unprecedented ability to identify, reach and take advantage of their victims.
Invasive targeted advertising
This system can hurt us in less obvious ways, too. Sometimes targeted ads are just plain annoying, but sometimes they can be painful reminders of things we’d rather not be confronted by every time we log in to Facebook to see our nephew’s updates. For instance, one woman making end-of-life arrangements after her mother died of cancer googled funeral costs, and then was repeatedly served ads across the web for all varieties of headstones and grave markers. Going online meant walking through a digital cemetery, whether she liked it or not.
There’s also the issue of rising data hacks, breaches and leaks. All of this data about us changes hands rapidly and is widely spread. You can bet not all of these actors have the most cutting-edge data security protocols. The number of data breaches keeps rising every year; in 2021, there were over 1,800 events, some of which exposed the personal information of millions of Americans – and not just web history, but information like social security numbers, too. When more and more companies keep info about you, the odds that it’ll fall into the wrong hands increases. This system makes you more likely to become the victim of identity theft, or having to pay money to hackers holding your info for ransom, or even just ending up on more telemarketing lists wanting to contact you about your car’s extended warranty.
The whole thing’s unregulated
Unlike credit bureaus whose business model also relies on the collection and sale of consumer data, data brokers and other AdTech companies are virtually untouched by any existing laws. The Fair Credit Reporting Act protects consumers’ data collected by the credit bureaus from being used for illegitimate purposes – and while certainly still important, this law was passed in the 70s before the Internet really existed. New laws are sorely needed to protect people from today’s online data harvesting and commercialization. PIRG is working to get these regulations in place.
What can I do to stop my data from being collected, sold and used?
While we and other advocates continue fighting for meaningful regulatory reform, there are some things you personally can do.
- If you visit a webpage with a cookie pop-up, see if there’s an option such as “Manage my preferences” or “See cookies”. Not all cookie pop-ups will have buttons like this. Many in the U.S. will simply inform you there are cookies and if you don’t like it, tough. But if those options exist, be sure to click and turn off any advertising or analytics cookies in particular. Pay close attention to what you click – many pop-ups are designed to deceive you into consenting to data collection by using confusing colors or other design tactics. If there’s a “Reject all cookies” option, that’s the way to go.
- Clear your cache and cookies. You can remove currently existing cookies from your browser using these steps from the University of Iowa.
- Use browser plug-ins to automatically stop data collection by advertisers and third parties. One useful tool is Privacy Badger from the non-profit group Electronic Frontier Foundation. This tool automatically blocks third party trackers on the sites you visit and uses algorithms to continually learn what to block. Once you download the browser extension, you don’t need to set anything – it handles everything itself.
- Adjust the settings on your Apple or Android phone to limit data collection and targeted advertising on your phone. You can follow the steps in PIRG’s guide here.
- Adjust the settings on your social media accounts to limit data collection and targeted advertising. PIRG has a special guide, which you can find here.
- Use web browsers that don’t suck up as much of your data. Apple’s Safari and Mozilla’s FireFox are better bets than Chrome.
Director, Don't Sell My Data Campaign, PIRG; Policy Analyst, Frontier Group
R.J. focuses on manipulative advertising and the commercialization of personal data online as a part of her work to advance PIRG’s New Economy program. In her work at Frontier Group, she has authored research reports on government transparency, predatory auto lending and consumer debt. She was previously the tax and budget advocate for PIRG. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder.