As part of GDPR, companies based outside Europe can be hit with enormous fines if they track and analyze EU visitors to their website. In other words, say your company resides in New York, but that company has European visitors and customers, or collects their data. If that’s the case, they can be penalized to the tune of tens of millions in fines if they don’t disclose their data collection and obtain the user’s consent.
Understandably, American companies want to avoid huge fines, which is why US users are seeing more and more of these permission boxes.
The boxes are designed to offer users more control over their data, as the EU law was put into place to protect all data belonging to EU citizens and residents. The confusion within the US market exists because the country doesn’t have similar laws to protect the privacy of its citizens.
In February 2022, Saryu Nayyar wrote a piece for Forbes that asks if it’s time for a US version of GDPR. Nayyar wrote that the point of such a law would be “gaining explicit consent for collecting data and deleting data if consent is withdrawn.” That sounds like an awesome idea, but after consulting Montulli, the privacy plot thickens.
Personally, I find it impossible to separate cookies and privacy online. I asked Montulli if it’s true that everything on the internet stays on the internet.
“No,” he says. That’s because information on the internet is detached from your current online presence. The purpose of the cookie is to allow a website to know when the same browser returns. The cookie may contain additional pieces of information. “But the predominant use of it is to pass an ID to your browser as an identifier,” he says.
“Therefore, they can see that this is the same browser that was here a few seconds ago or even a few months ago. But, once the cookie is cleared, there’s no longer any attachment to you.”
The lack of transparency about how cookies work and who manages the data collected from them is a big part of the problem. When you visit a primary website that has hired a third-party ad-tracking network, your browser can get a third-party cookie without your knowledge. “The lack of transparency means that another cookie by another website has added embedded content, without your knowledge.”
Montulli says that if you clear your browser’s cookies frequently there’s no longer any attachment to you and your personal data, at least for that first-party website. “When you return to that website after clearing your cookies, or even if you have a new set of cookies, there’s no association between your browser and the browser that connected to that site several months ago with that old cookie.”
To test the hypothesis, I tried managing and blocking cookies on random sites. I completely ignored the permission box on any that asked me to accept cookies. The majority of those sites allowed me access anyway. Only a few sites blocked me because I ignored the permissions box. In those cases, the only decision I had to make was whether to trust the site. Since I did not actually need to read any content from those sites, I simply moved on. Bottom line, it doesn’t hurt to select the cookies you want to accept and those you want to block. Just be prepared to do it every time you visit, or every time you clear your cookies, which you should probably get used to doing regularly.