Who doesn’t love cookies? There are so many different kinds: chocolate chip, oatmeal, peanut butter, internet… wait, what?
In the banking and payments sectors, we’re always thinking about security. Both GDPR and the new California Privacy Rights and Enforcement Act of 2020 revolve around consumer security, and as many of us are now working from home to maintain social distancing because of COVID-19, many people’s thoughts drift back to their personal lives.
I was recently asked what information websites can get from cookies on your computer. I tried to explain that a website can only get information from a cookie that it wrote into that cookie. Allow me to clarify with a metaphor…
Imagine we are at a party in a room full of people. I have a stack of notepads. As people come up and talk to me, I open a notepad, write down some information about them, then I give them the notepad which they carry around the party. If they come back to me, I read their notepad to see what I wrote in it earlier; I might write more information into it. Some of the information I write in the notepad might be about observations I make about them, such as their hair color or what shoes they are wearing. But some of the information I write might be about what we talked about, or questions they asked me. But the important thing to understand is that the notepad was blank – and the only information in it is whatever I write into it.
One of the people in the room approaches me and strikes up a conversation. I grab a notepad and write down notes about the conversation and other observations. I then look over my shoulder and tell my friend… we’ll call her Guugle… I tell my friend Guugle everything that I just wrote down. I hand the notepad to the other person and they walk away.
In this scenario, “Guugle” never saw the notepad (cookie), but I collected some data and shared it with Guugle. Realistically, this type of interaction doesn’t often happen in the real world, but I use this example to point out that data collection, data sharing, and cookies are separate topics in the overall subject. One more time, let’s return for one last scene…
Midway through the party, I make an arrangement with Guugle. She has an associate who will aggregate information about the people with whom I speak and later give me lots of interesting statistics. Guugle’s associate’s name is Anna Lytics. Anna stands next to me and she has her own stack of notepads. As people come up and speak with me, I make notes in a notepad and Anna makes her own notes in another notepad. When the conversation is over I give my notepad to the person, and Anna gives hers to them as well. (It is important to note that Anna was simply a third party to the conversation.)
When the next person approaches, we speak briefly. I make some notes, and Anna makes some notes – just like before. When the conversation is completed I hand them my notepad. But this person doesn’t want Anna to remember what was discussed later (and they don’t want Anna to share anything with Guugle’s other associates), so when Anna tries to give them her notepad they do not accept it and they simply walk away. They do not want to accept a notepad from a third party.
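The party scenes above, modelled as a small browser cookie jar. This is an added example, not code from the original post; the hosts shop.example, stats.example and news.example and the cookie values are constructed, and the model is simplified (it compares whole host names and ignores Domain, Path and expiry).

```python
from http.cookies import SimpleCookie


class Browser:
    """Toy cookie jar: each host can only read back the cookies it wrote."""

    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}  # host that wrote the cookie -> {name: value}

    def receive(self, page_host, response_host, set_cookie_header):
        """Handle a Set-Cookie header from response_host while viewing page_host."""
        if response_host != page_host and self.block_third_party:
            return False  # the visitor declines Anna's notepad
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.jar.setdefault(response_host, {})[name] = morsel.value
        return True

    def cookie_header_for(self, page_host, request_host):
        """Cookie header attached to a request to request_host from page_host."""
        if request_host != page_host and self.block_third_party:
            return ""
        cookies = self.jar.get(request_host, {})
        return "; ".join(f"{name}={value}" for name, value in cookies.items())


def party(block_third_party):
    """Replay the last two scenes and report what each host gets to read."""
    browser = Browser(block_third_party)
    # The visitor is on shop.example (me); stats.example (Anna) is embedded in the page.
    browser.receive("shop.example", "shop.example", "visitor=abc123; Path=/")
    browser.receive("shop.example", "stats.example", "tracker=xyz789; Path=/")
    return {
        # My notepad comes back only to me.
        "shop": browser.cookie_header_for("shop.example", "shop.example"),
        # Anna reads only her own notepad, never mine.
        "stats_on_shop": browser.cookie_header_for("shop.example", "stats.example"),
        # Anna's notepad also comes back when she stands next to another host.
        "stats_on_news": browser.cookie_header_for("news.example", "stats.example"),
    }


if __name__ == "__main__":
    print("accepting third-party cookies:", party(block_third_party=False))
    print("blocking third-party cookies: ", party(block_third_party=True))
```

With third-party cookies accepted, stats.example gets its own cookie back on every site that embeds it, which is how Anna remembers a visitor later; with them blocked, only the first-party cookie survives.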
Data collection, data sharing, and cookies are all topics with which we should all be familiar. When considering whether or not to sign up for “free” services, remember to consider the information they may be collecting, with whom they are going to share that information, and how it might be used.