Cookie Consent Is Not Enough


For all the time companies have spent implementing cookie consent notices, privacy lawsuits and regulatory fines keep growing in number and size. Needless to say, notices are doing very little to protect companies or their customers.

Without a doubt, transparency is a good thing, and we’re starting to see more common-sense guidance emerge, but companies are still vulnerable to a host of issues that are often beyond their direct control. 

The recent lawsuits involving the Meta pixel, which are also affecting many U.S. healthcare companies, are a perfect example of this.  

The problem is baked into the way websites are built. Other than a few of the largest tech companies, we all use third-party cloud services to build our websites. These services include essential software like CRM, analytics, form builders and also trackers used by advertisers. The problem is that these third parties have a lot of autonomy and very little oversight.


The Meta pixel, for example, serves as a tracker that reports data back to Meta. This can be innocuous data that marketers use to target ads to potential customers and to track the effectiveness of their advertising campaigns. However, very detailed and specific personal information also gets collected by these trackers and incorporated into existing data portfolios.

Misused healthcare, financial data

The problem is, when you’re visiting a healthcare website, the stakes are much higher. You don’t want to share a medical condition that you’re researching with Facebook. And you definitely don’t want this data to be added to your social graph. This brings us to the heart of these lawsuits: Protected Health Information (PHI) is covered by HIPAA (Health Insurance Portability and Accountability Act), and the actions just described violate this law. It also shines a light on how troubling tracking can be when you look at digital advertising through a healthcare lens.  

The same holds true for financial services. Similar to PHI, collection of, and unauthorized access to, personally identifiable information (PII) and financial information can mean dire consequences. These are parts of our lives that we want to keep private for good reason; they don’t mix well with modern digital advertising practices.  

Two other recent lawsuits help us to better understand the complexity and scope of the problem, which extends way beyond the Meta pixel. 

Looking through the lens of sensitive data

A lawsuit was brought against Oracle claiming that the 4.5 billion records they hold — for reference, the global population is 8 billion — can be used as a proxy for tracking sensitive data that consumers have deliberately opted out of sharing. This idea, re-identification of de-identified data, is old news, but it serves as an object lesson in why all these “random” bits of data being gathered matter. With enough data, Oracle, or whoever ends up with access to the information, can infer most of the details of a person’s life with amazing accuracy, and it’s a certainty that this is exactly how the data will end up being used.

Another recent case involved the use of web testing tools that record web sessions to see how well a user can navigate a website. These are extremely common tools used by web developers and marketers to optimize user interfaces.

To cut to the headline, some of the companies using these tools are getting sued under wiretapping laws because these tools can transmit a lot more data than the website owner intended without the user’s knowledge. Who would’ve thunk? But when you look at all this through the lens of sensitive data, it becomes very clear that there’s a big problem.

Beyond the fact that most consumers breeze through these cookie consent pop-ups and hit “Accept all,” the companies serving these consents aren’t protected in a meaningful way, nor are their customers. Moreover, there are many ways to track users online that don’t involve cookies at all, and these are the issues that are at the heart of the recent lawsuits.

The solution isn’t just about refining cookie consent. The problem is a technical one. Companies need the ability to see, monitor and control the parts of the website interaction that they currently don’t control: The browser. That is the new endpoint.

The overwhelming majority of companies want to do the right thing, but they can’t manage what they can’t see. Just because they are unaware doesn’t mean they won’t be held accountable by new legislation and regulations, lawsuits or the public. Case in point: The average Fortune 1,000 website has over 120 third parties on its homepage. When you show someone the scope of the problem in this light, they care, a lot.  
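To make "seeing" concrete, here is an added example (not from the authors or from any LOKKER product) that audits a HAR-style capture of one page load and reports which third-party hosts received the visited page path, including when no cookie was sent. The hostnames, the sample capture and the `auditThirdParties` and `siteOf` helpers are constructed for illustration, and the two-label site rule is a simplifying assumption.

```javascript
// Constructed sample: HAR-style capture of one page load on a hypothetical
// healthcare site (clinic.example). Every host and value here is made up.
const PAGE = "https://www.clinic.example/conditions/diabetes";
const sampleHar = { log: { entries: [
  { request: { url: PAGE, headers: [] } },
  { request: { url: "https://static.clinic.example/app.js", headers: [] } },
  { request: { url: "https://px.adnetwork.example/tr?ev=PageView&dl=" + encodeURIComponent(PAGE),
               headers: [{ name: "Referer", value: PAGE }] } },
  { request: { url: "https://replay.sessiontool.example/record", headers: [],
               postData: { text: JSON.stringify({ page: "/conditions/diabetes", field: "dob" }) } } },
  { request: { url: "https://fonts.cdnhost.example/font.woff2", headers: [] } },
] } };

// Simplification (assumption): the last two DNS labels identify the site.
// Real audits should use the Public Suffix List for this step.
const siteOf = (host) => host.split(".").slice(-2).join(".");

// One record per third-party host: request count, whether any request carried
// the visited page path, and whether that happened without a Cookie header.
function auditThirdParties(har, pageUrl) {
  const page = new URL(pageUrl);
  const byHost = new Map();
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    if (siteOf(url.hostname) === siteOf(page.hostname)) continue; // first party
    const headers = request.headers || [];
    const sentCookie = headers.some((h) => h.name.toLowerCase() === "cookie");
    const carried = [...url.searchParams.values(), ...headers.map((h) => h.value),
                     (request.postData && request.postData.text) || ""];
    // A bare "/" path would match everything, so it is not treated as a leak.
    const leaks = page.pathname.length > 1 && carried.some((s) => s.includes(page.pathname));
    const rec = byHost.get(url.hostname) ||
      { host: url.hostname, requests: 0, receivesPagePath: false, withoutCookie: false };
    rec.requests += 1;
    rec.receivesPagePath = rec.receivesPagePath || leaks;
    rec.withoutCookie = rec.withoutCookie || (leaks && !sentCookie);
    byHost.set(url.hostname, rec);
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

console.log(auditThirdParties(sampleHar, PAGE));
```

On the constructed capture, two of the three third-party hosts learn which condition page was visited, and neither needed a cookie to do so.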

Ian Cohen is CEO and founder of LOKKER.

Brian Ebert is a LOKKER advisory board member and former Chief of Staff at the U.S. Secret Service.

