For all the time companies have spent implementing cookie consent statements, the number and scale of recent privacy lawsuits and regulatory fines keep increasing. Needless to say, notices do very little to protect businesses or their customers.
Transparency is undoubtedly a good thing, and we’re starting to see more common sense emerging, but businesses are still vulnerable to a host of issues that are often beyond their direct control.
The recent lawsuits involving the Meta pixel, which many American healthcare companies also have to deal with, are a perfect example of this.
The problem is ingrained in the way websites are built. Aside from some of the biggest technology companies, we all use third-party cloud services to build our websites. These services include essential software such as CRM, analytics, form builders and also trackers used by advertisers. The problem is that these third parties have a lot of autonomy and very little oversight.
For example, the Meta pixel serves as a tracker that reports data back to Meta. This can be harmless data that marketers use to target ads to potential customers and track the effectiveness of their advertising campaigns. However, highly detailed and specific personal information is also collected by these trackers and included in existing data portfolios.
Abused healthcare, financial data
The problem is that when you visit a healthcare website, the stakes are much higher. You don’t want to share a medical condition you’re researching with Facebook. And you definitely don’t want this data added to your social graph. This brings us to the heart of these lawsuits: Protected Health Information (PHI) falls under the Health Insurance Portability and Accountability Act (HIPAA), and the actions just described violate this law. It also sheds light on how troubling tracking can be when you look at digital advertising through the lens of healthcare.
The same applies to financial services. As with PHI, the collection of and unauthorized access to personally identifiable information (PII) and financial information can have serious consequences. These are parts of our lives that we want to keep private for good reason; they do not mix well with modern digital advertising practices.
Two other recent lawsuits help us better understand the complexity and scope of the issue, which extends far beyond the Meta pixel.
Looking through the lens of sensitive data
A lawsuit has been filed against Oracle alleging that the 4.5 billion records they hold — for reference, the world’s population is 8 billion — can be used as a proxy for tracking sensitive data that consumers deliberately don’t want to share. This idea, re-identification of anonymized data, is old news, but it serves as an object lesson in why all these “random” bits of data being collected matter. With enough data, Oracle, or whoever gets access to the information, can deduce most details of a person’s life with astonishing accuracy, and it’s a certainty that this is exactly how the data will ultimately be used.
Another recent case involved the use of web testing tools that record web sessions to see how well a user can navigate a website. These are very common tools used by web developers and marketers to optimize user interfaces.
Some companies using these tools are now making headlines: they are being sued under eavesdropping laws because these tools can transmit much more data than the website owner intended without the user’s knowledge. Who would have thought? But when you look at all this through the lens of sensitive data, it becomes very clear that there is a big problem.
This brings us back to cookie consent
Aside from the fact that most consumers quickly go through these cookie consent popups and click “Accept All,” the companies granting these consents are not meaningfully protected, and neither are their customers. In addition, there are many ways to track users online that do not use cookies at all, and these are the issues at the center of the recent lawsuits.
The solution is not just about fine-tuning cookie consent. The problem is of a technical nature. Businesses need the ability to see, monitor, and control the part of website interaction they don’t currently master: the browser. That’s the new endpoint.
The vast majority of companies want to do the right thing, but they can’t manage what they can’t see. Just because they don’t know doesn’t mean they can’t be held accountable by new laws and regulations, lawsuits or the public. Example: The average Fortune 1,000 website has more than 120 third parties on the homepage. If you show someone the scope of the problem in this light, they will care a lot.
Ian Cohen is CEO and founder of LOKKER.
Brian Ebert is a member of the LOKKER Advisory Board and former Chief of Staff of the United States Secret Service.