Note: The header image was created by Visual Cinnamon for The New York Times on an opinion piece on digital trackers.
By now everyone is familiar and desensitized to cookie popups that bombard us on our first visit to almost every. These cookie consent alerts are there for a reason, they are required by new legislation such as GDPR and the California CPA. This legislation has been introduced to try to protect consumers from boundless data collection policies , which is a laudable goal. I’m not certain how much of a difference it’s made though as most users accept the terms as quickly as a EULA or a Windows Security Warning popup. Recently Senator Sherrod Brown has realized this and is trying to shift the burden of privacy from consumers onto the companies that hold the data. No longer will it be enough for a company to fall back on the “but you clicked on the Privacy Policy button” defense:
The web was designed to share information, this openness has led to users unknowingly giving up their privacy in fundamental ways.
If you do examine your choices in the cookie popup to choose which trackers are acceptable the list is often so exhaustive that it could take minutes to simply disable tracking for each of the marketing companies, let alone the hours or days it would take to understand what each tracker is doing.
Every time a company shares browsing history or other personal information with another company it increases the likelihood that information is lost in a breach. Recently, data aggregation companies such as Exactis , the Republican National Committee , River City Media , and more have been the source of many massive data breaches. This means that users were exposed to more risk at no fault of their own. Their data was lost because of aggressive data collection policies and normal internet browsing.
Pop Quiz:
Which of these are real companies that track you around the web and which are companies I just made up:
- MiQ
- Floodlight
- Google Analytics
- Kameleoon
- Ve
- Baidu Analytics
- Hotjar
- Mautic
- Impact Radius
- Pixlee
- Facebook Pixel
- UNiDAYS
- YOUTH ID
- Amazon Associates
- Adform
- Adroll
- AWIN
- AppNexus
- TradeDesk
- Google Ads Conversion Tracking
- Partnerize
- Flashtalking
- iAdvize
- LinkedIn Ads
- Facebook Connect
- Facebook Custom Audiences
- Conversion Linker
- Sajari
- Evalanche
- AnswerDash
That was a trick question, those are all trackers. What’s worse, they are all used on a single page for a single site.
A new future
It doesn’t have to be like this. Sales and Marketing can be done with a privacy and security first model. The New York Times recently announced they are phasing out all 3rd party advertising data. This is a great win for the consumer supported news model. More companies, outside of news, can follow suit.
Agree that privacy is important
The first step to take is to understand that privacy is fundamental and important to your customers. Stating this at the onset is important because it sets the stage for the rest of the conversations and discussions. If your team doesn’t first agree that privacy is important to your business and customers the rest of the conversations will not be fruitful.
Set goals for data collection
Data collection doesn’t have to be an all or nothing effort. There are legitimate reasons to collect data. It can help you understand your customers and to help sharpen messaging and content. However, without clear goals, the team may end up adding trackers that don’t help the business. This will add to the customer’s risk with no upside.
Goals may include things like giving the sales or marketing team actionable insights into your visitors. Other goals should be to ensure that your site continues to behave appropriately when adblockers are used, or when cross-domain cookies and Javascript are disabled. Another user-centric goal is to ensure features like browser Do-Not-Track settings are respected.
Set a high bar for new trackers
Without clear goals and customer protections, it can be tempting to add each tracker and tool to a website each time they’re suggested. Perhaps, one tracks demographics, one tracks history, and another tracks political leanings; ensure that each new tracker will help you with your goals, make sure there are measurable KPIs for each tracker. If they’re not useful, remove them.
Share the data you do collect with interested parties. Many times teams will set up their own trackers and accounts because that’s easier than getting the data from another team. This failure of communication shows other organizational issues that should be addressed before customers are put at additional data-loss risk. Each new tracker should provide new functionality. Make sure you’re not tracking the same data in multiple places.
Gather only necessary data
The data collected must be able to be shown to make a difference for your team and users.
Destroy data as soon as it is no longer useful. If you’re collecting and managing your own user data make sure that data is purged as soon as it is no longer needed. Set a default data expiration that is as short as possible: 6 months is a good default. Create an exception process to hold data longer than the default if necessary.
For users
As mentioned above, much of this information is collected without your consent or knowledge. Even if you examine each cookie consent dialog there are still hundreds of digital trackers and cookies that will remain enabled. To protect yourself I recommend taking additional steps.
1. Install an ad and tracker blocker
A good ad-blocker such as uBlock Origin , Privacy Badger by the EFF, or DuckDuckGo Privacy Essentials . These extensions will block advertising, malware, trackers and more at the request level. The result is that you are protected from tracking, see less advertising, see less visual clutter, and have a faster browsing experience. You can disable or tune your ad blocker for certain sites that you want to support through ad revenue. When browsing to a site like wired.com you will see about 15% of the total requests blocked.
2. Delete Facebook, Replace Google
Facebook and Google are advertising platforms. Their primary source of revenue comes from the tracking and sale of user data. These companies build a complete demographic profile of you based on the information they gather. Because of their significant reach and market penetration they can achieve this goal exceptionally well.. They use this information to sell advertising across the web.
Replace other Google features and products as well. Don’t use Chrome as your default browser, I recommend Firefox or Microsoft Edge. Don’t use Google’s DNS servers, I recommend Cloudflare’s 1.1.1.1 servers. If you can minimize the use of other Google applications such as Gmail, Google Calendar, Drive, Play Store, Android, Groups, Hangouts, Maps, News, and even YouTube.
3. Enable browser based privacy features
Most browsers include good privacy features. Both Microsoft Edge and Firefox have good automatic tracking prevention. Enabling strict tracking prevention will protect your identity the best, but may break some sites and pages.
Enable the “Do Not Track” requests option. This is an optional setting that the browser can send to the server to tell the sever not to track them. Unfortunately there isn’t anything enforcing companies to respect this setting, but it is a good practice to enable it.
Takeaways
The web was designed to be open. The principles that allow for open standards and information discovery are beautiful, lofty, and important. When many of these standards were designed and developed there was no idea of what the internet would become. The very concepts of security, privacy, authentication, authorization, and threats on the internet were so nascent, little to no effort was made to mitigate those risks. Now trillions of dollars flow through internet based companies, many of which anchor their business on tracking users, selling advertising and marketing to every micro-demographic possible. There are massive market forces pushing companies to collect more data than ever before. We must make the active choice as business leaders and consumers to strike a balance between data collection and privacy.