Journals, data leaks, or news stories that explain the comprehensive picture companies can create of a person’s Internet usage raise privacy alarms. But most people have shrugged and accepted the status quo in exchange for convenience.
Soon, however, changes by businesses and governments will overturn the current system of tracking Internet users, he says Guy Aridorassistant professor of marketing at the Kellogg School, who studies competition and regulation issues in digital markets, focusing on the economic aspects of the collection and dissemination of consumer data.
“From a consumer perspective, what this means going forward is that you’ll hopefully have more transparency about what’s going on online,” says Aridor.
Aridor explains how tracking was developed, what regulators are doing to increase transparency and how online data protections are going to improve for users.
How did we get here?
The current system for tracking Internet users’ activities across the Web—it’s ubiquitous “cookies”— originated as a hack in the first commercial browser, Netscape, in the 1990s. Early Internet protocols had no way for websites to collect personal information or browsing history, which limited functions such as tracking what users put into a shopping cart or which movies they wanted to watch.
The benefit of this hack was that the web became much less cumbersome to use. “It’s not necessarily bad to track all the data,” Aridor points out. “If you go to Netflix and they’re able to watch you over time, you’re going to get better movie recommendations.”
As the use of cookies became more popular, advertisers realized they could better target ads by using third-party cookies, which are placed by websites other than the one the user is visiting, to develop sophisticated consumer profiles.
Over time, consumer attitudes toward such monitoring have clustered into three groups.
Fundamentalists oppose data collection on principle and go to great lengths to minimize the traces they leave online. Pragmatists are concerned about the harmful consequences of surveillance, such as leaking data or making uncomfortable personal habits public on the Internet, but they also see the advantages in terms of convenience and personalization. Disinterested users are generally unaware of the ways data is collected — and the privacy issues its collection raises.
While most consumers are on the pragmatic side, the widespread collection and sale of data by third parties has raised objections from fundamentalists and consumer privacy advocates alike. Today, regulators, as well as some tech companies, are trying to address these concerns.
“A lot of what’s happening in the privacy space now, both from federal law and from industry, is essentially trying to create a new privacy environment,” Aridor says. “The goal of these groups is to preserve elements of the old status quo — like companies being able to profit from being able to track you online — while doing it so that consumers have some control.”
How governments and tech companies have responded
Regulators have focused heavily on protecting Internet users’ privacy by providing consumers with more information about the data being collected.
GDPR or the European Union’s general data protection regulation, which came into effect in 2018, established the right of individuals to consent to the collection and sale of their personal data. GDPR also obliges companies that track consumers to provide transparent and easily accessible information about how their data is used.
Other countries, including Canada, Israel and Japan, have adopted GDPR-style legislation, as have some US states: California’s consumer privacy law is similar to the GDPR, and recently additional enforcement powerswhile states such as Colorado, Connecticut, Utah and Virginia have passed similar legislation which enters into force in 2023.
In a way, GDPR-style laws put the onus on consumers to protect their privacy and make informed decisions, Aridor says. They mostly help fundamentalists and those who already pay attention to online tracking, but do less for pragmatists and casual users who take some time to weigh the trade-offs.
“Let’s say you go to a website like the New York Times,” says Aridor. “They tell you they use your data to collect analytics, send it to third-party advertisers, and improve your experience on the site. But to make an informed decision, you have to weigh the costs and benefits of personalization, and it’s not very obvious what those are.”
Some major platforms are making proactive changes in response to the sea change in how data privacy is valued and regulated. This could help protect a wider range of consumers. For example, recent updates to Apple’s iOS mobile operating system gave users more control over the data they share with third-party apps, while Google plans to make Privacy Sandbox widely available in 2023. This new feature aims to keep the benefits that businesses receive from third-party cookies without including individual tracking.
In this new system, consumers’ data will not leave their browsers. Instead of being identified as a specific person on the websites they visit, they will be matched to interest profiles based on the topics they explore. By the end of 2024, Google plans to phasing out third-party cookies in the popular Chrome browser.
The changes could make it harder for marketers to track the effectiveness of their ads. They could also hurt businesses that rely on targeted advertising. A recent study by researchers including Professors Kellogg, Anna Tuchman and Nils Wernerfelt, finds that the average cost of acquiring a new customer could increase by 37% over current costs, with smaller businesses disproportionately affected.
And because Google already owns so much of the online advertising space, the changes open up a broader discussion about the company’s market power, Aridor says. For this purpose, Google works with the UK Competition and Markets Authority to address potential antitrust concerns.
“The big controversy is that Google already owns a lot of the advertising space, so that could make it pretty much the only player in town,” he says. “Maybe we get potentially better privacy protections for consumers, but will the anticompetitive effects make consumers worse off in other dimensions?”
What the changes mean for consumers
Previously, if consumers wanted to carefully protect their privacy, they had to be savvy enough to delete their cookies or cache, which remembers parts of web pages. They may also install browser extensions to prevent their identity from being automatically tracked across different websites.
Soon, Aridor says, default settings will better protect consumer privacy, which is especially useful for pragmatic and casual users, as well as people who are less tech-savvy.
“If your main concern is that your personal history is going to be leaked online, we’re moving towards a world where that would be less likely to happen,” he says.
Even with all of these additional protections in mind, more privacy-conscious consumers may still want to install third-party tools that detail how each site is tracking them. And they’ll also want to keep an eye on the ways big platforms continue to make trade-offs between respecting users’ privacy and collecting their data. For example, Google Chrome recently delayed the introduction of planned changes to ad blocking, following backlash from privacy advocates.
“There will be a transition period,” says Aridor. “It is difficult to predict what the consequences of the balance will be. But at least on the privacy side, things should be better.”
