Cookies are one of my favorite things. Usually, this refers to the oatmeal raisin variety rather than those tiny bits of computer code that empower websites to remember a user’s login, keep items in a shopping cart and greet the user by name when she returns. Warm and fuzzy, right?
Sometimes, not so much. I once shopped for a friend on a website that she loves but is not my taste. So years later continuting to be served display ads from that website is irritating. Another friend tweeted that “it’s creepy” when a product she was reading about on one website appears later in a display ad on a different website. It seemed someone was spying on her. Uncanny! “Creepy” is a term borrowed from robotics to refer to a use of personal information that does not legally invade your privacy but is frightening because of the “stalker-like” appearance that a website knows everything about the user.
In 1890, another new technology was changing the media. Then as now, legal scholars were concerned that existing law would not protect consumers from the heretofore unheard of technology. In The Right to Privacy inspired by the invention of “instantaneous photographs”, Justices Samuel D. Warren and Louis D. Brandeis identified privacy as the right of an individual to be left alone. William Prosser further developed Invasion of Privacy into a set of four torts (legal remedy for an injury): False Light, Appropriation of Name or Likeness, Intrusion into Seclusion and Public Disclosure of Private Facts. The body of law that developed from Warren and Brandeis’ article served to protect privacy through the 20th Century until the proliferation of electronic information in the Internet age allowed websites to identify users without using their names or likenesses.
Today it is important to understand and take steps to control the personal information tracked by websites and online technology. Much of the technology is used to provide an internet visitor with a consistent experience across Internet Platforms. Here are descriptions of common types of technology websites use to track users:
- Cookie. A cookie is a small file containing a string of characters that is sent to a user’s computer when the user requests a website address. When that user later returns to the website, the cookie allows that site to recognize the user’s browser. Cookies are usually discarded when the person ends the session and closes the browser.
- Persistent Cookie. Cookies that include an expiration date will persist until the arrival of the expiration date, potentially long in the future. Cookies may store user preferences and other information. A user can reset her browser to refuse all cookies or to indicate when a cookie is being sent.
- Pixel Tag. A pixel tag, sometimes called a web beacon, is a tiny graphic file placed on a website, in an ad or within the body of an email for the purpose of tracking activity on websites, or notifying a sender when emails are opened or accessed, and often used in combination with cookies to connect an ad to an interested consumer.
- Server Log. Website servers automatically record the page requests made by visitors to the website in log files. Server logs typically record web requests, Internet Protocol addresses, browser type, browser language, the date and time of a request and one or more cookies that uniquely identify the user’s browser.
- IP Address. Computers connected to the Internet are assigned a unique number known as an Internet protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country from which a computer is connecting to the Internet. Depending on how a user connects to the internet, the IP Address may identify one computer or may change each time the user connects to the internet.
- Anonymous Identifier. An anonymous identifier is a random string of characters that is used for the same purposes as a cookie on platforms, including those for mobile devices, where cookie technology is not available.
While each of these technologies may be used for administrative purposes such as noting whether a user is a return visitor, remembering the user’s preferences or providing confirmation that the correct ad was served to a particular website to allow a publisher to correctly charge the advertiser for an ad the user clicked, the same technologies may also be used by third parties to quantify and predict consumer behavior. Aggregating non-personally identifiable information stored on user’s browsers allows third party ad servers to accurately predict when a user will purchase a particular product. These third parties use web beacons to find a likely buyer and scan her cookie and log file information to analyze the value of serving a particular ad to that user. Advertiser can then bid on the value of the ad to be served to the user.
Although the third party ad server cannot identify the human, it knows many details about the user’s browsing history and product preferences. That’s when things start to feel creepy. This practice is not an invasion of privacy recognized by Warren, Brandeis or Prosser, but it may be actionable as a deceptive practice under the Federal Trade Commission Act.