Listen to Klaus Miller on the Economic Consequences of Online Tracking Restrictions on the "Up Next podcast", named the best marketing podcast in the US in Adweek:
Tracking on the web often has negative connotations, but depending on the circumstances, it can be useful. For example, as I'm based in Paris, my browser uses cookies to show me the weather there rather than the rain in London. If I put something in an online shopping cart but shut my computer down without making the purchase, cookies might pass information to advertisers, so the next time I log on, I see adverts for the same product. This same information is picked up by the retailers, who can use it – profitably – to understand their customers’ preferences.
One of the benefits of digital marketing for retailers is the ability to follow and ‘track’ their customers’ online lives, to arm themselves with information that they can use to tailor their offerings and market the right product to the right customer. This way, adverts for a particular product are directed at those customers who are most likely to buy.
One way to retain information about your customer base is to make them log in, but customers often find this annoying. If retailers don’t want to insist on logins, they can follow users through their sites with tracking cookies. These are small text files that collect information about a user's online behavior and essentially provide the browser with a memory that is retained between sessions.
Privacy versus profitability
For consumers, the small conveniences of cookies come with one important disadvantage: a loss of privacy. You have probably experienced making a purchase online and finding that every site you visit offers you an ad for the same item. Many feel that they are being spied on, and some even report finding it ‘creepy’ that a website can show them ads based on their behavior on other sites.
On the retailers’ side, however, the more information they can garner about their customers’ likes and dislikes, the more they can tailor ads accordingly, and, over time, the more they are likely to benefit from those customers’ purchases.
Enter regulation
Policymakers have become increasingly concerned about Internet users’ desire and need for more privacy and have, therefore, begun to regulate how companies use cookies and other tracking devices. Until now, however, such regulation has mainly focused on consent. For example, under GDPR – the European Union’s General Data Protection Regulations, which came into force in 2018 – a company may only install cookies in a user’s browser if that user explicitly clicks a box to allow it.
Cookies come in two main 'flavors,' known as first- and third-party cookies. First-party cookies are installed by, and operate within, the website a user is visiting. Third-party cookies are installed by external sites and can ‘follow’ users around different websites and apps. Worries about privacy and efforts to limit or control cookie use generally focus on third-party cookies.
A right to be forgotten
Nothing in the current GDPR rules or elsewhere mandates how long a company may hang onto the data stored in one of its tracking cookies. This lack of rules limits the protection of users’ privacy, and seemingly goes against another of the principles established in GDPR: the so-called ‘right to be forgotten’. This provision gives individuals the right, in some circumstances, to have personal data on the Internet removed so they can no longer be traced.
Not surprisingly, regulators are beginning to explore how to restrict how long a company may hang onto the data stored in a cookie: in other words, what the maximum lifespan of a cookie should be. There are plans for this to be regulated at the European level, but EU member states have different opinions about what this limit should be. Some have already imposed their own limits, ranging from six months in France to 24 in Spain.
Restricting cookie lifetimes: what is the cost?
Advertising companies are already anxious about the costs of increasing regulation, which the Interactive Advertising Bureau has referred to as ‘the single biggest change to the advertising ecosystem.’ This concern provided us with the starting point and impetus for our study of the value of cookies and the monetary costs of restricting their lifetimes.
Many users delete cookies rapidly within months, which provides a proxy for the lower bound of cookie lifetime.
Cookies are ‘born’ when a user clicks to give consent to data storage, and they ‘die’ either at a set cutoff time or when users delete them. We began by surveying websites to see how long, in practice, the cookies stored there actually persisted. The longest-lived were those few set to a technical maximum that can be as long as 9,999 years: into a far future that no one can envisage. At the other end of the scale, many users delete cookies rapidly within a matter of months, and this end provides a proxy for the lower bound of cookie lifetime.
Restricting the cookie’s lifespan wouldn’t critically affect its value
One important thing we found from our large sample of cookies was that the ‘average’ cookie lives for less than a year: specifically, for about 280 days. So, the restrictions that the EU is talking about – the 12-month and 24-month limits – wouldn’t affect most cookies at all, as they would be deleted by users before their cutoff date.
The economics of restricting cookie lifetime is dominated by long-lived and high-value cookies, but these are very much in the minority. Our simulation suggests that restricting the lifetime of all cookies to two years would reduce their overall value by about 5%, and restricting it to one year would reduce it by about 9%. This latter value would put a dent in retailers’ yearly online ad profit of over €10 billion in the EU, but not an insurmountable one: if divided between all European citizens who we estimate are exposed to those ads, it would come out as about €2 each.
What consequences for the publishers?
This cost might be small, but someone will have to pay it, and it is unlikely to be individual customers. It is possible that governments could pay, but it is more likely that this will fall on the cookies’ publishers. This possibility raises the question of whether they will pass the cost on to their customers as reductions in services. Will e-newspaper readers, for example, pay for increased privacy by losing content behind paywalls? Or will some low-circulation publishers leave the market, leading to market concentration and perhaps less variety? We suggest that these options need careful consideration before more regulation kicks in.
Our research is relevant to all online retail, and it’s important that policymakers in this field consider our findings.
