Meg Jones is a Kluge Fellow as well as Associate Professor in the Communication, Culture & Technology program at Georgetown University where she researches rules and technological change with a focus on privacy, memory, innovation, and automation in digital information and computing technologies. “Ctrl+Z: The Right to be Forgotten,” Meg’s first book, is about the social, legal, and technical issues surrounding digital oblivion. She is now working on her second book project, “The Character of Consent: The History of Cookies and Future of Technology Policy.”
Sophia Zahner: Let’s begin with the main subject of your research – cookies. Can you briefly describe what cookies are, the development of cookies over the last twenty years, and how they work as part of a “performance of privacy?”
Meg Jones: Cookies have had an impressive run! A cookie is a string of data (e.g., GA1.2.1114295235435.LHEKQQPF) generated by a site you visit and sent to your browser, where it’s stored on your hard drive. When you visit the site again or click around the site, the browser automatically sends the cookie back to the server and tells the server what data to recall.
Because the cookie is meaningless to you, it’s considered an “opaque” memory system. It’s like taking a ticket at the dry cleaner so your clothes can be retrieved when you come back. This way, the dry cleaner doesn’t have to create an account for you or use your driver’s license number. Similarly, a website can remember you without requiring you to log in or recording your IP address, which were early alternatives to cookies. The cookie is how the web has remembered since the mid-1990s, when Netscape Navigator added the feature to its immensely popular browser.
Today, people everywhere dodge and weave around dozens of cookie consent boxes a day – on bad days, we just click whatever option to get past them. Cookie notifications, click-throughs, and pop-ups are a nuisance because they interfere with the user experience on sites and platforms, while simultaneously failing to provide meaningful protection. The current cookie consent system represents a political failure and a policy rut we’ve been stuck in for over twenty years.
Sophia Zahner: You mention your work is organized around different kinds of characters in the data collection world. Who are some of these characters and what are their roles in data collection?
Meg Jones: Instead of asking how we consent (or don’t consent) to cookies, I ask who consents to what and why. My project tells the history of digital consent through three characters that are central to the three areas of law that regulate cookies: the Data Subject from data protection law, the Anonymous User from communication privacy law, and the Privacy Consumer from consumer protection law. People can be treated as any of these characters, depending on how computers are regulated in their jurisdiction. Each has a really interesting story developed through different tech policy processes.
The Data Subject’s origin story begins in the early days of the global computer industry in the 1960s. Consent made little sense as a mechanism for protecting the Data Subject, given that most people would not see a computer in person (let alone enter their own personal data into one) for decades. At the time, computers were really only used for vital services like welfare services, insurance, and credit.
The Anonymous User is a character born of computer networks built on top of phone networks, built on top of telegraph and postal systems. Legacy communication privacy laws from those networks protected users mainly by requiring their consent to intercept or transmit information.
In contrast, the Privacy Consumer is remarkably young. Born in the 1990s to support the US push to dominate the commercial web, the Privacy Consumer is all about choosing the right service within consumer protection law.
Each character is at the heart of a law that governs cookies, and the confusion between them has led to a lot of mischief.
Sophia Zahner: You discuss the large differences between data privacy rules in Europe and in the United States. How did these differences originate and what are their implications today?
Meg Jones: The divergence in rules derives from a couple of important differences between Europe and the United States that are easy to spot when you pull the characters and laws apart. The European Union generally focuses on rules protecting the Data Subject, while the US protects users as Privacy Consumers. The Anonymous User, however, doesn’t get a lot of attention in either region these days.
In the late 20th century, when the US and European countries began to consider how they might become major players in the international tech industry (or at least not be at the mercy of IBM), they also began to consider what rules were necessary to govern computers. European countries created an entirely distinct body of data protection law that specifically addresses the power of computers in society, focusing on fair processing and control of data to protect the Data Subject. The Data Subject became so important that data protection now is its own fundamental right, distinct from privacy, under EU law. The US did not follow suit. As an American, I am not protected by law as a Data Subject.
While the EU’s protections focus on the Data Subject, the Privacy Consumer gets all of the spotlight in the US due to its focus on consumer protection law (rather than data protection law or communication privacy law) through the Federal Trade Commission in the 1990s. Today, this discrepancy of focus means the US and EU have a very hard time getting on the same page.
Sophia Zahner: Privacy policies can be incredibly difficult for the average consumer to understand, let alone respond to. How do you recommend we change privacy policies and structures of data protection, especially regarding cookies, to better protect consumers going forward? Which organizations are responsible for making these changes and protecting the consumer?
Meg Jones: Forget the privacy policies – they’re really just for lawyers.
There are really only two questions: Does the site collect and share information before explicit consent is given? And is it as easy to click “NO” as it is to click “YES?”
The first is the question of whether data collection is the default. The answer tells you about the values and priorities of the site operators and the policymakers in charge.
If there is no default, meaning users have to choose whether data is collected, we come to the second question. Is it easy to accept all cookies by clicking a big green button, but your only other option is to click a little “learn more” link that may or may not actually give you more choices once you’ve scrolled through enough material? Requiring more clicking and reading to opt out than it takes to opt in results in practically no choice at all.
Policymakers have a responsibility to set these terms. When the EU approved the General Data Protection Regulation (GDPR) in 2016, it changed the definition of consent for cookies. Cookies are actually regulated by European communication privacy law, the ePrivacy Directive, but that law takes its definition of consent from the GDPR. These laws together require explicit consent before cookies can be collected, so the default in Europe is opt-in. At the beginning of 2022, the French data protection agency reasserted this policy by fining Google and Facebook over 200 million euros for using a consent pop-up that was easier to accept than reject. France gave them three months to change it.
The US still promotes the stale opt-out standard outlawed in Europe. This maintains a system of surveillance capitalism that has benefited some US companies beyond anyone’s wildest dreams.
Sophia Zahner: Considering current concerns about data privacy related to apps like TikTok and Facebook, can the consumer do anything to protect their privacy in the current moment? If not, what does this mean for the internet user?
Meg Jones: As consumers, we have limited tools to protect our privacy. Our options are to ask for government regulation and to use apps, extensions, or hacks to help us be the best at consuming we can be. Self-help tools and privacy management demand an immense amount of work with uncertain payoffs, but doing that work when you can may help protect the privacy of yourself and others.
Although tons of brilliant people have generated ideas like privacy nutrition labels and the FTC has made incredible strides in creating consumer privacy law that suits the Privacy Consumer, it’s not enough. For instance, if you Google search how to turn on your Do Not Track setting in Google Chrome and navigate your way to Google’s Help page, it will inform you that most of the internet, including Google, will ignore your request not to be tracked.
Efforts like the Do Not Track setting don’t work without the force of law. I suggest that we stop fighting for consumer protection laws as Privacy Consumers and instead fight as Data Subjects and Anonymous Users by developing strong data protection and communication privacy law.
But even as Privacy Consumers, we can demand higher standards for consent. When Apple announced an iOS update that would require opt-in consent for each app to share data, Facebook took out full-page newspaper ads against the change. Facebook knew that very few people would opt into being tracked, so they would lose access to huge amounts of data from iPhone users. And that’s what happened. Almost everyone clicks, “Ask App Not to Track.” Real consent is an important tool for driving tech companies and policymakers to make bigger structural and institutional changes.