The Opt Out: When you should and shouldn’t accept a website’s cookies


You are more than a data point. The Opt Out is here to help you take your privacy back.

IT MAY SEEM as if websites suddenly started displaying banners telling us they were using cookies and asking if we were cool with it. Maybe you didn’t think too much about it—just clicked “accept all” and moved on. And maybe that’s what you’ve been doing ever since.

But you really should stop and think about it. We’ve been dealing with these notifications for almost five years now, and some folks still don’t know what it means to accept or reject all cookies, or even what those yummy-sounding files do. Tech companies don’t make it easy to understand either (perhaps on purpose). But consent isn’t really consent if we don’t know what we’re saying yes to.

Cookies 101

It’s right there in the Cheers theme song: Sometimes you want to go where everybody knows your name. And if the internet were your friendly neighborhood bar, having folks greet you and hand you your favorite drink before you order would be possible only with cookies.  

These small text files are generated on websites and saved in your browser. When you return to a site, the page will retrieve the relevant cookies from your computer to provide a more seamless experience—your preferences will be the same as the last time you were there, the weather information will match your location, and the shoes you were not so sure about two nights ago will still be waiting in your virtual shopping cart. These cookies, also known as HTTP or first-party cookies, are incredibly convenient, and since they’re typically a data transaction between you and the website you’re visiting, they’re mostly harmless (unless a hacker intercepts them via an unsecured website or public WiFi network, but that’s rare).

Cookies in general get a bad rap because of one type: third-party cookies. These are usually generated not by the website you’re visiting but by the advertising networks and data brokers working within that site. These cookies are designed to gather marketable information about you (what you like, what catches your eye, what ads you click on) that can be used to sell you stuff. This data can also be sold to other actors, potentially with nefarious results. “That’s part of the magic of big data,” says Carissa Véliz, author of the book Privacy is Power. “It draws out inferences that we would’ve never guessed. So it’s very hard to predict what the consequences are for sharing that personal data.”  

What’s worse is that third-party cookies can track you across the internet. Let’s say you are a stylish baseball fan with a weakness for high-quality perfume. So you wake up, and the first thing you do is go to your favorite sports website to check the scores of yesterday’s games. Two hours later, while on a break between meetings, you browse a perfume blog to read a review. What you don’t know is that the ads on the sports website were managed by the same company that showed you ads on the blog, so now the advertising network knows you’re willing to splurge on a nice woody scent and also good seats for the next Mets game. Because advertising networks work with countless websites, those third-party cookies keep adding up, feeding more data to advertisers and their clients.
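The first-party versus third-party distinction described above can be checked from the Set-Cookie headers a browser receives while loading a page. The following is an added example, not part of the original article: it classifies each cookie, records whether it carries the Secure attribute (cookies without it can travel over unencrypted connections), and lists third-party sites that set cookies on more than one site you visited. The hostnames, cookie values, and the record format are constructed assumptions, and "site" is approximated as the last two hostname labels.

```javascript
// Added illustration; hostnames and cookie values are constructed samples.
// Assumption: "site" = last two hostname labels. Real browsers use the
// Public Suffix List, so this shortcut is wrong for suffixes such as co.uk.
const siteOf = (url) => new URL(url).hostname.split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into its name and selected attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const flags = new Map(attrs.map((a) => {
    const [k, v = ''] = a.split('=');
    return [k.toLowerCase(), v];
  }));
  return { name, secure: flags.has('secure'), sameSite: flags.get('samesite') || null };
}

// Classify every cookie set during a page load as first- or third-party.
function auditCookies(records) {
  return records.map(({ page, request, setCookie }) => ({
    ...parseSetCookie(setCookie),
    pageSite: siteOf(page),
    cookieSite: siteOf(request),
    party: siteOf(page) === siteOf(request) ? 'first' : 'third',
  }));
}

// A third-party site that sets cookies on several page sites can link those visits.
function crossSiteTrackers(records) {
  const seen = new Map();
  for (const c of auditCookies(records)) {
    if (c.party !== 'third') continue;
    if (!seen.has(c.cookieSite)) seen.set(c.cookieSite, new Set());
    seen.get(c.cookieSite).add(c.pageSite);
  }
  return [...seen].filter(([, pages]) => pages.size > 1)
    .map(([tracker, pages]) => ({ tracker, pages: [...pages].sort() }));
}

// Constructed sample: a sports site and a perfume blog sharing one ad network.
const sampleRecords = [
  { page: 'https://www.sports.example/scores', request: 'https://www.sports.example/scores', setCookie: 'prefs=team-mets; Path=/; Secure; SameSite=Lax' },
  { page: 'https://www.sports.example/scores', request: 'https://ads.adnetwork.example/pixel', setCookie: 'uid=abc123; Path=/; Secure; SameSite=None' },
  { page: 'https://perfume-blog.example/review', request: 'https://ads.adnetwork.example/pixel', setCookie: 'uid=abc123; Path=/; Secure; SameSite=None' },
  { page: 'https://perfume-blog.example/review', request: 'http://perfume-blog.example/cart', setCookie: 'cart=42; Path=/' },
];
```

Run against the sample, crossSiteTrackers reports the ad network as present on both sites, and auditCookies shows the cart cookie as first-party but lacking Secure.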

When the European Parliament approved the General Data Protection Regulation (GDPR) in 2018, this bill teamed up with previous regulation to, in part, give EU citizens the right to be informed about a website’s use of any unnecessary cookies, consent to the tracking and use of their data, withdraw that consent whenever they want, and access platforms even after rejecting all cookies. What makes the GDPR different from earlier rules is that it protects EU citizens no matter where they are, where tech companies are headquartered, or where data is processed.  


Because there’s no way to determine if a user is an EU citizen, and running two versions of a website is hard and expensive, tech companies avoided million-dollar fines by adopting a “better safe than sorry” approach, which meant they started asking everyone for consent to use cookies on their websites. That resulted in everyone in the world getting a bit more control over their data online. But know this: Unless you’re an EU citizen, or some other privacy regulation applies to you (like the California Privacy Rights Act), you do not have the right to withdraw consent when it comes to tech companies or data brokers collecting and using your data. Jon Callas, director of public interest technology at the Electronic Frontier Foundation, says some companies, like Twitter and Apple, decided to make things easier for everyone by providing GDPR rights to all their users no matter their nationality. But those are the exceptions. In most cases, if you’ve consented to data collection, a company can use whatever it already has on you however it likes—no law allows you to demand the immediate and total deletion of that data just because you want to. 

You can, however, turn off the informational faucet and sever websites’ access to more of your data. 

The best cookies are the ones you choose

Start by clearing the cache on your browser. This will get rid of all the cookies currently stored on your device and will prompt websites to ask you about cookies again, giving you a chance for a semifresh start. The steps will be different depending on your browser, but you can check out our guide to clearing cookies and web history on all the major browsers. 

With a clean slate in your browser, you’ll want to be more selective when it comes to consenting to cookies in the future. When deciding whether to accept cookies, the fastest, easiest, and most secure answer is to always reject them all. Most of the time, you’ll have to dig into the pop-up banner’s options and find your way to the right button, but you can also use your browser’s settings to reject all cookies from all websites all the time.

You’ll notice most browsers will try to warn you against rejecting all cookies. This is not only because doing so will prevent them from serving you personalized ads and will make your online experience a little less streamlined. They warn you because some websites were built with cookies in mind, and rejecting them all may result in glitches or limited functionality. This is where you must gauge your personal situation and decide what level of risk you’re comfortable with. 

After you reject all cookies, most sites will still be fully functional, just slightly harder to use than you’re used to. You may have to set your preferences every time you visit a page, remember your username, and scroll down to the exact point where you left off reading that lengthy article at lunch. Maybe that sounds like a price you’re willing to pay to protect your data from malicious third parties, but it may also sound absolutely unbearable. Neither response is wrong—you just have to do what’s best for you.

If banning all cookies forever seems right for you, follow these steps:

  • On Chrome: Settings > Privacy and security > Cookies and other site data > check the box next to Block all cookies.
  • On Safari: Settings > Privacy > check the box next to Block all cookies.
  • On Firefox: Settings > Privacy & security > find Enhanced tracking protection > choose Custom > find Cookies > open the drop-down menu > All cookies.
  • On Microsoft Edge: Settings > Privacy, search, and services > find Tracking prevention > Strict.

Microsoft’s browser is different in that it doesn’t let you block all cookies, only “the majority” of them “from all sites.” This doesn’t give you a lot of control over or transparency about what cookies Edge is actually blocking—but this may just be its way to prevent some sites from breaking without them.

Not willing to live in a cookie-free world but still want to protect your data? You’ll likely need to take time to personalize your privacy settings whenever you visit a new website. There’s no one way to do this, as every website is different. But the main strategy is to reject anything that says “tracker,” “third-party,” “targeting,” or “social media” next to it. 

You’ll also have to beware of dark patterns—weaponized web design elements meant to sway your behavior one way or another, sometimes without you noticing. For example, placing a big, noticeable “accept all” button next to a tiny link in a noncontrasting color that says “reject all” is a dark pattern. These can be even more subtle, like when your only options are “accept all” or “edit preferences.” “It’s not giving you the choice of ‘yes’ versus ‘no’—they’re making you look for ‘no’ so you’re more likely to click ‘yes,’” says Callas. “Close” or “X” buttons may also be considered a dark pattern. Because these notifications act as a final hurdle between you and the content you’re interested in, it’s natural for you to click that “X” as soon as possible to get past the banner. But some sites might consider that consenting by omission. Callas says some websites are explicit about this, but others might not tell you what you’re actually doing when you close the disclosure notice without making a choice. That would not be considered proper consent under GDPR, but Callas says some might be willing to take the risk: “The websites are gaming the rules to get the most information out of you, because information is money.” 

Keep in mind that the GDPR forces companies to provide options only when there are unnecessary cookies involved. So if you stumble upon a page that is not explicitly asking for your consent, that’s because there’s nothing to consent to—only information about the site’s use of HTTP or first-party cookies.

As with most things in life, there’s no right or wrong answer to the cookie dilemma. If you find value in targeted ads and are OK with companies potentially abusing the data they collect, you can accept all cookies forever. But there is certainly a middle ground where it’s possible to enjoy a streamlined experience online and still keep your data out of the reach of bad actors. Tech companies don’t make it easy (privacy policies are somehow both dense and vague, Véliz says), which makes us wonder if the GDPR-given right to consent is real and not an illusion. Whichever the case, one thing is still true: Those cookie notifications can be annoying, but they sure are better than nothing.



Sandra Gutierrez G.

Associate DIY Editor

Sandra Gutierrez is the former Associate DIY editor at Popular Science. She makes a living by turning those “Wait, I can make that!” moments she has while browsing the internet into fully-fledged stories—and she loves that. A native from Santiago de Chile who will never get used to the Northeastern cold, Sandra moved to Brooklyn three years ago, where she paints, draws, drinks green tea, and lives with her 11-year-old beagle Lucas.