Never Mind Google's Crumbling Cookies, It's Retailers Who Are At Risk

In the wake of Google's latest privacy fiasco, is it time to give up on cookies? Last Friday (Feb. 17), a Stanford University researcher reported that Google and three other advertising companies use cookies on Apple's Safari Web browser even when it's set to block cookies. The backlash has increased scrutiny on how Google uses cookies—but any new regulations will affect cookie-using E-tailers, too. That same day—coincidentally—Facebook was sued for its own cookie mishaps.

With cookies already under tighter controls in the U.K. and the European Union, and the near-certainty of some sort of U.S. Congressional hearings, retailers should be making new customer-tracking plans—plans that don't include cookies.

The Stanford research, by grad student Jonathan Mayer, called out Google, Vibrant Media, Media Innovation Group and PointRoll as having circumvented Safari's cookie policy, which by default blocks third-party cookies. Within days, Microsoft also accused Google of sneaking cookies past the defenses of Internet Explorer. (That finger-pointing is a little harder for Microsoft to support, because Amazon and at least 11,000 other sites have also used the same trick on IE—a trick that, according to Google, was originally recommended by Microsoft to work around an IE bug.)

The uproar has had the usual results, thus far including a class-action lawsuit, a proposed Federal Trade Commission investigation and a probe by the U.K.'s Information Commissioner's Office. All that is happening in the context of Google's plans to merge the data it has collected on each user on March 1, which already had privacy proponents complaining.

But it's cookies that get most of the privacy attention. Lawmakers and regulators are skittish about any broad ban on the collection of data about customers, because the government types know that would make modern retailing almost impossible and cripple many other types of businesses. But cookies are specific and something that Web browsers are already supposed to be able to block. They make an easy target.

And because almost all online retailers use cookies to track customers, any real results from a Google backlash will require retailers to make changes in the way they use cookies. Cookie regulation is already in place in Europe, and it is written so that it's illegal to place most cookies on a European customer's PC without an explicit, informed opt-in.

The Facebook lawsuit, filed in a California federal court, accuses Facebook of using its cookies to track the Internet activity of consumers after they have logged out of Facebook, even though its terms of use promise it wouldn't.

The lawsuit said that a Facebook engineer, Gregg Stefancik, confirmed the problem after a security researcher reported it. The lawsuit quotes him as saying there was a bug where the cookie data "was not cleared on logout."

All of which should spell the death of cookies in E-Commerce. Yes, they're an easy way to track customers as they wander through your Web site and to collect CRM data along the way. But as they're increasingly regulated, cookies will become less and less useful to retailers, because there will be fewer things you can do with them—and increasing numbers of customers who can actually block them.

What may be just as problematic is the fact that cookies can no longer give a retailer a competitive advantage.What may be just as problematic is the fact that cookies can no longer give a retailer a competitive advantage. All your competitors use them, too, and in pretty much the same way you do.

Then there is the real downside. Right now, you know that you probably have at least a decade's worth of cookie-using code in your E-Commerce systems. What you don't know is what cookie-based tricks your developers (or third-party contractors) have used over that decade or so. Say there's a cookie crackdown, and you clean up all the sketchy cookie practices you know about. If there's old code in your system that sneaks a cookie in despite a customer's preferences, you'll eventually be caught, sued and investigated, probably in that order.

Ironically, there are several better ways to do what cookies currently do badly (because so many customers try to block them).

One is to track customers by way of their browsers and other characteristics of their computers or phones, but without putting a tracking cookie on the customer's machine. That requires more server power than simply using cookies. But it neatly sidesteps all existing cookie controls, because you're not putting anything on the user's machine or retrieving any data from it.

For example, a project by the Electronic Frontier Foundation has found that at least 80 percent of customers can be uniquely identified without cookies, just by using a handful of characteristics reported by the Web browser, including time zone, system fonts and browser plug-ins. That's 80 percent of all customers, not just the ones who aren't blocking cookies. That rises to almost 95 percent if the browser has Flash or Java enabled.

A second approach actually improves security for customers: doing every E-Commerce session using Secure HTTP, which creates an encrypted tunnel for the customer's transaction. That chews up more processor power, but it means no one (at least in theory) can hijack the customer's online shopping session or eavesdrop on product choices or payment information. Lots of E-tailers already use Secure HTTP at checkout time; extending it to your entire site means you just happen to gain the ability to track each customer.

Then there's a third approach: Just ask customers to identify themselves when they arrive at your E-Commerce site. Offer a carrot, such as special offers for customers who sign in or allow you to use cookies or other Web-tracking technology. If they say no, they can still shop—they just don't get the bargains. If you already have a brick-and-mortar loyalty program, maybe that just means adding a box for the customer to type in that number, rather than requiring a user ID and password.

Considering how willing most shoppers are to sign over large quantities of CRM data when they sign up for a loyalty program, that seems like a reasonable bet. And with loyalty programs getting more popular as tracking cookies come under more suspicion, that may be the easiest way of getting out from under the Cookie of Damocles.