With cookies already under tighter controls in the U.K. and the European Union, and the near-certainty of some sort of U.S. Congressional hearings, retailers should be making new customer-tracking plans—plans that don't include cookies.
The uproar has had the usual results, thus far including a class-action lawsuit, a proposed Federal Trade Commission investigation and a probe by the U.K.'s Information Commissioner's Office. All that is happening in the context of Google's plans to merge the data it has collected on each user on March 1, which already had privacy proponents complaining.
But it's cookies that get most of the privacy attention. Lawmakers and regulators are skittish about any broad ban on the collection of data about customers, because the government types know that would make modern retailing almost impossible and cripple many other types of businesses. But cookies are specific and something that Web browsers are already supposed to be able to block. They make an easy target.
The lawsuit said that a Facebook engineer, Gregg Stefancik, confirmed the problem after a security researcher reported it. The lawsuit quotes him as saying there was a bug where the cookie data "was not cleared on logout."
All of which should spell the death of cookies in E-Commerce. Yes, they're an easy way to track customers as they wander through your Web site and to collect CRM data along the way. But as they're increasingly regulated, cookies will become less and less useful to retailers, because there will be fewer things you can do with them—and increasing numbers of customers who can actually block them.
What may be just as problematic is the fact that cookies can no longer give a retailer a competitive advantage.What may be just as problematic is the fact that cookies can no longer give a retailer a competitive advantage. All your competitors use them, too, and in pretty much the same way you do.
Then there is the real downside. Right now, you know that you probably have at least a decade's worth of cookie-using code in your E-Commerce systems. What you don't know is what cookie-based tricks your developers (or third-party contractors) have used over that decade or so. Say there's a cookie crackdown, and you clean up all the sketchy cookie practices you know about. If there's old code in your system that sneaks a cookie in despite a customer's preferences, you'll eventually be caught, sued and investigated, probably in that order.
Ironically, there are several better ways to do what cookies currently do badly (because so many customers try to block them).
One is to track customers by way of their browsers and other characteristics of their computers or phones, but without putting a tracking cookie on the customer's machine. That requires more server power than simply using cookies. But it neatly sidesteps all existing cookie controls, because you're not putting anything on the user's machine or retrieving any data from it.
For example, a project by the Electronic Frontier Foundation has found that at least 80 percent of customers can be uniquely identified without cookies, just by using a handful of characteristics reported by the Web browser, including time zone, system fonts and browser plug-ins. That's 80 percent of all customers, not just the ones who aren't blocking cookies. That rises to almost 95 percent if the browser has Flash or Java enabled.
A second approach actually improves security for customers: doing every E-Commerce session using Secure HTTP, which creates an encrypted tunnel for the customer's transaction. That chews up more processor power, but it means no one (at least in theory) can hijack the customer's online shopping session or eavesdrop on product choices or payment information. Lots of E-tailers already use Secure HTTP at checkout time; extending it to your entire site means you just happen to gain the ability to track each customer.
Considering how willing most shoppers are to sign over large quantities of CRM data when they sign up for a loyalty program, that seems like a reasonable bet. And with loyalty programs getting more popular as tracking cookies come under more suspicion, that may be the easiest way of getting out from under the Cookie of Damocles.