The Endangered Cookie

Once you’ve moved beyond the OREO Double Stuff phase, the cookies in your life are primarily little text files summoned by your browser. They’re placed, or called, by publishers’ or advertisers’ servers when those browsers visit their pages or contact their servers.

Cookies are very useful online advertising and e-commerce tools. They enable many of the things that make our industry special. Cookies permit publishers and advertisers to identify the type of users and assign certain characteristics to them. For example, cookies are used to remember how many times a user has seen certain ads (frequency capping). They’re used to remember user names or passwords (saves users from having to constantly reenter them). They’re used to remember personal preferences for content personalization (weather, stock portfolio, or favorite sports teams).

Cookies are also used by some e-commerce security systems to help verify certain browser software is what it says it is. They’re used by targeting and analytic systems to track, store, and communicate user behaviors (sports fan or business traveler).

The problem with cookies? Like Rodney Dangerfield, they get no respect.

When cookies are discussed, either inside or outside the industry, they’re often maligned or misunderstood. Many seem to think they have almost-supernatural powers. Cookies are blamed for a range of potential Internet ills: creating security holes; transmitting viruses; sharing user names or passwords with the wrong sites; inadvertently revealing personally identifiable information. They can’t, and don’t, do these things.

Unfortunately, cookies are now getting a new kind of attention, the kind of attention that threatens their very existence and usefulness. Some people want to kill the cookie. More accurately, they want to kill what they incorrectly believe the cookie can do.

I’m referring to HR 2929, otherwise known as the Spyware Act or the Bono Bill (its original sponsor is Rep. Mary Bono). Fred Wilson, one of the top East Coast venture capitalists, has a great blog entry on the proposed legislation. The bill, which recently passed the U.S. House Committee on Energy and Commerce by a 45-4 vote, could have serious and unintended consequences for cookies’ future viability.

The bill started with the best of intentions. It was designed to stop spyware purveyors, those who put active applications on users’ desktops, usually without users’ knowledge or consent. These applications are used to deliver pop-ups, “browser spam,” and other unwanted ads. Of course, it will take the user the better part of a month or two to figure out what happened and rid her machine of the unwanted application.

This is bad stuff. It deserves to be legislated away. Spyware and its purveyors hurt our industry.

In trying to kill spyware, the authors drafted a bill with language that questions the legality of using any code to capture and store user information, including most first- and third-party cookies employed in online advertising. Basically, the bill makes little distinction between bad cookies (such as spyware-type programs) and good cookies (such as ad-server code and legitimate adware).

Everyone working in online advertising, publishing, and e-commerce should educate himself about this bill and the issues underlying it. The bill may not go anywhere. Passing a House committee in a year when the entire country is focused on a presidential election and a war doesn’t mean it’s about to become law. Yet the very fact that using an important, general-interest technology like cookies can be put at risk so easily should give pause.

Reflect on how much you rely on that technology, how important it is to the industry, and how much we stand to lose if it disappears. Ad serving and ad measurement as we know them today would be placed in serious jeopardy. We don’t need this bump in the road just as we’re making real headway and real profits.

HR 2929 is more than a public policy issue. It’s a marketplace issue, too. Many companies that develop and maintain key elements of our infrastructure, from browsers to virus protection and firewalls, deploy applications that can’t differentiate between good and bad cookies. These applications have the potential to erode our ability to rely on an important, useful, and ultimately consumer-friendly technology that’s core to what we do. Let’s not wait until it’s too late to understand the issues and do something about them.

Educate yourself about cookies. Don’t hesitate to call out bad actors that misuse and abuse them. Help those outside the industry understand there are many uses of the technology that are useful, nonthreatening, and necessary for users who want a positive online experience.

Related reading