Cookie Banners — a Case of Stubborn Minorities without Skin in the Game?

  • data protection is super-mega important
  • you just have to respect users’ privacy “choices”
The twisted path to privacy

Who would really accept retargeting?

Let’s take retargeting specialist Criteo as an example. Criteo’s performance depends on the ability to tie interactions to the same individual. To do that, Criteo requires its clients to run the Criteo tracker on their websites. When an “unknown” (cookie-less) user visits the website, that tracker first pings a dozen ad servers to perform so-called “cookie matching”. That way, Criteo checks whether this user is already known from another website, so it can use that cookie instead of having to start from zero. The tracker also informs Criteo about what a user does on that website, e.g. whether she bought something and how much she spent. To recognize the same user on a different device or browser, and to “revive” users who have deleted their cookies, websites are also asked to send a hash of the user’s email to Criteo as soon as that email is known (e.g. after a login).
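An added example (not from the original article and not Criteo's code): a privacy reviewer can check whether a site hands a hashed email to third parties by logging in with a test account and searching the captured request URLs for digests of that address. The normalization (trim, lower-case), the three candidate hash algorithms, and all hosts, parameter names and URLs below are assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl

ALGORITHMS = ("md5", "sha1", "sha256")  # assumed candidates; the article names no algorithm


def email_digests(email):
    """Hex digests of the normalized address (assumed: trimmed, lower-cased)."""
    normalized = email.strip().lower().encode("utf-8")
    return {alg: hashlib.new(alg, normalized).hexdigest() for alg in ALGORITHMS}


def find_hashed_email_leaks(request_urls, email, first_party_host):
    """Return (host, parameter, algorithm) for every third-party request whose
    query string carries a digest of `email`."""
    by_digest = {digest: alg for alg, digest in email_digests(email).items()}
    leaks = []
    for url in request_urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host == first_party_host or host.endswith("." + first_party_host):
            continue  # the site's own backend may legitimately see the login
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            alg = by_digest.get(value.lower())
            if alg:
                leaks.append((host, name, alg))
    return leaks


# Constructed sample: requests captured after logging in with a test account.
TEST_EMAIL = "Test.User@shop.example"
digests = email_digests(TEST_EMAIL)
SAMPLE_REQUESTS = [
    "https://www.shop.example/account?welcome=1",
    f"https://tracker.example/event?a=123&e=login&m={digests['sha256']}",
    f"https://sync.adserver.example/match?uid=abc&em={digests['md5'].upper()}",
    "https://cdn.example/lib.js?v=4",
    f"https://www.shop.example/api/session?h={digests['sha256']}",
]

if __name__ == "__main__":
    for host, param, alg in find_hashed_email_leaks(SAMPLE_REQUESTS, TEST_EMAIL, "shop.example"):
        print(f"{host}: parameter '{param}' carries the {alg} digest of the test email")
```

The digest is identical on every device and is unaffected by deleting cookies, which is why it works as a join key rather than as anonymization. This check only inspects query strings; digests sent in request bodies or in re-encoded form need the same comparison applied there.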

When the Criteo employees are the only ones you can still track

If you explained the methods employed by Criteo & Co. to someone and then asked that person whether she is fine with these methods, that would be a truly ethical and transparent privacy choice: The user can choose, and she understands what she chooses. And only the 2,800 Criteo employees, fearing for their jobs, would accept these methods engineered with such “great care to respect your privacy”.

Talkin’ ‘bout practice

Sorry, could not resist.

Big regulations can be handled by big players only

This can lead to a situation where a few tech-savvy players can afford to build tracking solutions and privacy controls that evade the common legal restrictions, while the little online shop short of budget and know-how may have to give up. The situation is comparable to that of small banks all over Europe. These banks have never engaged in the shady practices that led to the last financial crisis and a lot of additional regulations. This new “red tape” causes so much overhead that struggling small banks had to introduce unpopular measures like monthly fees (including my German bank). You could say that Facebook, Google, Amazon etc. are the big offenders in the world of data protection, and the regulations that were primarily introduced to control these giants end up making the giants even more powerful. But this is another topic. Back to the stubborn minorities.

The stubborn minority of data protection activists

Instead, this expensive legalistic exercise is performed for a stubborn minority, a term from Nassim Nicholas Taleb’s inspiring book “Skin in the Game — Hidden Asymmetries in Daily Life” [also see Taleb’s Medium story on the “dictatorship of the small minority”].

The “Law of the Stubborn Minority”

According to Taleb, the stubborn minority is a minority that values X so much that they won’t accept Y. At the same time, the majority prefers Y, but can live with X as well. The intransigent minority insists so strongly on X that the majority ends up going for X instead of Y. In Taleb’s words:

It suffices for an intransigent minority […] to reach a minutely small level, say three or four percent of the total population, for the entire population to have to submit to their preferences.

Examples of stubborn minorities

Even though “stubborn” and “intransigent” make these minorities sound like a bad thing, they can be harmless or even positive for the majority. See some examples, the first three from Taleb himself:

  1. 0.6% of U.S. citizens have a peanut allergy. The majority, however, can eat both peanut-less products (X) and products with peanuts (Y). But even though there are only a few peanut allergy sufferers, you will find notes on peanut traces everywhere.
  2. At meetings in most non-English-speaking countries, as soon as one participant speaks only English (X), everyone will switch to English.
    The majority can speak both their preferred native language (Y) and English — or rather its impoverished business variant with usually ear-wrenching pronunciation. So the English speaker will never have to learn another language, as everyone will obey his intolerant preference. And if he is a native speaker, he will be more likely to dominate even conversations abroad as his English is much better than everyone else’s.
  3. A halal eater will never eat non-halal meat (Y), but a non-halal eater can also eat halal (X). So for meat producers, it is easier to let all their animals painfully bleed to death, as that will usually be acceptable for the majority of consumers — even though the majority would prefer Y if given a choice.
  4. A data-conscious minority will refuse WhatsApp and only use Signal/Threema/Wire/etc. The majority prefers WhatsApp, but can use other messengers. The majority thus will end up installing WhatsApp + at least one other messenger.
  5. Even though only a small minority demands opt-in mechanisms like cookie banners, they are everywhere now. The majority prefers the net without cookie banners, but they can of course live with cookie banners.

When the stubborn minority brings benefits for all

We thus do have cases when the majority benefits from the stubborn minority. Even though cookie banners are annoying, the fight for data protection is a fight for a common good that should be in the interest of everyone, and the good part of GDPR is definitely that it has forced a lot of businesses to take a closer look at what they are tracking and storing.

Only skin in the game makes you fully credible

The last point I want to make is on “skin in the game”. For Nassim Taleb, someone needs to have skin in the game to be credible. Taleb has a high regard for practitioners, i.e. people who have to live with the consequences of their actions, who risk their skin by saying or doing something. On the other hand, Taleb does not think highly of what he calls “the Intellectual Yet Idiot”, which in our case would be activists demanding data protection from their pedestal without having to worry about practicability.

  1. You are hired to start E-Mail Marketing for a startup. You have a list of 50,000 emails of people who have ordered or registered in the past, but have not given opt-in to e-mails. Will you
    a) not send the newsletter to these 50,000 people, missing out on a lot of revenue that counts towards your goals?
    Or will you
    b) value privacy so much that you will spend years building up an email list with people who have done a fully compliant opt-in only?
  2. You, the Digital Analytics Expert, are incentivized by your contribution to revenue (e.g. by delivering data to Marketing tools that improve targeting). You discover a great case for using behavioural data from the website to trigger automated emails or text messages (e.g. users who have done X on the website should be sent an email with Y in it). However, your privacy policy does not cover this merging of data. So in theory, you would require explicit additional opt-in consent from your users to connect their supposedly anonymous web behaviour data to the non-anonymous e-mail marketing tool. Will you
    a) ignore that privacy policy and go ahead (maybe with some additional feel-good measures like making sure this practice makes it into the next update of your privacy policy)?
    Or will you
    b) miss this chance of proving your value and hitting your goals, instead lecturing the Head of Marketing that this is illegal?

Why data protectors rarely work for Google Ads

Some data protection activists are not bound by such daily challenges: They have little to no skin in their game. Publicly active data protectors rarely work for Digital Marketing companies. They may have jobs in academia or law, or may be consultants or developers. Although I hold all these jobs in high regard, it is easy to demand 100% privacy if you do not have a business to run.

Respect the true data protection practitioners!

But I have the utmost respect for those few who manage the daily grind between data protection on paper vs. practice. An IT Security Expert at a former employer was such a practitioner: She made sure data protection as it should be was heard, she made sure we did as much as was reasonably possible to not harm users’ privacy, she made sure some practices were clearly out of bounds (e.g. screen recording tools or sharing user emails with Facebook), but she was realist enough to understand that, in some cases, privacy had to either wait a bit or would require a compromise to avoid too much self-mutilation of the business.

  1. We should listen to data protection activists, even to those without skin in the game, because even an unrealistic “ideal state” can be good as a north-star type of guideline. Their work is important: they are a stubborn minority fighting for a common good, and they achieve improvements everyone benefits from. Cookie banners are the wrong result so far, but hopefully some day we will have a privacy regime that is globally enforceable and user-friendly at the same time.
  2. We should listen even more to data protection activists with skin in the game, i.e. people who have to implement privacy mechanisms and find the difficult path between privacy fundamentalism and practice every day. We should however challenge privacy activists without skin in the game on the practicability of their suggestions.



Lukas Oldenburg

Digital Analytics Expert. Owner of Creator of the Adobe Analytics Component Manager for Google Sheets: