Cookie Banners — a Case of Stubborn Minorities without Skin in the Game?
Data protection is like #blacklivesmatter: In public, everyone jumps on the bandwagon. In practice, things look different.
If you ask any Marketer, Analytics Specialist or Marketing Solution Vendor about their stance on privacy, they will tell you that:
- data protection is super-mega important
- you just have to respect users’ privacy “choices”
[I put “choices” in quotation marks because only a lawyer with very dark sunglasses who has never left the tower of law can talk about “choices” and actually believe it is a “choice” when a user clicks “accept” while he is just trying to get rid of a cookie banner (Similarly, the “choice” not to change certain browser settings). This legalistic concept of choice is just as ridiculous as having to confirm that you have “read” (and sometimes even “understood”) the privacy policy / terms of service etc.]
Like #blacklivesmatter, one would be foolish to publicly say something against data protection. So there is a lot of lip service out there.
Who would really accept retargeting?
Let’s take retargeting specialist Criteo as an example. Criteo’s performance depends on the ability to tie interactions to the same individual. That is done by requiring their clients to run the Criteo tracker on their websites. When an “unknown” (cookie-less) user visits the website, that tracker first pings a dozen ad servers to perform a so-called “cookie matching”. That way Criteo checks whether this user is already known from another website, so they can use that cookie instead of having to start from zero. The tracker also informs Criteo about what a user does on that website, e.g. whether she bought something and how much she spent. To recognize the same user on a different device or browser, and to “revive” users who have deleted their cookies, websites are also asked to send a hash of the user’s email to Criteo as soon as that email is known (e.g. after a login).
I picked Criteo, as their tracker is a bit more aggressive than the average, but Criteo is not the only one. This practice is common. Facebook (which of course includes Instagram and WhatsApp) and Google employ similar methods, with the notable exception that those two “services” are even capable of turning the hash back into a real user identity due to their large user base: Everyone owns a Google/Instagram/WhatsApp account tied to a real email address or phone number, but only a few performance marketers have a Criteo account…😅
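To make the hashed-email mechanism described above concrete, here is an added example (not code from Criteo or from the original post) showing why an unsalted email hash is a stable pseudonym rather than anonymization. SHA-256, the trim/lowercase normalization, and all function names and sample addresses are assumptions constructed for illustration.

```python
import hashlib

def email_key(email: str) -> str:
    """Hash a trimmed, lowercased email (normalization and SHA-256 are assumed)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def site_report(log):
    """What a website sends after login: the hash plus the event, never the address."""
    return [(email_key(email), event) for email, event in log]

def join_events(*reports):
    """Receiver side: the same hash from different sites lands in one profile."""
    profiles = {}
    for report in reports:
        for key, event in report:
            profiles.setdefault(key, []).append(event)
    return profiles

def reidentify(profiles, known_accounts):
    """A party that already holds real addresses hashes them and looks up matches."""
    index = {email_key(addr): addr for addr in known_accounts}
    return {index[k]: events for k, events in profiles.items() if k in index}

# Constructed sample data: logins seen by two unrelated websites.
SHOP_LOG = [("Alice@Example.com ", "shop: bought shoes, 89 EUR")]
NEWS_LOG = [("alice@example.com", "news: read article on a phone"),
            ("bob@example.org", "news: subscribed")]

# Constructed account lists: a platform with a large user base vs. a small vendor.
BIG_PLATFORM = ["alice@example.com", "bob@example.org", "carol@example.net"]
SMALL_VENDOR = ["dave@example.com"]

if __name__ == "__main__":
    profiles = join_events(site_report(SHOP_LOG), site_report(NEWS_LOG))
    for key, events in profiles.items():
        print(key[:12], events)                # cross-site, cross-device profile
    print(reidentify(profiles, BIG_PLATFORM))  # hashes resolve to real addresses
    print(reidentify(profiles, SMALL_VENDOR))  # nothing resolves
```

For a privacy review, the takeaway is that a hashed email should be treated like the email itself: whoever holds a large enough list of real addresses can resolve it.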
The Criteo privacy policy is an example of this practice of lip service:
“We have developed our services and technologies taking great care to respect your privacy.”
When the Criteo employees are the only ones you can still track
If you explained the methods employed by Criteo & Co. to someone and then asked that person whether she is fine with these methods, that would be a truly ethical and transparent privacy choice: The user can choose, and she understands what she chooses. And only the 2,800 Criteo employees, fearing for their jobs, would accept these methods engineered with such “great care to respect your privacy”.
However, such a truly ethical (but impractical) choice would have consequences: You cannot track anyone anymore apart from the 2,800 Criteo employees. Not being able to track, of course, conflicts with a vital interest of all Digital Marketers — even when they all claim to be avid privacy activists.
Talkin’ ‘bout practice
So what happens in practice is that privacy “choices” become legalistic instead of ethical. The guideline businesses really try to follow is: “How can we pay lip service to privacy while at the same time trying to get as many bits of user data as legally possible?” This leads to an expensive legalistic exercise that ends up annoying the majority: oversimplifying or meaningless Cookie banners a.k.a. “Consent Managers” and complex privacy policies with long lists of cookies and their functions. This is all well-intentioned, but as impractical as it gets in terms of helping people “choose” their privacy preferences.
And this is just the outside impact (for internet users). Inside a company, this legalistic exercise means a large investment as well as delaying other projects that are important for the bottom line of the business. If data protection were truly and quickly enforceable, this would be ok because you could count on your competitor getting penalized heftily, and soon. But in practice, you can’t.
Big regulations can be handled by big players only
This can lead to a situation where a few tech-savvy players can afford to build tracking solutions and privacy controls that evade the common legal restrictions, while the little online shop short of budget and know-how may have to give up. The situation is comparable to that of small banks all over Europe. These banks have never engaged in the shady practices that led to the last financial crisis and a lot of additional regulations. This new “red tape” causes so much overhead that struggling small banks had to introduce unpopular measures like monthly fees (including my German bank). You could say that Facebook, Google, Amazon etc. are the big offenders in the world of data protection, and the regulations that were primarily introduced to control these giants end up making the giants even more powerful. But this is another topic. Back to the stubborn minorities.
The legalistic exercise of cookie banners & Co. is not done for the majority of users. That majority would be happier without cookie banners, and even if many of them claim that they do not want to be tracked, they do not care about it enough to delete WhatsApp or pay for an ad-free online newspaper.
The stubborn minority of data protection activists
Instead, this expensive legalistic exercise is performed for a stubborn minority, a term from Nassim Nicholas Taleb’s inspiring book “Skin in the Game — Hidden Asymmetries in Daily Life” [also see Taleb’s Medium story on the “dictatorship of the small minority”].
I recently borrowed this book from a well-respected fellow Analytics nerd. When we had lunch last week and I asked what could be examples of stubborn minorities in Digital Analytics, it struck me that both our first thoughts were: data protection!
The “Law of the Stubborn Minority”
According to Taleb, the stubborn minority is a minority that values X so much that they won’t accept Y. At the same time, the majority prefers Y, but can live with X as well. The intransigent minority insists so strongly on X that the majority ends up going for X instead of Y. In Taleb’s words:
It suffices for an intransigent minority […] to reach a minutely small level, say three or four percent of the total population, for the entire population to have to submit to their preferences.
Examples of stubborn minorities
Even though “stubborn” and “intransigent” make these minorities sound like a bad thing, they can be harmless or even positive for the majority. See some examples, the first three from Taleb himself:
- 0.6% of U.S. citizens have a peanut allergy. The majority however can eat both peanut-less products (X) and products with peanuts (Y). But even though there are only a few peanut allergy sufferers, you will find notes on peanut traces everywhere.
- At meetings in most non-English-speaking countries, as soon as one participant speaks only English (X), everyone will switch to English. The majority can speak both their preferred native language (Y) and English — or rather its impoverished business variant with usually ear-wrenching pronunciation. So the English speaker will never have to learn another language, as everyone will obey his intolerant preference. And if he is a native speaker, he will be more likely to dominate even conversations abroad as his English is much better than everyone else’s.
- A halal eater will never eat non-halal meat (Y), but a non-halal eater can also eat halal (X). So for meat producers, it is easier to let all their animals painfully bleed to death, as that will usually be acceptable for the majority of consumers — even though the majority would prefer Y if given a choice.
- A data-conscious minority will refuse WhatsApp and only use Signal/Threema/Wire/etc. The majority prefers WhatsApp, but can use other messengers. The majority thus will end up installing WhatsApp + at least one other messenger.
- Even though only a small minority demands opt-in mechanisms like cookie banners, they are everywhere now. The majority prefers the net without cookie banners, but they can of course live with cookie banners.
When the stubborn minority brings benefits for all
We thus do have cases when the majority benefits from the stubborn minority. Even though cookie banners are annoying, the fight for data protection is a fight for a common good that should be in the interest of everyone, and the good part of GDPR is definitely that it has forced a lot of businesses to take a closer look at what they are tracking and storing.
In surveys, majorities do express concern about online privacy. Nevertheless, in practice, they can’t wait to accept the next flurry of cookies. Their behaviour in practice shows their “revealed preferences”: Caring about privacy is only important as long as it does not conflict with existing routines, or as long as they ignore that data protection comes at a cost — the money earned with the current tracking methods has to be earned otherwise (e.g. by asking customers to pay for content).
Data protectors will say this contradictory behaviour stems from users not being educated enough about data protection (it is dangerous when others know better what is good for you), or that users just do not really have a choice if they want to live a somewhat efficient life (fair point in some cases).
So even though better data protection is a common good worth fighting for, cookie banners and Consent Managers everywhere are not what the majority wants. They are the product of a stubborn minority.
Only skin in the game makes you fully credible
The last point I want to make is on “skin in the game”. For Nassim Taleb, someone needs to have skin in the game to be credible. Taleb has a high regard for practitioners, i.e. people who have to live with the consequences of their actions, who risk their skin by saying or doing something. On the other hand, Taleb does not think highly of what he calls “the Intellectual Yet Idiot”, which in our case would be activists demanding data protection from their pedestal without having to worry about practicability.
Data protection activists in many cases are not the ones who have to solve the very, very complex daily conundrum of:
a) taking heed of privacy laws (and paying for their implementation) while
b) still hitting their revenue goals (or not going bankrupt), and
c) not giving their competitor a head-start by becoming too phenomenal at data protection.
Let’s look at two real examples:
- You are hired to start E-Mail Marketing for a startup. You have a list of 50,000 emails of people who have ordered or registered in the past, but have not given opt-in to e-mails. Will you
a) not send the newsletter to these 50,000 people, missing out on a lot of revenue that counts towards your goals?
Or will you
b) value privacy so much that you will spend years building up an email list with people who have done a fully compliant opt-in only?
- You, the Digital Analytics Expert, are incentivized by your contribution to revenue (e.g. by delivering data to Marketing tools that improve targeting). You discover a great case for using behavioural data from the website to trigger automated emails or text messages (e.g. users who have done X on the website should be sent an email with Y in it). However, your privacy policy does not cover this merging of data. So in theory, you would require explicit additional opt-in consent from your users to connect their supposedly anonymous web behaviour data to the non-anonymous e-mail marketing tool. Will you
a) ignore that privacy policy and go ahead (maybe with some additional feel-good measures like making sure this practice makes it into the next update of your privacy policy)?
Or will you
b) miss this chance of proving your value and hitting your goals, instead lecturing the Head of Marketing that this is illegal?
In both these real examples, you have a lot of skin in the game…
Why data protectors rarely work for Google Ads
Some data protection activists are not bound by such daily challenges: They have little to no skin in their game. Publicly active data protectors rarely work for Digital Marketing companies. They may have jobs in academia or law, or may be consultants or developers. Although I hold all these jobs in high regard, it is easy to demand 100% privacy if you do not have a business to run.
Respect the true data protection practitioners!
But I have the utmost respect for those few who manage the daily grind between data protection on paper vs. practice. An IT Security Expert at a former employer was such a practitioner: She made sure data protection as it should be was heard, she made sure we did as much as was reasonably possible to not harm users’ privacy, she made sure some practices were clearly out of bounds (e.g. screen recording tools or sharing user emails with Facebook), but she was realist enough to understand that, in some cases, privacy had to either wait a bit or would require a compromise to avoid too much self-mutilation of the business.
In summary:
- We should listen to data protection activists, even to those without skin in the game, because even an unrealistic “ideal state” can be good as a north-star-type of guideline. Their work is important: they are a stubborn minority fighting for a common good, and they achieve improvements everyone benefits from. Cookie banners are the wrong result so far, but hopefully some day we will have a privacy regime that is globally enforceable and user-friendly at the same time.
- We should listen even more to data protection activists with skin in the game, i.e. people who have to implement privacy mechanisms and find the difficult path between privacy fundamentalism and practice every day. We should however challenge privacy activists without skin in the game on the practicability of their suggestions.