Bad Browsers: How cookie notifications are used online to create friction and influence user behavior
By Elizabeth Stoycheff, Associate Professor of Communication, Wayne State University
Website cookies are online surveillance tools, and the commercial and government entities that use them would prefer people not read those notifications too closely. People who do read the notifications carefully will find that they have the option to say no to some or all cookies.
The problem is, without careful attention those notifications become an annoyance and a subtle reminder that your online activity can be tracked. As a researcher who studies online surveillance, I have found that failing to read the notifications thoroughly can lead to negative emotions and affect what people do online.
How cookies work
Browser cookies are not new. They were developed in 1994 by a Netscape programmer in order to optimize browsing experiences by exchanging users’ data with specific websites. These small text files allowed websites to remember your passwords for easier logins and keep items in your virtual shopping cart for later purchases.
But over the past three decades, cookies have evolved to track users across websites and devices. This is how items in your Amazon shopping cart on your phone can be used to tailor the ads you see on Hulu and Twitter on your laptop. One study found that 35 of 50 popular websites use website cookies illegally.
European regulations require websites to receive your permission before using cookies. You can avoid this type of third-party tracking with website cookies by carefully reading platforms’ privacy policies and opting out of cookies, but people generally are not doing that.
One study found that, on average, internet users spend just 13 seconds reading a website’s terms of service statements before they consent to cookies and other outrageous terms, such as, as the study included, exchanging their first-born child for service on the platform. These terms-of-service provisions are cumbersome and intended to create friction.
Friction is a technique used to slow down internet users, either to maintain governmental control or reduce customer service loads. Autocratic governments that want to maintain control via state surveillance without jeopardizing their public legitimacy frequently use this technique. Friction involves building frustrating experiences into website and app design so that users who are trying to avoid monitoring or censorship become so inconvenienced that they ultimately give up.
How cookies affect you
My newest research sought to understand how website cookie notifications are used in the U.S. to create friction and influence user behavior. To do this research, I looked to the concept of mindless compliance, an idea made infamous by Yale psychologist Stanley Milgram. Milgram’s experiments – now considered a radical breach of research ethics – asked participants to administer electric shocks to fellow study takers in order to test obedience to authority.
Milgram’s research demonstrated that people often consent to a request by authority without first deliberating on whether it is the right thing to do. In a much more routine case, I suspected this is also what was happening with website cookies. I conducted a large, nationally representative experiment that presented users with a boilerplate browser cookie pop-up message, similar to one you may have encountered on your way to read this article.
I evaluated whether the cookie message triggered an emotional response – either anger or fear, which are both expected responses to online friction. And then I assessed how these cookie notifications influenced internet users’ willingness to express themselves online.
Online expression is central to democratic life, and various types of internet monitoring are known to suppress it.
The results showed that cookie notifications triggered strong feelings of anger and fear, suggesting that website cookies are no longer perceived as the helpful online tool they were designed to be. Instead, they are a hindrance to accessing information and making informed choices about one’s privacy permissions.
And, as suspected, cookie notifications also reduced people’s stated desire to express opinions, search for information and go against the status quo.
Legislation regulating cookie notifications like the EU’s General Data Protection Regulation and California Consumer Privacy Act were designed with the public in mind. But notification of online tracking is creating an unintentional boomerang effect.
Second, cookie permissions change regularly, and what data is being requested and how it will be used should be front and center.
And third, U.S. internet users should possess the right to be forgotten, or the right to remove online information about themselves that is harmful or not used for its original intent, including the data collected by tracking cookies. This is a provision granted in the General Data Protection Regulation but does not extend to U.S. internet users.
In the meantime, I recommend that people read the terms and conditions of cookie use and accept only what is necessary.