The cookie conundrum: Complexity for publishers in the age of ecommerce and cybercrime rings

The cookie conundrum: Complexity for publishers in the age of ecommerce and cybercrime rings
featured image

This article originally appeared in Digital Content Next on December 3, 2018.

Media publishers in 2018 are at a historical juncture as they face new pressures from many directions. These pressures included competing content providers who provide a wider array of products to draw site users; readers with changing habits, expectations, and preferences; and a growing number of data privacy regulations that are forcing businesses, in general, to change how they operate.

Publishers in the increasingly diversified digital media landscape have had to revise their business models along with the introduction of paywalls, multi-tiered subscription packages, and merchandise. Not only are they content providers but full-blown ecommerce businesses, a change that comes with its own set of challenges.

Cookies and commerce

That fact is that, if a website accepts any form of payment, it is running an ecommerce platform. Actually, media companies are unique in that they can have three disparate revenue channels all tied to their digital environment: advertising/sponsorships, subscriptions and merchandise. More likely than not, these three channels are managed by various internal groups with different objectives. The absence of a single throat to choke for the digital environment at a time when the latter is under mounting cyberattacks and a growing number of data privacy regulations raise these companies’ exposure to a host of digital risks.

The most significant challenge is managing all the third parties and digital partners who help make the ecommerce websites’ user experience a success. That experience involves providing content to users based on their subscription level and enabling payment for subscriptions and—for a growing number of publishers—merchandise.

The problem is, most of these third parties, and the cookies they use to identify visitors/users, are unknown to publishers. On average, the cookies they drop into an ecommerce site can account for anywhere between 50-95% of all cookies on that site. Left unmonitored and unchecked by publishers’ digital policies, those largely unknown cookies can degrade the user experience by driving up latency, collecting information from unsuspecting users, or both.

Regulation ups the stakes

While latency might not break any laws, collecting information without users’ informed, specific consent violates a rising number of data privacy regulations. We have seen the impact of changes to the legislative landscape on publishers. Privacy laws such as the EU’s GDPR and the state of California’s Consumer Privacy Act have created an increasingly dangerous environment for data processors who fail to adhere to them.

In May of this year, after GDPR came into effect, large US based publishers such as The Chicago Tribune became unavailable to EU readers, due to the mismatch in privacy laws in the European Union, and the code operating on these sites. At the time of writing, the Tribune remains offline in the EUhighlighting how seriously even the largest publishers are taking the legislative changes we have witnessed this year. The proposal of a U.S. federal Consumer Data Privacy Act, which would jail CEOs for misleading regulators makes compliance even more urgent, especially for large companies.

The mood of publishers’ audiences is also changing. As the Cambridge Analytica scandal has proven, users of all types of platforms are increasingly aware and suspicious of how their own data is collected and used. The last year’s mega breaches such as Equifax have only escalated consumer wariness of the security and use of the data they willingly provide to publishers.

Bad actors

To further muddy the waters, we have seen the exponential growth of malicious campaigns targeting publishers. Increasingly sophisticated cybercrime groups such as Magecart, widely believed to be responsible for the British Airways breach, and, more recently, 3ve, are exploiting vulnerabilities around payment pages, capitalizing on digital advertising’s obscure processes, and targeting users of digital wallets.

As if all of this wasn’t enough, publishers also have to contend with upstream partners who process or use the data harvested on their platform whose consent management process, or lack thereof, could put publishers at risk of infringing data privacy laws.

Digital cookies are routinely dropped on with 65% of cookies collecting personal data, and 28% of cookies lasting longer than a year. While they allow publishers to provide a better experience for readership, it can also mean that they are in direct conflict with the latest data privacy laws.

Getting cookies right

Publishers can take proactive measures to stay compliant by ensuring that executives in charge of the various ecommerce revenue streams align their goals, objectives and policies in order to safeguard and enhance the user experience. Understanding the landscape of your digital ecosystem is essential. Make sure that you are monitoring your website for the code being run, and proactively question why it is running. Furthermore, the third parties running code, and the companies in their own supply chain who process data need to understand the players and activities in their own digital landscapes.

However, taking these steps are just the start. Publishers must also prove such measures are being taken. Therefore, publishers, their third-party partners and any other relevant parties should undertake rigorous audit trails to retain proof of regulatory compliance. This allows you to make the case for your overall legislative posture, if it is called into question.

In addition to this, there are industry organizations which aim to create a set of standardized compliance-related practices in order to create a more transparent culture around cookies. The International Advertising Bureau have attempted to deliver and enforce a framework via their CMP Validator. The AOP (Association for Online Publishing) UK has engaged in similar activities with their Cookie Consortium. Involvement of as many publishers and technology vendors as possible in these industry initiatives is crucial to the continued success of publishers and other players along the digital supply chain.

Why it matters

It’s important to establish that the running of cookies on web pages is a fundamental part of how the internet functions in 2018. It makes life significantly easier for both publishers hoping to keep users happy, even working to turn this hope into an actionable reality. It also benefits users hoping to access content, and marketers hoping to build a strategy.

However, they can only provide these useful functions if the organizations that use them do so with the appropriate regard for any regulations that govern them, as well as for the users whose data is stored in them. In fact, publishers stand to gain the most from the changing regulatory environment, which provides an opportunity to collaborate more closely with third parties and digital partners, and ultimately build customer trust by improving their user experience.