If you’re using the Internet, you’re bound to run into pop-up messages from websites asking you how you feel about cookies. Not the edible kind that everyone likes, but the software kind that websites have been planting on your computer for years without your knowledge or consent.

Those messages were prompted in part by Europe’s GDPR (General Data Protection Regulation) and the California Consumer Privacy Act of 2018, which requires sites to notify you what personal information they’re collecting about you and what they might do with it. Since the laws went into effect, an increasing number of sites have been using the pop-ups to let people know that they use cookies and offering them a chance to stop the sale of their personal information.

At least they’re supposed to make that offer if they sell the data they collect. But some may not. Here’s a quick guide to understanding cookies and the sorts of pop-ups you might encounter, as well as what to do when you see one. (Hint: Don’t ignore them.)

What are website cookies?

Cookies are small text files that websites store on your computer to identify you uniquely. They have a variety of purposes, but a fundamental one is to make a site’s features work – for example, by keeping you logged in as you move from one page to another within a site, or by retaining items in your cart as you continue shopping. Other types of cookies measure how popular a site’s offerings are, and still others help the site and its advertisers make money.

Sites issue a number of “first-party” cookies to support their features and functions. But as targeted advertising has spread online, another type of cookie has become ubiquitous: “third-party” cookies that collect your data on behalf of a site other than the one you’re visiting.

Often called tracking cookies, they’re used by online advertising networks and data brokers to build profiles of what you do online – sometimes identifying you, sometimes grouping you anonymously with other users with similar characteristics.

The typical goal of this sort of data collection is to sell more goods and services, but the profiles have at times been used to offer goods and services to some consumers and not others – witness, for example, the settlements Facebook signed after civil rights groups accused the company of helping marketers target ads for housing, jobs and credit in a discriminatory way.

So what’s up with these pop-up messages?

According to the California attorney general’s office, California residents have a right to know what personal information businesses collect about you, to have that information deleted, and to insist that your personal data not be sold. In addition, the attorney general says, “you also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information.”

Consumers have been slow to exercise those rights. A survey by the Interactive Advertising Bureau last year found that only 1% to 5% of web users were telling sites not to sell their data.

The low rate may reflect Internet users’ desire not to disrupt the targeted advertising system that generates income for sites and supports many free services online. But it may also reflect confusion among consumers about what their options are, given the many different approaches that sites have taken to notify consumers about cookies and data tracking.

The first time you visit a website, you will often see a banner or other pop-up notice alerting you to the site’s use of cookies. Other sites may also post persistent links to their data policies somewhere on their home pages.

The most basic pop-up banner will say something along these lines: “This website uses cookies. By continuing to use this website, you consent to cookies being used.” Then it will have links to the site’s privacy policy and a button to click signalling your assent.

Even if you don’t agree, simply closing the banner is typically considered the same as giving consent. So if you are concerned about how your personal information will be used, follow the link to the company’s privacy policy. Bear in mind, though, that you don’t have the right to tell a site to stop collecting your data – you can only instruct it not to sell that information. And if it doesn’t meet the law’s definition of a data seller, it may not offer you any control at all over cookies.

Some sites’ pop-up notices do offer more granular control over the cookies planted on your device. For example, Yubico.com’s pop-up states, “By browsing this site without restricting the use of cookies, you consent to our and third party use of cookies as set out in our Cookie Notice.” But in addition to an “Accept All” button, it provides a “Preferences” link that takes you to a page where you disable some or all of the site’s inessential cookies.

Sites that offer you the option to manage preferences typically allow you to grant or deny permission for various types of cookies – for example, “functional” cookies, “performance” cookies, “analytical” cookies, “marketing” cookies or “targeting” cookies.

The types that raise the most immediate privacy issues are the ones involved in marketing or targeting, because they can be third-party cookies that track your behaviour across the Internet.

For sites that sell non-anonymised personal information to third parties, the pop-up notice should include a button or link that says, “Do Not Sell My Information”. California law requires data sellers to provide a “clear and conspicuous link” on their home pages to a web page that will allow you to block the sale of your information. For example, Tapatalk.com’s pop-up explains that California law allows consumers to opt out of the data sales, then offers two options: “Save and Exit” – presumably allowing the company to continue to sell your data – or “Do Not Sell My Info”.

A few notes of caution

A number of sites that let you manage your cookie preferences or bar the sale of your data make it hard to tell what limits you’re setting. They typically have sliders that you toggle on or off for each kind of cookie, but in many cases it’s not clear which position allows the cookies and which one blocks them.

Moving the slider to the right generally signals a “yes” to allow that type of cookie or to permit the sale of your personal information. When in doubt, look at the setting for “necessary” cookies, whose slider you won’t be able to move. That one will indicate which slider position signals “yes” to cookies or the sale of your data and which position signals “no”.

Some sites also will make you jump through a few extra hoops to stop the collection and sale of your data. One common practice is to point you to a site such as AboutCookies.org that explains how to set your browser to block cookies.

Another is to direct you to sites such as the Network Advertising Initiative and the Digital Advertising Alliance’s YourAdChoices page, which plant cookies on your device that opt you out of targeted ads from multiple sources. That technique stops working, however, as soon as you clear the cookies from your browser.

Other ways to block tracking cookies and data sales

Consumers may not be rushing to click on Do Not Sell links, but California’s data privacy law is just one factor affecting the sale of personal data online. Browsers are growing increasingly hostile to third-party cookies, leading a number of ad-industry analysts to say that targeted advertising is going the way of MySpace and the Palm Pilot.

Two of the most popular web browsers, Apple’s Safari and Mozilla’s Firefox, block tracking cookies by default, and Microsoft’s Edge browser is automatically set to block some of them. Google has said that its Chrome browser, the most widely used one on the market, will stop supporting third-party cookies in 2023. And even browsers that don’t block all third-party cookies by default can be easily adjusted to do so.

Another option is to equip your browser to send the sites you visit the “Do not sell my information” signal developed by the Global Privacy Control coalition. Two browsers – Brave and DuckDuckGo – send the signal by default, and the others can send it with the help of downloadable extensions. After some sites refused to recognise the signal, the attorney general’s office adopted a regulation in 2020 clearly requiring them to do so.

The expanded online privacy law that voters approved through Proposition 24 in 2020, the California Privacy Rights Act, goes one step further, barring companies from presenting a degraded or more expensive version of their site to browsers that send a Do Not Sell signal. That law takes effect on Jan 1, 2023. – Los Angeles Times/Tribune News Service