For years, consumers have noted the striking level of detail that marketers can glean from their online browsing habits. Search for a new pair of shoes or a tennis racket, and watch ads for the product follow you from one website to another for the next few days.
Periodically, data leaks or news stories explaining the comprehensive picture that companies can construct about an individual’s internet usage raise alarms about privacy. But most people have shrugged and accepted the status quo in exchange for convenience.
Soon, though, changes by businesses and governments will upend the current system of tracking internet users, says Guy Aridor, an assistant professor of marketing at the Kellogg School, who studies competition and regulatory issues in digital markets, focusing on the economic aspects of consumer data collection and dissemination.
“From a consumer standpoint, what that means going forward is that hopefully you’re going to have more transparency about what’s going on online,” says Aridor.
Aridor explains how tracking has developed, what regulators are doing to increase transparency, and how online data protections are set to improve for users.
How did we get here?
The current system of tracking internet users’ activities across the web—the ubiquitous “cookies”—arose as a hack to the first commercial browser, Netscape, in the 1990s. The earliest internet protocols had no way for websites to gather personal information or browsing histories, which limited functions like tracking what users put in a shopping cart or what movies they wanted to watch.
The upside of this hack was that the web became a lot less cumbersome to use. “Not all data tracking is necessarily bad,” Aridor points out. “If you go on Netflix and they’re able to track you over time, you get better movie recommendations.”
Over time, consumer attitudes toward such tracking clustered into three groups.
Fundamentalists object to data collection on principle and go out of their way to minimize the trail they leave online. Pragmatists care about harmful effects of tracking, such as data leaks or having uncomfortably personal internet habits made public, but they also see the upsides in terms of convenience and personalization. Unconcerned users are generally oblivious to the ways data is collected—and the privacy issues its collection raises.
While most consumers fall into the pragmatist group, the widespread collection and selling of data by third-party groups have raised objections from both fundamentalists and consumer-privacy advocates. Today, regulators, as well as some tech companies, are attempting to address these concerns.
“A lot of what’s going on in the privacy space now, both from federal regulation and from industry, is effectively trying to engineer a new privacy environment,” Aridor says. “The goal of those groups is to maintain elements of the old status quo—like that firms can profit off being able to track you online—while making it so that consumers have some control.”
How governments and tech companies have responded
Regulators have largely focused on protecting internet users’ privacy by giving consumers more insight into the data being collected.
The European Union’s GDPR, or general data protection regulation, which took effect in 2018, established individuals’ right to give consent to the collection and sale of their personal data. The GDPR also obligates companies tracking consumers to provide transparent and easily accessible information about how their data is used.
Other countries, including Canada, Israel, and Japan, have adopted GDPR-style legislation, as have some U.S. states: the California Consumer Privacy Act resembles the GDPR and recently added enforcement powers, while states such as Colorado, Connecticut, Utah, and Virginia have passed similar legislation that takes effect in 2023.
In some ways, GDPR-style laws put the onus on consumers to protect their own privacy and make informed decisions, Aridor says. They primarily help the fundamentalists and those already paying attention to online tracking but do less for the pragmatists and unconcerned users who spend little time weighing the trade-offs.
“Let’s say you go on a website like The New York Times,” Aridor says. “They tell you they use your data to collect analytics, send it to third-party advertisers, and improve your experience on the website. But to make a reasoned decision, you have to weigh the costs and the benefits of personalization, and it’s not very obvious what those are.”
Some major platforms are making proactive changes in response to the sea-change in how data privacy is valued and regulated. This could help protect a wider range of consumers. For example, recent updates to Apple’s iOS mobile operating system have given users more control over data shared with third-party apps, while Google plans to make its Privacy Sandbox widely available in 2023. This new feature aims to preserve the benefits that businesses receive from third-party cookies without including individual tracking.
In this new system, consumers’ data won’t leave their browsers. Rather than being identified as a specific person across the websites they visit, they will be matched to interest profiles based on the topics they explore. By the end of 2024, Google plans to phase out third-party cookies in its popular Chrome browser.
The changes could make it more difficult for marketers to track the effectiveness of their ads. They could also harm the businesses that rely on targeted advertising. A recent study by researchers including Kellogg professors Anna Tuchman and Nils Wernerfelt finds that the median cost of acquiring a new customer could go up 37 percent over current costs, with smaller businesses being disproportionately affected.
“If your main concern is that your personal history is going to be leaked to the internet, we’re moving toward a world where that should be less likely to happen.”
And because Google already owns so much of the advertising space online, the shifts are opening a broader debate about the company’s market power, Aridor says. To that end, Google has been working with the UK’s Competition and Markets Authority to address possible antitrust concerns.
“The big contention is that Google already owns a lot of the advertising space, so this could make them pretty much the only player in town,” he says. “Maybe we’re getting potentially better privacy protections for consumers, but are the anticompetitive effects going to make consumers worse off on other dimensions?”
What changes mean for consumers
Previously, if consumers wanted to carefully protect their privacy, they would have to be savvy enough to delete their cookies or their cache, which remembers parts of webpages. They might also install browser extensions to prevent their identity from being automatically tracked across different websites.
Soon, Aridor says, the default settings will better safeguard consumer privacy, which is especially helpful for the pragmatists and unconcerned users, as well as people who are less technologically sophisticated.
“If your main concern is that your personal history is going to be leaked to the internet, we’re moving toward a world where that should be less likely to happen,” he says.
Even given all these added protections, the most privacy-conscious consumers may still want to install third-party tools that detail how each website is tracking them. And they will also want to keep an eye on the ways major platforms continue to make trade-offs between respecting users’ privacy and collecting their data. For example, Google Chrome recently delayed the introduction of planned changes that would interfere with ad blockers, following a backlash from privacy advocates.
“There will be a transition period,” Aridor says. “It’s hard to predict what the equilibrium consequences are going to be. But at least on the privacy dimension, things should be better.”
Amy Merrick is a writer based in Chicago.