According to the California attorney general’s office, California residents have a right to know what personal information businesses collect about you, to have that information deleted, and to insist that your personal data not be sold. In addition, the attorney general says, “you also have the right to be notified, before or at the point businesses collect your personal information, of the types of personal information they are collecting and what they may do with that information.”
Consumers have been slow to exercise those rights. A survey by the Interactive Advertising Bureau last year found that only 1% to 5% of web users were telling sites not to sell their data.
The low rate may reflect internet users’ desire not to disrupt the targeted advertising system that generates income for sites and supports many free services online. But it may also reflect confusion among consumers about what their options are, given the many different approaches that sites have taken to notify consumers about cookies and data tracking.
The first time you visit a website, you will often see a banner or other pop-up notice alerting you to the site’s use of cookies. Other sites, including this one, may also post persistent links to their data policies somewhere on their home pages.
The most basic pop-up banner will say something along these lines: “This website uses cookies. By continuing to use this website, you consent to cookies being used.” Then it will have links to the site’s privacy policy and a button to click signaling your assent.
Even if you don’t agree, simply closing the banner is typically considered the same as giving consent. So if you are concerned about how your personal information will be used, follow the link to the company’s privacy policy. Bear in mind, though, that you don’t have the right to tell a site to stop collecting your data — you can only instruct it not to sell that information. And if it doesn’t meet the law’s definition of a data seller, it may not offer you any control at all over cookies.
Some sites’ pop-up notices do offer more granular control over the cookies planted on your device. For example, Yubico.com’s pop-up states, “By browsing this site without restricting the use of cookies, you consent to our and third party use of cookies as set out in our Cookie Notice.” But in addition to an “Accept All” button, it provides a “Preferences” link that takes you to a page where you disable some or all of the site’s inessential cookies.
Sites that offer you the option to manage preferences typically allow you to grant or deny permission for various types of cookies — for example, “functional” cookies, “performance” cookies, “analytical” cookies, “marketing” cookies or “targeting” cookies. The types that raise the most immediate privacy issues are the ones involved in marketing or targeting, because they can be third-party cookies that track your behavior across the internet.
For sites that sell non-anonymized personal information to third parties, the pop-up notice should include a button or link that says, “Do Not Sell My Information.” California law requires data sellers to provide a “clear and conspicuous link” on their home pages to a web page that will allow you to block the sale of your information. For example, Tapatalk.com’s pop-up explains that California law allows consumers to opt out of the data sales, then offers two options: “Save and Exit” — presumably allowing the company to continue to sell your data — or “Do Not Sell My Info.”