"I would like another cookie, please!"

Blind trust (and ignorance) in businesses who may be tracking your every move online

16 September 2016
By Lynette Ho, Assistant Manager, PwC Malaysia

Not all cookies are tasty treats. Some – like the kind that can track your every move online – can be nasty.

You may have heard that Niantic Labs, the maker of the overnight mobile game sensation Pokémon Go, is now facing several lawsuits.

The game’s privacy policy is indeed not user-friendly. If you logged in with your Google account, you’d have given the company access to your email, calendars, photos, stored documents on Google Drive (hope you didn’t upload a copy of your passport), camera, and location data.

If you were one of the 35 million who jumped on the game’s bandwagon, but weren’t aware of this until now (because you skipped reading the terms and conditions), then you should be afraid. Because Pokémon Go is probably not the first to get access to all of your sensitive information online.

There is a giant gap between the type of tracking that companies are engaged in on the web and what people know or think is occurring. The moment you’re connected to the Internet, your behaviour is being tracked and used to generate “profiles” which contribute to a multi-billion dollar advertising industry. In fact, a Wall Street Journal investigation found that some of the largest US websites use more than 100 tracking tools at a time. And 26.3% of your browser’s loading time when you access a website is actually spent responding to requests for your personal information.

How online tracking works

There are cookies (a very tiny, transparent image that’s embedded in webpages) that record your behaviour online. These are usually temporary, and can be deleted by the user to prevent further tracking.

And then there are ‘super cookies’, called flash cookies. They are designed to be permanently stored on your computers and mobile devices. They reinstall cookies that you have deleted.

Beacons track everything you do on a webpage (or app, or email), including what you type and where your mouse is being moved.

You may have also heard of application program interfaces (APIs), which are used in building software applications. This is what allows you to log into different websites using just your Google account, among other things. But it can also track things like your smartphone’s battery life, which – believe it or not – is enough to identify you online.

Why this could be an issue

There are more than 3 billion Internet users in the world, but that doesn’t mean nobody would be able to identify you.

Advertising now follows you around the Internet, which is known as ‘remarketing’ in the digital marketing community. Companies then use this information to decide what offers to show people, potentially leading to price discrimination. For example, online travel agency Orbitz marketed higher priced hotels to Mac computer users over PC users (as covered in an ABC News story). Their reasoning: Mac owners tend to have higher household incomes than PC users.

Obviously, this is not a fair consumer practice.

If you’re a business…

Be honest and respect your customers’ trust. In 2012, when UK newspaper The Guardian began to collect online customer data for advertising purposes, it released a video to clearly explain why it needed to do so. This has become a gold standard that online publishers should strive to emulate.

On the other side of the spectrum, American telecommunications provider Verizon was fined USD1.35 million when it used ‘super cookies’ to track its customers’ online behaviour. This data was then shared with other companies, without informing its customers beforehand or giving them the option to opt out. 

If you’re a consumer, what can you do?

  • Know your rights. Start by understanding Malaysia’s Personal Data Protection Act 2010. If you continuously receive promotional emails/calls despite having indicated otherwise, you can submit a complaint to the Malaysian Communications and Multimedia Commission (MCMC). 
  • Review the privacy policies of any app or online platform that requires a login. If you’re not familiar with the company, do not trust them with access to your personal data.
  • Use targeted advertising cookie opt-out plugins, like Google’s. This will automatically opt you out of any 3rd-party trackers that have an opt-out option, even where that option is hidden. Be aware that some companies do not offer opt-outs, and that some of them may interpret an opt-out to mean "do not show me targeted ads", rather than "do not track my behaviour online".

Imagine you were browsing online on your phone and noticed a stranger studying your screen over your shoulder - wouldn’t you be uncomfortable? Going online is like having Google, Facebook, or Twitter do the same thing. Just like how you’ll either move away or reprimand the spying stranger, be proactive in deciding who you trust with your data online.
