Companies utilize cookies, small pieces of data stored on a user’s device by a web browser, to gather information on marketing strategies, including personalized pricing based on consumer behavior, search interests, and location. While some online users do not mind giving out private information, some consider cookies a breach of privacy. Doreen Pick, Professor of Marketing and International Business from Merseburg University of Applied Sciences, gave a talk on the topic “Are Digital Cookies Bytes of Bliss or Bytes of Betrayal?” urging companies to engage in Corporate Digital Responsibility (CDR) and be transparent on how they extract personal data from consumers. In Europe, the General Data Protection Regulation (GDPR) law went into effect on May 25, 2018, indicating that all companies doing business have to follow the regulation. Article 12 of GDPR identified that anyone who processes personal data should inform the data subject about the facts and present the information in a concise, transparent, intelligible, and easily accessible form. Professor Pick said that in contrast to Europe, some countries lack specific regulations for cookies, leading to varied unethical approaches by online platforms. These are some reasons some countries still lack cookies regulation:

• Some companies may perceive cookie regulations as unnecessary or disadvantageous.
• Governments may not see the benefits of strict regulations, considering potential negative effects on the economy.
• Privacy regulation may be less strict due to consumer apathy or a willingness to trade privacy for convenience or incentives.

Professor Pick gave an example of Lazada Thailand that has no pop-ups or banner cookies consent banner. Instead, consumers have to find the cookie information in another section where online users have to go through pages of the privacy policy without asking for online user consent. Despite low trust and concerns about digital privacy, consumers often accept cookies due to perceived benefits. Consumers accept the breach of privacy as they want to gain website access or are lured by the promise of incentives from the companies. According to Professor Pick, regulation may also be lax in some countries due to the consumer’s attitudes and perceptions:

• Consumers have no or less interest in their online privacy.
• Consumers have an interest in digital privacy, but they weigh up the costs (times and benefits), convenience individual offers, and financial incentives for data sharing in loyalty programs.
• Consumers believe that they have nothing to hide.

She cited her research in Thailand, in which 33.4 percent of people answered that they are “fine with sharing the most basic information so online companies can deliver their shopping items,” and another 32.02 percent said they are “fine with sharing information if it helps the platform to suggest items they like.” Professor Pick said that web users fall into privacy paradoxes when they value privacy outwardly but disregard it privately. Despite the privacy paradox, Professor Pick said that companies participate in CDR due to the awareness of the negative and positive impact of following regulations and the general perception of corporations responsible for business activities. “It is ethical to inform users about data collection and have a consent option for them,” she said. Currently, there are three main types of cookie settings: no option with a confirmation-only button, binary (accept/decline), and checkboxes with options for preferences, statistics, and marketing information. However, dark patterns, including digital nudging and misdirection, may be employed to manipulate user consent, contrary to GDPR regulations. The tricky setups include putting consent pop-ups repetitively and banners in large sizes or different colors so that users have no choice but to click accept on the cookie settings. Professor Pick said that companies respond to legal requirements by adhering to country-specific regulations or adopting the strictest rules across all countries. However, setting country-specific regulations can lead to different information approaches that may be unfair to the consumers. For example, Zara set up the consent banner only in the Thai language, which might not be readable by foreigners living in Thailand. So, are digital cookies bytes of bliss or bytes of betrayal? The conclusion is that both affirmative and negative answers are possible, depending on the perceived consumer benefit, data security, and the involvement of vulnerable groups. “Yes, for bliss if consumers benefit from it in the short-term and long-term, and no, for betrayal if consumers do not benefit from it, if data is sold or can be hacked easily, if data is sensitive, and if vulnerable groups are involved, like kids or the elderly,” said Professor Pick. Discussing possible future research topics on cookies, Professor Pick wishes to explore how the design of cookie disclaimers influences consumer behavior, considering factors like fairness perception and disclosure intention, including the impact of privacy notification size, cookie box size, colors, and webpage location. She may also investigate the influence of personal data experiences, particularly examining the impact of data breaches, with a recognition that not all individuals have been equally affected. The cultural aspect of cookie consent could be explored, with a potential focus on whether collectivistic countries exhibit greater acceptance. Additionally, there is a need for a deeper understanding of the genuine motives behind firms implementing corporate digital responsibility practices.