Cookies: What really happens when you click 'accept all'?
ASK A RESEARCHER: Many of us are sceptical about cookies. How should we approach them?

On most websites, you will be informed that:
'We use cookies to ensure the website functions properly and remains secure.'
You then have to decide whether to 'accept all' or only 'necessary' cookies.
However, less than half of Norwegians actually understand what this means. This was revealed in the 2024 privacy survey conducted by the Norwegian Data Protection Authority (link in Norwegian).
The survey shows that about half of Norwegians feel uneasy thinking about how much personal information about them exists online. Yet, only just over 40 per cent think twice before choosing settings for the use of cookies.
Most people disapprove of their online activity being used for personalised advertising.
We are sceptical of cookies, yet we choose not to take a stand on them.
This concerns Vivi Ringnes Berrefjord. She researches digital surveillance of citizens in democracies and leads the cyber programme at the Norwegian Institute for Defence Studies at the Norwegian Defence University College.

What are cookies?
According to the Great Norwegian Encyclopedia, cookies are data received by a web browser from websites visited by the user.
"When you consent to cookies, you give the website the right to collect information about you," says Berrefjord.
This means that you leave behind some data on every website and in every app where you accept cookies.
A harmless example is online stores remembering the items in your shopping cart, which helps them understand what you might be looking for.
Berrefjord explains that the information collected through cookies can be shared within an ecosystem where it could be sold to those willing to pay.
"In practice, you lose control over your own information when you accept cookies," she explains, adding:
"What ends up on the internet does not disappear."

The Personal Data Act
In Norway, our personal data is protected by the Personal Data Act. It consists of both national regulations and the EU's General Data Protection Regulation (GDPR).
The law applies to businesses in Norway that process personal data automatically, such as Norwegian online newspapers, online stores, or apps.
Among other things, the law states that personal data may only be collected with consent and must be processed fairly.
Norwegian websites, as well as websites from countries subject to the EU's privacy regulations, are required to follow laws designed to make them trustworthy. Berrefjord warns that all digital actions leave traces and information, and you can never be completely sure where the data ends up.
"I assume that serious actors follow the laws and do not misuse personal data," she says.

When information ends up in the wrong hands
The Norwegian Data Protection Authority's survey reveals that 74 per cent of participants have chosen not to download an app due to uncertainty about how their personal data would be used.
"Do people have reason to be cautious?"
"There are many examples of information being leaked to individuals we wouldn't necessarily want to have access to it. For instance, marketers can tailor content based on your interests to make you click on what they want you to," says Berrefjord.

In more serious cases, personal data can be misused for fraud or cyberattacks.
"Misuse of information can make it easier for cybercriminals to deceive people. The more information they have about their target, the easier it is to get them to do something foolish," the researcher explains.

Increasing risk of data breaches
The 2024 annual police report on cyber-related and cyber-supported crime (link in Norwegian) states that cybercrime has increased in Norway, both in volume and severity.
SINTEF reports that the risk of data breaches has increased following Russia's invasion of Ukraine in 2022.
A data breach occurs when someone attempts to access non-public data to manipulate, alter, or steal it. The motives are often financial gain, espionage, or sabotage.
"There are different levels of severity within data breaches," explains Berrefjord, adding:
"When someone breaks in, they don't necessarily get access to the crown jewels right away. The same applies to data breaches – security is often layered."
The severity of an attack depends on who is behind the breach, how deep they manage to infiltrate, how long they remain inside, and what data they manage to extract.

Nothing to hide
According to Berrefjord, cybersecurity is not about fighting cookies themselves, but rather about controlling what they are allowed to do.
"You must be able to hold two thoughts in mind at the same time. The internet is fantastic, and we don't need to dismiss all apps. At the same time, we must be aware that the data collected about us doesn't just disappear," she explains.
The researcher emphasises that privacy concerns extend beyond the individual – they affect society as a whole.
"The mindset that you have nothing to hide needs to be abandoned. Information can be misused, and no one knows exactly what the future holds," says Berrefjord.
"Maybe you personally have nothing to hide, but what about those around you? What if your life situation changes? It's important to maintain a healthy scepticism about what others know about us," she says.

How to reduce the risk of a data breach
There are several precautions you can take to protect yourself from data breaches and the misuse of personal information online.
"Many people use the same password for all their accounts. That's not a good idea," says Berrefjord.
If the password is leaked, hackers can quickly jump from your Instagram account to, for example, your online bank.
Berrefjord also advises users to turn off tracking features and decline non-essential cookies.
"It's also a good idea to do a 'digital deep clean' from time to time. Delete unused accounts, organise your emails, update passwords, and so on," she says.
———
Translated by Alette Bjordal Gjellesvik
Read the Norwegian version of this article on forskning.no