Extending our opt-out cookie’s shelf life

Many users of the Internet are now aware of what cookies are – small files on a computer that store preferences for the user. What many may not be aware of, however, is that every web browser cookie comes with an expiration date – much like the “sell by” date on food items you purchase in the store. Once the expiration date is reached, the cookie becomes “stale” and must be replaced with a new web browser cookie. It’s relatively rare for web site privacy policies to include cookie expiration dates but they are visible in the cookie files themselves. These dates can range from minutes to decades from the date the cookie is set. Although a decades-long cookie sounds like a long time, in practical terms most cookies don’t last for very long. Recent research from TRUSTe shows that users are being more proactive in managing their cookies either by actively deleting them (nearly half of all users clear their cookies on a weekly basis), or by using anti-spyware packages that clear cookies (including opt-out cookies) on a regular basis. In the grand scheme of things these factors makes cookie expiration dates less important but some concerns have been raised.

A few months ago, Yahoo! made changes to make our opt-out cookie persistent to address the concern that opt-out cookies may be inadvertently deleted by users. Today users can make their opt-out both persistent and portable by linking their opt-out choice to their Yahoo! ID. Under this process, the opt-out cookie (and its expiration date) is refreshed at every login.

A more recent issue has been raised by Chris Soghoian, a graduate student fellow at the Berkman Center for Internet & Society at Harvard University. Chris has asked the NAI (Network Advertising Initiative – a group of ad serving companies focused on self-regulation in this area) to set a minimum expiration date of 5 years on online behavioral advertising opt-out cookies and to post the expiration date on the opt-out page as well. We agree that this makes a lot of sense so we revisited this issue.

Yahoo! has been in the process of implementing a two-year cookie expiration date for all Yahoo! cookies. That is why the opt-out cookie for those not making their opt-out persistent is currently set to two years but we recognize that opt-out cookies should be dealt with differently from other kinds of preferences. Yahoo! will be moving forward with extending the expiration date on our opt-out cookies to 20 years (erring on the side of being conservative). Implementing the 20-year expiration date on our opt-out cookie will take us some time to deploy across the thousands of systems we have around the globe, but we aim to have this process completed by the end of the year. We thank Chris for bringing this issue to our attention.

Consumers can learn more about their system’s browser cookies and the expiration dates by visiting Internet Options in their web browser (under “Tools” in Internet Explorer). On the General tab, under Browsing history, click Settings. Then click the View Files button. In this view, you’ll see every cookie on your system and its associated expiration date. To clear a single cookie, simply right-mouse click on that cookie and select Delete.

To learn more about how Yahoo! treats cookies, please visit the Cookie module in our Privacy Center.

Shane Wiley
Sr. Director – Privacy & Data Governance
Yahoo!

Comments are closed.