According to the Information Commissioner’s Office (“ICO”), “a cookie is a small file, typically (consisting) of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to the originating website on each subsequent visit. They allow a website to recognise the user’s device.” In simpler terms, a cookie carries information about your visit to a web page, together with whatever data you have agreed to share. Here are some examples:
You should always bear in mind that there are different types of cookies serving different purposes and storing personal data for different durations.
What are the different types of cookies?
Cookies can be categorised by their lifespan and by the domain to which they belong. A cookie’s lifespan also helps in judging whether that cookie is necessary or not.
Based on the lifespan, cookies may be of the following types:
- Session cookies: These are usually strictly necessary cookies that enable a website to remember information about you (or your behaviour) while you navigate from page to page. A session cookie, for example, keeps track of the items in a webshop’s shopping cart. In principle, session cookies are removed once you leave a website or close your browser.
- Persistent cookies: These cookies remain on the user’s device for a longer period of time, or until they are actively deleted. A persistent cookie allows a website to recognise a user (or device) across sessions. So when I abandon my session in a webshop and return two weeks later, the site might still suggest buying the items I left in my shopping cart.
Based on the domain to which they belong, cookies may be of the following types:
- First-party cookies: They are set by the web server of the visited page or website and share its domain;
- Third-party cookies: They are set by a third party and stored under a domain that differs from that of the visited page.
First-party cookies are usually completely legitimate. Who wants to lose information filled out in a form, or reset user preferences time and again when visiting the same website? It is the third-party cookies that usually receive the most attention. This is because the more websites take part in the network that uses a particular third-party cookie, the more valuable the information that can be collected about the behaviour of a particular user.
Cookies in theory and in practice
The ePrivacy Directive, together with the more general GDPR, determines the conditions under which website owners may use cookies. The rules are fairly restrictive, in the sense that website owners may not freely use whichever cookies they like to monitor and track user behaviour. Still, under some circumstances cookies can be used for certain purposes without prior user consent, whereas other uses clearly require prior informed consent.
There are two criteria under which prior user consent is not needed: when cookies are used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and when they are “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.
First party session cookies are generally permitted without user consent. They are deemed necessary for proper functioning of a website. Examples provided by the WP29 Opinion 04/2012 on Cookie Consent Exemption are cookies used for user input tracking, authentication, security, multimedia playing, load balancing, customisation and social content sharing for logged in social media users.
First party persistent cookies generally do require informed consent.
Third-party cookies, whether session or persistent, require informed consent as well. The same WP29 document lists as examples of such cookies: social plug-in tracking cookies, third-party advertising, and first-party analytics. Let’s not forget that in practice a cookie can serve several functions at the same time; it is then judged by its most ‘infringing’ use.
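To make the two classifications above (lifespan and party) and the consent rule of thumb that follows from them concrete, here is an added example that is not part of the original article: it parses a Set-Cookie response header, decides whether the cookie is a session or a persistent cookie from its Max-Age/Expires attributes, decides whether it is first- or third-party by comparing the setting domain with the page’s domain, and then applies the article’s rule (first-party session cookies exempt, everything else consent-required). The host names, cookie names and the two-label “site” approximation are constructed for the example; real code would use the Public Suffix List, and the purpose of a cookie still has to be reviewed separately, since a first-party session cookie used for tracking is judged by that use.

```javascript
// Added example (not the article's code): classify Set-Cookie headers by
// lifespan and party, then apply the consent rule of thumb described above.

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; value-less attributes map to true.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? "" : nameValue.slice(eq + 1);
  const attributes = {};
  for (const attr of attrParts) {
    if (attr === "") continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, value, attributes };
}

// Registrable-domain approximation: the last two labels of the host name.
// This is a simplification for the example; production code should consult
// the Public Suffix List (e.g. "co.uk" needs three labels).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// responseHost: the host that sent the Set-Cookie header.
// pageHost: the host of the page the user is actually visiting.
function classifyCookie(header, responseHost, pageHost) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;

  // Lifespan: a cookie is persistent only if Max-Age or Expires is present.
  // Per RFC 6265, Max-Age takes precedence over Expires when both are set.
  let lifespan = "session";
  if ("max-age" in a) {
    lifespan = Number(a["max-age"]) <= 0 ? "expired" : "persistent";
  } else if ("expires" in a) {
    const t = Date.parse(a["expires"]);
    if (!Number.isNaN(t)) lifespan = t <= Date.now() ? "expired" : "persistent";
  }

  // Party: the Domain attribute (if any) wins over the responding host;
  // a leading dot is ignored, as browsers do.
  const cookieHost = typeof a.domain === "string" ? a.domain.replace(/^\./, "") : responseHost;
  const party = siteOf(cookieHost) === siteOf(pageHost) ? "first-party" : "third-party";

  // Rule of thumb from the article: first-party session cookies are generally
  // permitted without consent; first-party persistent and all third-party
  // cookies need informed consent. An expired cookie is a deletion, not a
  // placement, so nothing is being consented to.
  const consentRequired = lifespan === "expired" ? false : !(party === "first-party" && lifespan === "session");

  return { name: cookie.name, lifespan, party, consentRequired };
}

// Constructed sample headers, as a webshop page at shop.example might receive them.
const SAMPLE_HEADERS = [
  ["sessionid=abc123; Path=/; HttpOnly; Secure", "shop.example"],
  ["cart=xyz; Max-Age=1209600; Path=/; SameSite=Lax", "shop.example"],
  ["_vid=GA1.2.1; Expires=Fri, 31 Dec 2099 23:59:59 GMT; Domain=.analytics-vendor.example", "analytics-vendor.example"],
];

function classifyAll(pageHost) {
  return SAMPLE_HEADERS.map(([h, host]) => classifyCookie(h, host, pageHost));
}
```

Running `classifyAll("shop.example")` labels the first sample as a first-party session cookie (no consent needed), the second as a first-party persistent cookie and the third as a third-party persistent cookie (both consent-required). The check is deliberately conservative: it can only say which cookies are candidates for the exemption, not grant it, because the exemption depends on purpose as well as lifespan and party.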
That’s the theory. Now there’s practice. These days, a website often contains externally hosted analytical tools that allow the website owner to learn more about the behaviour of visitors. Also, there’s often integration of social media functionalities, chat applications and advertisements. A public, commercial website can easily set some 20 cookies on your computer. Tools such as Ghostery can give you more insight and control over those practices.
Despite the relevant articles in the GDPR and the relatively clear guidance of the European Data Protection Board on consent, which should be “freely given, specific, informed and unambiguous”, a practice has grown in which cookie banners do not follow the rules of the game, e.g. by:
- placing cookies on your computer before you have given the relevant consent
- forcing consent applying to all types of cookies instead of giving users a choice
- denying access to a service whereas the refused cookies are not necessary for providing that service
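The three banner failures listed above are avoidable in code. The following is an added example, not the article’s or any vendor’s consent library: a small consent gate that sets strictly necessary cookies immediately, holds back every other cookie until the user has made a per-category decision, treats an untouched category as refused (so there is no all-or-nothing consent), and never blocks the page itself when a category is refused. The category names, the `store` interface and the cookie names are assumptions made for the example; the store is injected so the logic can run outside a browser, with a `document.cookie` adapter shown for use in a page.

```javascript
// Added example (not the article's code): gate non-essential cookies behind
// granular, explicit consent. Categories are assumed for the example.
const CATEGORIES = ["necessary", "analytics", "advertising"];

class ConsentGate {
  // store: an object with set(name, value); injected so this runs without a DOM.
  constructor(store) {
    this.store = store;
    this.choices = null; // null until the user has decided
    this.pending = [];   // non-essential cookies requested before the decision
  }

  // True only for "necessary" (always) or a category the user explicitly allowed.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "necessary") return true;
    return this.choices !== null && this.choices[category] === true;
  }

  // Set a cookie now if its category is allowed. Before any decision exists,
  // non-essential cookies are queued instead of placed (failure 1 above).
  // Returns true if the cookie was stored.
  setCookie(name, value, category) {
    if (this.isAllowed(category)) {
      this.store.set(name, value);
      return true;
    }
    if (this.choices === null) this.pending.push({ name, value, category });
    return false;
  }

  // Record a granular choice. Any category missing from `choices` counts as
  // refused, so there are no pre-ticked boxes and no forced "accept all"
  // (failure 2 above). Queued cookies are then placed or dropped accordingly.
  recordChoice(choices) {
    this.choices = {};
    for (const c of CATEGORIES) {
      this.choices[c] = c === "necessary" ? true : choices[c] === true;
    }
    const queued = this.pending;
    this.pending = [];
    for (const q of queued) this.setCookie(q.name, q.value, q.category);
    // The decision itself is stored as a first-party necessary cookie so the
    // banner is not shown on every page; refusing everything is a valid state
    // and the page keeps working (failure 3 above).
    this.store.set("consent", JSON.stringify(this.choices));
  }

  // Run a loader (e.g. injecting a third-party script) only when allowed;
  // refused categories simply do nothing rather than blocking the service.
  runIfAllowed(category, fn) {
    if (!this.isAllowed(category)) return false;
    fn();
    return true;
  }
}

// Browser adapter for real pages; the attributes are a sensible default,
// not something the article prescribes. Only used when a DOM exists.
const browserStore = typeof document !== "undefined"
  ? { set: (n, v) => { document.cookie = `${n}=${encodeURIComponent(v)}; Path=/; SameSite=Lax; Secure`; } }
  : null;

// Walk through the scenario with an in-memory store and return what landed.
function demoScenario() {
  const jar = new Map();
  const gate = new ConsentGate({ set: (n, v) => jar.set(n, v) });
  gate.setCookie("sessionid", "s1", "necessary");     // placed at once
  gate.setCookie("_vid", "v1", "analytics");          // queued, not placed
  gate.setCookie("ad_id", "a1", "advertising");       // queued, not placed
  gate.recordChoice({ analytics: true });             // advertising omitted = refused
  gate.runIfAllowed("advertising", () => jar.set("ad_script", "loaded"));
  return { jar, gate };
}
```

In the scenario at the bottom, only `sessionid`, `_vid` and the `consent` record end up in the jar; `ad_id` is dropped and the advertising loader never runs, while the rest of the page is unaffected. Wiring the gate into a page means routing every non-essential `document.cookie` write and third-party script injection through `setCookie` or `runIfAllowed`, which is also where an audit would look to verify that nothing is placed before the decision.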
Most people will quickly click all the green ‘Yes I accept the cookies and please let me go to the website now, please, hurry’ buttons. It is therefore very hard to build a non-intrusive yet compliant cookie banner. The subject matter is simply too complex to summarise in a very brief text. Usually, therefore, the consent cookie banner will only show limited information on the types of cookies used, and refer to a more elaborate description of cookies in use as a part of the privacy statement.