Cookies perform functions and provide information that helps website users, businesses, publishers, and advertisers. This article looks at what cookies are, what they do, and the legislation that affects how they are used.
Current EU legislation states that all websites must let people know when cookies are in use. Website visitors should also be given the option to accept cookies or not and should be allowed to browse a website and experience the functionality even if they choose not to accept the cookies.
Cookies are supposed to help users access a website more quickly and easily by telling the website that a visitor has been there before. For example, cookies can store information that allows a repeat visitor to access a website without logging in, or to fill in a form (autofill) without typing all the details again. Cookies can also provide information that supports online shops and analytics, and can help advertisers.
There are several different types of website cookies. These include:
– First-party cookies. These are set by the website itself and are used for analytics data gathering, e.g. the number of visitors, page views, pages visited, and sessions. These cookies provide data to publishers and advertisers for ad targeting.
– Third-party cookies. These cookies are used when third-party elements, e.g. chatbots or social plugins, have been added to a website. These cookies, set by the third-party domains, can track users and save data that can be used in ad targeting and behavioural advertising.
– Session cookies. As the name suggests, these are temporary and short-lived, and expire immediately or shortly after a user closes the web browser. They are commonly used by e-commerce websites to remember the items that have been placed in the shopping cart, to keep users logged in, and to record user sessions to help with analytics.
– Persistent cookies. These cookies must have a built-in expiration date but can stay in a user’s browser for years (or until the user manually deletes them) in order to track the user and their interaction with a website over time.
– Secure cookies. Websites served over HTTPS set secure cookies. These cookies have encrypted data and are used on the payment/checkout pages of e-commerce websites or on online banking websites.
The so-called ‘cookie law’, which began life as an EU Directive, is privacy legislation that requires websites to ask visitors for consent to store or retrieve information on a computer, smartphone, or tablet.
The Cookie Law was widely adopted in 2011, became an update to the UK’s Privacy and Electronic Communications Regulations, and was designed to make people aware of how the information about them is collected online and to give them the opportunity to say yes or no to it.
The introduction of the General Data Protection Regulation (GDPR) in May 2018 with its focus on ensuring that businesses are transparent and protect individual privacy rights means that businesses must be able to prove clear and affirmative consent to process personal data and people must be able to opt-in rather than opt-out. These aspects have clear implications for cookies.
GDPR requires consent to be gathered from data subjects, and the Court of Justice of the European Union has ruled that this consent must be explicit. This means that a website’s users must be presented with an explicit consent banner that cannot have pre-checked boxes giving consent to categories of cookies, except for those deemed strictly necessary. Websites using cookies other than those strictly necessary for their basic function must present a method for obtaining users’ cookie consent prior to any collection or processing.
Website visitors must also be able to withdraw the consent that they have given before, in a way that is accessible, if they choose to. Also, the data controller must delete any personal data of individuals if that data is not necessary for the original stated purpose.
One of the key ways in which a business can remain GDPR compliant is to make sure that it obtains prior consent if it provides services to, or collects personal data about, persons in the EU. This means being very clear and explicit in describing the extent and purpose of the data processing, in language that is easy for the user to understand, before gathering any personal data from that user. Website users must be able to find out what type of personal data is being collected about them on a website at any time, and it should be easy for users to withdraw consent that has previously been given.
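The cookie types listed earlier and the prior-consent requirement just described can both be checked mechanically from the Set-Cookie headers a site and its embedded third parties return. The following is an added example, not code from the original article: it classifies each cookie as session or persistent (Expires/Max-Age), first- or third-party (which site set it) and Secure/HttpOnly/SameSite, then lists any non-essential cookie set before consent. Hosts, cookie names and the ESSENTIAL allow-list are constructed sample data; note that the Secure attribute restricts a cookie to HTTPS transport and does not itself encrypt the stored value.

```python
"""Classify Set-Cookie headers into the cookie types listed above and flag
non-essential cookies set before the visitor has consented. Added example,
not from the original article; hosts, names and ESSENTIAL are constructed."""

PAGE_SITE = "shop.example"              # constructed: site the visitor is browsing
ESSENTIAL = {"sessionid", "csrftoken"}  # constructed: strictly-necessary cookies


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify(response_host, header, page_site=PAGE_SITE):
    """Describe one cookie from the host that set it and its Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    host, site = response_host.lower(), page_site.lower()
    return {
        "name": name,
        # Expires or Max-Age makes a cookie persistent; without them it ends with the session.
        "lifetime": "persistent" if attrs.keys() & {"expires", "max-age"} else "session",
        # Set by the page's own site (or a subdomain of it) is first-party, anything else third-party.
        "party": "first-party" if host == site or host.endswith("." + site) else "third-party",
        # Secure only restricts the cookie to HTTPS transport; it does not encrypt the value.
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "unset"),
    }


def audit(responses, consent_given, essential=ESSENTIAL):
    """Names of cookies set too early: not strictly necessary and no consent yet."""
    if consent_given:
        return []
    return [parse_set_cookie(h)[0] for _, h in responses
            if parse_set_cookie(h)[0] not in essential]


# Constructed sample: (responding host, Set-Cookie header) pairs from a first visit.
SAMPLE = [
    ("shop.example", "sessionid=3f9a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "_ga=GA1.2.1; Max-Age=63072000; Path=/; SameSite=Lax"),
    ("chat.vendor.example", "visitor=v7; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None"),
]
```

Running `audit(SAMPLE, consent_given=False)` on the sample returns the analytics and chatbot cookies, which a compliant first page load should withhold until the visitor opts in.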
Businesses and organisations anywhere in the world that handle the personal information of California residents also need to ensure that their data processing (including cookie use) is compliant with the new California Consumer Privacy Act (CCPA).
The strengthening of data protection laws in recent years has therefore forced businesses to become very familiar with how they manage data in order to be legally compliant. This has led to a much greater awareness of cookies and their use, and for first-time visitors to a website, cookie consent is the first thing they encounter.
Also, the changes that have led many browsers to block third-party cookies have presented marketing and monetary challenges to publishers and advertisers.