Cookies — Yes, it sounds palatable! But now we’re not referring to those sweet, savory chunks!
What we’re going to discuss here is HTTP cookies: the small text files that a website stores on a user’s computer while they browse the site.
It’s a safe bet to say that you might have come across these kinds of notification popups countless times while browsing the Internet!
Why don’t most users give cookies the attention they deserve? Perhaps they are not really aware of what cookies are and how they work. But once you know, you’d see cookies as a matter of much greater importance.
This post is intended to help website owners get acquainted with cookies and bring their use in line with the relevant laws and regulations, including the GDPR, PECR, and the ePrivacy Directive.
HTTP Cookies — What Exactly Are They?
The term “cookie” has become increasingly common in recent years, but many Internet users are still not aware of what cookies are and how websites use them.
Let’s discuss them in more detail here!
An HTTP cookie (also known as an Internet cookie, browser cookie, or web cookie) is a small piece of data that a website stores in a user’s browser while the user is browsing the web.
There exist different types of cookies that serve different purposes such as collecting users’ behavioral data for creating targeted ads.
To put it more simply: you have probably noticed several times that advertisements for items you were searching for on a shopping site moments ago keep appearing on social media and other sites.
Have you ever wondered how these ads reach you? The cookies (the so-called small text files) stored in your browser are the reason. They carry an identifier that lets the advertiser link what you searched for to your browser, so the ads it serves can be tailored to your specific needs and interests.
Types of Cookies
Cookies are generally classified based on their characteristic attributes such as their mode of origin, the time period they remain on a user’s browser, and what purposes they serve. The most common types of cookies are described in brief below.
Cookies Classified Based on the Source
First-party cookies are placed on a user’s browser by a website or a domain the user visits directly.
These kinds of cookies are set for purposes like collecting analytics data, remembering browsing options such as language or location settings, and carrying out other activities that improve the browsing experience of users.
Third-party cookies are issued by any party apart from the website or a domain that a user visits directly.
A third party could be an advertiser that provides targeted ads, or a service that helps website operators add third-party elements (e.g. live chat, social-media buttons, a Google Maps element, etc.) to their site.
Cookies Classified Based on the Expiration Period
Session cookies (aka non-persistent cookies) are temporary cookie files that expire as soon as the user closes the browser.
Session cookies are typically used to keep track of a user’s actions within a single browsing session. For example, they keep a user’s selected items or shopping cart even after the user moves to a different page.
Persistent cookies work much like session cookies but differ in their expiration period. Unlike session cookies, persistent cookies remain in a user’s browser for a considerably longer time, which is why they are also known as permanent cookies.
Persistent cookies usually come with an expiration period ranging from a single second to several years. Once these cookies reach their expiration date, they are deleted automatically from the user’s browser.
Persistent cookies recognize users and remember their browser settings or preferences on their subsequent visits. This is how these kinds of cookies help websites provide better user experiences.
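To make the two classifications above concrete, here is an added example (not code from the original post or from CookieYes) that sorts a Set-Cookie response header into first- vs third-party and session vs persistent. It assumes the registrable domain can be approximated by the last two host labels (no public-suffix list) and follows RFC 6265 in letting Max-Age take precedence over Expires.

```javascript
// Added example (not from the original post or from CookieYes): classify a
// Set-Cookie response header along the two axes described above, source
// (first- vs third-party) and lifetime (session vs persistent).
// Assumptions: the registrable domain is approximated as the last two host
// labels (no public-suffix list), and Max-Age takes precedence over Expires
// when both are present, as RFC 6265 specifies.

function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Split "name=value; Attr=val; Flag" into its parts; attribute names are
// case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attributes: {} };
  for (const attr of attrs) {
    const [key, ...rest] = attr.trim().split('=');
    cookie.attributes[key.toLowerCase()] = rest.length ? rest.join('=').trim() : true;
  }
  return cookie;
}

// pageHost: host of the page the user visited directly; responseHost: host
// that sent the Set-Cookie header; now: the instant used to judge expiry.
function classifyCookie(header, pageHost, responseHost, now = new Date()) {
  const cookie = parseSetCookie(header);
  const a = cookie.attributes;
  // Source: a third party is any host outside the visited site's domain.
  const party = registrableDomain(responseHost) === registrableDomain(pageHost) ? 'first' : 'third';
  // Lifetime: with neither Expires nor Max-Age the cookie ends with the
  // browser session; otherwise it persists until the computed instant.
  let expiresAt = null;
  const maxAge = a['max-age'] !== undefined ? Number(a['max-age']) : NaN;
  if (Number.isFinite(maxAge)) {
    expiresAt = new Date(now.getTime() + maxAge * 1000);
  } else if (a.expires !== undefined) {
    const parsed = new Date(a.expires);
    if (!isNaN(parsed)) expiresAt = parsed; // an unparseable Expires is ignored
  }
  let lifetime = 'session';
  // A Max-Age of 0 or a past Expires is how a server deletes a cookie.
  if (expiresAt) lifetime = expiresAt > now ? 'persistent' : 'expired';
  return { name: cookie.name, party, lifetime, expiresAt,
           secure: a.secure === true, httpOnly: a.httponly === true };
}
```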
Cookies Classified Based on the Purpose
Strictly Necessary Cookies
Strictly necessary cookies, as the name suggests, are essential for a website to provide its basic features (e.g. user registration, shopping carts, wish lists, e-payments, etc.) to users.
Performance cookies (aka Statistics cookies) allow websites to provide enhanced user experience by remembering the users. These cookies evaluate the performance of a website by collecting information on how visitors use the website.
Functional cookies (aka preference cookies) are cookies that ensure a website functions properly.
Cookies that allow user registration, remember a username and password for automatic login, or store a user’s site preferences (e.g. language preference) are examples of functional cookies.
Marketing cookies are used by websites to track the activities and behavior of users online so as to provide them with personalized advertisements. These types of cookies are often persistent in nature and are usually set in a user’s browser by third parties.
Cookies are essential for the smooth operation of your website. Because cookies are created to identify users across the web, they enable the collection of enormous amounts of data, including personally identifiable information about users.
This could be a user’s name, age, gender, residential address, email address, IP address, telephone number, financial or health information, etc.
Now, let’s look at the laws that regulate cookie usage on websites.
The Impact of Various Data Protection Laws on Cookies
The most prominent and comprehensive regulations include the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations (PECR), the ePrivacy Directive (ePD), and the ePrivacy Regulation (ePR), which is expected to come into force in the near future.
Recital 30 of the GDPR states:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
This conveys that all kinds of online identifiers, including cookies, that collect the personal data of individuals fall under the GDPR.
This is to say: a website or an organization needs to be fully transparent about the types of cookies it uses and the purposes they serve.
In other words, websites are required to obtain explicit consent from their users before placing cookies or online trackers on their terminal devices.
The UK Data Protection Act 2018, which updated the UK Data Protection Act 1998, is the UK’s implementation of the GDPR. The Act aims to protect the personal data of British residents.
Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 states that:
A person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.
Although the PECR does not use the term ‘cookie’ anywhere in its text, its Regulation 6 applies directly to cookies.
ePrivacy Directive (ePD)
Regulation 66 of the ePrivacy Directive (aka the Cookie Law), which came into effect in 2002 and was amended in 2009, says the following about cookies:
“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”
This indicates that the ePD mandates websites to obtain consent from visitors before collecting their personal information. Moreover, this data privacy legislation lets users allow or refuse a website’s cookie usage.
ePrivacy Regulation (ePR)
Failing to adhere to the above laws and regulations can put organizations at risk of heavy penalties or fines. Violators of the GDPR can be fined up to €20 million or 4% of annual global turnover – whichever is greater.
As a website owner, ensuring regulatory compliance is imperative to drive growth in your business and protect yourself from non-compliance penalties.
But managing the cookie consents of a plethora of users may not be quite as easy as it sounds. Therefore, the best thing you can do is implement a consent management solution that ensures no cookies or trackers are set on your users’ devices before you receive explicit consent from them.
How to Become Cookie Compliant?
- Provide information about the cookies that are being used on your website
- Let users give consent by a clear, affirmative action
- Allow refusal or withdrawal of consent anytime
- Keep a record of user consents
“PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes.”
Source: ICO UK
Nor does any other law, including the GDPR, set a standard for exactly what privacy information must be provided to your users.
What really matters is that the information you provide must be clear, comprehensive, and easy to understand. Simply put, this information must help users make an informed decision about whether to give consent or not.
As a good rule of thumb, you should provide information about the types of cookies you use, what kinds of personal data are collected from users, how long their data will be retained, and with whom the data will be shared.
It’s important that you always provide users with real choice and control over how you use their personal data. Or, put differently: the consent must be freely given by an individual. Otherwise, it cannot be considered valid on any legal grounds.
Therefore, your cookie consent banner must operate in such a way that it receives consent from a user only through a clear, affirmative/positive action.
For example, use opt-in checkboxes or toggle buttons that let users turn individual cookie categories on or off.
CookieYes helps you implement a cookie banner of this kind, one that lets you receive freely given, informed, and unambiguous consent from your site visitors.
CookieYes sets consent banners with all the non-essential categories of cookies toggled off by default. The banner layout shown below helps users seamlessly enable or disable non-essential cookies according to their preferences.
The following figure shows how CookieYes lets you add an explicit Reject button to your cookie consent banner. The solution also enables you to customize the labels and color choices of the button.
Enabling users to change their cookie settings or preferences is yet another major requirement. CookieYes allows you to include a customizable settings button on your consent banner as shown below.
By clicking the Preferences button, users can view the cookie categories separately and change the cookie settings to suit them.
If they change their mind later, you must allow them to alter their cookie preferences. Check out how CookieYes lets users bring back a dismissed cookie consent banner at the click of a button.
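The opt-in, selective-toggle and withdrawal behaviour described above, together with the consent record that the next section requires, is modelled in this added example (not code from the original post or from CookieYes). It uses an in-memory cookie jar and a constructed category list; a real site would write through document.cookie and persist the log server-side.

```javascript
// Added example (not from the original post or from CookieYes): a consent
// gate in which every non-essential category starts switched off, a cookie
// is stored only when its category has been opted into, withdrawal removes
// what was already set, and each decision is appended to a consent log.
// Assumptions: categories and the in-memory jar are constructed here.

const CATEGORIES = ['necessary', 'functional', 'performance', 'marketing'];

class ConsentManager {
  constructor(bannerVersion) {
    this.bannerVersion = bannerVersion;
    // Opt-in model: only strictly necessary cookies are allowed by default.
    this.consent = Object.fromEntries(CATEGORIES.map(c => [c, c === 'necessary']));
    this.jar = new Map();   // cookie name -> { value, category }
    this.log = [];          // append-only record of consent events
  }

  // Record an affirmative choice from the banner (accept all, per-category
  // toggles, or reject) with the time and the banner version shown.
  update(choices, at = new Date()) {
    for (const [cat, allowed] of Object.entries(choices)) {
      if (!CATEGORIES.includes(cat) || cat === 'necessary') continue;
      this.consent[cat] = Boolean(allowed);
      if (!allowed) this.purge(cat); // withdrawal also clears existing cookies
    }
    this.log.push({ at: at.toISOString(), bannerVersion: this.bannerVersion,
                    consent: { ...this.consent } });
  }

  // Gate every cookie write on the current consent for its category.
  setCookie(name, value, category) {
    if (!this.consent[category]) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  purge(category) {
    for (const [name, c] of this.jar) if (c.category === category) this.jar.delete(name);
  }

  // Answer "had the user consented to this category at time T?" from the
  // log, which is what a regulator asks you to demonstrate.
  consentedAt(category, at) {
    const ts = at.toISOString();
    let state = category === 'necessary';
    for (const entry of this.log) if (entry.at <= ts) state = entry.consent[category];
    return state;
  }
}
```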
Article 7(1) of the GDPR states that:
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This means that, according to the GDPR, you are obliged to record and store consents that you obtain from your users.
This is an essential requirement if, in the future, you need to prove to regulatory authorities that you have obtained consent from your users. Also, keeping a record of user consents is necessary to help users revoke their consent.
Managing records of consent received from each and every user can be a highly tedious task. But with CookieYes, the cookie consent management process will be completely automated.
CookieYes maintains a consent log, where all your users’ consent will be retained securely for an appropriate period of time.
Cookies are small data files that a website stores on a user’s terminal for accomplishing a range of different purposes — such as uniquely identifying users, managing their browsing sessions, facilitating personalized user experiences, ad targeting, and much more. Cookies have actually become an indispensable component for the efficient operation of a site.
Not all cookies are used to track the browsing activities of users across the web. But the cookies used for analytics, advertising, marketing, and functional services are more likely to collect the personal data of users. This has given rise to increasing data privacy concerns among users.
In order to address this issue, many laws and regulations have been formulated, mainly focusing on the residents of the member states of the EU (European Union) and the EEA (European Economic Area).
Implementing a cookie banner is the best and most effective way to get cookie consent. A good cookie consent solution like CookieYes enables you to add a cookie banner to your site and manage user consents seamlessly.