Cookies are all over the internet. They allow websites to remember your language preferences, the items in your shopping cart, track your browsing on the internet, what videos you like to watch on Youtube and help them recommend better videos, and so on. Learn how to comply with data privacy cookie requirements here.

Cookies for a website are usually a complicated subject. It doesn’t have to be like that. Learn about cookies, HTTP cookies, and third-party cookies here!

Introduction

Online businesses want to make data-driven decisions. That’s why they need to collect data about user’s behavior on their website, where their users come from, what demographic groups they belong to, and so on. That’s where cookies come in handy.

Cookies are all over the internet. They allow websites to remember your language preferences, the items in your shopping cart, track your browsing on the internet, what videos you like to watch on Youtube, and help them recommend better videos, and so on.

They can be helpful but at a price. That price is the collection of personal data and the related risks.

Due to the possible abuse of personal data, many governments worldwide have introduced legislation to regulate the use of cookies - the most essential and comprehensive being the EU cookie laws.

Businesses must comply with these laws to avoid penalties and losing customers’ trust. That’s why it is essential to understand the following:

• What are cookies
• How do cookies work
• What types of cookies are there
• What do the data protection laws require from your business regarding your use of cookies, and
• How to comply with the legal requirements easily so that you can use cookies and other trackers and collect data lawfully without the risk of getting fined.
  

What are cookies?

Cookies are small files that a website or an app sends to the user’s computer, mobile device, or another device to track something and collect data about it. When these text files reach the user’s device, they create an identifier for the specific user and help collect certain categories of data for which that particular cookie has been designed to collect. 

What's the difference between browser cookies, computer cookies, internet cookies, and HTTP cookies?

In many places on the internet, cookies are called HTTP cookies, browser cookies, web cookies, or internet cookies. There is no difference between them.

How do cookies work?

When you visit a website, your browser sends a request to the web server. The server then sends back a cookie to your browser. The cookie is stored on your computer or mobile device and sent back to the server each time you visit the website.

The server uses the cookie to identify you and remember your  cookie preferences. For example, if you log in to a website, the cookie will remember your username and password so that you don't have to enter them again each time you visit.

Are cookies safe?

The use of cookies is not inherently good or bad, but their use raises online privacy concerns. Data privacy laws protect the personal data of individuals, which means that the use of cookies is affected. That’s why website owners need to learn about user privacy and, in many cases, block cookies until the user agrees to their use.

What are cookies used for?

Cookies are used for a variety of purposes, including:

• Authentication: Cookies can be used to authenticate users and remember their login information.
• Personalization: Cookies can be used to personalize the user experience by remembering preferences such as language settings, font size, and layout.
• Tracking: Sometimes cookies track user activity and browsing history across different websites. This information can be used for targeted advertising or to improve the user experience.
• Analytics: Cookies are sometimes used to collect data about website traffic and usage.This information can be used to improve the website's performance and design.

For example, an analytics cookie sent to a user’s device to track the web pages they visit on the website will collect data on that user’s browsing behavior. If the cookie was designed to collect data that identifies the user by their demographic characteristics, such as country, age, gender, and others, then it will collect that data, too.

Other businesses design and use cookies to track your browsing history. They collect information from your web browser and store information about your browsing data so advertisers can learn more about you and your interest. As a result, they will be able to serve you with ads tailored to your interests.

Some cookies can help remember your user preferences on a website, login information, online shopping cart, and authentication, improving your user experience overall.

And in some cases, cookies may be used for malicious purposes, such as spreading malware.

They will track what you tell them to follow.

What are the different types of cookies?

There are many different types of cookies. You can classify tracking cookies depending on various criteria. The most common standards include the following:

• Duration
• Purpose
• Provenance

Duration

The duration criteria classify cookies based on their expiration date, i.e., how long they stay in the users’ device. They can be:

• Session cookies. Session cookies, also known as magic cookies, last only for one browsing session. They expire the moment the user closes the browser. They collect data produced only between the moment of injecting the cookies till the closing of the browser, which is one user session.
• Persistent cookies. Persistent cookies, on the other hand, stay in the device longer, i.e., until the user deletes them. Sometimes, these cookies can expire by themselves if they have an expiry date encoded in the cookie. However, the user can always clear cookies before their expiration date.

Provenance

The provenance criteria classify cookies based on where they come from. They can be first-party cookies and third-party cookies.

• First-party cookies are stored on your website and injected into your users’ devices as soon as they consent.
• Third-party tracking cookies are the cookies produced by third-party tools that you use for some processing purposes. These third-party tools are connected to your website, but the cookies are not stored there. Instead, they go to the user’s device from a third-party website. These are usually analytic cookies, social media cookies, and similar ones.

However, sometimes cookies cannot be easily placed in one of these two groups. A good example is Facebook tracking cookies - produced by Facebook but stored on your website. Although they have been created by a third party (Facebook), and you can extract data collected by them only by using Facebook marketing tools, they are stored on your website like first-party cookies.

Purpose

Certain cookies differ based on the purpose they serve your business. 

The most general classification based on purpose is on essential and non-essential cookies.

The essential cookies are necessary for the proper functioning of the website. They have to be here to ensure you can use the website or the app.

Non-essential cookies allow purposes that are not necessary for the website’s functioning. All they do is help businesses collect the data they need.

Non-essential cookies can be:

• Analytics cookies. These cookies collect analytics data related to the use of your websites, such as Google Analytics, Mixpanel, Hotjar, and others. They often track users’ behavior based on their IP address. Since the IP address is personal data, you need to comply with the laws regulating such data collection.
• Preferences cookies. These cookies can also remember users’ choices on your website or app. They reflect the font size, preferred language, dark or light theme, etc.
• Marketing cookies. These include the marketing and advertising cookies by Facebook, Google, Pinterest, Quora, Twitter, and other ad platforms. They all use cookies or similar tracking technologies to track users’ behavior and to provide businesses with advertising analytics based on that tracking.

There are many other types of cookies based on purpose - as many as there are purposes - but these are the most common ones.

Malicious purposes are worth mentioning, too. Some website operators serve the so-called zombie cookies. Zombie cookies help collect data without their knowledge, even after clearing cookies.

This classification is the most important from a legal point of view. The granularity of cookie consent required by the EU cookie laws, such as the ePrivacy Directive and the GDPR, fits the purpose-based classification. See GDPR cookie consent examples.

First-party cookies vs third-party cookies

First-party cookies are set by the website you are visiting. First-party cookies are generally considered to be less privacy-invasive than third-party cookies. This is because first-party cookies are only used by the website you are visiting.

Third-party cookies are set by third-party websites that have embedded content on the website you are visiting. These cookies can be used by websites even if they did not put that cookie. This means that third-party cookies can be used to track your activity across multiple websites.

Most third-party cookies have no direct impact on your browsing experience, as many browsers have already begun phasing them out and not allowing third-party cookies to be used in their browsers. Some web browsers, such as Mozilla Firefox and Apple’s Safari, block third-party cookies by default. Google Chrome will block them starting in 2024. Many websites still operate fine and remember your preferences without using third-party cookies.

How do cookies affect user privacy?

Cookies can affect user privacy in a number of ways. For example, cookies are also used to track your browsing history, your location, and your interests. This information can then be used to target you with advertising or to collect data for analytics and research.

How can I use cookies for my business?

You can use cookies for a variety of purposes, including:

• To track your customers' activity on your website and to remember their preferences
• To keep your customers logged in to your website
• To target your customers with advertising
• To collect data for analytics and research
  

What is a cookie policy?

A cookie policy is a document that informs users about the cookies that a website uses and how the website uses those cookies. Cookie policies are typically required by law.

Which laws require a cookie policy?

There are many countries all over the world that require a cookie policy. Some of the most well-known laws include:

• The General Data Protection Regulation (GDPR) in the European Union
• The California Consumer Privacy Act (CCPA) in the United States
• The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada

As a result, many of them require businesses to obtain explicit user consent before using cookies.

However, not all of them have strict requirements for obtaining valid consent. Therefore, compliance with one law doesn’t mean compliance with all the other laws that require it.

You have to do your due diligence to ensure you know your situation’s particular legal requirements.

What does the EU cookie law require?

EU cookie laws aim to protect personal data. Therefore, they regulate the use of cookies that collect data. This means that not all cookies are under the scope of these laws. However, if a cookie contains at least a single piece of personal information from a user, you must comply with the regulations.

EU cookie laws require you to obtain explicit user consent for using cookies. Without consent, you must not use cookies. If you use them without consent, you violate the law and will be fined.

However, not all consent is created equal. You need to request and obtain consent the right way. Consents collected against the GDPR are invalid, and using cookies upon such collection is unlawful and a reason to get in trouble with the GDPR.

How to obtain consent?

According to the ePrivacy Directive, businesses must obtain explicit user consent before using cookies. That was about enough to comply with EU cookie laws from the introduction of the ePrivacy Directive in 2002 till coming into effect of the GDPR (General Data Protection Regulation) in 2018.

Then, the requirements have become stricter. According to the GDPR, conditions are more detailed. They are prescribed in detail in the law and further tightened by the Planet49 decision of the Court of Justice of the EU and the EDPB guidelines on obtaining consent.

Consent has to be:

• Given freely. You have to allow users to share their consent freely. You must not coerce users into giving consent and should enable them to withdraw it without consequences.
• Specific. Consent is specific when obtained for each specific purpose of processing.
• Informed. The consent is informed if you have informed users about why and what data you collect. This information is usually contained in the privacy policy. Therefore, a privacy policy would be enough to meet this requirement.
• Unambiguous. This requirement means the consent is valid only if the user consents by affirmative action.

Ensure that the checkboxes or toggles for giving consent for each specific purpose are not pre-checked. The data protection authority fined Planet49 because they had the checkboxes pre-checked.

• DO NOT. Some websites’ cookie banners’ text is: “By browsing this website, you agree to the use of cookies.” This is unlawful because it is implied consent, not explicit. It is not a proper way to obtain consent and does not allow you to use cookies because the user is not provided with a means to accept or reject cookies.

Also, do not pre-check checkboxes for giving consent for each specific purpose.

• Easily withdrawn. GDPR requires businesses to allow users to withdraw the previously given consent as quickly as it has been given. This doesn’t make obtaining the consent invalid but violates the GDPR.

Website owners generally request cookies consent from the user when they arrive on the website for the first time. The most common way to do so is by a pop-up cookie banner adjusted to the legal requirements of the specific law that applies to the company and the user.

How to comply with the EU cookie laws

You need to:

• Block all the cookies before obtaining consent, except for the essential cookies.
• Request explicit cookie consent from users by a cookie banner.
• The cookie banner text needs to explain to users why you collect data, what you collect, with whom you share it, and other information, or simply provide them with a link to your privacy policy where they can read all the information.
• The cookie banner must allow users to take affirmative action for giving cookie consent.
• The cookie banner also needs the allow users to decline cookies.
• You must not protect the website content with a cookie wall.
• You must not bundle the cookie consent with the Terms and Conditions.
• You need to request consent for each specific processing purpose.
• The checkboxes, toggles, or other mechanisms for giving consent for each specific purpose must be set off by default, and the user should be allowed to check them out or turn them on to give consent through affirmative action.
• Do not assume that browsing the website means consent.
• Keep records of all the consent responses.
• Allow users to withdraw consent without a hassle, as easily as they had given it.

According to the law, it is a “prior consent” solution that allows you to block your essential cookies before obtaining explicit user consent.

The rules on obtaining consent are also embedded into the solution. The checkboxes will remain unchecked, all consents will be securely stored, and the users can withdraw consent easily, just as the EU cookie laws require.

Secure Privacy's cookie management solution to help you manage cookies on your website

Secure Privacy’s cookie solution has embedded the EU cookie laws - the GDPR and the ePrivacy Directive - in itself. 

Our cookie management solution helps you:

• Obtain consent from users before setting non-essential cookies
• Automatically categorize all of the cookies on your website
• Block non-essential cookies until users give their consent
• Regularly scan your website for new cookies
• Generate detailed reports on the cookies that are being used on your website

Sign up for a free trial today and see how easy it is to manage cookies on your website with Secure Privacy.