What are cookies? Learn how they work on your website here!
Cookies for a website are usually a complicated subject. It doesn’t have to be like that. Learn about cookies, HTTP cookies, and third-party cookies here!
Online businesses want to make data-driven decisions. That’s why they need to collect data about users’ behavior on their website: where their users come from, which demographic groups they belong to, and so on. That’s where cookies come in handy.
Cookies are all over the internet. They allow websites to remember your language preferences and the items in your shopping cart, track your browsing across the internet, remember which videos you like to watch on YouTube so that it can recommend better ones, and so on.
They can be useful, but at a price: the collection of personal data and the risks that come with it.
Businesses must comply with the laws that regulate this data collection, both to avoid penalties and to keep their customers’ trust. That’s why it is very important to understand:
- What cookies are
- How cookies work
- What types of cookies there are
What are cookies?
Cookies are small text files that a website or an app sends to the user’s device to track something and collect data about it. Once these files are on the user’s device, they collect the categories of data that the specific cookie has been designed to collect.
For example, an analytics cookie sent to a user’s device to track the web pages they visit on the website will collect data on that user’s browsing behavior on the website. If the cookie was designed to collect data that identifies the user by demographic characteristics, such as country, age, or gender, then it will collect that data, too.
Basically, they will track what you tell them to track.
In many places on the internet, cookies are called HTTP cookies. There is no difference between cookies and HTTP cookies.
What types of website cookies are there?
You can classify tracking cookies depending on various criteria. The most common criteria are duration, provenance, and purpose.
The duration criterion classifies cookies based on how long they stay on the user’s device. They can be:
- Session cookies. Session cookies last only for one session: they expire the moment the user closes the browser. They collect data produced only between the moment the cookie is set and the moment the browser is closed.
- Persistent cookies. Persistent cookies, on the other hand, stay on the device until the user deletes them. If the cookie carries an expiry date, it expires by itself when that date is reached.
The provenance criterion classifies cookies based on where they come from. They can be first-party cookies or third-party cookies.
- First-party cookies are set by your own website and are placed on your users’ devices as soon as they consent to it.
- Third-party cookies are produced by third-party tools that you use for some processing purpose. These tools are connected to your website, but the cookies are not set by your website. Instead, they reach the user’s device from a third-party website. These are usually analytics cookies, social media cookies, and similar ones.
However, nowadays there are cookies that cannot be easily placed in either of these two groups. A good example is Facebook’s tracking cookies: produced by Facebook but stored on your website. Although they are created by a third party (Facebook) and you can extract the data they collect only through Facebook’s marketing tools, they are stored on your website like first-party cookies.
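To make the duration and provenance criteria concrete, here is an added example in Node.js (my own code, not the article’s or Secure Privacy’s) that parses Set-Cookie header values the way a browser would and classifies each cookie as session or persistent and as first-party or third-party. The host names, cookie names and header values are constructed for the example, and the domain comparison is a simplification that ignores the Public Suffix List.

```javascript
// Added example: classify Set-Cookie headers by duration and provenance.
// Parsing follows RFC 6265 attribute rules; the host names and header
// values used as input are constructed for this example, not captured
// from any real site.

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute names are case-insensitive, so they are stored lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error(`malformed cookie pair: "${pair}"`);
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    attributes: {},
  };
  for (const part of attrParts) {
    const [rawKey, ...rest] = part.split('=');
    const key = rawKey.trim().toLowerCase();
    if (!key) continue;
    // Flag attributes (Secure, HttpOnly) carry no value; store them as true.
    cookie.attributes[key] = rest.length ? rest.join('=').trim() : true;
  }
  return cookie;
}

// Duration: no Max-Age and no Expires means a session cookie that dies when
// the browser closes. Max-Age takes precedence over Expires when both are
// valid (RFC 6265 section 5.3); a non-positive Max-Age or a past Expires
// tells the browser to delete the cookie immediately.
function classifyDuration(cookie, now = new Date()) {
  const a = cookie.attributes;
  if (typeof a['max-age'] === 'string' && /^-?\d+$/.test(a['max-age'])) {
    return Number(a['max-age']) > 0 ? 'persistent' : 'expired';
  }
  if (typeof a.expires === 'string') {
    const when = new Date(a.expires);
    // An unparseable date is ignored, which leaves a session cookie.
    if (!Number.isNaN(when.getTime())) {
      return when > now ? 'persistent' : 'expired';
    }
  }
  return 'session';
}

// Provenance: the cookie belongs to the domain named in its Domain attribute,
// or to the host that sent the response when Domain is absent. It is
// first-party when the page's host is that domain or a subdomain of it.
// Simplification: real browsers compare registrable domains using the
// Public Suffix List, so a shared suffix like "co.uk" would not count there.
function classifyProvenance(cookie, siteHost, responseHost) {
  const domainAttr = cookie.attributes.domain;
  const effective = (typeof domainAttr === 'string' ? domainAttr : responseHost)
    .toLowerCase()
    .replace(/^\./, '');
  const site = siteHost.toLowerCase();
  const firstParty = site === effective || site.endsWith('.' + effective);
  return firstParty ? 'first-party' : 'third-party';
}

// Classify every Set-Cookie a page load received, given the page's own host.
function classifyResponses(responses, siteHost, now = new Date()) {
  return responses.map(({ from, header }) => {
    const cookie = parseSetCookie(header);
    return {
      name: cookie.name,
      duration: classifyDuration(cookie, now),
      provenance: classifyProvenance(cookie, siteHost, from),
    };
  });
}

// Constructed sample: what a visit to https://shop.example.test might receive.
const SITE_HOST = 'shop.example.test';
const SAMPLE_RESPONSES = [
  { from: 'shop.example.test',
    header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { from: 'shop.example.test',
    header: 'lang=en; Max-Age=31536000; Path=/; SameSite=Lax' },
  { from: 'analytics.tracker.test',
    header: '_uid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=tracker.test; Secure; SameSite=None' },
];

console.table(classifyResponses(SAMPLE_RESPONSES, SITE_HOST));
```

Running it prints a table with `sessionid` as a first-party session cookie, `lang` as a first-party persistent cookie, and `_uid` as a third-party persistent cookie. The `classifyProvenance` check is where the Facebook case from the text shows up: a cookie set by your own host on behalf of a third-party script still comes out as first-party, which is exactly why the party classification alone says nothing about who ends up with the data.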
Cookies differ based on the purpose they serve to your business.
The most general classification by purpose is into essential and non-essential cookies.
Essential cookies are necessary for the proper functioning of the website. They have to be present for you to be able to use the website or the app at all.
Non-essential cookies serve purposes that are not necessary for the functioning of the website. All they do is help businesses collect the data they need.
Non-essential cookies can be:
- Analytics cookies. These cookies collect analytics data about the use of your website and are set by tools such as Google Analytics, Mixpanel, or Hotjar. They often track users’ behavior based on their IP address. Since an IP address is personal data, you need to comply with the laws regulating the collection of such data.
- Preference cookies. These cookies remember users’ choices on your website or app: the font size, preferred language, dark or light theme, etc.
There are many other types of cookies based on purpose, as many as there are purposes, but these are the most common ones.
This classification is the most important from a legal point of view. The granularity of cookie consent required by EU cookie laws such as the ePrivacy Directive and the GDPR follows the classification based on purpose. See GDPR cookie consent examples.
What does the EU cookie law require?
How to obtain consent?
According to the ePrivacy Directive, businesses need to obtain explicit consent from users before using cookies. That was about enough to comply with EU cookie laws from the introduction of the ePrivacy Directive in 2002 until the GDPR (General Data Protection Regulation) came into effect in 2018.
Since then, the requirements have become stricter and more detailed. They are prescribed in the GDPR itself and further tightened by the Planet49 decision of the Court of Justice of the EU and the EDPB guidelines on obtaining consent.
Consent has to be:
- Given freely. You have to allow users to give their consent freely. You must not coerce users into giving consent and should allow them to withdraw it without any consequences whatsoever.
- Specific. Consent is specific when obtained for each specific purpose of processing.
- Unambiguous. This requirement means that the consent is valid only if the user consents by an affirmative action. Ensure that the checkboxes or toggles for giving consent for each specific purpose are not pre-checked. Planet49 was fined by the data protection authority because it had its checkboxes pre-checked.
- Easily withdrawn. The GDPR requires businesses to allow users to withdraw previously given consent as easily as it was given. Failing to do so doesn’t invalidate the consent obtained, but it is a violation of the GDPR.
Do other countries have cookie laws similar to the EU cookie laws?
Yes, there are many countries all over the world that follow the example of the GDPR and the ePrivacy Directive. As a result, many of them require businesses to obtain explicit user consent before using cookies.
However, not all of them have such strict requirements for obtaining valid consent. Therefore, compliance with one law doesn’t mean compliance with all the other laws that require consent.
You have to do your own due diligence to make sure that you are aware of the particular legal requirements in your specific situation.
How to comply with the EU cookie laws?
You need to:
- Block all cookies except the essential ones before obtaining consent
- Request explicit cookie consent from users by a cookie banner
- The cookie banner needs to allow users to take affirmative action for giving cookie consent
- The cookie banner also needs to allow users to decline cookies
- You must not protect the website content with a cookie wall
- You must not bundle the cookie consent with the Terms and Conditions
- You need to request consent for each specific processing purpose
- The checkboxes, toggles, or other mechanisms for giving consent for each specific purpose must be off by default, and the user must check them or turn them on to give consent through affirmative action
- Do not assume that browsing the website means consent
- Keep records of all the consent responses
- Allow users to withdraw consent without a hassle, as easily as they had given it.
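The list above is a checklist of obligations. Here is an added example in Node.js (my own code, not the article’s and not the Secure Privacy product) of the technical part of it: non-essential tools are blocked until the user affirmatively ticks a purpose, browsing alone changes nothing, every decision is logged, and withdrawal is one call. The purposes, tool names, script URLs, and the `cookie_consent` cookie with its attributes are assumptions made for this example.

```javascript
// Added example: a minimal consent gate for non-essential cookies. The
// purposes, tool names and script URLs are made up for illustration; the
// attributes on the consent cookie are this example's own hardening
// choices, not requirements quoted from the article.

const PURPOSES = ['analytics', 'preferences'];

// Hypothetical tool catalogue: each script serves exactly one purpose.
const TOOLS = [
  { name: 'session-manager',  purpose: 'essential',   src: '/js/session.js' },
  { name: 'analytics-vendor', purpose: 'analytics',   src: 'https://analytics.vendor.test/tag.js' },
  { name: 'theme-prefs',      purpose: 'preferences', src: '/js/prefs.js' },
];

const allOff = () => Object.fromEntries(PURPOSES.map((p) => [p, false]));

// Starting state: nothing decided, every non-essential purpose unchecked.
// Merely browsing the site never flips `decided` to true.
function defaultConsent() {
  return { decided: false, purposes: allOff() };
}

// Record an affirmative choice. `granted` lists only the purposes the user
// actively ticked; every other purpose stays false. Each decision is appended
// to `log` so the business keeps a record of what was consented to and when.
function recordConsent(granted, log, now = new Date()) {
  const unknown = granted.filter((p) => !PURPOSES.includes(p));
  if (unknown.length) throw new Error(`unknown purpose(s): ${unknown.join(', ')}`);
  const purposes = Object.fromEntries(PURPOSES.map((p) => [p, granted.includes(p)]));
  log.push({ at: now.toISOString(), action: 'consent', purposes });
  return { decided: true, purposes };
}

// Withdrawal is a single call, as easy as giving consent was, and it is
// logged the same way.
function withdrawConsent(log, now = new Date()) {
  const purposes = allOff();
  log.push({ at: now.toISOString(), action: 'withdraw', purposes });
  return { decided: true, purposes };
}

// The gate: essential tools always load; a non-essential tool loads only
// when its purpose is explicitly true. A purpose the state does not know
// about is therefore blocked rather than allowed.
function toolsAllowedToLoad(state, tools = TOOLS) {
  return tools
    .filter((t) => t.purpose === 'essential' || state.purposes[t.purpose] === true)
    .map((t) => t.name);
}

// Persist the decision in a first-party cookie so it survives page loads.
// This cookie is itself essential: it only stores the user's own choice.
function consentCookieHeader(state, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(state.purposes));
  return `cookie_consent=${value}; Path=/; Max-Age=${maxAgeDays * 86400}; Secure; SameSite=Lax`;
}

// Read the consent cookie back from a Cookie request header. Anything missing
// or malformed falls back to the default (nothing consented, banner shown).
function consentFromCookieHeader(cookieHeader) {
  const match = /(?:^|;\s*)cookie_consent=([^;]*)/.exec(cookieHeader || '');
  if (!match) return defaultConsent();
  try {
    const parsed = JSON.parse(decodeURIComponent(match[1]));
    const purposes = Object.fromEntries(PURPOSES.map((p) => [p, parsed[p] === true]));
    return { decided: true, purposes };
  } catch {
    return defaultConsent();
  }
}

// Walk-through of one visitor's lifecycle.
const demoLog = [];
let demoState = defaultConsent();
console.log('before any choice:', toolsAllowedToLoad(demoState));
demoState = recordConsent(['analytics'], demoLog);
console.log('after ticking analytics:', toolsAllowedToLoad(demoState));
const demoHeader = consentCookieHeader(demoState);
console.log('stored as:', demoHeader);
console.log('restored:', toolsAllowedToLoad(consentFromCookieHeader(demoHeader.split(';')[0])));
demoState = withdrawConsent(demoLog);
console.log('after withdrawal:', toolsAllowedToLoad(demoState), 'records:', demoLog.length);
```

The design choice worth noticing is that `toolsAllowedToLoad` tests for `=== true` rather than for a truthy value, so a missing, null, or tampered entry in the stored choices fails closed. In a real deployment the `log` entries would go to durable storage, and the third-party script tags would be injected only for the names this function returns.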
Secure Privacy’s cookie solution has the EU cookie laws, the GDPR and the ePrivacy Directive, embedded in it.
It is a “prior consent” solution that blocks your non-essential cookies until explicit user consent has been obtained, as the law requires.
The rules on obtaining consent are also embedded in the solution: the checkboxes remain unchecked, all consents are securely stored, and users can withdraw consent easily, just as the EU cookie laws require.
You can sign up for a free trial here.