Cookies and the Law
Cookies, or any technology that can be used to store data on, or read data from, a user's device, are subject to the European GDPR and the EPrivacy Directive. This article explains the technologies involved and your responsibilities under current Irish and European law.
First things first. What's a Cookie?
A cookie is a small string of text that a website asks the browser to store on the end-user's computer. Each cookie is set with a Set-Cookie response header and carries:
- one name/value pair, such as currency=euro. A site can set several cookies, and the browser sends them back together on later requests, like:
currency=euro; language=french; loggedin=true
- an optional expiry (an Expires date, or a Max-Age in seconds; if neither is set, the cookie is deleted when the browser closes)
- the domain (eg mywebsite.com) and path the cookie belongs to, which decide which requests it is sent with
- a few security attributes (Secure, HttpOnly and SameSite) which we'll leave aside for the purposes of this article
Cookies are for Remembering Things
HTTP, the protocol web pages are served over, is stateless. That's a technical term; it means every request is handled on its own, so a web page cannot by itself remember choices you made on the previous page. Cookies are how websites "remember things" - the fact that you have logged in, chose the Euro, added something to your shopping cart, or decided to view the website in French.
A cookie is data, not code: it cannot execute anything, and the cookie file itself is harmless. The danger is that some companies use cookies to track and profile user behaviour across multiple domains, and that is why European legislators are concerned about them.
Under European legislation you are required to inform your visitors about the nature of the cookies used (session, persistent, first party, third party), to name them and describe their purpose, and to obtain consent before any cookie that is not strictly necessary for the service the visitor asked for is stored on their device. In practice that means consent for persistent tracking cookies, while a session cookie that keeps someone logged in or holds their shopping cart does not need it.
The differences between Session cookies, Persistent cookies, and First and Third party cookies are explained in the sections that follow.
Session Cookies versus Persistent Cookies
Remember earlier, when we defined a cookie, we said that a cookie can optionally carry an expiry as part of its string? If an Expires date or a Max-Age is set, the cookie stays on the end-user's equipment until that time is reached. That makes it a Persistent cookie. Persistent cookies are where tracking happens, so they normally require user consent.
If no expiry is set, the cookie is destroyed once the user closes his/her browser. In other words, the cookie survives only as long as the user's browser session - hence the term Session Cookie. Session cookies used for things the user has asked for (a login, a shopping cart) do not require user consent. Note that persistence is a convenient rule of thumb rather than the legal test: the exemption in the EPrivacy Directive turns on whether the cookie is strictly necessary for the service the user requested, so a session cookie set purely for tracking still needs consent.
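As an added example (mine, not part of the original article), here is how a browser reads the Set-Cookie headers described above and decides which cookies are session cookies and which are persistent. The four header values are constructed for the example, and it runs under Node.js. Per RFC 6265, a Max-Age attribute takes precedence over Expires, a cookie with neither is a session cookie, and a Max-Age of 0 (or an Expires date in the past) deletes the cookie - which is also the trick used to remove a cookie when a visitor withdraws consent.

```javascript
// Added example: parse Set-Cookie header values and classify each cookie as a
// session cookie, a persistent one, or an expired one. Sample headers are
// constructed for this example.

function parseSetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? "" : pair.slice(eq + 1),
    expires: null,    // absolute expiry as a Date; null means a session cookie
    domain: null,     // null means host-only: sent back only to the host that set it
    path: "/",
    secure: false,    // Secure: only sent over HTTPS
    httpOnly: false,  // HttpOnly: not readable from page scripts (document.cookie)
    sameSite: "Lax",  // modern browsers default to Lax when the attribute is absent
  };
  let maxAge = null;
  let expiresAt = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    switch (key) {
      case "expires": expiresAt = new Date(val); break;
      case "max-age": maxAge = Number.parseInt(val, 10); break;
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "path": cookie.path = val || "/"; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val; break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  // RFC 6265: Max-Age wins over Expires when both are present.
  if (Number.isInteger(maxAge)) {
    cookie.expires = new Date(now.getTime() + maxAge * 1000);
  } else if (expiresAt instanceof Date && !Number.isNaN(expiresAt.getTime())) {
    cookie.expires = expiresAt;
  }
  if (cookie.expires === null) cookie.kind = "session";
  else if (cookie.expires.getTime() <= now.getTime()) cookie.kind = "expired"; // Max-Age=0 or past date: browser deletes it
  else cookie.kind = "persistent";
  return cookie;
}

// Build the inventory a cookie statement needs: name, kind, expiry and flags.
function cookieInventory(headers, now = new Date()) {
  return headers.map((h) => {
    const c = parseSetCookie(h, now);
    return {
      name: c.name,
      kind: c.kind,
      expires: c.expires ? c.expires.toISOString() : "end of browser session",
      domain: c.domain || "host-only",
      secure: c.secure,
      httpOnly: c.httpOnly,
      sameSite: c.sameSite,
    };
  });
}

// Constructed Set-Cookie values, as a site like mywebsite.com might send them.
const SAMPLE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "language=french; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
  "_ga=GA1.2.123456789.1700000000; Max-Age=63072000; Domain=.mywebsite.com; Path=/",
  "currency=euro",
];

console.table(cookieInventory(SAMPLE_HEADERS));
```

The inventory function is the useful part for a Cookie Statement: the kind and expiry columns are exactly what Irish guidance asks you to declare, and running it over the headers your own site sends (for instance, copied from the browser's Network tab) is a quick way to check the statement against reality.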
First Party versus Third Party Cookies
The browser program that you use to access web pages is also responsible for the storage and access of cookies.
When you visit a webpage, your browser will request the resources (images/videos/iframes/scripts/etc) that make up the web page you are visiting. Your browser will also store or access cookies on your equipment on behalf of all the domains from whom the resources are being requested.
- If the resources (images/videos/text/iframes/scripts/stylesheets/etc) belong to the site you are visiting, then the cookies that are stored or accessed are called First Party Cookies. In other words, they're from the same website that you're visiting. (Browsers judge this by site, so a subdomain such as cdn.mywebsite.com still counts as first party on mywebsite.com.)
- However, if the resources (images/videos/text/iframes/scripts/stylesheets/etc) do NOT belong to the site you are visiting, then the cookies that are stored or accessed are called Third Party Cookies. In other words, they're NOT from the same website you're visiting.
For instance, if you embed a Google Map on your webpage you would be asked to add code like this to your webpage:
<iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d38419.67162600166!2d-7.029576220898437! ..."></iframe>
Notice that the domain google.com is not the same as yours. But your browser will obey the code, download the Third Party resources as instructed, and send google.com any cookies it has previously set for that domain.
Understanding the Different Cookie Types
When people talk about "cookies" in the context of the European legislation, what they actually mean is:
The use of the end-user's terminal equipment to store or access information.
So the fuss started when people began realising that information was being stored and accessed from their devices without their knowledge or prior permission!
But here's a thing: cookies are not the only technology that allows information to be stored on or accessed from your device! People routinely use the term "cookies" to cover a myriad of technologies that have become of concern to the European legislators, but it's good to be aware that a cookie is NOT the same thing as:
- Local Storage
- Pixel Gif
- Device Fingerprinting
All of the above can also be used to store and/or access information on your device, and they too are being examined by the European legislators. Learn more about these technologies below:
Pixel Gif (aka Web Beacon, Web Bug)
Remember I said that your browser will download all the resources on the web page you're visiting (images/videos/text/iframes/scripts/stylesheets/etc)? Well, a pixel gif is a tiny (1 x 1px) transparent image that your browser downloads if it has been put on the web page (usually because of code you were instructed to embed from a Third Party company whose functionality you wanted).
Once that image has been requested from your device, the company responsible for the code knows right away that you've visited that web page, along with your IP address and browser details, and can set or read its own cookies on the request.
It's also commonly used by mailing list companies to track how many campaign emails have been opened (which is why many email programs now block remote images by default).
Another one you may be familiar with is the Meta (Facebook) Pixel. Website owners who want to use Facebook for analytics or marketing are asked to install Facebook's code on their website. When someone visits those pages, the pixel gif gets downloaded to the visitor's device.
If you are using technologies that rely on pixel gifs, you should state their purpose (what information you collect using these technologies) in your Cookie Policy, and get the visitor's prior permission to download them onto their device.
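The two sections above (First Party versus Third Party, and Pixel Gif) come down to the same check: for every resource a page loads, which site does it belong to, and is it a 1x1 image from someone else? Here is an added example (mine, not from the original article) that performs that check over a constructed list of resources, the kind of list a crawler or the browser's Network tab would give you, and produces the list of third parties a Cookie Statement has to name. Browsers compare sites (registrable domains), not full hostnames; without the Public Suffix List the example approximates the registrable domain with the last two labels, which is an assumption of the example and wrong for suffixes such as co.uk. The resource URLs are placeholders, not identifiers from any real site.

```javascript
// Added example: classify a page's resources as first- or third-party and flag
// probable tracking pixels. The page URL and resource list are constructed.

// Approximate the registrable domain with the last two labels. Assumption of
// this example: a real implementation should use the Public Suffix List.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

function classifyResource(pageUrl, res) {
  const page = new URL(pageUrl);
  const target = new URL(res.src, page); // resolves relative URLs against the page
  const sameSite = registrableDomain(target.hostname) === registrableDomain(page.hostname);
  const party = sameSite ? "first-party" : "third-party";
  // A 1x1 image fetched from another site is the classic web beacon / pixel gif.
  const trackingPixel = !sameSite && res.tag === "img" && res.width === 1 && res.height === 1;
  return { tag: res.tag, host: target.hostname, party, trackingPixel };
}

function inventory(pageUrl, resources) {
  return resources.map((r) => classifyResource(pageUrl, r));
}

// The third parties a Cookie Statement has to name: unique hosts, sorted.
function thirdPartyHosts(pageUrl, resources) {
  const hosts = inventory(pageUrl, resources)
    .filter((r) => r.party === "third-party")
    .map((r) => r.host);
  return [...new Set(hosts)].sort();
}

// Constructed: what a crawler or the devtools Network tab might list for one page.
// Query strings and IDs are placeholders.
const PAGE = "https://www.mywebsite.com/contact";
const RESOURCES = [
  { tag: "img", src: "/images/logo.png", width: 200, height: 60 },
  { tag: "img", src: "https://cdn.mywebsite.com/hero.jpg", width: 1200, height: 400 },
  { tag: "iframe", src: "https://www.google.com/maps/embed?pb=..." },
  { tag: "script", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { tag: "img", src: "https://www.facebook.com/tr?id=000000000&ev=PageView&noscript=1", width: 1, height: 1 },
];

console.table(inventory(PAGE, RESOURCES));
console.log("Third parties to declare:", thirdPartyHosts(PAGE, RESOURCES));
```

A script tag from a third party is flagged as third-party even though it is not a pixel: once it runs on your page it can set first-party cookies (Google Analytics' _ga cookie is set this way) and load further third-party resources, so it belongs in the statement too.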
Local Storage (and indexedDB and Cache Storage)
Modern browsers (Chrome, Firefox, Safari, the Android browsers, etc) all allow a web page or web app to store information on the device, the stated reason being offline use.
Technologies like Local Storage, indexedDB and Cache Storage are in use now and make cookies look old-fashioned. Guess what? I bet you know how to delete your cookies, and I bet you don't know how to delete Local Storage - and btw, Local Storage has no expiry mechanism at all: an entry stays until a script removes it or the user clears the site's data.
indexedDB can store a whole heap more information than Local Storage - it's actually an entire database!
Cache Storage is the newest kid on the block, and it's mostly used with Service Workers (scripts that keep an app's content, like images and text, so that it can be served offline).
Whatever about these newer storage technologies, the principle is the same as far as the law is concerned - the storage is on the visitor's device, and therefore requires the visitor's permission, subject to the same strictly-necessary exemption as cookies!
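Because Local Storage has no expiry, anything you keep there (a remembered language, a consent choice) lives for ever unless your own code removes it. Here is an added example (mine, not from the original article) of a small wrapper that stores each entry with an absolute expiry and purges expired ones, giving Local Storage the cookie-like lifetime limits the law expects you to state. It works on any object with the Web Storage interface (window.localStorage in a browser); the MemoryStorage class at the bottom is a constructed stand-in so the code also runs under Node.js, and the clock is injectable so expiry can be tested without waiting.

```javascript
// Added example: give Local Storage the expiry it lacks. Works on anything with
// the Web Storage interface (window.localStorage in a browser); MemoryStorage
// below is a constructed stand-in so the example also runs under Node.js.

class ExpiringStorage {
  constructor(storage, { prefix = "ttl:", now = () => Date.now() } = {}) {
    this.storage = storage;
    this.prefix = prefix;
    this.now = now; // injectable clock, so expiry can be tested deterministically
  }

  // Store a value with a lifetime in seconds, recording the absolute expiry time.
  set(key, value, ttlSeconds) {
    const record = { v: value, exp: this.now() + ttlSeconds * 1000 };
    this.storage.setItem(this.prefix + key, JSON.stringify(record));
  }

  // Returns the value, or null if the entry is missing, corrupt or expired.
  // Corrupt and expired entries are removed on the way out.
  get(key) {
    return this.readRecord(this.prefix + key);
  }

  readRecord(fullKey) {
    const raw = this.storage.getItem(fullKey);
    if (raw === null) return null;
    let record;
    try { record = JSON.parse(raw); } catch { record = null; }
    if (!record || typeof record.exp !== "number" || record.exp <= this.now()) {
      this.storage.removeItem(fullKey);
      return null;
    }
    return record.v;
  }

  // Sweep every entry we own and drop the expired ones. Iterates backwards
  // because removeItem shifts the indexes of the keys after it.
  purgeExpired() {
    let removed = 0;
    for (let i = this.storage.length - 1; i >= 0; i--) {
      const k = this.storage.key(i);
      if (!k || !k.startsWith(this.prefix)) continue;
      const before = this.storage.length;
      this.readRecord(k);
      if (this.storage.length < before) removed++;
    }
    return removed;
  }
}

// Constructed in-memory Storage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return i < this.map.size ? Array.from(this.map.keys())[i] : null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Usage: in a browser you would pass window.localStorage instead of MemoryStorage.
const prefs = new ExpiringStorage(new MemoryStorage());
prefs.set("language", "french", 60 * 60 * 24 * 30); // 30 days, like a persistent cookie
console.log(prefs.get("language"), "| expired entries purged:", prefs.purgeExpired());
```

Call purgeExpired() once at page load; a value that has expired is also dropped the first time it is read, so a stale entry can never be returned even if the sweep has not run yet.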
Device Fingerprinting
Device Fingerprinting is replacing cookies, and will go on replacing them, as the tool of choice for the companies that specialise in tracking user behaviour online and selling that information to interested parties.
Your browser will gladly reveal a slew of settings to the right sort of script: browser type and version, language, installed plugins and fonts, device OS, screen resolution, timezone and loads more. Modern HTML's Canvas element adds the decisive ingredient: the script draws some text and shapes into a canvas and hashes the resulting pixels, and because the output depends on your GPU, drivers and fonts it differs subtly from machine to machine. Added up, these settings will be close to unique to you. The chances that your settings are identical to someone else's are quite small, even if you're using a popular browser.
And the irony here is that your device's unique fingerprint is NOT stored on your device. It's stored elsewhere, by the company (or companies) tracking you via your Device Fingerprint. A bit of a poke in the eye for the legislators, right? (Though note the definition quoted above: the law covers gaining access to information on the device as well as storing it, and reading those settings is access.)
So when you visit xyz.com they'll know it's most probably you. And now they can build up a complete picture of YOU without storing anything on your device. (E.g. the fictional you spends 90% of her time on just 12 websites. The fictional you prefers fashion to politics, so we can get her attention with a fashionista ad that's really about persuading her to vote for such-and-such a political party, because there's an election coming up in her country. Of course we don't know where she actually lives, and we wouldn't pry, but she's probably Catalan since 10 of the 12 sites she visits end in .es, and that happens to be the language of her device's keyboard, right?)
You get the idea. And probably, like me, you are wondering why the European legislators are bothering about cookies at all. No-one else is. Not any more. Not with Device Fingerprinting. Device Fingerprinting is a game changer.
Do a search for "How to Prevent Device Fingerprinting" to get an idea how difficult it is to overcome this technology.
The EPrivacy Directive vs the EPrivacy Regulation
The (still pending) EPrivacy Regulation is meant to work alongside the GDPR (General Data Protection Regulation), which has applied since 25 May 2018. As far as websites in EU countries are concerned:
- GDPR governs the Privacy Policy (aka "Data Privacy" notice) that every website in the EU must provide
- EPrivacy governs the Cookie Policy that every website in the EU that uses any type of cookies must provide
The Privacy Policy and the Cookie Policy must be two separate documents on your website.
Legal Spaghetti
GDPR is a Regulation, meaning it applies directly and identically EU-wide, but EPrivacy is still only a Directive - meaning each country transposes it into its own national law and can interpret it to suit itself.
And that's very confusing. If your website is run from Ireland, for instance, the "Cookie Law" that you'll follow is SI 336/2011 which, summarised, says:
- There is clear communication to the user about the use of cookies by way of a banner/prominent notice on the homepage that links through to a Cookie Statement
- The Cookie Statement should provide clear information about the use of cookies and further, inform users how to manage and disable cookies
- Consent to the use of cookies can be implied by the user's browser settings (but only after they've been informed how to change their browser settings)
- Clear communication and consent must be obtained in the case of Third Party cookies (by way of points 1-3 above, one assumes)
- Third Party cookies must be named along with their purpose and expiry (persistence). A link must be provided to the "advertising network" (sic) concerned where a user can opt out of receiving their cookies.
From the Irish perspective the interpretation is pretty lax: put up a cookie banner, declare your Third Party cookies and show users how to turn them off. In Italy, by contrast, no cookies whatsoever can be set without first obtaining the user's consent.
The EPrivacy Regulation is still pending, but it will completely replace the EPrivacy Directive and, because it will be a Regulation, it will apply across the EU in a harmonised fashion. Individual countries will no longer be allowed to "interpret" it. The (pending) EPrivacy Regulation is meant to work with the GDPR to protect users' data and rights.
Some Q&A
My view would be that to use Analytics safely:
- Get your visitor's consent before you allow Analytics to set cookies
- Make sure your visitor can change their consent at any time
- Ensure that IP address collection by Analytics is anonymised (guidance on doing this here: https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization)
Yes, they definitely make life easier! I'll talk about some options that I've used myself. Feel free to try others, there's plenty out there.
- If you're using Wordpress and you want a free one, you could try GDPR Cookie Consent (CCPA Ready). This is the free version, it's moderately easy to use and it works really well.
- If you're not using Wordpress, or you want a more comprehensive system, then you could try out CookieBot.com. The free version only applies if your website has 50 pages or fewer. The paid version is better because you can template the banner, but at €12/mo it really isn't affordable for everyone running a website.
- CookieYes.com offers a free version where you can use custom colours/content provided that you don't have more than 25,000 pageviews/mo. It works really well.
The reason there is still no EPrivacy Regulation is that they can't come to an agreement on it. There's a lot of pressure in Europe to get rid of cookie banners altogether (hurray!) and put the onus on users to set their preferred cookie settings in their browser. That sounds hard on users, but the Brave browser has already done it: when you install and set it up, you get a simple question asking whether you never want to see a cookie banner again, and you just hit Yes. No more tracking cookies, no more pesky banners! This will cause a big problem for analytics and AdWords, obviously, but I think they'll move on to stealthier methods of tracking users, like Device Fingerprinting, which doesn't require cookies at all.