Many companies today use cookies to track user activity on their websites. Although almost every website uses cookies, not all cookies are the same, and neither are the rules that govern their use.
Read on to learn about the different types of computer cookies and how they affect your operations as a business owner.
A Helpful Guide About Web and Browser Cookies
If you use cookies on your own website, you need to understand exactly what cookies are. Specifically, you need to know which regulations control their use, and how you can avoid landing in hot water over inappropriate cookie practices.
1. What Are Cookies on Websites?
What are website cookies? Cookies are tiny trackers that connect users and websites. They function like a combination of an online ID card and a digital Post-it Note, helping the website remember the user’s choices and activities.
Internet Cookies Definition
Internet cookies are small text files that a website downloads to a user’s device in order to track their behavior on the website and remember their preferences.
Cookies play a role in almost everything people do on the internet — from remembering user login information and online shopping cart items, to helping companies create targeted ads.
Why Are Computer Cookies Called Cookies?
The name “cookie” has its origins in early computer terms, when “magic cookie” was used to describe a small piece of data passed between programs. The name is still used in today’s computer lingo, but now you’ll most commonly see a cookie referred to as an HTTP cookie, web cookie, browser cookie, or internet cookie.
Are Computer Cookies Bad?
Website cookies aren’t harmful — they don’t download computer viruses or read email addresses. However, cookies still pose security threats to users because they collect personal data about browsing habits. Such information is vulnerable to data breaches and theft.
Because tracking cookies are used for targeted advertising, users often have security concerns about them. Despite privacy concerns, cookie data that web servers collect is vital to creating the smooth online experience that most people have come to expect.
Users can manage cookies by opening their web browser (such as Chrome, Firefox, or Safari) and finding where cookies are stored. For example, cookie storage can be enabled/disabled in Google Chrome by clicking “settings,” then “cookies and other site data” and selecting “block all third-party cookies.”
Some cookie files may be difficult to delete. In the past, these included “zombie cookies,” which recreated themselves after deletion by using a separate Flash cookie. Now that Adobe Flash is no longer supported, you should look out for persistent or super cookies, which stay on your computer even after you’ve closed the browser. Intended to remember your usernames and other preferences for a specific period of time, persistent cookies can be deleted by going to your browser and selecting the button that removes cookies. Depending on your browser, you may have to click on the “Advanced Settings” tab in your browser to find an option to delete these cookies.
How Do You Delete Cookies From Your Browser?
Here’s how you can delete cookies from your browser in Google Chrome and Microsoft Edge.
In general, you can adapt these steps to delete computer cookies from your browser, regardless of what browser you’re using:
- Press the three dots on the far right of your main menu
- Find the Settings or Options button
- Scroll down to the Privacy and Security section, where you will then see an option to delete cookies.
How to Delete Cookies from Google Chrome
- Press the three dots on the far right in your main menu. Click on Settings.
- After clicking Settings, a new tab titled “Settings” should have popped up. Scroll down until you see the Privacy and security section. Then, click on the Clear browsing data button.
- From here, you can choose to do a Basic or Advanced computer cookie deletion. A Basic deletion gets rid of all of your browsing history, cached images, and computer cookies.
- Click on Clear data to delete what you’ve selected.
How to Delete Cookies from Microsoft Edge
- Press the three dots on the far right in your main menu. Click on Settings.
- After clicking Settings, a new tab titled “Settings” should have popped up. On the left hand panel, click on the Privacy, search, and services section.
- In the middle of the page, scroll down until you see the Clear browsing data section and click Choose what to clear.
- Select what you want to delete from the Clear browsing data window that pops up.
- Click Clear now to delete the data you’ve selected.
2. How Do Cookies Work?
When a user visits a website, a cookie is downloaded in their web browser (such as Google Chrome) and stored as a plain text file. Each browser stores cookies in slightly different places. When the user returns to the site, their web browser reads the file and shares the information with the domain they’ve visited.
There are two different types of internet cookies. Session cookies only collect details from single browsing sessions, while persistent cookies remain on the user’s device and collect login information over time.
What Do Cookies Do?
Cookies serve a wide range of functions for businesses, but most fall under the following five categories:
Essential Cookies
Essential cookies are a site’s basic form of memory — usually first-party cookies — used to store the settings selected by a user on a given site. As the name implies, they are essential to a website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to prevent visitors from having to log in each time they access a new webpage in the same session.
Performance and Functionality Cookies
These cookies are used to enhance the performance and functionality of a website, but are not essential to its use. However, without these cookies, certain functions (like videos) may become unavailable.
Web Analytics and Customization Cookies
Analytics and customization cookies track user activity in their browsers, so that website owners can better understand how their site is being accessed and used.
Advertising Cookies
Advertising cookies are used to customize a user’s ad experience on a website based on their browsing history. Using the data collected from these cookies, websites and advertising companies can prevent the same ad from appearing again and again, remember user ad preferences, and tailor which ads appear in browsers based on a user’s online activities.
Social Networking Cookies
Social networking tracking cookies allow users to share content on social media platforms, and help link activity between a website and third-party sharing platforms.
The personal information that cookies collect, plus the fact that they do pose a security risk, has created a need for cookie laws and regulations. If your website deploys cookies, there are several legal requirements you need to know if you want to stay out of trouble with the law.
3. Computer Cookie Laws Explained
Laws that impact websites, apps, data, etc., are cropping up around the world in order to mitigate the data security risks associated with cookies.
While cookie regulation is still relatively new territory, the following laws are breaking ground on providing notification and consent rights to users over the cookies they encounter online:
The General Data Protection Regulation (GDPR) and Cookies
The European Union (EU)’s GDPR aims to give users greater rights over their personal data through stringent notification and consent guidelines. Under this law, users need to be informed of the existence of cookies on a website and then give valid GDPR cookie consent to their use. If consent is not given, the site in question cannot lawfully collect information from that user using cookies.
However, there are some exceptions. Essential cookies, performance cookies, and functionality cookies are often used on the basis of GDPR legitimate interest or for the fulfillment of a contract. Therefore, user consent isn’t necessarily mandated for deployment of these cookies to be considered lawful.
In accordance with Article 12 of the GDPR, personal data collection (including personal data collection done through cookies) needs to be clearly outlined through accessible policies. To achieve compliance with the GDPR, you should generate a privacy policy that discloses your use of cookies and thoroughly outlines them in a cookie policy.
You should also keep the following in mind:
- Cookie walls are not considered explicit consent, since they don’t offer users a genuine choice to reject or accept cookies. All they do is block content from users who reject using cookies.
  - This means that you should not use cookie walls.
- Swiping or scrolling through web content is not equivalent to implied consent. The EU only believes in the validity of explicit consent.
  - This means you should always seek to obtain explicit consent from users before using cookies.
When it comes to the relationship between cookie use and the GDPR, it’s important to remember that data collected through cookies is considered personal information — and is therefore subject to all personal data collection guidelines of the GDPR.
The EU Cookie Law
The EU Cookie Law (or EU Cookie Directive) is an adaptation of the EU ePrivacy Directive — a piece of cornerstone legislation that governs digital privacy throughout the European Economic Area (EEA) in conjunction with the GDPR.
As is the case with the GDPR, the law not only applies to all businesses operating within member states of the EEA, but any business with users in the EEA, regardless of the company’s physical location.
The Cookie Law comes down to one main premise: obtain user consent to cookies.
However, the law stipulates that the opt-in requirement only applies to non-essential cookies, meaning you can use cookies that are necessary for the proper functioning of your website without first getting consent.
United States (US) Cookie Laws
In the United States, while there is no one all-encompassing federal cookie law, there are several internet privacy rules that apply to corporate cookie usage, including:
- The Computer Fraud and Abuse Act of 1984
- The Americans with Disabilities Act
- The Children’s Internet Protection Act of 2001 (updated 2013)
- The Children’s Online Privacy Protection Act (COPPA)
Furthermore, the California Consumer Privacy Act (CCPA) also applies to cookie usage, as the act serves to safeguard the personal data of internet users in a similar manner to the GDPR.
On top of fines and penalties from supervisory authorities, the CCPA gives users the right to sue a business for breach of data, even if no monetary or physical damages are suffered.
Starting January 1, 2023, the California Privacy Rights and Enforcement Act (CPRA) will replace the CCPA, giving users all rights under the CCPA plus the right to rectification and the right to limit the use and disclosure of sensitive personal information. This means that the CPRA gives consumers the right to correct inaccurate personal data as well as to opt out of sharing sensitive personal data.
4. Managing Cookies on Your Website
As computer cookie laws and their specific stipulations differ from place to place, it’s important to look into exactly which rules and regulations apply to your business, and navigate them accordingly.
Although the laws governing cookie usage are complex, the aim of almost all cookie legislation is essentially the same. Therefore, implementing a few simple measures can help you comply with the majority of cookie law requirements, and adhere to cookie use best practices.
How to Stay on the Right Side of Cookie Data Laws
Here are three basic steps you can take to develop a best practice cookie policy and meet the requirements of major cookie laws:
1. Audit and Classify Your Cookies
Many websites run more tracking cookies than they realize. If you’re not sure exactly what cookies are on your site, it’s impossible to describe your cookie practices to users. Not only should you make an effort to audit your cookies to discover which ones you use, but you should then classify those cookies by their purpose (for example, the six categories mentioned above).
Organizing your cookies by the purposes they serve is essential to completing the following two steps.
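One way to run this audit step, as an added example that is not part of the original article: it parses `Set-Cookie` headers, separates session from persistent cookies (the two types described under "How Do Cookies Work?"), marks first-party versus third-party cookies, and lists any cookie missing from your inventory. The host names, cookie names, category labels and inventory are constructed assumptions.

```javascript
// Added example: audit observed Set-Cookie headers against a declared inventory.
// SITE_HOST, INVENTORY and SAMPLE are constructed for illustration.
const SITE_HOST = "shop.example";
const INVENTORY = new Map([    // cookie name -> purpose category from your audit
  ["session_id", "essential"],
  ["lang", "performance_functionality"],
  ["_visits", "analytics_customization"],
]);

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify a cookie set by `host` while the user is browsing SITE_HOST.
function classify(header, host, now = new Date()) {
  const c = parseSetCookie(header);
  // Max-Age takes precedence over Expires; with neither, the cookie ends with the session.
  let lifetimeDays = null;
  if (c.attrs["max-age"] !== undefined) lifetimeDays = Number(c.attrs["max-age"]) / 86400;
  else if (c.attrs.expires !== undefined)
    lifetimeDays = (Date.parse(c.attrs.expires) - now.getTime()) / 86400000;
  // Simplified host comparison; a production audit should use the Public Suffix List.
  const domain = String(c.attrs.domain || host).replace(/^\./, "").toLowerCase();
  const firstParty = domain === SITE_HOST || SITE_HOST.endsWith("." + domain) ||
    domain.endsWith("." + SITE_HOST);
  // A lifetime of zero or less is the server asking the browser to delete the cookie.
  const type = lifetimeDays === null ? "session" : lifetimeDays <= 0 ? "deletion" : "persistent";
  return { name: c.name, type, lifetimeDays, party: firstParty ? "first-party" : "third-party",
    category: INVENTORY.get(c.name) || "UNCLASSIFIED" };
}

// Classify every observation and list cookies missing from the inventory.
function audit(observations) {
  const rows = observations.map((o) => classify(o.header, o.host));
  const unclassified = rows.filter((r) => r.category === "UNCLASSIFIED").map((r) => r.name);
  return { rows, unclassified };
}

const SAMPLE = [               // constructed responses, not captured traffic
  { host: "shop.example", header: "session_id=abc123; Path=/" },
  { host: "shop.example", header: "lang=en; Max-Age=31536000; Path=/" },
  { host: "ads.tracker.example", header: "uid=42; Domain=tracker.example; Max-Age=63072000" },
];
console.table(audit(SAMPLE).rows);
```

Any name that appears in `unclassified` is a cookie your site sets that your cookie policy cannot yet describe.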
2. Disclose Your Cookie Practices to Users
Cookies are used to collect personal information, which means they need to be disclosed in your privacy policy.
Current cookie and data privacy laws — like the EU Cookie Law — require you to also provide a cookie policy which fully outlines your use of cookies. This policy should reference your cookie audit discoveries and classifications, detailing exactly which cookies you use, and what purpose they fulfill.
Make this policy easily available by linking it in your website’s footer and in the next step of your cookie compliance plan — your cookie consent banner.
3. Get Consent Before Deploying Cookies
The most important measure you need to take in order to comply with the EU Cookie Law and the GDPR is getting users to consent to how you use cookies.
There are three elements of a legally valid cookie consent:
- Affirmation that the user is aware of and consenting to the use of cookies
- The option for users to set their cookie preferences
- The ability to revoke consent at any time
These requirements can be easily accomplished by generating a cookie banner.
The banner should pop up when a user navigates to your site for the first time, and inform them that your website uses cookies. There should also be some form of affirmation (a button or checkbox for example) that people can click to show they consent to your use of cookies, and accept them from your site. This kind of banner is sometimes referred to as browsewrap and should be highly visible or else risk being unenforceable.
Furthermore, your cookie notification message should include a link that directs users to learn more about your cookie use and set their preferred cookie settings. If people choose not to consent to the use of all cookies, they should be able to give consent to specific categories of cookies.
You also need to give users the ability to withdraw their consent at any time. Include links in your website footer, cookie policy, and privacy policy that direct users to a form or webpage where they can easily revoke consent if they choose to do so.
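The three elements of consent listed above can be enforced in code rather than only shown in a banner. The following is an added example, not part of the original article or any vendor's product: `ConsentGate`, the `Map` used as a cookie jar, the category labels and the cookie names are all hypothetical.

```javascript
// Added example: gate cookie writes on explicit, per-category consent.
// ConsentGate, the Map-based jar and all cookie names are hypothetical.
const NON_ESSENTIAL = ["performance_functionality", "analytics_customization",
  "advertising", "social_networking"];

class ConsentGate {
  constructor(jar = new Map()) {
    this.jar = jar;            // name -> { value, category }; stands in for the browser cookie store
    this.granted = new Set();  // non-essential categories the user has accepted
    this.history = [];         // record of each explicit choice, kept as evidence of consent
  }

  // Record a choice made through the banner. Only an explicit action counts;
  // scrolling or swiping is ignored, and nothing is granted by default.
  recordChoice(choices, action, at = new Date()) {
    if (action !== "click") return false;
    for (const cat of NON_ESSENTIAL) {
      if (choices[cat] === true) this.granted.add(cat);
      else if (choices[cat] === false) this.revoke(cat);
    }
    this.history.push({ at: at.toISOString(), choices: { ...choices } });
    return true;
  }

  // Essential cookies need no opt-in; every other category (including unknown ones) does.
  allows(category) {
    return category === "essential" || this.granted.has(category);
  }

  // Write the cookie only if its category is permitted; returns whether it was set.
  setCookie(name, value, category) {
    if (!this.allows(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  // Withdrawing consent also removes cookies already set for that category.
  revoke(category) {
    this.granted.delete(category);
    for (const [name, c] of this.jar) {
      if (c.category === category) this.jar.delete(name);
    }
  }
}
```

Routing every cookie write through `setCookie` means a script tagged `advertising` cannot set anything until the user has accepted that category, and `revoke` clears what was set earlier.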
4. Check for Cookie Consent Exemptions
According to the overseeing EU advisory body, businesses don’t need to get user consent in the deployment of all cookies under the Cookie Law. In fact, two types of applications of cookies are exempt from the ePrivacy consent requirements:
- Cookies used only for sending data over a network
- Cookies essential for an information society service (e.g., most websites and apps) to deliver a service explicitly requested by the user.
The advisory body further outlines some common cookies that fall under these two exemptions:
- User-input cookies (session-id): User-input cookies are used to keep track of items that the user themselves input to your website. For example, a cookie that remembers the items in a customer’s shopping cart, or the answers to an online form, is a user-input cookie.
- Authentication cookies: These tracking cookies work by identifying a user through their login credentials. When a website visitor enters their user ID and password (including when using a password manager), these cookies will confirm the user’s identity and “remember” their account information.
- User-centric security cookies: These detect authentication errors and abuses, such as incorrect login details. When a visitor enters incorrect login credentials, these cookies detect that and keep track of how many incorrect entries are made.
- Multimedia content player cookies: Content player cookies enable audio or video play. If a user is scrolling through your site and encounters an auto-play video file, multimedia player cookies allow that video to play.
- Load-balancing cookies: These cookies serve perhaps the most basic cookie function, in that they connect information between the user’s web server and your web server.
- User-interface customization cookies: These cookies store user-experience preferences. For example, if a user has selected a preferred language or color scheme, this preference will be saved in a user-interface customization cookie.
All of these exempt cookies are only meant to serve their purpose over the course of the user’s session on your website. If they follow your users around the web, collecting information that isn’t necessary for website–user interactions, they are no longer exempt from ePrivacy consent requirements.
5. Key Takeaways
Now that we have explained what an internet cookie is in full, let’s review the main points.
Cookies are one of the most complex yet valuable tools for operating an online business. They’re used for everything from analytics to remembering shopping cart items. Cookies are not harmful, but the information they collect about people’s browsing habits is considered personal data.
The global call for greater user privacy rights and digital transparency has paved the way for emerging data laws that now target cookie use. Complying with legislation like the GDPR and the EU Cookie Law can be difficult business, but not complying can be financially damaging.
Reviewed by Masha Komnenic, CIPP/E, CIPM, CIPT, FIP, Director of Global Privacy