Cookies, and any other technology that can be used to store data on a user's device, are subject to the European GDPR Regulation and the EPrivacy Directive. This article explains the various technologies used and your responsibilities under current Irish and European law.
First things first. What's a Cookie?
A cookie is a small string of text that is stored on the end-user's computer. The string usually contains:
- name/value pair(s) like: currency=euro;language=french;loggedin=true
- an optional expiry date (if no expiry date, then the cookie is deleted when the browser closes)
- the domain (eg mywebsite.com) that stored the cookie
- a couple of security settings (HttpOnly and secure) which we'll ignore for the purposes of this article
Cookies are for Remembering Things
A cookie is "read-only": it is just a piece of data and cannot execute code. In and of itself a cookie file is safe and harmless. The danger is that some companies are using cookies to track and profile user behaviour across multiple domains. These cookies are often "persistent" and "Third Party". What does that mean?
Under European legislation you are required to inform your visitors about the nature of the cookies used (session, persistent, first party, third party), as well as naming them, describing their purpose and, in some cases, gaining consent to their use before the cookies are even stored.
Session Cookies versus Persistent Cookies
Remember earlier when we defined a cookie, we said that a cookie can optionally set an expiry date as part of its string? If an expiry date is set, the cookie will stay on the end-user's equipment until the expiry date is reached. That means the cookie is Persistent.
If no expiry date is set, the cookie will be destroyed once the user closes down his/her browser. In other words, the cookie will only survive as long as the user's session on the browser - hence the term - Session Cookie.
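To make the definition concrete, here is an added example (my own illustration, not code from the article) in JavaScript that parses a Set-Cookie header into the parts listed above and tells session cookies from persistent ones. The three headers it is fed are constructed samples; the domain names in them are made up.

```javascript
// Added example (not from the article): parse a Set-Cookie header into the
// parts described above and classify each cookie as session or persistent.
// The sample headers at the bottom are constructed; the domains are made up.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: rest.join('='), // a value may itself contain '='
    expires: null,   // absolute expiry (Date), from the Expires attribute
    maxAge: null,    // relative expiry in seconds, from Max-Age
    domain: null,
    path: null,
    secure: false,   // only sent over HTTPS
    httpOnly: false, // not readable from JavaScript
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    switch (key) {
      case 'expires': cookie.expires = new Date(val); break;
      case 'max-age': cookie.maxAge = parseInt(val, 10); break;
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = val; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// No Expires and no Max-Age means the cookie dies with the browser session.
// Max-Age wins over Expires when both are present; a Max-Age of zero or less
// is how a server (or a consent tool) tells the browser to delete a cookie.
function cookieLifetime(cookie) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) {
    return cookie.maxAge <= 0 ? 'expired' : 'persistent';
  }
  if (cookie.expires instanceof Date && !Number.isNaN(cookie.expires.getTime())) {
    return cookie.expires.getTime() <= Date.now() ? 'expired' : 'persistent';
  }
  return 'session';
}

// Tally session vs persistent cookies for a batch of headers, the same kind
// of count as the survey figures quoted later in the article.
function lifetimeSummary(headers) {
  const summary = { session: 0, persistent: 0, expired: 0 };
  for (const h of headers) summary[cookieLifetime(parseSetCookie(h))] += 1;
  return summary;
}

// Constructed sample headers (domains are made up).
const SAMPLE_HEADERS = [
  'language=french; Path=/',
  'loggedin=true; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Domain=.mywebsite.com; Secure; HttpOnly',
  'uid=abc123; Max-Age=31536000; Domain=adtracker.example; SameSite=None; Secure',
];
```

Feeding the three sample headers to lifetimeSummary gives one session cookie and two persistent ones; the third header is the shape a cross-site tracking cookie typically takes (a year-long Max-Age on a domain that is not the site being visited).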
First Party versus Third Party Cookies
The browser program that you use to access web pages is also responsible for the storage and access of cookies.
When you visit a webpage, your browser will request the resources (images/videos/iframes/scripts/etc) that make up the web page you are visiting. Your browser will also store or access cookies on your equipment on behalf of all the domains from whom the resources are being requested.
- If the resources (images/videos/text/iframes/scripts/stylesheets/etc) belong to the actual domain you are visiting, then the cookies that are stored or accessed are called First Party Cookies. In other words, they're from the same website that you're visiting.
- However, if the resources (images/videos/text/iframes/scripts/stylesheets/etc) do NOT belong to the actual domain you are visiting, then the cookies that are stored or accessed are called Third Party Cookies. In other words, they're NOT from the same website you're visiting.
For instance, if you embed a Google Map on your webpage you would be asked to add code like this to your webpage:
<iframe src="https://www.google.com/maps/embed?pb=!1m18!1m12!1m3!1d38419.67162600166!2d-7.029576220898437! ..."></iframe>
Notice that the domain, google.com, is not the same as yours. But your browser will obey the code and download all the Third Party resources as instructed.
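As an added example (not from the article), the following JavaScript classifies the resources a page loads as first party or third party by comparing the site of the page with the site of each resource. Browsers use the Public Suffix List for this; the short list of two-label suffixes here is an assumption that stands in for it, and the sample page and resource URLs are constructed.

```javascript
// Added example (not from the article): classify the resources a page loads
// as first party or third party. A "site" is approximated as the hostname's
// last two labels, or three when the suffix is one of a few known two-label
// public suffixes; real browsers consult the full Public Suffix List, which
// this short set stands in for (an assumption). Sample URLs are constructed.

const TWO_LABEL_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'co.nz']); // placeholder for the PSL

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const suffix = labels.slice(-2).join('.');
  const keep = TWO_LABEL_SUFFIXES.has(suffix) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// First party when the resource's site matches the page's site, so
// static.mywebsite.com counts as first party on www.mywebsite.com.
function classifyResource(pageUrl, resourceUrl) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const resourceSite = registrableDomain(new URL(resourceUrl).hostname);
  return pageSite === resourceSite ? 'first-party' : 'third-party';
}

// Group a page's resource URLs by party; the third-party list is also the
// list of domains whose cookies a visitor must be told about.
function auditResources(pageUrl, resourceUrls) {
  const report = { 'first-party': [], 'third-party': [] };
  for (const url of resourceUrls) report[classifyResource(pageUrl, url)].push(url);
  return report;
}

// Constructed sample: a contact page that loads its own stylesheet and logo,
// embeds a Google map and pulls in the Facebook SDK.
const SAMPLE_PAGE = 'https://www.mywebsite.com/contact';
const SAMPLE_RESOURCES = [
  'https://www.mywebsite.com/css/site.css',
  'https://static.mywebsite.com/logo.png',
  'https://www.google.com/maps/embed',
  'https://connect.facebook.net/en_GB/sdk.js',
];
```

In a real audit the resource list would come from the browser's own record of what the page fetched (for instance the resource entries in the Performance API) rather than a hand-written array, but the classification is the same.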
In a 2015 survey of 478 websites in 8 European member states it was found that:
- There was an average of 34 cookies set per site surveyed
- Of this average, 30 were Persistent while 4 were Session cookies
- 70% of all the cookies surveyed were Third Party Cookies
- 50% of Third Party Cookies were set by just 25 companies! And yes, mainly for the purposes of third party advertising and tracking across domains.
Statistics like these may explain why European legislators are so concerned about the way a harmless technology like cookies is being deployed to track user behaviour and preferences.
Understanding the Different Cookie Types
When people talk about "cookies" in the context of the European legislation, what they actually mean is:
The use of the end-user's terminal equipment to store or access information.
So the fuss started when people began realising that information was being stored and accessed from their devices without their knowledge or prior permission!
But here's the thing: cookies are not the only technology that allows information to be stored on, or accessed from, your device! People routinely use the term "cookies" to cover a myriad of technologies that have become of concern to the European legislators, but it's worth being aware that a cookie is NOT the same thing as Local Storage, a Pixel Gif or Device Fingerprinting, all of which can be used to store and/or access information on your device, and all of which are under examination by the European legislators. Let's have a quick look at some of these technologies:
Pixel Gif (aka Web Beacon, Web Bug)
Remember I said that your browser will download all the resources from the web page you're visiting (images/videos/text/iframes/scripts/stylesheets/etc.)? Well, a pixel gif is a tiny (1px x 1px) transparent image that your browser downloads if it has been put on the web page (usually because of code you were instructed to embed from a Third Party company because you want some functionality they can offer).
Once that image has been downloaded onto your device, the company responsible for the code knows right away that you've visited that web page.
It's also commonly used by mail list companies to track how many campaign emails have been opened (which is why your email program now blocks images by default).
Apart from mail list companies, two common technologies that use pixel gifs are Google Tag Manager and Facebook Pixel. Website owners who want to use Facebook for analytics or marketing will be asked to install Facebook's code on their website (the same goes for Google Tag Manager, a similar product). When someone visits those pages, the pixel gif gets downloaded to the visitor's device.
Obviously, a user's permission should be required before the pixel gif gets downloaded - after all, the companies involved are Third Party, and you have no idea what information is being sent to Google Tag Manager or to Facebook Pixel.
Local Storage (and indexedDB and Cache Storage)
Modern browsers (Chrome, Firefox, Safari, Android etc) all allow a web page or app to store information on the device, the stated reason being offline use.
Technologies like Local Storage, indexedDB and Cache Storage are in use right now and make cookies look old-fashioned. Guess what? I bet you know how to delete your cookies, and I bet you don't know how to delete Local Storage. And by the way, Local Storage never expires.
indexedDB can store a whole heap more information than Local Storage - it's actually an entire database!
Cache Storage is the newest kid on the block, and it's mostly used with a technology called Service Workers (which means: storing content, like images and text, from an app so that it can be used offline).
Whatever about these newer storage technologies, the principle is the same as far as the law is concerned - the storage is on the visitor's device, and therefore requires the visitor's permission!
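As an added example (not part of the article), here is a JavaScript function a site could wire to a "withdraw consent" button to clear everything the site has stored on the visitor's device: Local Storage, Session Storage, indexedDB databases, Cache Storage and script-readable cookies. The browser objects are passed in as parameters (defaulting to the real ones) so the function can be exercised outside a browser; indexedDB.databases() is assumed to be available, which is true in current Chromium and Firefox but not in every browser.

```javascript
// Added example (not from the article): wipe everything a site has stored on
// the visitor's device, which is what a "withdraw consent" button should do.
// Browser objects are injected so the function can run outside a browser;
// calling clearDeviceStorage() with no arguments uses the real window objects.

async function clearDeviceStorage({
  localStorage = globalThis.localStorage,
  sessionStorage = globalThis.sessionStorage,
  indexedDB = globalThis.indexedDB,
  caches = globalThis.caches,
  cookieJar = globalThis.document,
} = {}) {
  const removed = { localStorage: 0, sessionStorage: 0, indexedDB: 0, caches: 0, cookies: 0 };

  // Web Storage: count the keys, then clear. Local Storage never expires on
  // its own, so a call like this is the only way it ever goes away.
  for (const [label, store] of [['localStorage', localStorage], ['sessionStorage', sessionStorage]]) {
    if (!store) continue;
    removed[label] = store.length;
    store.clear();
  }

  // indexedDB: databases() (assumed available; Chromium and Firefox have it)
  // lists every database, and each one is deleted via its own request object.
  if (indexedDB && typeof indexedDB.databases === 'function') {
    for (const { name } of await indexedDB.databases()) {
      await new Promise((resolve, reject) => {
        const req = indexedDB.deleteDatabase(name);
        req.onsuccess = resolve;
        req.onblocked = resolve; // another tab holds it open; deletion completes later
        req.onerror = () => reject(req.error);
      });
      removed.indexedDB += 1;
    }
  }

  // Cache Storage (Service Worker caches): delete each named cache.
  if (caches) {
    for (const name of await caches.keys()) {
      if (await caches.delete(name)) removed.caches += 1;
    }
  }

  // Cookies visible to script (i.e. not HttpOnly) are expired by rewriting
  // them with Max-Age=0, once for the current host and once for the domain.
  if (cookieJar && typeof cookieJar.cookie === 'string') {
    const host = cookieJar.location ? cookieJar.location.hostname : '';
    for (const pair of cookieJar.cookie.split(';')) {
      const name = pair.split('=')[0].trim();
      if (!name) continue;
      cookieJar.cookie = `${name}=; Max-Age=0; Path=/`;
      if (host) cookieJar.cookie = `${name}=; Max-Age=0; Path=/; Domain=${host}`;
      removed.cookies += 1;
    }
  }
  return removed;
}
```

The returned counts are what you would show the visitor as confirmation. HttpOnly cookies are invisible to script and can only be expired by the server that set them, and nothing on your own origin can touch data a Third Party stored under its own domain, which is one more reason to keep the inventory of embedded Third Party code small.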
Device Fingerprinting has already replaced cookies, and will go on replacing them, for the companies that specialise in tracking user behaviour online and selling that information to interested parties.
Thanks to modern HTML's CanvasElement, your browser will gladly reveal a slew of settings when crafted by the right sort of code enquiry. Browser type, settings, plugins, device OS, language, device resolution and loads more, when added up, will be unique to you. The chances that your settings are identical to someone else's are quite small, even if you're using a popular browser.
And the irony here is that your device's unique fingerprint is NOT stored on your device. It's stored elsewhere, by the company (or companies) tracking you via your Device Fingerprint. Bit of a poke in the eye for the legislators, right?
So when you visit xyz.com they'll know it's most probably you. And now they can build up a complete picture of YOU without storing anything on your device. (eg The fictional you spends 90% of her time between just 12 websites. The fictional you prefers fashion to politics - we can get her attention by using a fashionista ad that's really about persuading her to vote for such and such a political party - because there's an election coming up in her country, but of course we don't know where she actually lives, and we wouldn't pry, but she's probably Catalan since 10 of the 12 sites she visits end in .es , and it happens to be the language of her device's keyboard, right?)
You get the idea. And probably like me are wondering why the European legislators are bothering about cookies at all. Like no-one else is. Not anymore. Not with Device Fingerprinting. Device Fingerprinting is a game changer.
Tip: Do a search for "How to Prevent Device Fingerprinting" to get an idea how difficult it is to overcome this technology.
The EPrivacy Directive vs the EPrivacy Regulation
The (still pending) EPrivacy Regulation is meant to work with the GDPR (General Data Protection Regulation) which became law in May 2018.
So the problem is that GDPR is a Regulation, meaning it's enforced EU-wide, but EPrivacy is still only a Directive - meaning each country can interpret it to suit itself.
And that's very confusing. If your website is hosted in Ireland, for instance, the "Cookie Law" that you'll follow is SI 336/2011 which, summarised is this:
- Clear communication and consent must be obtained in the case of Third Party cookies (by way of points 1-3 above, one assumes)
- Third Party cookies must be named along with their purpose and expiry (persistence). A link must be provided to the "advertising network" (sic) concerned where a user can opt out of receiving their cookies.
From the Irish perspective, the interpretation is pretty lax - put up a cookie banner, declare your Third Party cookies and show users how to turn them off. Whereas in Italy, for instance, no cookies whatsoever can be set without first obtaining the user's consent.
The EPrivacy Regulation is still pending but will completely replace the EPrivacy Directive and, because it will be a Regulation, it will be implemented across the EU in a harmonised fashion. Individual countries will no longer be allowed to "interpret it". The (pending) EPrivacy Regulation is meant to work with the GDPR to protect users' data and rights.
Google Analytics records the IP address (your device's numeric address on the internet) of visitors by default. Under the GDPR, an IP address is considered as personal data, because it could be used to identify someone. Secondly the GDPR is uncompromising on the question of users being able to "withdraw consent as easily as they have given it". Thirdly, if you're using it, say in conjunction with Adwords for remarketing, then that's going beyond the scope of just "counting the number of visitors".
My view would be that to use Analytics safely, you need to anonymize IP addresses (guidance on doing this here: https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization), and you need to offer your website visitors a way to disable analytics if they don't want to be recorded as part of your visitor statistics. So yes, imo, it's safe under the Irish interpretation of the Directive if you do all that.
Lastly, I think it's crystal clear that, between the GDPR and the EPrivacy Directive, no matter what technology you're using, you're going to need opt-in consent if you're using tracking technology to remarket to your website visitors.
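To show what opt-in consent looks like in code, here is an added example (mine, not from the article or from Google) in JavaScript: third-party tags are loaded only for consent categories the visitor has explicitly granted, Google Analytics is configured with anonymizeIp as the linked guidance describes, and the documented window['ga-disable-<property id>'] flag is set when analytics consent is refused. The property id, the script URLs, the consent record format and the category names are assumptions of this example.

```javascript
// Added example (not from the article or from Google): opt-in gating of
// third-party tags, plus the analytics.js settings for IP anonymisation and
// per-property opt-out. Property id, script URLs, consent record shape and
// category names are this example's own assumptions.

const GA_PROPERTY_ID = 'UA-XXXXXXX-Y'; // placeholder, not a real property

// Each third-party tag declares the consent category it needs.
const TAGS = [
  { name: 'google-analytics', category: 'analytics', src: 'https://www.google-analytics.com/analytics.js' },
  { name: 'facebook-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Pure decision: which tags may load for a given consent record such as
// { analytics: true, marketing: false }. Anything not explicitly granted
// counts as refused, so the default is opt-in rather than opt-out.
function tagsAllowedBy(consent, tags = TAGS) {
  const granted = new Set(
    Object.entries(consent || {}).filter(([, v]) => v === true).map(([k]) => k),
  );
  return tags.filter((t) => granted.has(t.category)).map((t) => t.name);
}

// analytics.js commands to queue once the script is allowed. 'anonymizeIp'
// truncates the visitor's IP address before Google stores it; when consent
// is refused the returned window flag disables the property entirely.
function analyticsCommands(consent) {
  const disableFlag = `ga-disable-${GA_PROPERTY_ID}`;
  if (!tagsAllowedBy(consent).includes('google-analytics')) {
    return { disableFlag, commands: [] };
  }
  return {
    disableFlag: null,
    commands: [
      ['create', GA_PROPERTY_ID, 'auto'],
      ['set', 'anonymizeIp', true],
      ['send', 'pageview'],
    ],
  };
}

// Browser side: set or clear the opt-out flag, then inject only the allowed
// scripts. Call it again with the new record whenever the visitor changes
// their mind, so withdrawing consent is as easy as giving it.
function applyConsent(consent, doc = globalThis.document) {
  const { disableFlag, commands } = analyticsCommands(consent);
  if (disableFlag) globalThis[disableFlag] = true;
  else delete globalThis[`ga-disable-${GA_PROPERTY_ID}`];
  if (!doc) return commands;
  const allowed = new Set(tagsAllowedBy(consent));
  for (const tag of TAGS) {
    if (!allowed.has(tag.name)) continue;
    const script = doc.createElement('script');
    script.async = true;
    script.src = tag.src;
    doc.head.appendChild(script);
  }
  return commands; // hand these to ga() once the analytics.js stub is in place
}
```

The three commands are the same calls as Google's standard snippet with the anonymizeIp setting inserted between create and send. Refusal, or withdrawal later on, is just applyConsent({}) : the disable flag goes up and nothing is loaded, which also covers the remarketing case since the marketing category is never granted by default.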
If you include any copy/paste scripts from other companies, eg embedding code to make a Google map appear on your website, the browser will access the required resources from the domains of those other companies. These domains are different from yours! As the browser retrieves the images, scripts, videos, stylesheets and so on from these other domains, it will also happily store and access cookies on their behalf. These are the so-called Third Party cookies that have come under scrutiny from the European legislators, as some of them were involved in tracking visitors across multiple websites.
Here's a list of things we love to do on websites which can lead to Third Party cookies being set:
- Embedding social media buttons
- Embedding videos
- Embedding maps
- Embedding slideshows
- Embedding discussion/comments
- Using Google's Recaptcha on forms
- Using Facebook Pixel
- Using Remarketing with Adwords
Yes, they definitely make life easier! I'll talk about two below, not because they're the best, but because they are the two I've used myself. Feel free to try others, there's plenty out there.
If you're using Wordpress and you want a free one, you could try GDPR Cookie Consent (CCPA Ready). This is the free version, it's moderately easy to use and it works really well.
If you're not using Wordpress, or you want a more comprehensive system, then you could try out Cookiebot (https://www.cookiebot.com). The paid version is way better than the free one, but at €9/mo it really isn't affordable to everyone running a website. So in the free version what you don't get is the ability to template it with your company's logo and branding, you don't get an audit trail (where you can prove to a user that you had such and such cookies turned off when they visited) and you can only scan your site for a cookie inventory once a month. It also works with GTM (Google Tag Manager).