Cookies, or anything you can store on a user's device, are subject to the European EPrivacy Regulations. This article starts with what a cookie is, then explains the different types and which ones are affected by the "Cookie Laws".
First things first. What's a Cookie?
A cookie is a small string of text that is stored on the end-user's computer. The string usually contains:
- name/value pair(s) like: currency=euro;language=french;loggedin=true
- an optional expiry date (if no expiry date, then the cookie is deleted when the browser closes)
- the domain (eg mywebsite.com) that stored the cookie
- a couple of security settings (HttpOnly and secure) which we'll ignore for the purposes of this article
A cookie is "read-only", which means it cannot execute code. Cookies themselves are safe and harmless. The danger is that some companies are using them to track and profile user behaviour across multiple domains.
Cookies are for Remembering Things
Understanding the Different Cookie Types
When people talk about cookies in the context of the European legislation, what they actually mean is:
The use of the end-user's terminal equipment to store or access information.
While this is routinely done using cookies (which are a real technology used by programming languages), there are also other ways we can store information on an end-user's equipment. Sometimes we just say "cookies" to cover the technologies that have become of concern to the European legislators, but it's good to be aware that to a programmer a cookie is NOT the same thing as Local Storage, a Web Beacon or a Pixel Gif, all of which can be stored and accessed from the end-user's equipment, and ALL of which are covered by the European legislators.
There are two other important concepts to understand in the context of the legislation. Session vs Persistent and First Party vs Third Party cookies. You will need to understand these terms because under European legislation you are required to inform your visitors about the nature of the cookies used (session, persistent, first party, third party), as well as naming them, describing their purpose and, in some cases, gaining consent to their use before the cookies are even stored.
Session Cookies versus Persistent Cookies
Remember earlier when we defined a cookie, we said that a cookie can optionally set an expiry date as part of its string? If an expiry date is set, the cookie will stay on the end-user's equipment until the expiry date is reached. That means the cookie is Persistent.
If no expiry date is set, the cookie will be destroyed once the user closes down his/her browser. In other words, the cookie will only survive as long as the user's session on the browser - hence the term - Session Cookie.
First Party versus Third Party Cookies
The browser program that you use to access web pages is also responsible for the storage and access of cookies.
When you visit a webpage, your browser will request the resources (images/videos/iframes/scripts/etc) that make up the web page you are visiting. Your browser will also store or access cookies on your equipment on behalf of all the domains from whom the resources are being requested.
- If the resources (images/videos/text/iframes/scripts/stylesheets/etc) belong to the actual domain you are visiting, then the cookies that are stored or accessed are called First Party Cookies. In other words, they're from the same website that you're visiting.
- However, if the resources (images/videos/text/iframes/scripts/stylesheets/etc) do NOT belong to the actual domain you are visiting, then the cookies that are stored or accessed are called Third Party Cookies. In other words, they're NOT from the same website you're visiting.
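As an added example (not code from the original article), the sketch below parses Set-Cookie headers and labels each cookie as session or persistent and as first or third party, which is the information a cookie notice has to list. The hostnames, cookie values and the two-label site comparison are assumptions made for illustration; Max-Age is treated the same as an expiry date.

```javascript
// Parse one Set-Cookie header value into name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified site comparison: last two labels of the hostname.
// Assumption: a real audit should use the Public Suffix List (e.g. for .co.uk).
function site(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// pageHost: the site being visited; responseHost: the host that sent the header.
function classify(pageHost, responseHost, header) {
  const c = parseSetCookie(header);
  const domain = c.attrs.domain || responseHost;
  // No Expires and no Max-Age means the cookie dies with the browser session.
  const persistent = 'expires' in c.attrs || 'max-age' in c.attrs;
  return {
    name: c.name,
    domain: domain.replace(/^\./, ''),
    lifetime: persistent ? 'persistent' : 'session',
    party: site(domain) === site(pageHost) ? 'first' : 'third',
    httpOnly: c.attrs.httponly === true,
    secure: c.attrs.secure === true,
  };
}

// Constructed sample: headers seen while loading www.mywebsite.com
const observed = [
  ['www.mywebsite.com', 'currency=euro; Path=/'],
  ['www.mywebsite.com', 'loggedin=true; Domain=mywebsite.com; Max-Age=86400; Secure; HttpOnly'],
  ['ads.tracker.example', 'uid=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker.example'],
];
const report = observed.map(([host, h]) => classify('www.mywebsite.com', host, h));
console.table(report);
```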
In a 2015 survey of 478 websites in 8 European member states it was found that:
- There was an average of 34 cookies set per site surveyed
- Of this average, 30 were Persistent while 4 were Session cookies
- 70% of all the cookies surveyed were Third Party Cookies
- 50% of Third Party Cookies were set by just 25 companies! And yes, mainly for the purposes of third party advertising and tracking across domains.
Statistics like these may explain why European legislators are so concerned about the way a harmless technology like cookies is being deployed to track user behaviour and preferences.
The EPrivacy Directive vs the EPrivacy Regulation
The EPrivacy Directive (2011-2018?)
Ireland implemented the EPrivacy directive via SI 336/2011 and provided guidance on the website of the Data Protection commissioner. To wit:
- Clear communication and consent must be obtained in the case of Third Party cookies (by way of points 1-3 above, one assumes)
- Third Party cookies must be named along with their purpose and expiry (persistence). A link must be provided to the "advertising network" (sic) concerned where a user can opt out of receiving their cookies.
The EPrivacy Directive is going to be replaced by the EPrivacy Regulation.
The EPrivacy Regulation (2018? and on)
The EPrivacy Regulation is still pending but will completely replace the EPrivacy Directive and, because it is a regulation, it will be implemented across the EU in a harmonised fashion. Individual countries will not be allowed to "interpret it". The (pending) EPrivacy Regulation is meant to work with the GDPR. It has taken many twists and turns, but the most recent proposal states that:
Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.
Interpreting this proposal is still strewn with landmines. On the face of it, it sounds like Google Analytics might indeed be safe to use - but that's going to depend on how you're using it. Google Analytics records the IP address of visitors. Under the GDPR, an IP address is now considered as personal data, because it could be used to identify someone. Secondly the GDPR is uncompromising on the question of users being able to "withdraw consent as easily as they have given it". Thirdly, if you're using it, say in conjunction with Adwords for remarketing, then that's going beyond the scope of just "counting the number of visitors".
My view would be that to use Analytics safely, you need to anonymize IP addresses (guidance on doing this here: https://developers.google.com/analytics/devguides/collection/analyticsjs/ip-anonymization), and you need to offer your website visitors a way to disable analytics if they don't want to be recorded as part of your visitor statistics. It would be a good idea to try to detect whether your visitor's browser is set to Do Not Track, and turn off Analytics if that's the case. And lastly, I think it's crystal clear from the GDPR and the EPrivacy Regulation that, no matter what technology you're using, you're going to need opt-in consent if you're using tracking technology to remarket to your website visitors.
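One way to combine the three measures above (IP anonymization, a visitor opt-out and Do Not Track detection) for analytics.js, as an added example that is not code from the original article. The property id is a placeholder and the opt-out cookie name `analytics_optout` is a hypothetical choice.

```javascript
const GA_ID = 'UA-XXXXX-Y';                 // placeholder property id
const OPT_OUT_COOKIE = 'analytics_optout';  // hypothetical first-party cookie name

// Browsers have exposed Do Not Track in several places and with several values.
function dntEnabled(nav, win) {
  const v = nav.doNotTrack || win.doNotTrack || nav.msDoNotTrack;
  return v === '1' || v === 'yes';
}

// True when the visitor previously chose to be left out of the statistics.
function optedOut(cookieString) {
  return cookieString.split(';').some(c => c.trim() === OPT_OUT_COOKIE + '=1');
}

// Returns the analytics.js commands to run, or [] when tracking must stay off.
function analyticsPlan(nav, win, cookieString) {
  if (dntEnabled(nav, win) || optedOut(cookieString)) {
    win['ga-disable-' + GA_ID] = true;  // analytics.js opt-out flag for this property
    return [];
  }
  return [
    ['create', GA_ID, 'auto'],
    ['set', 'anonymizeIp', true],       // set before any hit is sent
    ['send', 'pageview'],
  ];
}

// Persistent first-party cookie that records the opt-out for one year.
function optOutCookie() {
  return OPT_OUT_COOKIE + '=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax';
}

// In a page (after the analytics.js snippet has defined ga):
//   analyticsPlan(navigator, window, document.cookie).forEach(c => ga(...c));
//   optOutButton.onclick = () => { document.cookie = optOutCookie(); };
```

Withdrawing consent is then a single click that sets the opt-out cookie, as easy as the visit that started the tracking.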
Yes, you can. However, most browsers are set to accept Third Party cookies by default and many users don't know how to adjust their browser settings. There is an additional problem in that some Third Party cookies perform multiple functions, so by refusing them you may lose wanted functionality. You can also use the Do Not Track setting on your browser, which is becoming more universally accepted - that's the equivalent of using a private browsing window for all your browser activity. Try it, and what you'll see is certain parts of websites blocked out - eg Youtube videos, Facebook streams and so on.
If you included any copy/paste scripts from other companies - eg embedding the code to make a Google map appear on your website - the browser will access the required resources from the domains of those other companies. These domains are different from yours! As the browser retrieves the images, scripts, videos, stylesheets and so on from these other domains, it will also happily store and access cookies on their behalf. These are the so-called Third Party cookies that have come under scrutiny from the European legislators as some of them are involved in tracking visitors across multiple websites.
Here's a list of things we love to do on websites which can lead to Third Party cookies being set:
- Embedding social media buttons
- Embedding videos
- Embedding maps
- Embedding slideshows
- Embedding discussion/comments
- Display advertising
- Remarketing/Behavioural Targeting
Yes, there is a known way of fingerprinting without cookies using the HTML5 Canvas Element, which is available on all modern browsers. See https://en.wikipedia.org/wiki/Canvas_fingerprinting. By forming certain requests to your browser, a unique fingerprint can be generated and stored. When next you appear on the internet using this same browser, they can predict with a fair accuracy that it's YOU!! Hey ho. Read the article linked to gain insight into how to prevent your browser blabbing your settings.