A Guide to Understanding Cookies - Part 1

The European Union’s approach to protecting its residents online has undergone significant changes in the past years. This approach, outlined by Directive 2009/136/EC,  is famous for being perhaps the most robust and restrictive among other countries. As the EU undoubtedly aims to enhance users' privacy and control over their personal data, these rules occasionally confuse businesses and users. If you struggle to understand how to keep your business compliant or what cookie banners are used for, this post is made for you. 

What are cookies? 

Many websites use tools designed to track users' behavior on the website, analyze their activity, help deliver targeted content, ensure security, and do many more useful things to keep the website running, such as keeping the items you picked in your shopping cart. Some of these tools need to recognize a unique user to work correctly, and in order to be able to do so, websites that have implemented these tools make use of cookies. There are different types of cookies, that differ based on their mechanism and purpose, though most often when we use the word ‘cookie,’ we mean an HTTP Cookie. 

Every time a user accesses  a website page, a short code is sent to their web browser, which is stored for one or more browsing sessions. The website stores cookies locally on the user's device and works as a hook, which is used to create a name-value pair and identify a unique user. If a web browser does not delete cookies after the session, and the website script intends to remember name-value for longer than a session, when the user returns to that site in the future, it will remember them by accessing the cookie stored on the user's device. 

Other terms used often in relation to cookies are ‘first-party’ and ‘third-party’ cookies, so let’s clarify what these terms mean. 

First-party cookies - also called ‘on-site cookies,’ are pieces of code created directly by the website that the user is visiting. Such cookies are often used to manage the website, log in, and keep information about user’s choices, language preferences, etc. 

Third-party cookies - also called ‘off-site cookies,’ are generated by a third party and intend to trace and recognize a unique user through multiple websites. For example, three websites would still generate three different cookies and would be stored separately. While each website most likely won’t be able to obtain more information about the user than usual, a third party could recognize a unique user on three different websites by combining information from all three. This is how advertising platforms, for example, collect more information about the buyers by analyzing their activity on different websites and adjusting their ads to match targeted profiles. 

The Cookie Directive 

Directive 2009/136/EC, also known as the EU Cookie Directive (informally), strengthened user protection online by making it mandatory to obtain informed consent before placing anything or accessing any information on a user’s device. The requirement applies to all types of information, including cookies. 

When a user visits a website for the first time, informed consent must be obtained before a cookie can be placed. Often information about the cookies and data processing would be presented in a Privacy Notice and Cookie Policy, while consent for data collection is obtained with the help of a banner. Unless a user provides consent or opts in, the website is not allowed to place any cookies on the device. However, back in 2012, the Data Protection Working Party (a predecessor of the European Data Protection Board) released an Opinion on Cookie Consent Exemption: 

Criterion A: The cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; 

To ensure that you are qualified to place the cookies without consent, transmitting communications is impossible without using cookies. As a part of the opinion, the Data Protection Working Party stated that there are at least 3 elements that can be considered as strictly necessary for communications to take place over a network between two parties:

1. The ability to route the information over the network, notably by identifying the communication endpoints.
2. The ability to exchange data items in their intended order, notably by numbering data packets.
3. The ability to detect transmission errors or data loss. 

Criterion B: The cookie is strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. 

To make sure that you are qualified to place cookies without consent, a cookie matching Criterion B has to pass simultaneously two following tests:

1. The information society service has been explicitly requested by the user (or subscriber) who performed a positive action to request a service with a clearly defined perimeter. 
2. The cookie is strictly needed to enable the information society service: if cookies are disabled, the service will not work. 

For example, an online newspaper can offer free access to everyone; however, only “logged-in” users have the ability to leave comments on articles. In turn, these additional functionalities may operate with their own cookies. In this particular context, the Working Party considered that an information society service should be viewed as the sum of several functionalities and that the precise scope of such a service may thus vary according to the functionalities requested by the user (or subscriber). 

In both cases, it is recommended that the life cycle of a placed cookie should be limited to what is necessary to fulfil the purpose it is used for. 

In the second part, we will discuss some cookie use cases and how they differ.