Many companies use digital “cookies” to track activity on their websites. Cookies come in many forms; they are not all the same, and neither are the internet rules that govern their use.
Table of Contents
- What is a Cookie?
- Cookie Functions and Risks
- Laws and Regulations
- How to Keep Cookie Use on the Right Side of the Law
1. What Is a Cookie?
A digital cookie is a tiny bit of plain text that a website domain (the Internet address of the entity that owns the website) downloads to a user’s computer hard drive when that user’s browser program opens a new webpage.
The cookie is used to identify both the user and the browser and can be left on the user’s hard drive indefinitely. When the user’s browser returns to that domain’s website, the browser sends the cookie back to the domain, sharing the data it has collected or stored about that user.
Because each cookie holds such a small bit of data, many websites download more than one cookie to each browser that opens a new window.
There are two types of digital cookies:
- A “session” cookie is transient, collects no user information except for the details of the actual browsing session, and opens and closes as each browser is opened and closed.
- A “persistent” cookie remains on the hard drive and collects information about the user over time by tracking what that user does on the Internet. It acts as a marker inside the browser, creating a “unique identifier” code to link that browser to the server of each specific website the user visits. When the browser accesses that website again, the cookie informs the website that this “unique identity” has been there before, then tells it what occurred in that prior interaction.
Cookies track the data about how consumers use websites and corporate information, from how often they sign in, to what products they look at or buy and how much money they spend per visit.
Using this data, companies program their software to offer that consumer only goods and services similar to those for which they’ve already searched.
The resulting “personalization” builds customer loyalty and enhances their shopping experience by showing them things similar to those they already like.
Different kinds of cookies collect different kinds of information. Some store the personal information (e.g., bank account numbers) that the user uploads into web-based forms.
Others collect data that identifies each browser, and how that particular user accesses the Internet. Companies use this data to personalize consumer information in subsequent interactions with that person.
2. Cookie Functions and Risks
Businesses program cookies to serve a variety of commercial purposes, only one of which is improving their customers’ experience.
Primarily, they want to improve their market share based on what they know about their consumers’ activities.
However, as the Internet evolved, it became apparent that these digital bites had become offensive intruders and were gathering private information that the company had no authority to obtain.
Cookies present risks to both businesses and consumers because they access and store confidential information that could be compromised unless adequate security practices are in place.
The most sensitive data cookies collect is that which users themselves generate when they fill out a form for purchasing, healthcare access, or other personal purposes.
For instance, when buying online, users must provide bank account or credit card data, and the cookies for the sites that request that data store it on the user’s hard drive for easy access during subsequent transactions.
However, cookies used by advertising companies appear to pose the most challenges to cookie oversight authorities.
The “third party” entities whose cookies travel through advertisements on the website gain access to the private data on consumer hard drives.
Consumers aren’t usually aware that these cookies exist or that they were placed there by the advertiser, not by the domain to which they navigated.
Google’s AdWords and AdSense ads are examples of the use of third-party cookies. When users click on these ads, they are taken to that third-party site, which then loads still more cookies onto the hard drive to track the activities of that consumer.
3. Cookie Laws
Watch out! Cookie oversight laws differ depending on where they originate.
- The Computer Fraud and Abuse Act of 1984
- The Americans with Disabilities Act
- The Children’s Internet Protection Act of 2001 (updated 2013)
- The Children’s Online Privacy Protection Act (COPPA)
And that’s just to name a few.
In Europe, laws governing cookie use popped up as early as 2011.
In 2016, the European Union (EU) tightened those rules by approving its General Data Protection Regulation (GDPR), which requires entities within its borders to get consent from web visitors before storing or retrieving any of their information gathered by cookies, and permits individuals to refuse the use of those cookies to prevent access to their data.
Companies that do business online within the EU (regardless of where they originate) have until May 25, 2018 to become compliant with the GDPR Directive.
The Directive sorts cookies into four categories based on their usage so that both websites and their visitors understand how and why the digital delectables are deployed:
Category 1: Strictly Necessary Cookies
These cookies are (as their name implies) essential for the functioning of the visited website.
When the user clicks on a website’s homepage, the cookie facilitates the user’s easy navigation through its pages and services.
These cookies “remember” the user’s data so it’s not necessary to confirm consent for cookie use on subsequent visits. Cookies that automatically connect users to their social media networks like Facebook or LinkedIn are also considered essential cookies.
Category 2: Performance Cookies
Analytics and customization cookies monitor the performance of the website itself, from counting the number of page views to assessing its number of unique visitors.
Analysis of the captured data allows customization of relevant site data based on user preferences and experiences.
Web beacons are like cookies but use minute images, not text. They are embedded in websites and, when downloaded to a consumer’s site, collect data relevant to those browsing activities.
They, too, are subject to privacy rules and regulations.
Category 3: Functionality Cookies
These text files track how the website interacts with the user. They can tell whether an offer was made or a request was fulfilled, and facilitate optional functions within the browsing session, such as opening a chat window.
Category 4: Targeting or Advertising Cookies
Also known as “third-party” cookies, these bits aren’t generated by the visited website but instead belong to a third-party entity that is accessing the site through an advertisement placed on the visited site’s (first party) page.
Used by advertising networks to gather consumer information, third-party cookies can be blocked at the browser level.
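For a site owner taking inventory of the cookies a page sets, the session/persistent distinction from section 1 and the first-party/third-party distinction above can both be read from the `Set-Cookie` response headers. The following Python sketch is an added example, not code from the original article; the hostnames and headers are constructed, and `site` is supplied by the auditor rather than derived from a public suffix list.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """'session' when no expiry is set; otherwise 'persistent' or 'expired'."""
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass                                # malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"                    # unparseable Expires is ignored
        when = when if when.tzinfo else when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"

def party(response_host, site):
    """'first' if the host that set the cookie belongs to the visited site."""
    host = response_host.lower().rstrip(".")
    return "first" if host == site or host.endswith("." + site) else "third"

def audit(observations, site, now):
    """Return (cookie name, lifetime, party) for each (host, header) pair."""
    rows = []
    for host, header in observations:
        name, attrs = parse_set_cookie(header)
        rows.append((name, lifetime(attrs, now), party(host, site)))
    return rows

# Constructed sample: Set-Cookie headers seen while loading a page on shop.example
SAMPLE = [
    ("shop.example", "cart=abc123; Path=/"),
    ("www.shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.test", "uid=7f3a; Expires=Fri, 01 Jan 2027 00:00:00 GMT; Domain=tracker.test"),
    ("ads.tracker.test", "old=1; Expires=Wed, 01 Jan 2020 00:00:00 GMT"),
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable
```

Calling `audit(SAMPLE, "shop.example", NOW)` lists each cookie with its lifetime and party; persistent third-party entries are the ones that fall under Category 4.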
There are also Flash cookies (or “local shared objects”) that use Adobe’s Flash player to store information.
They often replace other cookies because they can gather settings and preferences, as well as browsing histories. And, unlike cookies stored in browser files, Flash cookies aren’t erased by clearing the browser cache.
4. How to Keep Cookie Use on the Right Side of the Law
As the legal framework around cookie oversight is still evolving, so are the penalties for failing to comply with local cookie laws.
Cookies offer enterprises of all sizes information about their customers and consumer base. Using them appropriately and safely keeps those customers coming back and keeps your company from landing in hot water.