Read on to learn about the different types of computer cookies and how they affect your operations as a business owner.
1. What Are Cookies on Websites?
Cookies are tiny trackers that connect users and websites. They function like a combination of an online ID card and a digital Post-it Note, helping the website remember the user’s choices and activities.
Internet Cookies Definition
An internet cookie is a small piece of data that a website downloads to a user’s device in order to track their behavior on the website, and to remember their preferences.
Cookies play a role in almost everything people do on the internet — from remembering user login details and online shopping cart items, to helping companies create targeted ads.
Why Are Cookies Called Cookies?
The name “cookie” has its origins in early computer terms, when “magic cookie” was used to describe a small piece of data passed between programs. The term is still used in today’s computer lingo, but now you’ll most commonly see cookies referred to as HTTP cookies, web cookies, browser cookies, and internet cookies.
Are Computer Cookies Bad?
Cookies aren’t harmful — they can’t download a virus to a computer or read email addresses. However, cookies still pose a security risk to users because they collect personal data about browsing habits. Such information is vulnerable to data breaches and theft.
Because tracking cookies are used for targeted advertising, users often have concerns about cookies, and think they should delete them by clearing their browser cache. Nonetheless, the cookie data that websites collect is vital to creating the smooth online experience that users expect.
2. How Do Cookies Work?
When a user visits a website, a cookie is downloaded to their web browser (such as Google Chrome) and stored as a plain text file. When the user returns to the site, their browser reads the file and shares the information with the domain.
There are two different types of internet cookies. Session cookies only collect details from single browsing sessions, while persistent cookies remain on the user’s device and collect information over time.
How cookies work is the same across all devices — whether a user accesses a site from a Mac, PC, iPad, or phone.
What Do Cookies Do?
Cookies serve a wide range of functions for businesses, but most fall under the following five categories:
Essential Cookies
Essential cookies are a website’s basic form of memory, used to store the preferences selected by a user on a given site. As the name implies, they are essential to a website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to prevent users from having to log in each time they visit a new page in the same session.
Performance and Functionality Cookies
These cookies are used to enhance the performance and functionality of a website, but are not essential to its use. However, without these cookies, certain functions (like videos) may become unavailable.
Web Analytics and Customization Cookies
Analytics and customization cookies track user activity, so that website owners can better understand how their site is being accessed and used.
Advertising Cookies
Advertising cookies are used to customize a user’s ad experience on a website. Using the data collected from these cookies, websites can prevent the same ad from appearing again and again, remember user ad preferences, and tailor which ads appear based on a user’s online activities.
Social Networking Cookies
Social networking cookies allow users to share content on social media platforms, and help link activity between a website and third-party sharing platforms.
The personal data that cookies collect, plus the fact that they do pose a security risk, has created a need for cookie laws and regulations. If your website deploys cookies, there are several legal requirements you need to know if you want to stay out of trouble with the law.
3. Computer Cookies and the Law Explained
Laws are cropping up around the world in order to mitigate the risks associated with cookies and data protection.
While cookie regulation is still relatively new territory, the following laws are breaking ground on providing notification and consent rights to users over the cookies they encounter online:
The General Data Protection Regulation (GDPR) and Cookies
The GDPR aims to give users greater rights over their data through stringent notification and consent guidelines. Under this law, users need to be informed of the existence of cookies on a website and then consent to their deployment. If consent is not given, the website in question cannot lawfully collect information from that user using cookies.
However, there are some exceptions. Essential cookies, performance cookies, and functionality cookies are often used on the basis of GDPR legitimate interest or for the fulfillment of a contract. Therefore, user consent isn’t necessarily mandated for these cookies to be lawfully deployed.
When it comes to the relationship between cookie use and the GDPR, it’s important to remember that data collected through cookies is considered personal data — and is therefore subject to all personal data collection guidelines of the GDPR.
The EU Cookie Law
The EU Cookie Law (or EU Cookie Directive) is an adaptation of the EU ePrivacy Directive — a cornerstone piece of legislation that governs digital privacy throughout the European Economic Area (EEA) in conjunction with the GDPR.
The Directive will soon receive another update, and will be renamed the ePrivacy Regulation. Still in the finalization process, this regulation is set to come into effect in the next two years.
As is the case with the GDPR, the law not only applies to all businesses operating within member states of the EEA, but any business with users in the EEA — regardless of the company’s physical location.
The Cookie Law comes down to one main premise — obtain user consent to cookies.
However, the law stipulates that the opt-in requirement only applies to non-essential cookies, meaning you can deploy the cookies that are necessary for the proper functioning of your website without first getting consent.
Many popular browsers now have a “Do Not Track” feature that lets users indicate they do not want their history to be tracked. Websites are under no obligation to comply with this request, but should disclose whether or not they choose to do so.
US Cookie Laws
In the US, while there is no single all-encompassing federal cookie law, there are several individual privacy rules that apply to corporate cookie usage, including:
- The Computer Fraud and Abuse Act of 1984
- The Americans with Disabilities Act
- The Children’s Internet Protection Act of 2001 (updated 2013)
- The Children’s Online Privacy Protection Act (COPPA)
Furthermore, the California Consumer Privacy Act (CCPA) applies to cookie usage, as the act serves to safeguard the personal data of internet users in a manner similar to the GDPR.
On top of fines and penalties from supervisory authorities, the CCPA gives users the right to sue a business for breach of data – even if no monetary or physical damages are suffered.
4. Managing Cookies on Your Website
As cookie laws and their specific stipulations differ from place to place, it’s important to look into exactly which rules and regulations apply to your business, and navigate them accordingly.
Although the laws governing cookies are complex, the aim of almost all cookie legislation is essentially the same. Therefore, implementing a few simple measures can help you comply with the majority of cookie law requirements, and adhere to cookie use best practices.
How to Stay on the Right Side of Cookie Data Laws
1. Audit and Classify Your Cookies
Many websites run more cookies than they realize. If you’re not sure exactly what cookies are on your site, it’s impossible to describe your cookie practices to users. Not only should you make an effort to discover which cookies you use, but you should then classify those cookies by their purpose (for example, the six categories mentioned above).
Organizing your cookies by the purposes they serve is essential to completing the following two steps.
To find out what cookies your website uses, you can use a tool like Termly’s free cookie consent manager to scan your site and generate a detailed report.
2. Disclose Your Cookie Practices to Users
Make this policy easily available to users by linking it in your website’s footer and in the next step of your compliance plan — your cookie consent banner.
3. Get Consent Before Deploying Cookies
There are three elements of a legally valid cookie consent:
- The option for users to set their cookie preferences
- The ability to revoke consent at any time
These requirements can be easily accomplished through a cookie consent banner.
Furthermore, your banner should include a link that directs users to learn more about your cookie use and set their cookie preferences. If users choose not to consent to the use of all cookies, they should be able to give consent to specific categories of cookies.
Remember to keep stored records of user cookie consents and preferences where you can easily access them in the event of a privacy law compliance audit.
4. Check for Cookie Consent Exemptions
According to the overseeing EU advisory body, businesses don’t need to get user consent to the deployment of all cookies under the Cookie Law. In fact, cookies that are used for the following purposes are exempt from the ePrivacy consent requirements:
- Used only for sending data over a network
- Essential for an information society service (e.g., most websites and apps) to deliver a service explicitly requested by the user.
The advisory body further outlines some common cookies that fall under these two exemptions:
- User‑input cookies (session-id): User-input cookies are used to track items that users themselves input into your website. For example, cookies that remember the items in a customer’s shopping cart, or the answers to an online form, are user-input cookies.
- Authentication cookies: These trackers work by identifying a user through their login credentials. When a website visitor enters their username and password, these cookies will confirm that user’s identity and “remember” their account information.
- User‑centric security cookies: They detect authentication errors and abuses, such as incorrect login details. When a visitor enters incorrect login credentials, these cookies detect that and track how many incorrect entries are made.
- Multimedia content player cookies: Content player cookies enable audio or video play. Say a user is scrolling through your site and encounters an auto-play video file. Multimedia player cookies allow that video to play.
- Load‑balancing cookies: These cookies serve perhaps the most basic cookie function, in that they connect information between the user’s server and your website’s server.
- User‑interface customization cookies: These cookies store user-experience preferences. For example, they can remember that a user has selected a preferred language.
- Third‑party social plugin content‑sharing cookies: These cookies are applicable to users logged into a social media platform at the same time as their visit to your site. If a user clicks a “Share on Facebook” button on one of your blog posts, these cookies connect that post with the user’s logged-in Facebook account.
All of these exempt cookies are only meant to serve their purpose over the course of the user’s session on your website. If they follow your users around the web, collecting information that isn’t necessary for website–user interactions, they are no longer exempt from ePrivacy consent requirements.
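The audit and exemption check described in the steps above can be scripted. The following is an added example, not code from this article or from any consent tool: it parses Set-Cookie values, separates session cookies from persistent ones and first-party from third-party, and triages each cookie against the exempt purposes listed above. The site name, the sample cookies, the purpose labels and the triage rule are all constructed assumptions.

```python
from http.cookies import SimpleCookie

SITE = "shop.example"  # hypothetical first-party site being audited

# Constructed crawl output: (host that sent it, Set-Cookie value, purpose you assigned).
OBSERVED = [
    ("shop.example", "session_id=ab12; Path=/; HttpOnly", "authentication"),
    ("shop.example", "cart=3; Path=/", "user-input"),
    ("shop.example", "lang=en; Path=/; Max-Age=31536000", "ui-customization"),
    ("ads.example", "_trk=u77; Path=/; Max-Age=63072000", "advertising"),
]

# Purposes the article lists as exempt from ePrivacy consent (labels are ours).
EXEMPT = {"user-input", "authentication", "user-centric-security",
          "multimedia-player", "load-balancing", "ui-customization",
          "social-plugin"}


def audit(host, header, purpose, site=SITE):
    """Classify one observed cookie and decide how to treat it."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    # No Max-Age and no Expires: the browser drops it when the session ends.
    persistent = bool(morsel["max-age"] or morsel["expires"])
    # A Domain attribute widens the scope; otherwise the sending host owns it.
    scope = (morsel["domain"] or host).lstrip(".").lower()
    third_party = scope != site and not scope.endswith("." + site)
    if purpose not in EXEMPT:
        verdict = "consent"   # non-essential: get opt-in before setting it
    elif persistent or third_party:
        verdict = "review"    # exempt purpose, but not session-only first-party
    else:
        verdict = "exempt"
    return {"name": name, "persistent": persistent,
            "third_party": third_party, "verdict": verdict}


def audit_all(observed=OBSERVED):
    return [audit(*row) for row in observed]


if __name__ == "__main__":
    for r in audit_all():
        kind = "persistent" if r["persistent"] else "session"
        party = "third-party" if r["third_party"] else "first-party"
        print(f'{r["name"]:<12}{kind:<12}{party:<13}{r["verdict"]}')
```

The "review" verdict marks cookies whose declared purpose is on the exempt list but whose lifetime or scope goes beyond a single first-party session, which is the condition under which the exemption stops applying.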
5. Key Takeaways
Now that we’ve explained internet cookies in full, let’s review the main points.
Cookies are a complex yet valuable tool in operating an online business. They’re not harmful, but the information they collect about users’ browsing habits is considered personal data.
The global call for greater user privacy rights and digital transparency has paved the way for emerging data laws that now target cookie use. Complying with legislation like the GDPR and the EU Cookie Law can be difficult business — but not complying can be financially damaging.