It’s almost impossible to use the internet for long without coming across a website asking if you accept cookies. That’s because of a range of laws designed to protect your data privacy.
In this guide we’ll explain what cookies are, how they work, and how you can make informed decisions about them. Let’s jump in.
What are Cookies?
A cookie is a small text file that is created by a website and stored on your computer through your browser. The idea is that the website can access the cookie at a later time and retrieve information about you. The website then customizes pages based on this information.
Many uses of cookies are uncontroversial and help users. Examples include:
- Storing your username (but not your password) to save you having to remember it or type it in when you return to a site
- Keeping items in a virtual “shopping basket” for an online retailer website
- A site such as a weather forecast service or movie theater listings ‘remembering’ your location and automatically displaying relevant details when you next visit
Some uses of cookies, such as tracking your online activity to deliver targeted advertising, can be more controversial.
Cookies fall into two main categories: session cookies only last until you leave the website in question, while persistent cookies will last until a set expiration date.
There are a number of different types of cookies, and they each can serve a different purpose. Some stick around for a long time (years) while others, as seen above, are only there when you’re on the related website.
What are Third-Party Cookies?
A third-party cookie is one that is placed on a browser by somebody other than the operator of the site you are visiting. Specifically, it is placed by a different domain (website). That’s in contrast to a first-party cookie, which is created and placed by the domain you are visiting.
The main technical difference is that a first-party cookie is only accessible to the domain that issued it. A third-party cookie can be accessible on multiple sites that include code from the third party, because the browser sends the cookie back to the third party’s domain each time one of those sites loads that code.
A common example of a third-party cookie would be where a website hosts advertising provided through an advertising network. Once the third-party cookie is on your browser, it could be accessed whenever you visit any website that shows ads from the advertising network.
This could help the network tell advertisers how many times an average user has seen the same ad. Alternatively, the cookie could be used to make sure you don’t see the same ad repeatedly, or to make sure you see a series of ads from the same campaign in a particular order.
Some uses of third-party cookies are more controversial, particularly ones known as tracking cookies. For example, a cookie might be used to keep a record of the type of websites you visit and then deliver more targeted advertising.
Sometimes this can be very noticeable, for example if you visit a page about a product on a retailer’s website and then start seeing ads for that product on other websites you visit.
By 2022, most major browsers will block third-party cookies by default. Depending on the browser, users may be able to change browser settings to accept them by default or deal with each third-party cookie individually.
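To make the session/persistent and first-party/third-party distinctions described above concrete, here is an added example (not code from the original article) that classifies cookies from their Set-Cookie headers. The hostnames, header values, fixed clock and the two-label "site" rule are assumptions made for illustration.

```javascript
// Added example. Every hostname and header value here is constructed sample data.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.split('=')[0], attrs };
}

// Session cookies carry neither Max-Age nor Expires; Max-Age wins if both are set.
function lifetime(attrs, now) {
  let expiresAt = null;
  if (/^-?\d+$/.test(String(attrs['max-age']))) {
    expiresAt = now.getTime() + Number(attrs['max-age']) * 1000;
  } else if (typeof attrs.expires === 'string' && !Number.isNaN(Date.parse(attrs.expires))) {
    expiresAt = Date.parse(attrs.expires);
  }
  if (expiresAt === null) return 'session';
  // An expiry time that has already passed tells the browser to delete the cookie.
  return expiresAt <= now.getTime() ? 'deleted' : 'persistent';
}

// Simplification: treat the last two hostname labels as the "site". Browsers use
// the Public Suffix List, so this is wrong for suffixes such as co.uk.
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

// pageHost is the site in the address bar; setterHost sent the Set-Cookie header.
function classify(pageHost, setterHost, header, now) {
  const { name, attrs } = parseSetCookie(header);
  const party = site(pageHost) === site(setterHost) ? 'first-party' : 'third-party';
  return { name, lifetime: lifetime(attrs, now), party };
}

const NOW = new Date('2024-01-01T00:00:00Z'); // fixed clock so results are repeatable
const SAMPLES = [
  ['shop.example', 'www.shop.example', 'basket=3; Path=/'],
  ['shop.example', 'www.shop.example', 'username=alice; Max-Age=31536000'],
  ['shop.example', 'ads.adnetwork.example',
    'uid=abc123; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure'],
  ['news.example', 'ads.adnetwork.example', 'uid=abc123; Max-Age=0'],
];
const classifyAll = () => SAMPLES.map(([p, s, h]) => classify(p, s, h, NOW));
console.log(classifyAll());
```

The same `uid` cookie from the constructed ad network appears under both `shop.example` and `news.example`, which is what lets one third party recognise a browser across unrelated sites.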
Why Do Websites Warn About Cookies?
The European Union ePrivacy Directive
This is also known informally (if inaccurately) as the EU cookie law. It’s a European Union directive, which means a set of principles that individual countries build into their own domestic law.
The key principle is that a website in an EU country can’t put a cookie on your device without getting prior consent. The only exception is for a cookie that’s needed for the website’s basic functionality.
At some point this directive is likely to be replaced by a specific European Union regulation that updates the rules to take account of technological changes, but this hasn’t happened yet.
The General Data Protection Regulation (GDPR)
The GDPR covers a wide range of data protection issues. Its scope covers cookies whenever they contain information about an identifiable individual. Unlike the ePrivacy Directive, the GDPR is an EU regulation, meaning it has direct legal effect in all member states.
The GDPR applies if the website visitor, the website or the processing of personal data is in a European Union country.
Compared with the ePrivacy Directive, the GDPR requires explicit consent to collect personal data, including through cookies. While some sites have been slow to do this, legally they must be designed so that the user must actively consent, for example by clicking a button or closing a pop-up message.