Cookies are small text files that are saved on a user’s local computer when browsing and sent back to the server when the user visits the same sites again. They are largely used in online marketing to better understand user behavior on the web. Increased data protection awareness resulting from the EU General Data Protection Regulation and the e-Privacy Regulation means that many cookies now require the express consent of the user. Some browsers even block unnecessary cookies by default. Ultimately, these stringent restrictions are likely to mean the end of cookies.
What are cookies and why are they used?
Cookies are small text files that are transferred from the server to a user’s device when they access a website. These files usually have an expiry date and a randomly generated unique ID. This ID is made up of numbers and is used to identify the user. If the user visits the website again, the cookie file is transferred back to the server.
The data contained in the cookie can be used to make purchases from online stores, to store passwords or user preferences for the next time they visit a site, or to collect additional information about user browsing behavior.
Cookies have a predefined expiry date that can vary from a session cookie that is deleted as soon as the website is closed – used for online shopping, for example – to marketing cookies that remain valid for several years.
What types of cookies are there?
In the General Data Protection Regulation (see next chapter), which has been in effect since May 2018 following a transition period lasting several years, the European Union has divided cookies into two areas. Although users do not have to give explicit consent for websites to transfer technical cookies that are essential for page function, users must give their explicit prior consent for all non-essential cookies.
- Essential cookies: these are all the cookies that are required for the website to work properly and to ensure that users can access certain page functions. These cookies might be required to process online purchases in a shopping cart or to store the user’s cookie settings. Technical cookies do not require the user’s explicit consent for them to be transferred to the user’s device. In a nutshell:
  - Session cookies that store user settings (e.g. shopping cart, language settings or login data)
  - Cookies that are set by integrated payment service providers such as PayPal or Visa, provided they are only used to set up or legitimize an online payment.
  - Opt-out cookies and cookie content settings are used to store a user’s cookie settings for a website and can be changed if necessary
- Non-essential cookies: cookies that are not used solely to ensure the website functions properly, but also to collect other data, are referred to as non-essential technical cookies. They would include, for example, analysis cookies and marketing cookies which are used primarily to track user browsing behavior and interests. Legal experts are generally in agreement that these non-essential cookies, which are usually integrated by third-party sites, require the explicit consent of the user before they can be transferred. Some examples of non-essential cookies include:
  - Statistics cookies: for web analysis services such as Google Analytics or Google Tag Manager
  - Marketing cookies: cookies from affiliate services, remarketing services or retargeting services
  - Social media cookies from Facebook, Instagram, LinkedIn, Pinterest or Twitter
  - Cookies from video embedding applications such as YouTube or Vimeo
  - Cookies from Scalable Central Measurement Methods
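One way a site can enforce the essential/non-essential split described above, shown as an added example that is not code from the original page: essential cookies are written at once, non-essential ones are held back until their category is accepted, and cookies already set are expired when consent is withdrawn. The cookie names, category names and lifetimes are constructed assumptions.

```javascript
// Added example: consent gate for cookie writes (cookie and category names are constructed).
const ESSENTIAL = "essential";

// Serialize a cookie; no Max-Age means a session cookie that ends with the browser session.
function serialize({ name, value, maxAge }) {
  let s = `${encodeURIComponent(name)}=${encodeURIComponent(value)}; Path=/`;
  if (Number.isInteger(maxAge)) s += `; Max-Age=${maxAge}`;
  return s;
}

class ConsentGate {
  // sink receives each cookie string; in a browser: s => { document.cookie = s; }
  constructor(sink) {
    this.sink = sink;
    this.granted = new Set([ESSENTIAL]); // essential cookies need no consent
    this.pending = [];                   // non-essential cookies held back
    this.written = [];                   // non-essential cookies already set
  }

  // Write immediately if the category is allowed, otherwise hold the cookie back.
  set(cookie) {
    if (!this.granted.has(cookie.category)) { this.pending.push(cookie); return false; }
    this.sink(serialize(cookie));
    if (cookie.category !== ESSENTIAL) this.written.push(cookie);
    return true;
  }

  // Apply the user's choice: persist it, expire revoked cookies, release held ones.
  updateConsent(categories) {
    this.granted = new Set([ESSENTIAL, ...categories]);
    this.set({ name: "cookie_consent", value: [...categories].sort().join("."),
               category: ESSENTIAL, maxAge: 15552000 }); // 180 days, an assumed lifetime
    for (const c of this.written.filter(w => !this.granted.has(w.category))) {
      this.sink(serialize({ name: c.name, value: "", maxAge: 0 })); // Max-Age=0 deletes
    }
    this.written = this.written.filter(w => this.granted.has(w.category));
    const held = this.pending;
    this.pending = [];
    held.forEach(c => this.set(c)); // still-denied cookies go back to pending
  }
}

// Constructed walk-through: returns every cookie string that reached the sink.
function demo() {
  const out = [];
  const gate = new ConsentGate(s => out.push(s));
  gate.set({ name: "cart_id", value: "c-1001", category: ESSENTIAL }); // session cookie
  gate.set({ name: "stats_uid", value: "48151623", category: "statistics", maxAge: 63072000 });
  gate.set({ name: "ads_uid", value: "42", category: "marketing", maxAge: 63072000 });
  gate.updateConsent(["statistics"]); // user accepts statistics only
  gate.updateConsent([]);             // user later withdraws consent
  return out;
}
```

The marketing cookie never reaches the sink in this walk-through because its category is never accepted.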
Cookies in the General Data Protection Regulation and the e-Privacy Regulation
While cookies can certainly be used to customize websites so that they meet the needs of their users, they also allow webmasters to collect more information about users, their browsing behavior and their interests.
Before the introduction of the GDPR, many users were not aware that cookies were being stored on their devices. In some cases, this led to enormous volumes of data being collected for online marketing purposes. Both legislators and browser providers reacted swiftly in the face of increased data protection awareness.
By introducing the General Data Protection Regulation (GDPR), the European Union has laid the foundation for greater data privacy online. Users are now required to give their express consent before any non-essential cookies can be transferred to their devices. In individual cases, however, the law is not clear on when explicit consent for cookies must be obtained from the website user. Equally, Art. 6(1) ff. of the GDPR does not give a clear-cut definition of “legitimate interests” on the part of the website operator.
The European Union is currently working on the new e-Privacy Regulation, which no longer bases cookie regulations on the location of the website, but on the location of the user. This means that US industry giants such as Google, Facebook or Amazon would have to change the way they deal with cookies to comply with new European legislation.
Will cookies soon become a thing of the past?
In the medium term, cookies will no longer form part of the online marketing model. The writing has been on the wall for some time, with relevant policymakers introducing strict data protection regulations, users becoming increasingly aware of data protection issues and browser providers slowly phasing cookies out.
Apple’s Safari browser and Mozilla’s Firefox, for instance, now block all third-party cookies by default. This means that the majority of cookies that are not technically necessary, especially for online marketing, are automatically useless because they come mainly from third-party providers.
Google also intends to follow suit and block all third-party cookies in the Chrome browser by default by 2022. Given the significant proportion of earnings that comes from (remarketing) advertising, however, Google will have no choice but to change its own advertising platforms accordingly.