If you spend any amount of time browsing the web, you’ve probably encountered the term “cookies” as it relates to data privacy and browsing habits. While not nearly as delightful as the type you eat, these little guys, like actual cookies, leave their mark.
What are Cookies?
Unlike the stealthy pixels and invisible gifs that are web beacons, cookies are completely undetectable on the front end. They are micro files of text in a site’s code. They’re ‘marked’ or ‘stamped’ with personal information like usernames and passwords, and combined with HTML specific to the server from which they’re generated. In plain language, they’re lines of code that sometimes come in handy by imprinting preferential settings like login info, so you can do the things you typically do on any given website faster, without jumping through the necessary hoops.
Regulatory Bodies and Cookies
It’s important to note that cookies often serve crucial functions, especially when it comes to being able to navigate a site the way the developers and designers intended. But this isn’t to say that cookies are completely benign. Their storage of personal data (not simply sensitive login information, but broader sets of data such as browsing habits, preferences, purchases, etc.) can easily pose security risks to consumers.
Which is why cookies have become subject to so much regulation. Those obnoxious pop-ups you’re constantly batting away when you visit a new site for the first time? Those are dictates of the ePrivacy directive, which since 2009 has been the standard bearer for consent around cookies. It both predates the GDPR (the General Data Protection Regulation, published in 2016) and is typically applicable in more cases.
Interestingly, the EU’s regulations around data privacy are enforced much more strongly than those in the United States. The GDPR and ePrivacy directive were both authored as EU dictates and are enforced there. From one consumer to another, this is an area where the globalized nature of commerce actually works in our favor. Article 3 of the GDPR defines its territorial scope. It covers companies operating outside the territory of the EU/EEA (European Union or European Economic Area) who serve or track EU/EEA residents. This means that if a U.S. company offers goods or services (not limited to commercial transactions) to EU/EEA residents, or monitors the behavior of these residents via cookies, it is subject to the regulations of the GDPR.
To better understand web cookies, it’s notable that they can be classified along three characteristics: their purpose, their duration, and their provenance.
Cookies can have three purposes, which we touched on earlier. The first is strictly necessary, which means they’re necessary for the site to function as intended. An example of this would be cookies that hold items in an online shopping cart while you continue to browse. No consent is necessary for this type of cookie. Cookies can also have a functionality purpose, which means they remember your preferences. The earlier example of keeping your login credentials stored in their code would fit this bill. And lastly, that thing we’re all bombarded with nonstop in the 2021 version of the internet: marketing. Marketing cookies track your activity and browsing habits so that they can deliver relevant data to advertisers, and then play into how many times you see an ad, or which version of the ad you see. Understandably, functionality cookies and marketing cookies require the most consent from the end user.
In terms of duration, there are two types: session cookies and persistent cookies. Session cookies are temporary. They die at the end of a session or when the browser is closed out. Typically, necessary cookies are session cookies, since getting around a site proves difficult without them, but past the point of use the info is released. Then there are persistent cookies, which remain on a drive until manually erased by the end user. Persistent cookies have expiration dates written into their code, and notably, these dates vary. The ePrivacy directive dictates that they shouldn’t last longer than 12 months; in practice, however, their code could dictate that they last indefinitely if you aren’t being an informed enough consumer to take action and clear them out yourself.
Lastly, like wine and fine art, these sophisticated little rascals have a provenance, which simply means their point of origin. Cookies can be first party, meaning that the site or server that writes them puts them on, or third party, meaning that an advertiser or analyst placed them on top of a site with the site’s consent. As you might have guessed, strictly necessary cookies are typically first party cookies, and marketing cookies are typically third party, although there are obvious variations on these themes.
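As an added example (not code from the original article), the duration and provenance classifications above can be checked from the `Set-Cookie` headers a site sends, including the 12-month lifetime mentioned for persistent cookies; purpose cannot be read from a header and is left out. The hosts, cookie names and the two-label `siteOf` shortcut are assumptions made for illustration.

```javascript
// Added example. Hosts and header values are constructed sample data.
const TWELVE_MONTHS_S = 365 * 24 * 60 * 60;

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? '' : attr.slice(i + 1);
  }
  return cookie;
}

// Seconds until expiry, or null for a session cookie. Max-Age overrides Expires.
function lifetimeSeconds(cookie, now) {
  const maxAge = Number.parseInt(cookie.attrs['max-age'], 10);
  if (!Number.isNaN(maxAge)) return maxAge;
  const expires = Date.parse(cookie.attrs.expires);
  if (!Number.isNaN(expires)) return Math.round((expires - now.getTime()) / 1000);
  return null;
}

// Assumption: the "site" is the last two host labels. Production code needs the
// Public Suffix List (e.g. for hosts under co.uk).
const siteOf = (host) => host.toLowerCase().split('.').slice(-2).join('.');

function auditCookie(header, setByHost, pageHost, now) {
  const cookie = parseSetCookie(header);
  const life = lifetimeSeconds(cookie, now);
  return {
    name: cookie.name,
    duration: life === null ? 'session' : 'persistent',
    exceeds12Months: life !== null && life > TWELVE_MONTHS_S,
    provenance: siteOf(setByHost) === siteOf(pageHost) ? 'first-party' : 'third-party',
  };
}

function runSampleAudit() {
  const now = new Date('2024-01-01T00:00:00Z'); // fixed clock for repeatable output
  const page = 'www.shop.example';
  return [
    ['cart=abc123; Path=/; Secure; HttpOnly', 'www.shop.example'],
    ['prefs=lang-en; Max-Age=2592000; Path=/', 'cdn.shop.example'],
    ['adid=xyz; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure', 'px.adnetwork.test'],
  ].map(([header, setBy]) => auditCookie(header, setBy, page, now));
}

console.log(runSampleAudit());
```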
It’s our sincere wish here at #teamASAR that this article helped clarify the sometimes mystifying concept of cookies. That being said, this author is both hungry, and exhausted from the restraint it took not to fill this article to the brim with terrible cookie puns, like chocolate chips in a….. ok, you get the point.
As always, we love to hear from you regarding our topics and content, so feel free to leave any questions or comments below.