In this article, we will delve into the world of internet cookies and provide you with a comprehensive understanding of what they're, how they work, and the regulations governing their use.
What are website cookies?
Cookies are text files containing small pieces of data, for example, a username and password. Information about the user is saved and then tracked as they browse. For example, if you look up your local forecast on www.metoffice.gov.uk, the website cookies will remember the town or postcode you entered, and the next time you visit the site, the weather in your particular area is what you will see first.
Cookies are also used to:
- Improve website functionality
- Track users' activity
- Personalise content
- Tailor advertising more effectively, based on previous search history and web browsing behaviour, for use in targeted ads, also known as online behavioural advertising (OBA)
- Provide security, for example, in internet banking and e-commerce sales
What are the different types of cookies?
There are four different types of cookies, namely:
- Sessions cookies
- Persistent cookies
- First-party cookies
- Third-party cookies
These cover a single browsing session and are deleted when the user exits the browser. They're the least intrusive type of cookies and usually do not store personal data.
These are stored on the user's device for a limited period (this could be a few minutes or a few days). They allow a website to recognise the user and their preference when they return and tailor the browsing experience to them. They can also be used to track a user’s browsing activity across the internet to build up a profile for OBA.
By default, these are generated and stored on your website visitor's computers when they visit your site. A unique identifier is assigned to the user by setting the cookie to either the user's browser and/or their hard drive to track the user's journey on the website.
Website owners use first-party cookies for personalisation and recognition purposes. Each time a user visits the website, the cookie is retrieved, ensuring they do not have to re-enter registration details or can return to the items they previously stored in a shopping basket. The information gathered via first-party cookies is incredibly valuable to advertisers, and a website owner can sell the user data to third parties provided they have obtained consent.
These are planted by anyone other than the website owner or operator. They're generally present when a website hosts images, social media plugins or advertising from other websites, as these can also set cookies. Website owners often monetise their sites by ‘renting out’ space to advertisers, who in turn plant their own cookies. Blocking third-party cookies improves user security and privacy. Users can block first and third-party cookies through their web browser settings.
What sort of information is stored by a cookie?
Cookies are designed to collect extensive website-user information, and depending on the type, this can include:
- A unique user ID and password
- How often a user visits a particular site
- Previous links clicked on
- The name, phone number, email, and personal address of the user
- The user’s location
- The products placed in a shopping cart
- How long a user spends on the site
The above list is not exhaustive. A lot of information collected by cookies contains personal data. Therefore, website owners and operators must comply with the Privacy and Electronic Communications Regulations (PECR), the UK and/or EU GDPR (General Data Protection Regulation), and the Data Protection Act 2018 when using cookies to collect, store, and share personal data.
How long can you legally store cookies?
According to the ePrivacy Directive, they should be stored for up to 12 months.
What is a second party cookie?
When you visit a website, second-party cookies refer to the data collected from it that will be shared with another website due to a pre-arranged data exchange agreement between the two sites. These cookies gather identical information to first-party.
What is a Cookies Policy?
A Cookies Policy is a document made available on your website that sets out what type of cookies the website uses, what kind of data they collect, the purposes for processing the data obtained, and how long the user’s browser will store the cookies.
Is a Cookies Policy a legal requirement?
This is a tricky question. PECR was published in 2003 when the Internet was well-established but nowhere near as sophisticated and widely used as it is today. As such, the PERC itself does not explicitly mention cookies. However, Regulation 6 of PERC states:
(1) … a person shall not store or gain access to information stored in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Applying Regulation 6 to cookies, the law requires that website owners and operators must, therefore:
- Make clear what cookies they use
- Explain how they will operate
- Obtain user consent to store cookies on their devices
Get legal assistance from LawBite