惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Apple Machine Learning Research
Apple Machine Learning Research
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Security @ Cisco Blogs
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Cisco Talos Blog
Cisco Talos Blog
Cyberwarzone
Cyberwarzone
SecWiki News
SecWiki News
Webroot Blog
Webroot Blog
L
LINUX DO - 最新话题
V
Vulnerabilities – Threatpost
T
Troy Hunt's Blog
Cloudbric
Cloudbric
L
LINUX DO - 热门话题
Google DeepMind News
Google DeepMind News
H
Heimdal Security Blog
S
Schneier on Security
NISL@THU
NISL@THU
The Hacker News
The Hacker News
Attack and Defense Labs
Attack and Defense Labs
A
Arctic Wolf
V2EX - 技术
V2EX - 技术
Security Latest
Security Latest
AWS News Blog
AWS News Blog
Scott Helme
Scott Helme
W
WeLiveSecurity
S
Secure Thoughts
Y
Y Combinator Blog
GbyAI
GbyAI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
博客园 - Franky
量子位
人人都是产品经理
人人都是产品经理
雷峰网
雷峰网
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
T
Tenable Blog
The GitHub Blog
The GitHub Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
J
Java Code Geeks
Vercel News
Vercel News
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
小众软件
小众软件
Engineering at Meta
Engineering at Meta
宝玉的分享
宝玉的分享
C
CERT Recently Published Vulnerability Notes
Security Archives - TechRepublic
Security Archives - TechRepublic
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Palo Alto Networks Blog

Blog of Simple Analytics

The EU wants to kill cookie banners Google is tracking you (even when you use DuckDuckGo) German court rules Meta’s tracking tech violates GDPR Closing the data gap - Simple Analytics x Usercentrics The EU-US data deal may be dead in the water You are missing 20% of your website data with GA4 How a reverse trial will push Simple Analytics to the next level Google will start tracking all your devices (WTF?) Big Tech Fails EU’s Digital Services Act: Only Wikipedia Passes the Test Meta fined $102 million by the Irish Data Protection Commission Europeans spend 575 Million hours per year clicking cookie banners The most interesting GDPR fines GDPR and fines: all there is to know Google loses key antitrust case Web Analytics for Crypto Companies Web analytics for publishers Google pulls Uno Reverse card: Rolls back decision to kill third-party cookies Privacy Monthly July 2024 Privacy Perspectives June 2024 Privacy Monthly June APRA fumbles targeted advertising Privacy Monthly May Meta loses key privacy battle Google delays cookie phase-out once again Privacy Monthly April 2024 Web Analytics and Consent Privacy Monthly March 2024 German authority cracks down on cookie banners Google Tag Manager vs Google Analytics Google search alternative Data retention in Google Analytics Guide to Google Analytics and Cookie consent What are Google Analytics' identifiers? How to export data from Google Analytics Privacy Monthly February 2024 The Criteo case: a big deal for Big Tech Privacy Monthy January 2024 What the Digital Markets Act means for privacy Google Settles in $5B Incognito Mode Lawsuit Legal troubles for Adobe Analytics Web analytics for nonprofits HIPAA and mental health Why Meta subscriptions are under attack, and why it matters for privacy Privacy Monthly: December Simple Analytics AI Host analytics on Cloudflare Zaraz Add Google Analytics to Convertkit Google Analytics Pricing - Paid vs Free Road to 1 Million ARR - October update CCPA and Data Protection: all there is to know Analytics without a cookie banner Enterprise Analytics Privacy Monthly: November 2023 Delete Act: all you need to know Mobile App Tracking Under Fire The road to 1 Million ARR - September Update Privacy Monthly: October 2023 HIPAA violations First challenge to the EU-US data transfer framework Direct Marketing under GDPR Road to 1 million ARR - August Update CCPA vs CPRA: what is new? Privacy Monthly: September 2023 A/B Testing with Simple Analytics Dobbs v. Jackson ruling is a privacy mess Privacy Monthly: August 2023 What are your rights under the CCPA? When does the CCPA apply? How does the HIPAA compare to the CCPA and GDPR? Why Meta is in a world of trouble CJEU: cookie-based analytics collects sensitive data Road to 1 million ARR - July update All about the new Data Transfer Framework Road to 1 Million ARR - June update What is PHI under HIPAA? Sweden declares Google Analytics illegal Searching for GA4 Alternatives? Top 10 Reliable Options for Google Analyticss Ultimate HIPAA Compliance Checklist: Essential Steps for Healthcare Providers Privacy Monthly: June 2023 More troubles for Google Analytics The path to 1M ARR - May Update Data Processing Agreements Minimal Product Analytics Facebook data transfers declared illegal Is Google Analytics CCPA-compliant? Help us with your input Cookie banners: How to stay GDPR compliant? GDPR Compliance Checklist Privacy Monthly: May 2023 Simple Analytics: Privacy-first website analytics Improve your e-commerce performance with analytics European Facebook blackout is closer than we think Know your website’s Carbon Emissions - and how to reduce it The path to 1M ARR - April 2023 How to add video tracking using Google Tag Manager? How to track form submissions using Google Tag Manager? Why is my Simple Analytics data different from Google Analytics? Debug Simple Analytics script How to Import Google Analytics Data to Simple Analytics
Cookies 101
Carlo Cilent · 2024-03-12 · via Blog of Simple Analytics

When people discuss online privacy, cookies always come up. But how do cookies work, and what rules apply?

You might think that cookies need consent. After all, so many websites annoy you with cookie banners! But the rules are more complex than that and not all cookies are treated equally by the law. So, let’s shed some light on cookies and their legal requirements in the EU.

  1. What are cookies, and what are they for?
  2. How are cookies regulated in Europe?
  3. What types of cookies are there?
    1. First-party vs. third-party
    2. Essential vs. non-essential
    3. Unique vs. non-unique
  4. How are cookies regulated?
    1. Non-essential cookies require consent…
    2. … but essential cookies do not
    3. Extra rules from the GDPR may apply
    4. What if I use cookies for multiple purposes?
    5. Consent is opt-in
  5. What about apps?
  6. Are cookies good for web analytics?

Michelin chose Simple AnalyticsJoin them

What are cookies, and what are they for?

Cookies are small files stored inside your browser that exchange information with the server whenever you browse a website.

While cookies are often associated for web analytics, they are used for all sorts of different purposes. Plenty of websites use cookies for anti-fraud, web security, and automated log-ins. The purpose of cookies matters because not all cookies are treated the same under EU law- more on that later.

How are cookies regulated in Europe?

Cookie rules are somewhat complex in the EU, so here is a short tl;dr to make it less confusing:

  • If your cookies are essential for your website to function, then you do not need consent.
  • If your cookies are not essential, then you need opt-in consent for using them. This typically means displaying a cookie banner.
  • If your cookie has a unique identifier, then you have some duties under the GDPR. You may still be able to place those cookies without consent, if they are essential.

Again, this blog will refer to EU law only. Different legislations regulate cookies differently: for instance, the UK and Brazil are closely aligned with European laws, while US regulations are typically more permissive.

What types of cookies are there?

While all cookies function in a similar way, there are some distinctions between them, some of which matter for the law.

First-party vs. third-party

First-party cookies can be read only by the domain that wrote them in your browser, while third-party cookies can be read by different domains as well.

For instance, if you visit Facebook and accept Meta’s third party cookies, other websites will be able to read those cookies as well. This allows Meta to “personalize your experience” (read: serve targeted advertising based on invasive profiling, both on Facebook and on browsing other websites that rely on Meta for placing ads).

On the other hand, if you accept first-party cookies from www.coolwebsite.com, the site will be able to read them- _but a different domain such as www.awesomewebsite.com won’t.

Third-party cookies are highly invasive. This is why so many Internet users go out of their way to install ad blockers, and why many browsers block third party cookies or limit the snooping in other ways (such as the cookie jars in Mozilla Firefox). This general backlash against cookies has been dubbed the biggest boycott in human history and is making third-party cookies increasingly ineffective as a retargeting tool.

Essential vs. non-essential

Essential cookies are cookies that an app and website needs in order to work properly. For instance, cookies that are used to prevent DoS attacks against websites are essential, while web analytic cookies are non-essential.

This is the main distinction from a legal point of view because non-essential cookies always require consent under EU law (more on that later). In fact, non-essential cookies are sometimes referred to as optional because of their generally stricter regulation under the law.

Unique vs. non-unique

Finally, let’s take a look at a third and often overlooked distinction. Some cookies include a unique identifier- that is, a string of numbers that identifies an individual user (or more exactly, their browser). This identifier allows a website to monitor an individual user because no two cookies are the same.

Common web analytics tools like Google Analytics and Adobe Analytics use identifying cookies to track people around the Internet and profile them based on their browsing habits. So, these are the kind of cookies privacy advocates (rightly) complain about. But identifying cookies have different, less invasive uses as well: for instance, many websites use them for anti-fraud, and e-commerce platforms often use them to track the products in your cart.

Unique identifiers are relevant from a legal viewpoint because they count as personal data. So, cookies with unique identifiers are always personal data and fall under the GDPR while cookies without unique identifiers do not.

How are cookies regulated?

Cookies rules are mainly found in two legal sources: the GDPR and the ePrivacy Directive. The regulation of cookies is somewhat complicated because the two laws differ in terms of criteria, terminology, and scope.

As we anticipated in our td;dr:

  • Non-essential cookies always require opt-in consent.
  • Non-essential cookies do not require consent at all.
  • Some cookies come with other requirements under the GDPR- whether they are essential or not.

Let’s break these rules down bit by bit.

The ePrivacy Directive (more exactly, Article 5(3)) requires consent to access data stored on a user’s terminal equipment. This means that cookies can only be used with consent- but there are carve-outs, as we will see-

The Article also applies to technologies other than cookies because it is worded very broadly. For instance, built-in trackers in mobile apps also require consent, as do advertising identifiers for mobile devices such as Google’s AAID or Apple’s IDFA.

This mandatory consent rule is stricter than those found in the GDPR. The notion that the GDPR is all about consent, is misleading, as there are absolutely legitimate ways to collect data without consent (as we explained here).

… but essential cookies do not

The Directive includes a carve-out for data which are “strictly necessary to provide an information society service” at the user’s request.

This carve-out is interpreted quite broadly by regulators and covers all the data which websites and apps need in order to function. This is why essential cookies do not require consent, as we anticipated.

For instance, let’s say you visit an ecommerce website and change the language to Spanish. Your language preference is probably stored through a cookie. This is an essential cookie: if you are to browse the website, then the website needs to display its content in a language that you can understand. So, the website does not need your consent in order to place that.

But if the same website wants to use Google Analytics cookies, it needs your consent. This is because web analytics and retargeting are extra things that the website wants but does not need to do.

(On a side note, the ePrivacy Directive includes a second carve-out for data which are strictly necessary to make communication possible. This carve-out doesn’t typically apply to cookies but is still worth mentioning)

The GDPR and the ePrivacy Directive do not have the same scope: the GDPR applies to personal data, while the ePrivacy Directive (and Article 5 specifically) applies to all communication data whether they are personal data or not. This makes things a little complicated because some cookies fall under both the ePrivacy Directive and the GDPR, while others only fall under the ePrivacy Directive.

Explaining it all in detail would make this blog too long, but in a nutshell:

  • The cookies that fall under the GDPR are, again, the ones that contain a unique identifier.
  • If the GDPR applies, some general rules also apply (for instance, legal bases, duties of information, the right to access data, and so on). . Just because the GDPR applies, does not mean that you need consent! Cookies with unique IDs can still be used without consent if they are essential. In the example above, the unique cookies used by e-commerce websites to track the items in your cart, are essential cookies and are exempt from the consent requirement.

What if I use cookies for multiple purposes?

Sometimes cookies are used for multiple purposes. For instance, you may use the same cookie for both anti-fraud and web analytics.

You can see why multiple-purpose cookies are problematic. Non- essential cookies require consent while essential cookies don't. What about cookies that fulfill both essential and non-essential purposes?

Thankfully, the European Data Protection Board chimed in on this a while ago: as long as any individual purpose is not essential, the cookie requires consent. This important clarification closes dangerous loopholes that would otherwise allow for non-consensual tracking.

The practical takeaway is to avoid using the same cookies for essential and non-essential purposes. This allows you to respect user choice and still be able to write all the essential cookies that make your website work.

Consent is a complex subject. We can only scratch the surface here, but it is worth pointing out that only active, opt-in consent is valid. There is no such thing as an implicit or opt-out consent under the GDPR!

The rule of opt-in consent has important consequences for web analytics:

  • Your cookie banner must use affirmative wording such as “I accept cookies” or “I consent to the use of cookies”. Avoid ambiguous language like acknowledging cookie use.
  • Your website should not write non-essential cookies until the user makes a choice. Ignoring the cookie banner and scrolling on is not a choice, and the same goes for clicking a “close/X/dismiss” button.

There is a lot more to say about consent and cookies, especially with regards to web analytics, and we may soon come back to the topic.

What about apps?

App tracking is different from cookie-based tracking in that trackers are typically built into the app directly. But, Article 5 of the ePrivacy Directive is very broadly worded and the trackers commonly found in apps fall within its scope.

Long story short, the rule is the same: if the tracking is not strictly necessary, then it requires consent.

But this requirement is largely ignored. Most of the app industry uses third-party software development kits (SDKs) which arepacked with trackers. These kits collect data to the benefit of the kit’s developer and frequently ignore or circumvent consent rules. The end result is illegal tracking on a planetary scale.

To make things worse, you have less control over your apps than you do over the websites you visit, because you can’t install an ad blocker or check and delete trackers the way you would manage cookies from your browser. This is why every company under the sun is trying to force a crappy app on you.

Tl;dr: apps follow the same rules as cookies but companies play dumb.

Are cookies good for web analytics?

It depends. Cookie-based analytics services such as Google Analytics and Adobe Analytics can collect fine-grained data, but that data comes at the cost of user privacy. This is an ethical issue and it can become a practical issue in jurisdictions with strict consent requirements such as the EU, because cookie banners lead to high opt-out rates and inaccurate analytics.

Simple Analytics can solve the problem. We build our service to provide you with all the insight you need without using cookies and without collecting personal data. Simple Analytics is a great, privacy-focused alternative to Google Analytics as well as a perfect complement to it- as a means to mitigate the loss of data from cookie banners.

If you are curious, feel free to give us a try!