By Ιason Chontzopoulos* and Konstantinos Kakavoulis

When we visit a website for the first time, the following message appears: “This website uses cookies to ensure you get the best experience”.

But what are these famous cookies? Do they really improve our experience on the internet? And if so, do they do so at no cost?

What are cookies?

They are small files containing information, created by websites while we visit them. They are equivalent to short text files in which the information is usually encoded or takes the form of identifiers (IDs), so it does not look coherent when a human reads it. These files and the information they contain are created by the computer on which the server runs. Each website uses only the cookies that it has created itself.

How are cookies used?

They serve to add functionality to the websites we visit. For example, a website uses them to recognise us. Since they are created by the website, they do not include personal information.

They usually recognise the browser we used during our previous visit. Websites are built on the principle that each of our clicks is independent of the previous one. Cookies were created to link one click to the next (on the same site).

Are there different types of cookies?

Yes! According to their functionality, we can divide cookies into simple cookies, session cookies and tracking cookies.

1) Simple cookies serve as information storage. Online retailers use such cookies just to remember the products that we have already chosen to buy. Other stored information could include technical characteristics, statistics on how many times we have visited the website, the language we choose, the page layout we prefer, etc.

2) Session cookies: the most common are authentication cookies, which help to identify our profile, as mentioned earlier. Depending on their application, they can have a limited duration (temporary cookies). We usually find temporary cookies on the websites of banks: they expire after a fixed period for safety reasons, and we then have to re-enter our details.

In other cases, the option “Remember Me” or “Keep me Logged in” keeps them active until we explicitly choose to log out (permanent cookies).

It is worth noting that authentication cookies are an essential privacy element on the internet and are always sent in encoded form. There are also technologies that work alongside cookies and can increase the safety and reliability of authentication.

3) Lastly, there are tracking cookies. Third-party tracking cookies are the most frequently disputed category of tracking cookies, as they serve to improve services other than those offered by the website itself. Advertising is one of these services. Cooperating websites obtain the right to use cookies in order to collect information about our browsing behaviour. The fact that third-party services, besides the website itself, can install cookies extends their use beyond the primary reason for which cookies were created, which is the improvement of the services of the original website and is served by simple cookies and authentication cookies.
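
The distinctions drawn in the list above (temporary versus permanent, own-site versus third-party) can be read off the Set-Cookie headers a browser receives while loading a page. The following is an added example, not part of the original article: it classifies constructed sample headers, and the hosts, cookie names and the two-label `siteOf` shortcut are assumptions made for illustration.

```javascript
// Added example: classify Set-Cookie headers by lifetime and by party.
// All hosts, cookie names and values below are constructed sample data.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplified "same site" check (an assumption): compare the last two DNS labels.
// Real browsers consult the Public Suffix List instead (e.g. for "co.uk").
function siteOf(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// pageHost: host shown in the address bar; responseHost: host that sent the header.
// A cookie without Max-Age or Expires disappears when the browser session ends.
function classify(header, pageHost, responseHost) {
  const c = parseSetCookie(header);
  const persistent = "max-age" in c.attrs || "expires" in c.attrs;
  const cookieHost = typeof c.attrs.domain === "string" ? c.attrs.domain : responseHost;
  return {
    name: c.name,
    lifetime: persistent ? "permanent" : "temporary",
    party: siteOf(cookieHost) === siteOf(pageHost) ? "first-party" : "third-party",
  };
}

// Constructed responses received while loading a page on shop.example.
const observed = [
  ["shop.example", "session_id=7f3a9c; Path=/; HttpOnly; Secure"],
  ["shop.example", "remember_me=b81d; Max-Age=2592000; Path=/; Secure"],
  ["ads.tracker.example", "uid=42e1; Domain=.tracker.example; Expires=Fri, 01 Jan 2038 00:00:00 GMT"],
];

for (const [host, header] of observed) {
  console.log(host, classify(header, "shop.example", host));
}
```
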

There are tools that help us check the flow of information we share through cookies. One of these tools is shown below; it records which cooperating companies the information is shared with.

Does this seem complicated? Try this tool to find out, live, with whom you share each click at any time!

So, do cookies target me?

As mentioned above, cookies usually aim to recognise the browser we use and our IP address. Cookies rarely contain personal characteristics that indicate the user’s identity. The combination of these specific elements with other sources may be used to identify natural persons; for this reason the functioning of cookies is regulated by legislation.

What does the legislation provide for cookies?

The EU General Data Protection Regulation (GDPR) includes a provision concerning cookies.

Specifically, Recital 30 of the Regulation provides:

“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In simple terms, if cookies can identify a natural person, they are subject to the GDPR. Of course, not all cookies can identify a person, but most of them, if combined with third-party sources, can.

For websites to be compatible with the GDPR and not be at risk of being fined under its provisions, they must either stop collecting cookies that can identify a natural person, or establish an adequate and lawful reason for the collection and processing of such information.

Significant changes that the GDPR brought to the use of cookies

1) Tacit consent to the use of cookies is no longer sufficient. The website user must explicitly consent to the installation of cookies by the website. This is why the messages we mentioned at the beginning of the article are displayed each time we visit a new website. These messages may seem merely annoying at first sight, but having read this article, you should think twice before you click “I accept” next time.

2) The message “By using this website, you agree to the use of cookies” is not sufficient. The user’s consent must be genuine and consistent with his/her free will; the user should really have the choice not to accept the installation of cookies.

3) The user must be able to withdraw his/her consent as easily as he/she provided it. Therefore, websites must allow users to change their mind and their original choice at any time, by offering them easy and rapid access to the relevant menu, as easy and rapid as the access they had when they first visited the website.

What can I do if a website does not comply with the above obligations relating to cookies?

Take a look at the guide that Homo Digitalis has prepared on what you can do and whom you can turn to if you face problems with the processing of your personal data. Follow the same steps if a website infringes the legislation on cookies.

Can a website function without cookies?

Cookies have clearly multiplied the capabilities of websites and in many cases increased their safety.

Their use is clearly a design choice for each website, but the use of certain cookies is purely technical in nature. An example is the online shops we previously mentioned.

Cookies of a technical nature are necessary. Websites are accessed through various devices and browsers, which require particular treatment for technical reasons; therefore, the use of simple cookies with technical data is considered necessary. In this way, the website’s layout changes to fit the relevant needs, for example by adapting the website to mobile phones and small screens.

This does not apply to tracking cookies. The use of tracking cookies has attracted worldwide interest in recent years, in particular regarding the purpose for which the collected data is exploited. For this reason, the legislation aims to bring the use of cookies into the open, giving users rights and a choice. At the same time, it requires transparency in the use of cookies by companies and provides for large fines, so that companies comply with their obligations.

Homo Digitalis, faithful to the values it represents, does not place cookies on its website visitors’ devices in order to analyse the effectiveness of the design and presentation of our website or to identify its visitors (tracking cookies).

We therefore do not record your activity on our website. The only cookie that our website uses is called PHPHSESSID.

This specific cookie cannot identify any natural person and does not record users’ personal data. It is purely technical in nature and serves the functioning of the server.

*Ιason Chontzopoulos is a data scientist based in Zurich. He is an electrical and computer engineer, having studied at the National Polytechnic School of Athens and ETH Zurich.

*Source of the main photo: https://www.howtogeek.com/327268/why-do-some-websites-have-pop-up-warnings-about-cookies/