In the first part of this guide to understanding cookies we discussed what cookies are and two scenarios in which you may rely on an exemption to use cookies without the user’s consent. One of these is when a cookie is strictly needed to enable a service that has been requested by the user; here “requested” means that the user had to perform an action in order to ask for the service. In this second part, we continue discussing how to make sure that cookies are set in compliance with Directive 2009/136/EC, also known as the Cookie Directive, and how to categorize them.
To put it simply, if cookies are needed to proceed with a payment for services, to log securely into one's account, or to make sure that items selected by the user stay in a shopping cart, those cookies can be placed on a user’s device without explicit consent. A cookie exempted from consent should have a limited lifespan, unless recovering the previous choices of a user is critical to delivering the service, and it is recommended that the lifespan of cookies used without the user's consent be limited to one session. In most cases, third-party cookies won’t be considered strictly necessary and will require the user’s consent.
While it is possible to create a cookie that serves several purposes at once, for example to identify a user, ensure a secure login, and provide tailored content, such a cookie will most likely be non-compliant. It is the purpose of the processing you should pay attention to: providing tailored content can’t be considered necessary and can only be done on the basis of the user’s consent.
User-input cookies - cookies that keep track of the user’s input so that a service is provided consistently, for example to keep a checkout process consistent and store the user's previous replies when it spans more than one page. These cookies are needed to provide an information service requested by the user and are exempted from consent.
Authentication cookies - cookies used to identify the user once they have logged in, for example when logging in is necessary to provide the user with requested information marked as confidential (bank account, payment information, pre-paid content, etc.). You should make authentication cookies last no longer than one session to qualify for a consent exemption. The act of authentication shall not be taken as an opportunity to use the cookie for other purposes, such as behavioral monitoring or targeted advertising.
Security cookies - cookies used to increase security. Bear in mind that the exemption applies only to cookies that secure services explicitly requested by the user, such as those used to detect attempts to break into the user’s account, to detect repeated failed login attempts, to protect the system from abuse, etc. The exemption does not apply to third-party cookies or to cookies used for general website security; those types of cookies will most likely qualify as technical cookies.
Multimedia player session cookies - cookies used to store technical data needed to play back video or audio content. Such cookies are also known as “flash cookies” and are usually stored for a duration of one session or less. The video or audio content should itself be part of the requested service and relate to it.
Load balancing cookies - load balancing is a technique that distributes the processing of web server requests over a pool of machines instead of a single one. It relies on a “load balancer”: web requests from users are directed to a load balancing gateway, which forwards each request to one of the available internal servers in the pool. In some cases, this routing needs to persist for the duration of a session, so a cookie may be used to identify the server in the pool and let the load balancer forward subsequent requests to it. These are session cookies.
UI customization cookies - we all want our users to have a pleasant experience, and UI customization cookies are used to store the user’s preferences. However, they shall only be set without consent when a user requests a service (by clicking a button, ticking a box, etc.). UI customization cookies may be stored for longer than one session; depending on the purpose, it could even be weeks or months. An excellent example of a UI customization cookie is a language preference cookie.
Social plug-in content sharing cookies - social media plug-ins are used to integrate social media networks so that content can be shared with other network users. If a user consents to sign in using social media or actively requests to use the content-sharing functionality, the cookie used to authenticate and sign the user in would qualify as essential. However, you should always ensure that data disclosures are made in accordance with applicable legislation and update your privacy notice accordingly.
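One way to check the rules above (session-only authentication and load-balancing cookies, no exemption for third-party cookies, longer lifetimes allowed for UI customization) against real Set-Cookie headers. This is an added example, not code from the original guide; the category names, the sample headers in the test and the extra Secure/HttpOnly hygiene check for authentication cookies are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Categories the guide says must stay session-scoped to keep the consent exemption.
SESSION_ONLY_CATEGORIES = {"authentication", "load_balancing"}

@dataclass
class CookieInfo:
    name: str
    is_session: bool      # True when neither Expires nor Max-Age is set
    domain: Optional[str]
    secure: bool
    http_only: bool

def parse_set_cookie(header: str) -> CookieInfo:
    """Parse a Set-Cookie header value into the attributes the exemption check needs."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    is_session = "expires" not in attrs and "max-age" not in attrs
    return CookieInfo(name, is_session, attrs.get("domain") or None,
                      "secure" in attrs, "httponly" in attrs)

def is_first_party(cookie_domain: Optional[str], site_host: str) -> bool:
    """No Domain attribute means host-only; otherwise the site host must equal or be under it."""
    if cookie_domain is None:
        return True
    domain = cookie_domain.lstrip(".").lower()
    host = site_host.lower()
    return host == domain or host.endswith("." + domain)

def exemption_findings(header: str, category: str, site_host: str) -> list[str]:
    """Return reasons the cookie would not meet the consent exemption for its category (empty = fine)."""
    cookie = parse_set_cookie(header)
    findings = []
    if not is_first_party(cookie.domain, site_host):
        findings.append(f"{cookie.name}: third-party domain {cookie.domain}, consent required")
    if category in SESSION_ONLY_CATEGORIES and not cookie.is_session:
        findings.append(f"{cookie.name}: {category} cookie is persistent but must be session-scoped")
    # Hygiene check added beyond the guide: an authentication cookie should be Secure and HttpOnly.
    if category == "authentication" and not (cookie.secure and cookie.http_only):
        findings.append(f"{cookie.name}: authentication cookie lacks Secure/HttpOnly")
    return findings
```

Run it over the Set-Cookie headers your site actually emits, tagging each with the category you assigned it in your cookie inventory.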
Understanding and categorizing cookies can greatly enhance our online experiences. By being aware of the different types of cookies and their purposes, users can make informed decisions about their privacy, security and browsing preferences. Whether it's essential cookies that enable basic website functionality, analytical cookies that help businesses measure and improve site performance, or marketing cookies that personalize online interactions, making sure cookies are used with respect for users and in compliance with applicable legislation is key.