Cookies, analytics and regulation

Cookies are delicious. They are also very useful tools when building a website. A cookie is a block of data stored on (and accessed from) your device by websites you visit. While moving between webpages or closing your browser destroys most data about your visit, cookies allow a website to store/access information across different pages or browsing sessions.

If I do something on one webpage, such as click a button, log in, type my name or add something to my shopping basket, and then follow a link to another page on the site, that new page won’t necessarily know where I’ve come from or why. If, however, when visiting the first page, a cookie is set to store information about my interaction with the site so far, the new page can read that cookie and pick up where I left off.

Rather than storing reams of information in my browser about the actions I take, it’s often easier to store a cookie in my browser to identify me (e.g. visitor number=#123) and then create a temporary (or long-term) record on the web server to record my actions. That way, while the server is generating the webpage, it can understand a little about who I am. 

Let’s say I visit an online shop and, as soon as I land, it sets a cookie labelling me visitor #123. If I then type in “vegan chocolate” and hit search, the site may send me search results, and store (on the server-side) that visitor #123 was looking for vegan chocolate. If I then close the window, and come back to the same site later on, it can access the cookie stored earlier, see that I’m visitor #123, check its records, spot I was looking for vegan chocolate, and straight away show me some of that on the landing page.

If I click add-to-basket and browse around the site, the server knows I’m visitor #123 (from the cookie) and that I’ve got chocolate in my basket (from the record on the server). If I later delete that visitor number cookie from my browser, I’ll be anonymous to the server, and my basket (and my interest in vegan chocolate) will seem to disappear from the site. In reality the server probably still has a record that visitor #123 liked vegan chocolate and had some in their shopping basket, so if I recreate the cookie in my browser, it will recognise me again and bring my basket back.
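The visitor-number scenario above, as a runnable added example (not code from the original post): a simulated server reads the browser's Cookie header, hands out a visitor id in Set-Cookie when it doesn't recognise one, and keeps the searches and basket in a server-side record keyed by that id. The cookie name `visitor`, the in-memory store and the request/response shapes are assumptions for the example. Two details go beyond the post: the id is generated with `secrets` rather than a guessable counter like #123, because a guessable value would let one visitor read another's basket by editing their cookie, and the cookie is issued with the HttpOnly, Secure and SameSite attributes so that page scripts and cross-site requests can't use it.

```python
import secrets
from http.cookies import SimpleCookie

# Hypothetical cookie name for this example (not taken from any real site).
COOKIE_NAME = "visitor"

# The "record on the web server" from the post: an in-memory dict keyed by
# visitor id. A real site would use a database or session store.
SERVER_RECORDS: dict[str, dict] = {}


def new_visitor_id() -> str:
    # The id must be unguessable: a sequential number like #123 would let a
    # visitor read someone else's basket just by editing their cookie value.
    return secrets.token_urlsafe(16)


def handle_request(cookie_header, action=None, value=None):
    """Simulate the server handling one request.

    cookie_header is the raw Cookie request header (None if the browser sent
    none). Returns (response_headers, visitor_id, server_record).
    """
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    response_headers = {}

    if COOKIE_NAME in jar and jar[COOKIE_NAME].value in SERVER_RECORDS:
        # Known visitor: pick up where they left off.
        visitor_id = jar[COOKIE_NAME].value
    else:
        # No cookie, or a value we do not recognise: treat as a new, anonymous
        # visitor and hand out a fresh id in a Set-Cookie header.
        visitor_id = new_visitor_id()
        SERVER_RECORDS[visitor_id] = {"searches": [], "basket": []}
        out = SimpleCookie()
        out[COOKIE_NAME] = visitor_id
        out[COOKIE_NAME]["path"] = "/"
        out[COOKIE_NAME]["httponly"] = True   # page scripts cannot read it
        out[COOKIE_NAME]["secure"] = True     # only sent over HTTPS
        out[COOKIE_NAME]["samesite"] = "Lax"  # not attached to cross-site POSTs
        response_headers["Set-Cookie"] = out.output(header="").strip()

    record = SERVER_RECORDS[visitor_id]
    if action == "search":
        record["searches"].append(value)
    elif action == "add_to_basket":
        record["basket"].append(value)
    return response_headers, visitor_id, record


def walkthrough():
    """Replay the post's vegan-chocolate scenario and report what the server sees."""
    headers, vid, _ = handle_request(None)                 # first landing: cookie issued
    cookie_header = f"{COOKIE_NAME}={vid}"                  # what the browser sends back
    handle_request(cookie_header, "search", "vegan chocolate")
    _, _, later = handle_request(cookie_header)             # close window, come back later
    handle_request(cookie_header, "add_to_basket", "vegan chocolate")
    _, anon_vid, anon = handle_request(None)                # cookie deleted: anonymous again
    _, back_vid, back = handle_request(cookie_header)       # cookie recreated: recognised
    return {
        "set_cookie": headers["Set-Cookie"],
        "remembered_search": later["searches"],
        "anonymous_is_new_visitor": anon_vid != vid,
        "anonymous_basket": anon["basket"],
        "basket_restored": back_vid == vid and back["basket"] == ["vegan chocolate"],
    }


if __name__ == "__main__":
    for key, val in walkthrough().items():
        print(f"{key}: {val}")
```

Running `walkthrough()` shows exactly what the post describes: the returning visitor is shown their earlier search, deleting the cookie makes the server treat them as a brand-new visitor with an empty basket, and sending the old cookie value again brings the basket back, because the record on the server never went away.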

Analytics, and finding your cookies

Screenshot: the Safari Develop menu (getting to the Web Inspector in Safari).

While fundamentally quite straightforward, cookies can be used in far more sophisticated scenarios than this. As I move around, a cookie might be used to record which different websites and pages I visit, the actions I take, the time of day I tend to do my shopping, the type of news I read and comment on, how I interact with friends, and many other types of behaviour.

Most browsers let you see what cookies are used by the websites you visit. In Safari, you can do this by switching on the Develop menu (Settings -> Advanced -> enable Develop menu), visiting the website you want to inspect, and opening the Web Inspector from the menu.

Once you’ve opened the Web Inspector, you can click on storage, which gives you the option of viewing cookies, local storage and session storage. In the cookies tab, you’ll see a range of information, including the name of the cookie (e.g. visitor number in the discussion above) and the value of that cookie (e.g. #123).

Screenshot: cookies displayed through Safari's Web Inspector.

You’ll notice things aren’t generally as simple as visitor numbers, but the principles are the same. In the screenshot above, some of the cookies on the website I visited (slashdot.org) are placed by Google Analytics. That’s a sophisticated suite of tools which you can plug into your website, and which uses cookies to track visitors across your website, and monitor how they interact with it.

What’s regulation got to do with it?

Web developers need to think about regulation because it often means they need to get consent from website visitors before cookies are used. I’ll be looking at the way this works in the UK, but a lot of it is generally applicable throughout Europe.

You’ll probably have heard of the GDPR, the General Data Protection Regulation, which spans Europe and is largely replicated (following Brexit) in the UK. I’ve found that developers often refer to the GDPR when talking about cookies, and this can lead to some confusion. That’s partly because the GDPR regulates the use of personal data, and it can be difficult to see how some cookies are personal data. For instance, in the example above, I didn’t mention any name, address, location or anything like that, just an anonymous-sounding visitor number.

I won’t get into the GDPR in too much detail here, but another cause for confusion is that the GDPR often allows you to use personal data even if you don’t get consent, and it isn’t obvious why that’s different in the case of cookies if very little personal data might be involved.

If the GDPR were the only consideration, it would often apply, but in many cases wouldn’t require consent. That’s because:

  • Even though your name isn’t involved, an identifier like #123 still counts as personal data, because it can single you out among website visitors in general. So, the GDPR applies to it.
  • However, unless cookies are used in a sophisticated way, or to profile you and monitor your behaviour, or gather more sensitive information about you, the GDPR may allow that data to be used without consent.

The GDPR is not the only regulation which applies to cookies. There is also ePrivacy regulation which governs (among other things) confidentiality of, and access to, certain information, whether or not that information is personal.

This branch of the law generally requires web developers to get consent before they store or access information (e.g. the visitor #123 cookie) on user devices. There are some circumstances where that doesn’t apply, for example if a cookie is essential for things like security, to keep you logged in to a service, or (using one of the examples above) to keep your shopping basket full as you browse around an online shop.

In other cases, websites need to find ways of making sure they have consent, before cookies are used. That’s why, lately, you’re likely to come across pop-ups on many of the websites you visit, asking you to confirm you’re happy for them to use cookies.
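One way a site can put the essential/non-essential distinction and the consent requirement into code, as an added example that is not part of the original post: every cookie the site sets or reads is listed in a catalogue with its purpose, essential cookies (login session, security token, basket, and the cookie that remembers the consent choice itself) are always allowed, and any other cookie is withheld unless the visitor's recorded consent covers its category. The cookie names, the `consent` cookie and its comma-separated value format are constructed for this example. The `audit_request` function is the check a practitioner would want alongside the gate: run over an incoming Cookie header, it lists cookies that are present on the device without consent, which usually means a third-party script set them before the banner was answered.

```python
from http.cookies import SimpleCookie

# "essential" mirrors the exemption described above (security, staying logged
# in, keeping the basket full); everything else needs consent before the cookie
# is stored or read.
ESSENTIAL = "essential"

# Hypothetical catalogue of the cookies this site knows about (constructed for
# the example, not from any real site). Every cookie the site sets or reads
# should be listed here with its purpose, or it can't be explained to visitors.
COOKIE_CATALOGUE = {
    "session":  ESSENTIAL,     # login session
    "csrf":     ESSENTIAL,     # security token
    "basket":   ESSENTIAL,     # shopping basket / visitor id for it
    "consent":  ESSENTIAL,     # remembers the visitor's own consent choice
    "_ga_like": "analytics",   # stand-in for an analytics visitor id
    "ad_id":    "advertising",
}

CONSENT_COOKIE = "consent"


def consented_categories(cookie_header):
    """Read the visitor's recorded consent from the Cookie request header.

    The consent cookie's value is a comma-separated list of non-essential
    categories the visitor agreed to (a constructed format for this example).
    No consent cookie means no consent: silence is not agreement.
    """
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    if CONSENT_COOKIE not in jar:
        return set()
    return {c.strip() for c in jar[CONSENT_COOKIE].value.split(",") if c.strip()}


def cookies_to_set(wanted, consent):
    """Split the cookies a page wants to set into allowed and withheld.

    wanted maps cookie name -> value; consent is the set of categories the
    visitor has agreed to. Cookies missing from the catalogue are withheld too:
    a cookie nobody has classified can't have been consented to.
    """
    allowed, withheld = {}, {}
    for name, value in wanted.items():
        category = COOKIE_CATALOGUE.get(name)
        if category == ESSENTIAL or category in consent:
            allowed[name] = value
        else:
            withheld[name] = category or "unknown"
    return allowed, withheld


def audit_request(cookie_header):
    """Defender-side check: which cookies in an incoming request are
    non-essential and not covered by the visitor's consent?

    Anything reported here reached the device without going through the gate
    above, e.g. a third-party script setting its own cookies before consent.
    Returns a sorted list of (cookie name, category).
    """
    consent = consented_categories(cookie_header)
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    problems = []
    for name in jar:
        category = COOKIE_CATALOGUE.get(name, "unknown")
        if category != ESSENTIAL and category not in consent:
            problems.append((name, category))
    return sorted(problems)


if __name__ == "__main__":
    # Constructed request: the visitor has answered the banner with analytics only.
    incoming = "session=s1; consent=analytics; ad_id=abc"
    print("consent:", consented_categories(incoming))
    print("set:", cookies_to_set({"basket": "b1", "_ga_like": "GA1.x", "ad_id": "abc"},
                                 consented_categories(incoming)))
    print("audit:", audit_request(incoming))
```

In the constructed request at the bottom, the analytics cookie is allowed and the advertising cookie is withheld, and the audit flags `ad_id` because it is already on the device without consent for that category.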

Anything else?

There’s often more to it. Cookies aren’t the only way websites, games and apps store or access information on devices, and the rules above apply to other functionality as well.

For example, you’ll need to think about this if you use an SDK or other tools in your apps to keep track of bugs, to understand how people play your games, to target adverts or to learn about where your customers are based, and what kind of phones or operating systems they are using.

Along with consent, web and other developers need to work out how to provide information about cookies and how they’re used, among other details.

If you would like to discuss anything in this post, or have other questions or comments on this blog or about data protection in general, please feel free to get in touch.