Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens – in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!) involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial.

Cookies generally break into two categories: first-party (set and used by the same site owner) and third-party (set or used across multiple sites). Common flavors include:

  • Essential Cookies (first-party). This includes information on browser/display capabilities, whether or not a user had visited before, and user preference selections for the site (two core ones being privacy preferences and accessibility preferences). None of this necessarily includes information that would tend to identify a particular human being or household—and some of this functionality is required to make a site run properly or in compliance with the law.
  • Login tokens (generally first-party). Cookies allow users to log into a site and stay logged in to that site. These necessarily contain identifiers associated in some way with a particular person or household. In some cases, a user can elect to use the login for one site on another side (for example, signing into a another site using your Facebook account).
  • Analytics (first-party). Analytics cookies examine user behavior. They frequently assign a pseudonymized ID to a user and store that in a cookie, allowing the site to link visits from the same user (at least if that user employs the same computer and browser). More advanced versions allow sites to link visits from the same user across different devices (for example, multiple visits to the site through the same residential IP address via a computer and a handheld might point to the same person or household). Analytics can also extend to tracking touchpad/mouse movements on a site, allowing site owners to tell which parts of a site are most interesting to the user.
  • Third-party advertising (generally third-party). Advertising is the least publicly popular and most highly regulated use of cookies. Ad networks frequently use cross-site tracking to show you on Site B what Site A thought you liked. This is due to a cookie having been dropped on your computer when you were looking for, say, Acme Rockets, and if an ad network plugged into the next site sees the cookie for that, you may see an Acme Rockets ad. Advertising cookies can also trigger email on repeat visits to the same site.

In theory, at least, cookies can be cleared from web browsers—or blocked by more modern browsers. Some forms, such as Flash cookies or Internet Service Provider (ISP) “supercookies” are far more difficult for users to understand and control.

GDPR regulation and convention

It may seem that cookies are regulated by the law and handled by site owners in sweeping ways that seem disproportional to what particular cookies actually do. First, as a practical point, regulating cookies (rather than how their data is processed) is an efficient solution, particularly where on a visit, a site would have instant access to previously stored data. Under GDPR-style principles, the easiest (if not most effective) way to prevent the unauthorized processing of data is to prevent the data from being generated in the first place.

Second, the constant march of technology threatens to turn innocuous-looking data points into part of a profile or identifier. Recital 30 of GDPR illustrates the concept: data points can be correlated with each other or with external sources to identify people:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

This concern builds on Recital 66 of the preceding ePrivacy Directive (2009/136/EC), which discourages non-consensual cookies except where strictly necessary to run a site:

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes… It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access… Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.

Given this expansive language, the stakes for GDPR violations (20 million euro or 4% of global turnover), and the apparent relative ease of management, enterprises subject to GDPR almost always conclude that it is better to make broad disclosures (of wildly varying levels of details across companies) and pursue consent over all non-essential cookies, even if it may not immediately be obvious that a cookie is related to personal information.

California’s view: similar but not the same

The California Consumer Privacy Act (“CCPA”) provides a somewhat different landscape. Cookies are included in the definition of a “unique identifier” that could identifies a consumer, under 1798.140(g) and (x) and fit within the definition of personal information under 1798.140(o)(1)(F). Section 1798.100(b) requires disclosures when an enterprise collects personal information. But once something becomes a sale of information, consent becomes an issue under 1798.120. A sale is:

Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration

1798.140(t)(1). CCPA allows enterprises to transmit personal information to their own service providers for what is essentially the enterprise’s internal use under 1798.140(t)(2) without constituting a sale.

With these principles in mind, essential cookies lie at one end of the spectrum—in general, they involve personal information that at most requires disclosure. At the other end is a third-party advertising cookie, where an advertising network could be seen to exchange the use of one site’s cookies for placement on other sites, implicating consent. In the middle lie non-essential (or less-essential) first-party cookies, like logins or analytics, that create personal identifiers but are not within the definition of a sale, at least obviously.

In the short term, with CCPA’s regulatory environment still rapidly evolving, we can expect many enterprises subject to CCPA to apply GDPR-style compliance to cookies, seeking consent to any category of cookie that does not fall into an “essential” bin. This has the advantages of (1) being GDPR compliant right out of the box, allowing a single solution across geographies and (2) reducing risks by exceeding CCPA’s less stringent requirements. In the longer term, especially given the value of first-party analytics data and the risk of large-scale opt-outs, we might expect enterprises to slice things thinner, take advantages of divergences in the two regimes, and request consent in fewer circumstances.

Conclusion

Cookies are a useful but sometimes problematic phenomenon in web life. Where consent-based privacy statutes are in effect, cookies should be handled with care—though the level of care needed within the United States is not entirely settled.