1. What is a cookie?
A cookie is a small file, generally consisting of letters and numbers, downloaded into a computer’s memory (or the memory of a different online browsing device – mobile phone, tablet, etc.), when the user accesses a certain website.
Cookies are created when the user's browser displays a certain website. The website sends information to the browser, and the browser creates a text file.
Each time the user accesses that particular website again, the browser reads that file and sends it to the website's server. In other words, a cookie can be seen as an Internet user's ID card, notifying the website each time the user returns to it.
For a Windows XP and Mozilla Firefox user, cookies stored in his/her computer are found at the following location:
C:\Documents and Settings\[user_name]\Application Data\Mozilla\Firefox\Profiles\[profile_name].default\cookies.sqlite
A cookie may look like this:
SNID50=eR0azHquz-E32l1B7uLIasD63_ZWxrS9fkAc37Z4CQ=Q4levhdDnydqiJGNgoogle.ro/ verify 9728 2076339328 30210107 446809680 30173295 *
2. Role of Cookies
Cookies can provide a quicker and easier interaction between users and websites. For instance, when a user logs into a particular website, his/her credentials are stored in a cookie; later on, the user may access the same website without the need to log in again.
In other cases, cookies may be used for storing information related to the activities performed by a user on a particular website, so that he/she can easily resume his/her activities when accessing the website at a later time.
Cookies tell the server what pages have to be shown to the user, so that he/she does not have to remember that or resume navigating the entire website from the beginning. Thus, cookies could be compared to “bookmarks”, telling the user exactly where he/she left off on a website.
Similarly, cookies may store information regarding the products ordered by a user on an e-commerce website, which is what makes the “shopping cart” possible.
Also, cookies may allow websites to monitor the users’ online activities and to determine user profiles that can be used later on for marketing purposes. For instance, cookies allow the identification of a user’s preferred products and services, information subsequently used to send targeted advertising messages to that particular user.
3. Types of Cookies
3.1. Online Session Cookies
Web pages have no memory. A user navigating from one web page to another will be considered a new user by the website. Session-specific cookies usually store an identifier which allows the user to move from one web page to another without the need to provide his/her credentials (user name, password, etc.) every time. Such cookies are widely used by retail websites, for instance, in order to keep track of the products a user has added to his/her shopping cart. When the user visits a certain page of a product catalogue and selects certain products, the cookie memorises the selected products and adds them to the shopping cart, so that the cart contains all the selected products when the user wishes to leave the page.
Session-specific cookies are stored in the user's computer memory only during an online browsing session and are automatically deleted when the browser is closed. They might also become inaccessible if the session was inactive for a certain period of time (usually 20 minutes).
3.2. Permanent, Persistent or Stored Cookies
Persistent cookies are stored in the user’s computer and are not deleted when closing the browsing session. These cookies may store the user’s preferences for a particular website, so that they can be used during other online browsing sessions.
Besides the login credentials, cookies may also store details related to the language and topic selected on a particular website, preferences related to a website menu, favourite pages of a website, etc. When the user accesses a website for the first time, it is displayed in the default mode. Subsequently, the user selects a series of preferences, which are stored by cookies and retrieved when the user accesses the website again. For instance, a website provides its content in several languages. During the first visit, the user selects English, and the website stores this preference in a cookie. When the user visits that particular website again, the content will automatically be displayed in English.
Persistent cookies may be used for identifying individual users and thus for analysing the users' online behaviour. They can provide information related to a website's number of visitors, the (average) time spent on a certain page and, generally, a website's performance. These cookies are configured in a manner that allows the tracking of the users' activities for a long period of time, in some cases even years.
3.3. Flash Cookies
If the user has Adobe Flash installed on his/her computer, small files may be stored in that computer’s memory by websites containing Flash items (such as videos). These files are known as “local shared objects” or “flash cookies” and may be used for the same purposes as regular cookies.
When regular cookies are deleted through a browser's features, flash cookies are not affected. Thus, a website using flash cookies can recognize a user during a new visit if the data from the deleted cookie were also stored in a flash cookie.
Since flash cookies are not stored in the user's computer in the same manner as regular cookies, they are harder to identify and delete. This is why banks and financial websites use such cookies. Since they are difficult to identify, these cookies are stored on users' computers in order to allow user authentication and prevent fraud, as potential perpetrators may have the user name and password for login, but do not have access to the user's computer.
Thus, cookies act as a second authentication level, besides the user name and password.
3.4. First Party Cookies vs. Third Party Cookies
Each cookie has an “owner” – the website/Internet domain placing that cookie.
First party cookies are placed by the Internet domain/website accessed by the user (whose address appears in the browser’s address bar). For instance, if the user accesses www.apti.ro, and the cookie domain placed on his/her computer is www.apti.ro, then this is a first party cookie.
A third party cookie is placed by a different Internet domain/website than the one accessed by the user; this means that the accessed website also contains content from a third party website, for example an advertisement banner displayed on the accessed website. Thus, if the user accesses www.apti.ro, yet the cookie placed on his/her computer has the domain www.trafic.ro, then this is a third party cookie.
The Article 29 Working Party (composed of the national data protection authorities of the European Union's Member States) considers that, from a legal standpoint and under European legislation, the term “third party cookie” refers to a cookie placed by a different operator than the one operating the website accessed by the user. Third party cookies are not strictly necessary for the user accessing a website, as they are usually associated with a service independent from the one that was expressly “requested” by the user (by accessing the website).
4. Cookies, from the perspective of IT security and privacy
Although cookies are stored in the Internet user's computer memory, they are unable to access/read other information stored on that particular computer. Cookies are not viruses. They are simply small text files; they are not compiled as code and cannot be executed. Thus, they cannot self-replicate, they cannot spread to other networks to perform actions, and they cannot be used for spreading viruses.
Cookies cannot search for information on the user's computer; however, they do store personal data. This information is not generated by cookies, but by the user, when he/she fills out online forms, registers on certain websites, uses online payment systems, etc. Although sensitive information is usually protected against unauthorized access, it is possible for unauthorized persons to intercept the information sent between the browser and the website. Although quite rare, such a situation may occur when the browser connects to the server over an unencrypted network, such as an unsecured Wi-Fi channel.
However, such preferences are not explicitly or consciously expressed by the user, but rather modelled on the user's online browsing history, the pages viewed and the advertising messages accessed. For instance, when the user reads a car-related web page and then moves to a different page, car-related advertising messages will be displayed on the new page, even if that page is not related to cars. Since the user is not informed that his/her online actions are being monitored, this causes concerns related to privacy.
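An added example (not from the original page or from ApTI) that applies the distinctions of sections 3 and 4 to Set-Cookie headers: session vs. persistent, first vs. third party, and whether the Secure flag keeps the cookie off the unencrypted channel described above. The hosts, cookie names and values are constructed, and the registrable-domain check is a deliberate simplification of what browsers do.

```python
"""Classify Set-Cookie headers along the lines of sections 3 and 4:
session vs. persistent (3.1/3.2), first vs. third party (3.4), and whether
the Secure flag shields the cookie from cleartext interception (4)."""
from dataclasses import dataclass

# Constructed sample: the page the user visits, and the Set-Cookie headers seen
# in the responses that make up that page (host that sent them, header value).
PAGE_HOST = "www.apti.ro"
OBSERVED = [
    ("www.apti.ro", "SID=k2l9x; Path=/; Secure"),                         # login session
    ("www.apti.ro", "lang=en; Max-Age=31536000; Path=/"),                  # language preference
    ("stats.trafic.ro", "uid=9f8e7d; Domain=.trafic.ro; "
                        "Expires=Fri, 31 Dec 2027 23:59:59 GMT; Path=/"),  # banner/statistics
]

@dataclass
class CookieReport:
    name: str
    persistent: bool   # Expires or Max-Age present: survives closing the browser
    third_party: bool  # set under a different domain than the visited site
    secure: bool       # Secure flag: the browser only sends it over HTTPS

def parse_set_cookie(header: str) -> tuple:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val_or_True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags carry no value
    return name.strip(), value, attrs

def site(host: str) -> str:
    """Registrable domain, approximated as the last two labels (assumption:
    real browsers consult the Public Suffix List, which is out of scope here)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify(sender_host: str, header: str, page_host: str) -> CookieReport:
    name, _value, attrs = parse_set_cookie(header)
    # Without a Domain attribute the cookie belongs to the host that sent it.
    domain = attrs.get("domain")
    cookie_host = domain if isinstance(domain, str) else sender_host
    return CookieReport(
        name=name,
        persistent="expires" in attrs or "max-age" in attrs,
        third_party=site(cookie_host) != site(page_host),
        secure=attrs.get("secure") is True,
    )

def audit(observed=OBSERVED, page_host=PAGE_HOST) -> list:
    """One human-readable finding per cookie, flagging the risk the text names."""
    findings = []
    for sender, header in observed:
        r = classify(sender, header, page_host)
        kind = "persistent" if r.persistent else "session"
        party = "third-party" if r.third_party else "first-party"
        note = "" if r.secure else " [no Secure flag: exposed on unencrypted networks]"
        findings.append(f"{r.name}: {kind}, {party}{note}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit()))
```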
5. Regulations on Cookie Usage
Thus, Directive 2002/58/EC (PDF) concerning the processing of personal data and the protection of privacy in the electronic communications sector, amended through the Directive 2009/136/EC (PDF), provides that:
“Article 5 – (3) Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”
These provisions have been transposed into the national legislation through Law no. 506/2004 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as subsequently amended and supplemented:
“Article 4 – (5) Storing information or gaining access to the information stored on a terminal equipment of a subscriber or a user is only allowed upon the cumulative fulfilment of the following conditions:
a) the concerned subscriber or user has given his/her consent;
b) the concerned subscriber or user was provided, prior to giving his/her consent, according to the provisions of Article 12 of Law no. 677/2001, as subsequently amended and supplemented, with clear and comprehensive information which:
If the supplier allows certain third parties to store or access information stored on the terminal equipment of a subscriber or a user, the notification according to items (i) and (ii) shall include the general purpose for the processing of such information by the third party and how the subscriber or user may use the online browsing app settings or other similar technologies to delete stored information or refuse third party access to such information.
(5¹) The consent provided under paragraph (5) letter a) may also be given through the use of the online browsing app settings or other similar technologies through which it can be considered that the subscriber or user has provided his/her consent.
(6) The provisions of paragraph (5) shall not affect the possibility of storing or technically accessing the stored information in the following cases:
a) when such operations are performed exclusively for sending a communication through an electronic communication network;
b) when such operations are strictly required for the provision of a service by an IT company, specifically requested by the subscriber or user.”
According to these provisions, the use of third party cookies is allowed only subject to the following conditions:
the notification of users, in a clear, comprehensive and easily accessible manner, regarding: the placement, by a certain website, of cookies into the user’s computer memory; the purpose of using the cookies (the information stored in cookies and the purpose for which such information is used);
the methods through which the user may delete cookies or may refuse third party access to the information stored through those cookies;
obtaining the user’s consent for placing cookies and for using the information stored by them.
although the user’s consent may also be expressed through the use of the settings from the browser used for online browsing, in this case, a prior notification of the user is required, regarding the placement of cookies and their purpose.
The exceptions provided in the European and national legislation allow the use of first party cookies without the obligation of obtaining the user's consent. Furthermore, in June 2012, the Article 29 Working Party issued an opinion (PDF) clarifying these exceptions:
some cookies may be exempted from the requirement of informed consent from the user under certain conditions and if the cookies are not used for additional purposes. Such cookies include: the cookies used for storing the information provided by a user when filling out an online form, the cookies used for storing technical data required for playing video and audio content and the cookies used for customizing web pages (e.g. those storing the preferences related to the language used for displaying the content of a website).
6. “Do Not Track” Mechanism
As shown under item 5, at a European level there are regulations related to the monitoring of the users' online activities for marketing purposes, generally requiring the users' consent for such practices. However, in other areas of the world, such situations are less regulated. Under these conditions, the World Wide Web Consortium (W3C) is currently working on a technical (and technologically neutral) standard, “Do Not Track”. This standard will allow users to instruct their browsers to notify advertising companies that they do not wish to have their online activities monitored.
W3C shows that “users have the right to know what data will be collected and what it will be used for. Having this information, they will decide whether to allow or not the tracking of their online activities and the collection of their personal data. Many online companies use the collected data related to the users’ online activities in order to customize the content provided to users and to send users relevant advertising messages, depending on their interests, identified through the collected information. Although some users appreciate this content customization and the advertisements, in certain contexts, others are worried about what they perceive as a violation of their private lives.
Users need a mechanism to express their own preferences regarding tracking their online activities, that is both simple to configure and efficient when implemented. Furthermore, websites that cannot or do not wish to provide content without also being provided with behavioural advertising or without collecting user data need a mechanism to notify users about this and allow them to make an informed decision.”
The purpose of the “Do Not Track” standard is to provide the user with the possibility of expressing his/her personal options regarding the tracking of his/her online activities and to communicate these options to each server or online app with which he/she interacts, thus allowing each accessed service to either adjust its practices depending on the user's options, or reach a separate, mutually convenient agreement with the user. “The basic principle is that a tracking preference expression is only transmitted when it reflects a deliberate choice by the user. In the absence of user choice, there is no tracking preference expressed.”
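An added example, not part of the original page or of W3C's work, of how a website's server might act on the preference described above, including the point that an absent signal is not a choice. The header names DNT and Tk are taken from the W3C Tracking Preference Expression draft listed in the sources; the handler, cookie names and values are hypothetical.

```python
"""Acting on a Do Not Track signal the way section 6 describes the standard:
a preference is only meaningful when the user deliberately expressed one."""
from typing import Optional

def tracking_preference(headers: dict) -> Optional[str]:
    """Return '1' (do not track), '0' (tracking allowed) or None.
    None means no choice was expressed; the W3C draft says this must not be
    read as either consent or refusal, so the site's own policy applies.
    Assumption: header names in the dict are already normalised to 'DNT'."""
    value = headers.get("DNT", "").strip()
    return value if value in ("0", "1") else None

def build_response_headers(request_headers: dict, site_default_tracks: bool) -> list:
    """Hypothetical response handler of a website that also profiles its visitors.
    Returns the (name, value) response headers it would emit."""
    pref = tracking_preference(request_headers)
    # A session cookie strictly needed for the requested service (the exemption
    # in section 5) does not depend on the tracking preference at all.
    headers = [("Set-Cookie", "SID=k2l9x; Path=/; Secure")]
    if pref == "1":
        tracks = False                 # deliberate refusal
    elif pref == "0":
        tracks = True                  # deliberate consent
    else:
        tracks = site_default_tracks   # no signal: fall back to site policy
    if tracks:
        # Persistent profiling cookie (section 3.2): two years, Max-Age in seconds.
        headers.append(("Set-Cookie", "profile=9f8e7d; Max-Age=63072000; Path=/"))
    # Tk (tracking status) values from the draft: N = not tracking this request,
    # T = tracking, C = tracking on the basis of prior consent.
    headers.append(("Tk", "C" if pref == "0" else "T" if tracks else "N"))
    return headers

if __name__ == "__main__":
    for req in ({"DNT": "1"}, {"DNT": "0"}, {}):
        print(req, "->", build_response_headers(req, site_default_tracks=True))
```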
7. Do Not Track Features in Browsers
Options for preventing the tracking of the user's online activities are currently being implemented in various forms, ranging from Internet Explorer 8, which provides the option of blocking third party websites from leaving content behind when a website is visited, to new extensions, add-ons and settings introduced in the browsers' options. In the absence of the aforementioned standard, the activation of this feature is more obvious in certain browsers, while in others it is more hidden. You can find here the instructions for setting the Do Not Track mechanism for Safari, Internet Explorer 9, Firefox and Chrome.
Being among the last ones to implement this feature, version 23 of Google Chrome provides the option of installing the Do Not Track Me, AVG Do Not Track or Keep My Opt-Outs extensions, which block cookies and only (temporarily) prevent US advertising companies from customizing ads according to the Internet user’s online behaviour.
Besides the Do Not Track Me add-on, Firefox also provides the option “Tell web sites I do not want to be tracked”, which can be configured from the Privacy menu. Furthermore, Internet Explorer 10 comes with Do Not Track as the default option. Microsoft's decision has generated a wave of strong reactions, with some companies, such as Yahoo and Apache, claiming that they will ignore the Do Not Track signals of Internet Explorer 10.
Another tool that can be installed in most browsers (and even as an iOS app) is Ghostery. Ghostery scans the page you are currently visiting and notifies you of the existence of items installed by third parties for tracking your activity. You can then set your preferences depending on the menu categories: advertising, analytics, beacons, privacy, widgets. Find out more here.
It is worth mentioning that not all Do Not Track features block cookies. So it is recommended that you check the structure of each Do Not Track extension and select the one that best represents the restrictions you wish to send to the websites monitoring your online activity.
Interesting overview here.
IAB Romania Recommendations on Cookies for Webmasters
In June 2012, IAB Romania published a series of recommendations on cookie usage by websites. These recommendations were divided into two categories:
7.1. User Notification
what is their role;
why they are used by third parties;
what type of information is accessed through cookies;
cookies, security and confidentiality of personal data;
cookie management through browser settings;
why cookies are important for the Internet;
uninstalling third party cookies;
what happens if the user refuses the cookies.
7.2. How This Information Is Presented
the information about cookies must be displayed on the website in a visible and accessible way for the users;
this link must be easily spotted, or the user must be notified about the existence of the link and the cookie-related information;
8. Managing, Disabling and Deleting Cookies
Detailed information regarding the management, disabling and deleting of cookies through the settings from the browser used for online browsing is available at the following addresses:
8.1. Internet Explorer
Deleting and managing cookies modules (IE 8, 9 and 10):
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
8.2. Mozilla Firefox
Cookie settings and cookie troubleshooting (enabling and disabling cookies, deleting cookies, preventing certain websites from placing cookies, unlocking cookies, etc.)
Delete the cookies to remove the information stored on your computer by other web pages
8.3. Google Chrome
Cookie management (delete, block, allow, set exceptions, etc.):
Managing cookies and website data
Manage cookies (only in English)
8.4. Safari
Safari 6 (OS X Mountain Lion): Manage cookies
Safari 6 (OS X Mountain Lion): Remove cookies (only in English)
Safari 6 (OS X Mountain Lion): Remove cookies and other data
Manage and delete cookies (only in English)
Manage cookies and website data
9. Sources and additional information:
This document was created and is maintained by ApTI. Information updated on February 15, 2013. For any information or revisions, please contact us.
All About Cookies
About Cookies
Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (PDF)
Directive 2009/136/EC amending Directive 2002/22/CE on the universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and the (EC) Regulation no. 2006/ 2004 on cooperation between the national authorities responsible for the enforcement of consumer protection laws (PDF)
Law no. 506/2004 regarding the processing of personal data and the protection of privacy in the electronic communications sector, as subsequently amended and supplemented
Opinion no. 4/2012 of the Article 29 Working Party on the Cookie Consent Exemption, June 2012 (PDF)
World Wide Web Consortium, Tracking Preferences Expression (DNT), W3C Working Draft, October 2, 2012
Secure Cookies
Wikipedia – HTTP Cookie