November 8, 2023
If you are an Internet user, chances are you have seen a number of websites asking you to “Accept cookies” as soon as you enter the website, and they require you to accept cookies before you can access the content of the website. If you are not familiar with the concept, you probably wondered what the term “cookies” means, and despite not knowing, you probably still pressed “Accept cookies” so that you could access the content behind the prompt. It is such a mundane task that most of us do not even notice, but should it be that way? What are “cookies”? What do they do? And what are we agreeing to every time we press “Accept cookies”? This article aims to answer such questions.
The origin of “cookies” can be traced to the term “magic cookies”, an old computing term which refers to packets of information that are sent and received without changes. Such cookies would be used for logging in to computer database systems, such as an internal network. The “cookies” as we know them today are a bit different. The full term is “HTTP cookies”, which are a repurposed version of the “magic cookies” built for internet browsing. The main functions of modern cookies include tracking, personalizing, and saving information about the activities of internet users during their time on a website. In other words, cookies are mainly used by websites to personalize the experience of the user by studying what the user viewed in the past[1].
Regarding the origin of the cookies, there are two main types of cookies that are most common on the internet: first-party cookies and third-party cookies. First-party cookies are stored by the website that you are visiting. You can imagine them as a sort of record that keeps track of your activities on that website, which the website owner can then use as a reference to customize your experience on the website to better suit your needs. Third-party cookies, on the other hand, are created by domains other than the one the user is visiting. They are used to track users across different websites for retargeting and advertisements[2].
First-party cookies are often harmless and lead to a better user experience on that specific website. Third-party cookies on the other hand are often used for advertising which, in some cases, could make the user feel uncomfortable. For example, website A wants to know what users are doing on website B so that they can advertise to such users better. Website A would pay website B to include their cookies on website B. If the users of website B “accept cookies”, they would be accepting website A’s cookies as well. Now, website A can know what users are doing on website B. This is why users often find advertisements for products that they just searched for on a different website.
While third-party cookies may sound bad, they are not always harmful. Simple third-party cookies used for advertisement, while perhaps annoying, are not harmful to the users. However, in some cases, there are third-party cookies that secretly track your internet activities without your knowledge in order to sell such information and make a profit. That said, for the purpose of examining the legal aspect of cookies, the article will not focus on explicitly illegal cookies.
Regarding the operational length, there are two types of cookies: session cookies and persistent cookies. Session cookies are used only while you are on a website and are stored in RAM (random access memory), not on the hard drive. When the session ends, the cookies are deleted. Persistent cookies, on the other hand, can remain on the computer indefinitely; however, most of them have an expiration date and are removed when the date arrives[3].
Regarding the purpose of the cookies, there are a number of different types, which include strictly necessary cookies, preference cookies, statistics cookies, and marketing cookies. In brief, strictly necessary cookies are essential for you to browse the website. For example, cookies that allow online stores to remember items you selected are necessary cookies. Preference cookies allow the website to remember your choices in the past in order to help you or customize your experience. Statistics cookies collect information about how you use a website, such as what pages you visited, none of which can be used to identify you; the sole purpose of these cookies is to improve website functions. Marketing cookies track the user’s online activities to help advertisers put out more relevant ads or limit how many times the user sees a particular ad. These are persistent cookies and almost always third-party cookies[4].
To see how cookies are regulated, the most efficient place to examine would be the EU’s regulations on the matter, considering the EU’s data protection regulations are some of the strongest and most advanced in the world. Specifically, the article will examine the General Data Protection Regulation (GDPR) of the EU, which went into effect in 2018, and the ePrivacy Directive, which was first passed in 2002 and amended in 2009 and details the confidentiality of electronic communications. The ePrivacy Directive is commonly referred to as the “cookie law” due to its effect on cookie consent. The Directive works in tandem with and even overrides the GDPR in some cases. The Directive will in the future be replaced by the ePrivacy Regulation[5].
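The distinctions drawn above (first-party versus third-party, session versus persistent) can be read directly off the Set-Cookie headers a browser receives. The script below is an added example, not code from the article: it parses Set-Cookie headers, classifies each cookie as session or persistent from its Max-Age/Expires attributes, and decides first- or third-party by comparing the setting host with the page the user is visiting. The sample responses are constructed, and the "last two labels" approximation of a registrable domain is an assumption for the example (real browsers consult the Public Suffix List).

```javascript
// Added example: classify Set-Cookie headers by lifetime and party.
// Not code from the original article; the sample headers below are constructed.

// Registrable-domain approximation: last two DNS labels. Browsers use the
// Public Suffix List instead; this shortcut is an assumption for the example.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(), attributes: {} };
  for (const attr of parts.slice(1)) {
    const idx = attr.indexOf("=");
    const key = (idx === -1 ? attr : attr.slice(0, idx)).trim().toLowerCase();
    cookie.attributes[key] = idx === -1 ? true : attr.slice(idx + 1).trim();
  }
  return cookie;
}

// Lifetime: no Max-Age and no Expires means a session cookie, discarded when
// the browser session ends. Otherwise it is persistent; Max-Age wins over Expires.
function lifetime(cookie, now = new Date()) {
  const a = cookie.attributes;
  if ("max-age" in a) {
    const seconds = Number(a["max-age"]);
    return { kind: "persistent", expiresAt: new Date(now.getTime() + seconds * 1000) };
  }
  if ("expires" in a) {
    return { kind: "persistent", expiresAt: new Date(a["expires"]) };
  }
  return { kind: "session", expiresAt: null };
}

// Party: the cookie's scope (Domain attribute, else the responding host) is
// compared with the site in the address bar. A different registrable domain
// makes it a third-party cookie, which is also what the browser setting
// "block third-party cookies" acts on.
function party(cookie, responseHost, pageHost) {
  const scope = cookie.attributes.domain ? String(cookie.attributes.domain) : responseHost;
  return registrableDomain(scope) === registrableDomain(pageHost) ? "first-party" : "third-party";
}

// Build a cookie report for a page from the responses it triggered.
function cookieReport(pageHost, responses, now = new Date()) {
  const report = [];
  for (const { host, setCookie } of responses) {
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      const life = lifetime(c, now);
      report.push({
        name: c.name,
        setBy: host,
        party: party(c, host, pageHost),
        lifetime: life.kind,
        expiresAt: life.expiresAt ? life.expiresAt.toISOString() : null,
      });
    }
  }
  return report;
}

// Constructed sample: a page on shop.example.com embeds an advertising script
// served from ads.tracker-example.net; both servers set cookies.
const SAMPLE_RESPONSES = [
  { host: "shop.example.com", setCookie: [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cart=item42; Max-Age=2592000; Path=/; Secure",
  ] },
  { host: "ads.tracker-example.net", setCookie: [
    "uid=7f3e; Domain=.tracker-example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Secure; SameSite=None",
  ] },
];

const SAMPLE_REPORT = cookieReport("shop.example.com", SAMPLE_RESPONSES, new Date("2024-01-01T00:00:00Z"));
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

Run with `node` and the report shows the login cookie as a first-party session cookie, the cart cookie as first-party and persistent for 30 days, and the advertiser's `uid` as a persistent third-party cookie, which is the combination the article flags as the one used for cross-site tracking.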
In Recital 30 of the GDPR, it is stated that: “Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” From this, it is possible to infer that cookies, to the extent that they can be used to identify users, are considered personal data and therefore within the scope of GDPR.
To comply with both GDPR and the ePrivacy Directive, the following conditions must be met[6]:
– Consent must be obtained from the users before any cookies are applied. Strictly necessary cookies as defined above are exempted from this principle;
– Data contained within the cookies must be communicated to the users accurately and in a manner that is easy for the general populace to understand. Such information must be presented to the users before consent requests are made;
– Results of consent requests must be stored;
– Withdrawal of consent must be made readily available and easy to execute for users. The act of withdrawing of consent must be as easy to execute as the act of giving consent;
– Allow users to access your service even if they refuse to allow certain cookies to apply.
Regarding the duration of the cookies, the ePrivacy Directive states that websites should renew cookie consent at least once a year, since consent is not going to last forever. However, countries within the EU have different stances on how long cookie consent should last. For example, the Irish Data Protection Commission and the French Data Protection Authority support the notion that cookie consent should only last six months. As such, for proper compliance, it is best for website owners to look up the consent duration as stipulated by each specific country[7].
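The five compliance conditions listed above, together with the renewal period just discussed, can be modelled as a small consent record that a site consults before it sets any cookie. The code below is an added example and not from the article or any specific consent-management product: nothing is pre-checked, strictly necessary cookies bypass consent, the decision is stored with a timestamp, withdrawal is a single call, and a record older than a configurable number of days (365 by default; 180 where an authority expects six months) no longer authorises anything. The category names follow the article; the durations are parameters, not a statement of any country's rule.

```javascript
// Added example: a consent record gating non-essential cookies.
// Not code from the original article; the walk-through values are constructed.

const CATEGORIES = ["strictly-necessary", "preference", "statistics", "marketing"];
const DAY_MS = 24 * 60 * 60 * 1000;

// Record the user's explicit choices. Categories absent from `choices` are
// refused (no pre-ticked boxes); strictly necessary cookies are always
// allowed because they are exempt from the consent requirement.
function recordConsent(choices, now = new Date()) {
  const granted = { "strictly-necessary": true };
  for (const cat of CATEGORIES.slice(1)) {
    granted[cat] = choices[cat] === true;
  }
  return { granted, givenAt: now.toISOString(), withdrawnAt: null };
}

// Withdrawal is one call, as easy as giving consent: every non-essential
// category flips to refused and the withdrawal is timestamped.
function withdrawConsent(record, now = new Date()) {
  const granted = { ...record.granted };
  for (const cat of CATEGORIES.slice(1)) granted[cat] = false;
  return { ...record, granted, withdrawnAt: now.toISOString() };
}

// Consent lapses after maxAgeDays and must be requested again.
function needsRenewal(record, now = new Date(), maxAgeDays = 365) {
  const ageMs = now.getTime() - new Date(record.givenAt).getTime();
  return ageMs > maxAgeDays * DAY_MS;
}

// May a cookie of this category be set for this user right now?
// No record, or a lapsed one, allows only strictly necessary cookies.
function mayStoreCookie(category, record, now = new Date(), maxAgeDays = 365) {
  if (category === "strictly-necessary") return true;
  if (!record || needsRenewal(record, now, maxAgeDays)) return false;
  return record.granted[category] === true;
}

// Filter a page's planned cookies down to the ones the record permits.
function permittedCookies(cookies, record, now = new Date(), maxAgeDays = 365) {
  return cookies
    .filter((c) => mayStoreCookie(c.category, record, now, maxAgeDays))
    .map((c) => c.name);
}

// Constructed walk-through: consent given on 15 Jan 2023 for preference
// cookies only, then checked eight months later under two renewal policies.
const PLANNED = [
  { name: "sessionid", category: "strictly-necessary" },
  { name: "lang", category: "preference" },
  { name: "_stats", category: "statistics" },
  { name: "ad_uid", category: "marketing" },
];
const T0 = new Date("2023-01-15T10:00:00Z");
const T_LATER = new Date("2023-09-15T10:00:00Z"); // 243 days later

const CONSENT = recordConsent({ preference: true, marketing: false }, T0);
const AT_T0 = permittedCookies(PLANNED, CONSENT, T0);
const AFTER_8_MONTHS_365 = permittedCookies(PLANNED, CONSENT, T_LATER, 365);
const AFTER_8_MONTHS_180 = permittedCookies(PLANNED, CONSENT, T_LATER, 180);
const AFTER_WITHDRAWAL = permittedCookies(PLANNED, withdrawConsent(CONSENT, T0), T0);
const NO_RECORD = permittedCookies(PLANNED, null, T0);

console.log({ AT_T0, AFTER_8_MONTHS_365, AFTER_8_MONTHS_180, AFTER_WITHDRAWAL, NO_RECORD });
```

The point of keeping `givenAt` on the record is that "results of consent requests must be stored" is only useful if the stored result can also be shown to have lapsed: under the 180-day policy the same record that still permits the `lang` cookie after eight months under a 365-day policy permits nothing but `sessionid`.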
Regarding the territorial scope of the regulations, any website, regardless of location or origin, must comply with the ePrivacy Directive if the website collects and processes personal data, and there are EU residents among its visitors[8]. This means that people who browse the web from within the EU would receive the protection of the ePrivacy Directive.
In October 2019, a decision was made by the Court of Justice of the European Union (CJEU), the highest legal body of the EU, regarding the case Planet49. This is a milestone case that dealt directly with consent relating to website cookies and tracking and has long-lasting impacts on cookie regulations in the EU. The summary of the case is as follows: Planet49 was an online gaming company based in Germany. The company organized a lottery program in 2013 in which participants had to enter their personal information to participate. The input fields were accompanied by checkboxes, one of which was pre-checked. The German Federation of Consumer Organizations objected to this practice. The case eventually went to the CJEU, and on 1 October 2019 the CJEU ruled that the only valid form of consent is active consent (i.e. consent that is actively given and not by default). Consent is also only valid if the users have been fully informed about the nature of the cookies, such as the duration of the cookies and whether the cookies are first- or third-party cookies[9].
To complement the CJEU’s ruling, the European Data Protection Board (EDPB) passed guidelines on valid consent in the EU. The guidelines support the ruling but also cover other aspects regarding valid consent under the GDPR. In short, the guidelines state that[10]:
Vietnam is a developing nation. The integration of Vietnam into the global market began quite late compared to western nations. As such, while Vietnam has made considerable progress in the effort to catch up to the modern cyber landscape, such as with the drafting and adoption of the 2015 Law on Cyber-information Security and the 2018 Law on Cyber-security, there are still many aspects of cyberspace that have not been thoroughly addressed, including the usage and regulation of cookies and internet tracking.
Cookies are a part of almost every website, as such, avoiding cookies altogether on the internet is impossible. In some cases, they can be quite useful, for example, they can keep you logged in on pages you usually visit. Even the more unsavory cookies are used for advertisement purposes and would only result in scarily accurate ads. That is why most people don’t seem to bother with them. However, if you are cautious and value your own online privacy, there are ways to be vigilant and protect yourself against cookies.
The best case scenario is that the website you are accessing has cookies options. Normally cookies options would include a list of different types of cookies that are embedded into the website and you can select the cookies you want to allow. Most of the time, the cookies would be classified according to their purposes which include: Strictly necessary cookies, preference cookies, statistic cookies, marketing cookies. Strictly necessary cookies could be implemented without the consent of the users since they are necessary for the website to function properly. The other cookies, on the other hand, could be opted out without affecting the users’ ability to access the website.
In cases where the website does not offer cookie options, there is not much the average user can do. Should you want to be sure of what cookies the website is using and their purposes, you can employ the use of third-party applications that would scan the website, detect cookies and determine their purposes. From the cookies report, you can examine the cookies being used and make a decision about whether to continue browsing that website or not.
A more encompassing method of avoiding cookies is browsing the Internet in “private mode” or “incognito” mode. Your ISP (Internet Service Provider) and web server can still see what you are doing online but cookies would not work. However, this also means that you would have to manually log into pages that would have been logged in otherwise[11].
However, you might not like having to log into websites every time you visit them. There is an option to filter out third-party cookies, which prevents your data from being shared with third parties. To do this, you would first need to clear all cookies from your browser and then select the option to block third-party cookies in your browser’s privacy settings. Most popular browsers such as Google Chrome, Firefox, and Safari support this function[12].
*On your mobile devices:
*On your computer:
(Note: Blocking all cookies could result in some websites not working properly)
[1] Kaspersky, ‘What are cookies’ (Kaspersky) <https://www.kaspersky.com/resource-center/definitions/cookies> accessed 25 December 2022.
[2] Michal Wlosik and Michael Sweeney, ‘What’s the Difference Between First-Party and Third-Party Cookies?’ (Clearcode, 21 November 2022) <https://clearcode.cc/blog/difference-between-first-party-third-party-cookies/> accessed 25 November 2022.
[3] Kaspersky (n 1).
[4] GDPR.EU, ‘Cookies, the GDPR, and the ePrivacy Directive’ (GDPR.EU) <https://gdpr.eu/cookies/> accessed 26 December 2022.
[5] ibid.
[6] ibid.
[7] Cookie Script, ‘How long does cookie consent last?’ (CookieScript) <https://cookie-script.com/knowledge-base/how-long-cookie-consent-lasts> accessed 5 January 2023.
[8] Cookie Script, ‘Cookie Law Explained’ (CookieScript, 16 April 2022) <https://cookie-script.com/blog/cookie-law> accessed 27 December 2022.
[9] Cookiebot, ‘Active consent and the case of Planet 49’ (Cookiebot) <https://www.cookiebot.com/en/planet49/> accessed 6 January 2023.
[10] ibid.
[11] Allen St. John, ‘How to control web cookies and boost online privacy’ (Consumer Reports, 4 December 2017) <https://www.consumerreports.org/privacy/how-to-control-web-cookies-and-boost-online-privacy-a7606763344/> accessed 28 December 2022.
[12] ibid.