Simply put, a cookie (HTTP cookie, web cookie or browser cookie) is a small data file that is placed (or ‘dropped’) on a user's device (e.g. PC, phone or tablet), stored by the user’s web browser at the instruction of a website the user visits, and then used to recognise that device on later requests and to store information related to it.
Cookies may be classed in a number of different ways, the most common of which are by the entity who drops the cookie on the user’s device, by their duration, and by their purpose.
First-Party vs Third-Party Cookies
Cookies may be classified by the identity of the entity or website dropping the cookie on the user’s device.
First-party cookies are those created and placed on the user’s device by the website being visited. They allow the website to personalise the user’s experience by remembering things such as a user’s language or location preferences; usernames or passwords, to keep users logged in; payment details; or items in a shopping cart; or they are used to manage the performance of the website.
Third-party cookies are, as the name suggests, placed on a user’s device by a third party (that is, not the owner of the website being visited). The third party supplies content (such as images or advertisements), plug-ins or services (such as analytics) to the website being visited.
Cookies classed by Duration
Cookies may be temporary and last only as long as a single browsing session on a website (known as “session cookies”), or they may remain on a user's device after the browsing session is closed (known as “persistent cookies”). Persistent cookies are sent back by the browser with subsequent sessions, across the same website or different websites, until they expire at the time set by their creator or are manually deleted by the user (for example, by the user clearing cookies in their browser).
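The two classifications above (by the entity setting the cookie and by duration) can be read directly off a Set-Cookie header. The following is an added example, not code from the original article: it labels each cookie in a constructed page load as first-party or third-party and as session or persistent. It assumes the page’s own site is approximated by the last two labels of the hostname; a production tool would use the Public Suffix List instead.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class CookieClassification:
    name: str
    party: str      # "first-party" or "third-party"
    duration: str   # "session" or "persistent"


def _site(host: str) -> str:
    """Approximate the registrable domain (eTLD+1) by the last two labels.
    Assumption for this example only: real browsers use the Public Suffix
    List, so e.g. 'example.co.uk' would be handled wrongly here."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_set_cookie(set_cookie: str, response_url: str, page_url: str) -> CookieClassification:
    """Classify one Set-Cookie header value received while loading page_url.
    response_url is the URL of the response that carried the header."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    # Duration: a cookie carrying Max-Age or Expires outlives the browsing
    # session; without either it is discarded when the session ends.
    duration = "persistent" if ("max-age" in attrs or "expires" in attrs) else "session"
    # Entity: the cookie belongs to its Domain attribute if present, otherwise
    # to the host that sent the response. It is first-party when that domain
    # is the same site as the page the user is visiting.
    cookie_domain = attrs.get("domain") or urlsplit(response_url).hostname
    page_host = urlsplit(page_url).hostname
    party = "first-party" if _site(cookie_domain) == _site(page_host) else "third-party"
    return CookieClassification(name, party, duration)


# Constructed sample page load: the site's own login cookie, an analytics
# cookie from a different domain, and a cookie from the site's CDN host.
SAMPLE_PAGE = "https://www.example.com/account"
SAMPLE_RESPONSES = [
    ("https://www.example.com/login", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("https://cdn.tracker.net/collect.js", "_uid=9f1e; Domain=.tracker.net; Max-Age=31536000"),
    ("https://static.example.com/app.js", "theme=dark; Expires=Thu, 01 Jan 2026 00:00:00 GMT"),
]


def classify_page_load(page_url=SAMPLE_PAGE, responses=SAMPLE_RESPONSES):
    return [classify_set_cookie(hdr, url, page_url) for url, hdr in responses]
```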
Cookies classed by Purpose
Cookies can also be classified as those that are essential, which are sometimes referred to as strictly necessary, and those that are not.
“Strictly necessary cookies” or “essential cookies” are those without which a website and its features cannot function. For example, cookies that allow websites to remember during a browsing session that a user is logged in, or to remember items in a user’s shopping cart, are strictly necessary so that the website does not require the user to continually log in to access content or so the website knows which items the user is looking to purchase. Strictly necessary cookies are generally first-party cookies.
However, not all cookies (including first-party cookies) are essential or strictly necessary. Examples of “non-essential cookies” include:
- preference (or functionality) cookies, which allow websites to remember user preferences, such as for language or location;
- performance (or analytics or statistics) cookies, which allow website owners to understand how users interact with websites (the pages visited, links clicked on etc.) and thereby improve website functionality. These types of cookies may be first-party or third-party (where provided by third-party analytics services); and
- marketing / advertising cookies, which are generally a type of persistent third-party cookie that track a user’s online activity, often across networks of websites, to allow advertisers to increase the relevance of advertising presented to users through the creation of an algorithmic profile for the user (see online behavioural advertising).
Regulation of cookies
Cookies were originally introduced to perform a number of functions for organisations, many of which are crucial to the operation of websites. However, the evolution of “non-essential cookies”, particularly those used to track and target users with specific advertising, has generated concern because they can be highly intrusive, raising the question of whether, how and when users can manage and control cookies on their devices.
Web browsers generally contain settings that allow users to manage cookies and the information they collect and store: for example, to enable, disable and (in some instances, in respect of third-party cookies) block certain cookies, and to view and delete stored information.
The position on whether websites are required to notify users, and/or obtain consent to, or allow users to opt-out before they drop cookies on user devices and how information collected may be used varies between jurisdictions. We have set out below the current position in Australia, and how that compares with some overseas jurisdictions.
The position in Australia can be contrasted with that in other jurisdictions. Many users in Australia will likely have encountered pop-ups when visiting a website asking them to accept or decline cookies. These pop-ups are sometimes known as “cookie consent banners” and their appearance stems from requirements in the European Union.
The ePrivacy Directive (2009/136/EC), which was originally introduced in 2002 and updated in 2009, concerns EU users’ right to privacy and freedom of communication. The ePrivacy Directive focuses on the storing or retrieving of information from an end-user’s device (including cookies) and requires that websites:
- provide clear and comprehensive information to users about the purpose of the storage and retrieval of data (this includes, in the case of “essential cookies”, why they are essential); and
- other than in respect of “strictly necessary cookies”, provide a clear right for the user to refuse (that is, to consent to each cookie’s use) and allow users to access the website and its services even if the user declines their use.
The above obligations apply irrespective of whether or not the user’s data is personal information or data.
The standard for consent under the GDPR is high. It must be freely given, specific, informed and unambiguous (Art. 4(11)). It therefore cannot be implied, must be capable of being withdrawn at any time, and must be as easy to withdraw as it is to give (Art. 7). Websites are therefore not able to rely on implied consent, such as the user closing the cookie consent banner and continuing to browse the relevant website.
Further, where consent is required, websites are not permitted to pre-select checkboxes giving consent to non-essential cookies by default, as a 2019 judgement by the Court of Justice of the European Union made clear.
Cookie regulatory change on the horizon
The differing laws on consent when it comes to cookies across jurisdictions (including as to the different types of cookies) have led to the emergence of cookie management platforms. These offer websites a service that presents cookie consent banners to users that are allegedly in line with the relevant jurisdiction’s laws, allows users to manage their cookie preferences, and configures the website to run in line with a user’s consent (for example, if the user has consented to essential cookies only, then all targeted advertising would be turned off). However, the prevalence of “cookie walls” (that is, websites obliging users to accept cookies in order to access them), “cookie consent fatigue”, the use of dark pattern techniques to influence a user into giving their consent, and the dominance of invasive practices involving tracking cookies, such as in online behavioural advertising, have for some time suggested a need for regulatory reform.
In the EU, the ePrivacy Regulation, which has been in draft since 2017, was originally intended to come into effect at the same time as the GDPR, superseding the ePrivacy Directive to create a binding harmonised law across all EU member states. One of the key objectives of the ePrivacy Regulation is to allow for more user-friendly and streamlined means for users to provide consent to non-essential cookies (such as by consenting to white-listed cookie providers at the browser level, to reduce the number of cookie pop-ups). However, progress on the bill has been slow and, as the EU seeks to regulate the AdTech sector more heavily, some matters may be addressed through other legislation such as the Digital Services Act (see, for example, its provisions on dark patterns and online behavioural advertising) and the Digital Markets Act.
Authors: Tim Gole and Jen Bradley