28/01/2022

Simply put, a cookie (HTTP cookie, web cookie or browser cookie) is a small piece of data that a website sends to a user's web browser (for example in a Set-Cookie response header) when the user visits the site. The browser stores it on the user's device (e.g. PC, phone or tablet) and sends it back with later requests to that site, which is what allows the site to recognise the device and remember information about it.

Cookies may be classed in a number of different ways, the most common of which are by the entity who drops the cookie on the user’s device, by their duration, and by their purpose.

First-Party vs Third-Party Cookies

Cookies may be classified by the identity of the entity or website dropping the cookie on the user’s device.

First-party cookies are those created and placed on the user's device by the website being visited. They allow the website to personalise the user's experience by remembering things like: a user's language or location preferences; a session identifier that keeps the user logged in (a well-designed site stores an opaque session token in the cookie, never the password itself); payment details; items in a shopping cart; or data used to manage the performance of the website.

Third-party cookies are, as the name suggests, placed on a user's device by a third party (that is, not the owner of the website being visited). The third party supplies content (such as images or advertisements), plug-ins or services (such as analytics) to the website being visited, and its cookie is set by the browser's requests to the third party's own servers.

Cookies classed by Duration

Cookies may be temporary and last only as long as a single browsing session on a website, known as "session cookies", or they may remain on a user's device after the browser is closed, known as "persistent cookies". A persistent cookie carries an expiry time set by its creator (an Expires date or a Max-Age lifetime); the browser sends it back to the server that set it with subsequent sessions, across the same website or (for third-party cookies) across different websites, until it expires or is manually deleted by the user (for example, by the user clearing cookies in their browser).

Cookies classed by Purpose

Cookies can also be classified as those that are essential, which are sometimes referred to as strictly necessary, and those that are not.

“Strictly necessary cookies” or “essential cookies” are those without which a website and its features cannot function. For example, cookies that allow a website to remember during a browsing session that a user is logged in, or to remember items in a user's shopping cart, are strictly necessary so that the website does not require the user to continually log in to access content, and so the website knows which items the user is looking to purchase. Strictly necessary cookies are generally first-party cookies.

However, not all cookies (including first-party cookies) are essential or strictly necessary. Examples of “non-essential cookies” include:

  • preference (or functionality) cookies, which allow websites to remember user preferences, such as for language or location;
  • performance (or analytics or statistics) cookies, which allow website owners to understand how users interact with websites (the pages visited, links clicked on etc.) and thereby improve website functionality. These types of cookies may be first-party or third-party (where provided by third-party analytics services); and
  • marketing / advertising cookies, which are generally a type of persistent third-party cookie that track a user’s online activity, often across networks of websites, to allow advertisers to increase the relevance of advertising presented to users through the creation of an algorithmic profile for the user (see online behavioural advertising).
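As an added example (not part of the original article), the following Python script applies the three classifications above to constructed Set-Cookie headers: party (by comparing the host that set the cookie with the site being visited), duration (session, persistent or expired, from the Max-Age and Expires attributes) and, because a reviewer would want it alongside the classification, a check for the Secure, HttpOnly and SameSite hardening attributes. The host names, cookie values and the fixed reference date are assumptions made for the example; the registrable-domain helper is a deliberate simplification of what browsers do with the Public Suffix List.

```python
"""Classify Set-Cookie headers by party, duration and hardening attributes.

Added example, not code from the original article. The host names, the sample
headers and the reference date below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Fixed "now" so results are reproducible; the article's publication date.
ARTICLE_DATE = datetime(2022, 1, 28, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs, flags).

    Attribute names are case-insensitive (RFC 6265). Attributes that take no
    value (Secure, HttpOnly) are collected as flags; the rest as a dict.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs, flags = {}, set()
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        key = key.strip().lower()
        if sep:
            attrs[key] = val.strip()
        else:
            flags.add(key)
    return name.strip(), value.strip(), attrs, flags


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Simplification for this example: browsers consult the Public Suffix List,
    so a host such as example.com.au would need the real list.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(header, responding_host, page_host, now=ARTICLE_DATE):
    """Return the article's party and duration classes plus a hardening check."""
    name, value, attrs, flags = parse_set_cookie(header)

    # Party: who dropped the cookie, relative to the site being visited.
    same_site = registrable_domain(responding_host) == registrable_domain(page_host)
    party = "first-party" if same_site else "third-party"

    # Duration: Max-Age takes precedence over Expires; neither means session.
    expires = None
    if "max-age" in attrs:
        try:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # a malformed Max-Age is ignored, per RFC 6265
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            pass
        if expires is not None and expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
    if expires is None:
        duration = "session"
    elif expires <= now:
        duration = "expired"  # a date in the past is how a server deletes a cookie
    else:
        duration = "persistent"

    # Hardening: what a security reviewer expects on a session or cross-site cookie.
    missing = [a for a in ("secure", "httponly") if a not in flags]
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        missing.append("samesite")
    # Modern browsers reject SameSite=None unless the cookie is also Secure.
    rejected = samesite == "none" and "secure" not in flags

    return {"name": name, "party": party, "duration": duration,
            "expires": expires, "missing": missing, "rejected_by_browser": rejected}


# Constructed sample: www.example.com is the page being visited.
SAMPLE = [
    ("www.example.com", "sid=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.com", "lang=en-AU; Max-Age=31536000; Path=/; Secure; SameSite=Lax"),
    ("track.adnet-example.net",
     "uid=9f8e; Expires=Tue, 28 Jan 2025 00:00:00 GMT; Domain=.adnet-example.net; "
     "Path=/; Secure; SameSite=None"),
    ("www.example.com", "cart=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/"),
]


def classify_all(page_host="www.example.com", now=ARTICLE_DATE):
    return [classify(h, host, page_host, now) for host, h in SAMPLE]


if __name__ == "__main__":
    for result in classify_all():
        print(result)
```

Running it shows the login cookie as a first-party session cookie with nothing missing, the language preference as a first-party persistent cookie (one year), the advertising cookie as third-party and persistent, and the cart cookie as an expired first-party cookie that also lacks every hardening attribute.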

Regulation of cookies 

Cookies were originally introduced to perform a number of functions for organisations, many of which remain crucial to the operation of websites. However, the evolution of “non-essential cookies”, particularly those used to track users and target them with specific advertising, has generated concern because they can be highly intrusive, raising the question of whether, how and when users can manage and control cookies on their devices.

Web browsers generally contain settings that allow users to manage cookies and the information they collect and store: for example, to enable, disable or (in some browsers, in respect of third-party cookies) block certain cookies, and to view and delete stored information.

The position on whether websites are required to notify users, and/or obtain consent to, or allow users to opt-out before they drop cookies on user devices and how information collected may be used varies between jurisdictions. We have set out below the current position in Australia, and how that compares with some overseas jurisdictions.

Australia

Currently in Australia, there is no specific regulation of information collected via cookies. Information collected by cookies is not, without other means to identify an individual, considered “personal information” under the Privacy Act 1988 (Cth) (Privacy Act). To be within the scope of the Privacy Act, information collected must be “information or an opinion about an identified individual or an individual who is reasonably identifiable”. Consequently, browsing-history information collected via cookies will generally not, on its own, be subject to the Privacy Act. However, where a website or network owner is able to identify users by combining the information collected via cookies with information collected from other sources, the information collected via cookies may be personal information. In such cases, the collection would be subject to the obligations under the Privacy Act, such as to take reasonable steps to notify individuals about the information being collected (APP 5). While consent may be required where the information is used or disclosed for a purpose other than that for which it was collected or a reasonably expected secondary purpose (APP 6), there is no requirement for users to expressly consent to the use of cookies, the purposes for which the information is used, or to have a right to opt out of cookies.  

The position in Australia can be contrasted with that in other jurisdictions. Many users in Australia will likely have encountered pop-ups when visiting a website asking them to accept or decline cookies. These pop-ups are sometimes known as “cookie consent banners” and their appearance stems from requirements in the European Union.

European Union

ePrivacy Directive

The ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC), which was originally introduced in 2002 and updated in 2009, concerns EU users' right to privacy and freedom of communication. The ePrivacy Directive focuses on the storing or retrieving of information from an end-user's device (including cookies) and requires that websites:

  • provide clear and comprehensive information to users about the purpose of the storage and retrieval of data (this includes, in the case of “essential cookies”, why they are essential); and
  • other than in respect of “strictly necessary cookies”, obtain the user's consent to each cookie's use, provide a clear right for the user to refuse, and allow users to access the website and its services even if the user declines their use.

The above obligations apply irrespective of whether or not the user’s data is personal information or data.

GDPR

In addition to the ePrivacy Directive, organisations who use cookies may also have to comply with the GDPR, which regulates the processing of “personal data”. Recital 30 of the GDPR makes it clear that “cookie identifiers” are a type of “online identifier”, and as such, where the information collected via cookies is used to identify users (or is linked to identifiable data), it falls within the definition of “personal data” under Art. 4(1) of the GDPR and therefore requires a lawful basis for processing under the GDPR. For “essential cookies”, the website operator (as controller) may be able to rely on a legitimate interest (Art. 6(1)(f)); where this is not the case, the consent of the user to the processing of the user's personal data is required (Art. 6(1)(a)).

The standard for consent under the GDPR is high. It must be freely given, specific, informed and unambiguous (Art. 4(11)). It therefore cannot be implied, must be able to be withdrawn at any time, and it must be as easy to withdraw consent as it is to give it (Art. 7). Websites are therefore not able to rely on implied consent, such as the user closing the cookie consent banner and continuing to browse the relevant website.

Further, where consent is required, websites are not permitted to pre-select checkboxes giving consent to non-essential cookies by default, as the Court of Justice of the European Union made clear in its 2019 judgment in Planet49 (Case C-673/17).

California

California is another jurisdiction that seeks to specifically regulate certain cookies, although differently from the EU approach. Under the California Consumer Privacy Act (CCPA), “unique personal identifiers” are defined as ‘persistent identifiers that can be used to recognize a … device that is linked to a consumer or family, over time and across different devices…including…cookies’ (Section 1798.140(x)). It has not yet been determined what “persistent” means for the purposes of the CCPA, and it is therefore currently unclear whether “session cookies” would be viewed as personal information. However, “persistent cookies” are likely to be a form of “personal information” (Section 1798.140(o)(1)(A)) irrespective of whether the consumer or family can be personally identified. The CCPA requires that businesses give notice at or before the point at which personal information is collected (Section 1798.100(b)). As the International Association of Privacy Professionals has noted, while this might be accomplished by websites implementing “cookie consent banners” that contain links to the business's privacy policy, there is generally no requirement under the CCPA for websites to give notice as to the use of cookies in real time as part of a cookie banner, or to obtain prior consent or provide an opt-out facility in relation to their use (Section 1798.135).

Cookie regulatory change on the horizon 

The different laws on consent when it comes to cookies across jurisdictions (including as to the different types of cookies) have led to the emergence of cookie management platforms. These offer websites a service that presents cookie consent banners purportedly in line with the relevant jurisdiction's laws, allows users to manage their cookie preferences, and configures the website to run in line with the user's choices (for example, if the user has consented to essential cookies only, then all targeted advertising would be turned off). However, the prevalence of “cookie walls” (that is, websites obliging users to accept cookies in order to access them), “cookie consent fatigue”, the use of dark pattern techniques to influence a user into giving their consent, and the dominance of invasive practices involving tracking cookies, such as in online behavioural advertising, have for some time suggested a need for regulatory reform.

In the EU, the ePrivacy Regulation, which has been in draft since 2017, was originally intended to come into force at the same time as the GDPR, superseding the ePrivacy Directive to create a binding, harmonised law across all EU member states. One of the key objectives of the ePrivacy Regulation is to allow for more user-friendly and streamlined means for users to provide consent to non-essential cookies (such as by white-listing cookie providers at the browser level to reduce the number of cookie pop-ups). However, progress on the proposal has been slow and, as the EU seeks to regulate the AdTech sector more heavily, some matters may be addressed through other legislation, such as the Digital Services Act (see, for example, its provisions on dark patterns and online behavioural advertising) and the Digital Markets Act.

Here in Australia, with the review of the Privacy Act ongoing and with recommendations from the OAIC and ACCC to strengthen notice and consent requirements, there is a strong possibility that Australia's position on cookies will change in the future. Regulation in a number of jurisdictions is likely to influence the future transparency and use of cookies, including here in Australia.


Authors: Tim Gole and Jen Bradley 
