Does your website need a cookie consent notice?

by Will Moody

A common misconception is that the use of cookies is governed by the General Data Protection Regulation (GDPR). In fact, cookie usage and its related consent acquisition are not governed by the GDPR; they are instead governed by the ePrivacy Directive (the Cookie Law).

The Cookie Law requires users’ informed consent before storing cookies on a user’s device and/or tracking them.

This means that if your website/app (or any third-party service used by your website/app) uses cookies, you must inform users about your data collection activities and give them the option to choose whether it’s allowed or not; you must obtain informed consent prior to the installation of those cookies. The chances are that most websites will require a cookie consent notice, unless they only use cookies as listed below in the exemptions list.

What are cookies?

Web browsers create simple text files called cookies when you visit websites on the internet. Your device stores the text files locally, allowing your browser to access the cookie and pass data back to the original website.

Exemptions to the consent requirement

Some cookies are exempt from the consent requirement and therefore are not subject to preventive blocking (though you’re still required to have the banner and cookie policy in place). The exemptions are as follows:

  • Technical cookies strictly necessary for the provision of the service. These include preference cookies, session cookies, load balancing, etc.
  • Statistical cookies managed directly by you (not third parties), provided that the data is not used for profiling
  • Statistical (anonymized) third-party cookies (e.g. Google Analytics)*

*This exemption may not be applicable in all regions and is therefore subject to specific local regulations.

Why are they called cookies?

I can find four separate theories behind the name:

  • The Hansel and Gretel cookie theory also makes it easier to understand what cookies do. In the famous fairy tale, Hansel and Gretel left a cookie trail behind (well actually, it was breadcrumbs) as they made their way through a dark forest; this way they could easily see where they had been, just as a browser cookie records a user’s activity on your website.
  • The “Magic Cookie” is another internet cookie story that I came across. Programmers used the name magic cookie to refer to a token or a short piece of data that passed between programs. The contents of this cookie file could not be seen and would not usually be accessed until a program had passed the file back to the sender at a later time. The file is often used like a ticket to identify a particular event or transaction. Sounds similar to the browser cookies we know today.
  • Some people may have heard of the Fortune Program from large Unix systems. At startup the system would present a new quote, joke or general information to the user who was logging in. The information was stored in what was called a “cookie file”. Local administrators often changed the file to add their own personal statements. So did the internet cookies we know today get their name from this Unix program?
  • After a clever programmer left his company, strange things began to happen. Every so often, the computer system would completely stop and the screen would display a message: “Gimme a cookie”. The system would not return to normal until the operator entered the word “cookie” into the system. The root cause was well hidden in the code and could not be found or removed without a complete rewrite. It was decided to leave the code in place and train users to “give the machine a cookie”!