What are cookies?
Internet cookies (sometimes known as ‘HTTP cookies’) are small text files downloaded onto a user’s computer (or smartphone) or held in their web browser when the user visits a website. The website can then use the information stored by a cookie whenever the user revisits that site. They’re essentially identifiers that tell the site that a user has returned.
Cookies often collect personal data (ie information about individuals from which they may be identified), so there are various legal restrictions on how cookies can be used, in order to protect people’s privacy. For example, website users must be able to opt-out of the use of cookies when they visit a website.
Most website operators place cookies on the browsers or hard drives of their users’ computers. Cookies can gather information about the use of a website or enable the website to recognise a user as an existing customer when, for example, they return to the website at a later date. A cookie file is neither a virus nor spyware.
Website users can control some aspects of cookies via their web browser settings, for example by choosing to delete, block, or allow all cookies.
What are the benefits of cookies?
Cookies are used to make a user's web experience faster, more convenient, and more personalised. They're also used to gather the information that enables businesses to build useful websites.
For example, if a user selects a language to view a website the first time they visit it, a cookie can save this preference so that the website is displayed in this language next time they visit it. Or, cookies may remember the types of items a user was interested in when shopping on a particular website and promote similar items to them when they visit in future.
Types of cookies
Internet cookies can be categorised into different types depending on factors like how long they’re stored for and who places them on a website user’s device. Different types of cookies include:
Session cookies vs permanent cookies
Session cookies are also known as 'temporary cookies' or ‘transient cookies’. They only retain information about a user's activities for as long as the user is on the website. Once the web browser is closed, the cookies are automatically deleted. Sometimes they’re also deleted automatically after a specified period of time. Session cookies are commonly used on shopping websites or e-commerce websites.
Session cookies typically help websites to recognise users and the information provided as a user navigates the website, enabling the user to move between website pages with their settings maintained (eg without having to re-add items to a shopping basket, login repeatedly, or reset search filters).
Permanent cookies are also known as 'persistent cookies’ or ‘stored cookies’. These are cookies that remain stored even after a web browser has closed. They identify specific individuals, so higher privacy requirements apply.
Permanent cookies might, for example, remember login details and passwords so that a website user doesn't need to re-enter these every time they use a site.
These cookies can be useful for providing website owners with information about who is visiting their website, when they’re returning, and what they do on the website (eg which pages they click on).
Permanent cookies must not be stored indefinitely. Data protection law requires that personal data – including cookies – is only stored for as long as necessary to achieve a purpose and then deleted. As an alternative to simply deleting cookies, a website could periodically ask its users to provide fresh consent to cookie use. Often, six to twelve months will be an appropriate timeframe after which consent should be renewed or cookies deleted. For more information, read Data retention and document destruction and Data privacy and cookies.
First-party cookies vs third-party cookies
First-party cookies are installed directly by the website (ie domain) that the user is visiting (ie the URL shown in the browser's address bar). These cookies enable website owners to collect analytics data, remember language settings, and perform other useful functions that provide a good user experience.
Conversely, third-party cookies are installed by third parties (ie websites other than the website the user is visiting) like advertising platforms or social media extensions. They collect certain information from web users to carry out research into, for example, behaviour, demographics, or spending habits. They are commonly used by advertisers who want to ensure that products and services are marketed towards the right target audiences.
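As an added illustration (not part of the original article), the following Python classifies Set-Cookie headers along the two axes described above, session vs persistent and first-party vs third-party, and flags any lifetime longer than the twelve-month renewal window mentioned earlier. The hosts and headers are constructed samples, and the "last two labels" shortcut for the registrable domain is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def _site(host):
    # Assumption: the last two labels stand in for the registrable domain; production
    # code should use the Public Suffix List (co.uk and similar break this shortcut).
    return ".".join(host.lower().strip(".").split(".")[-2:])

def classify_cookie(set_cookie, response_host, page_host, now):
    """Describe one Set-Cookie header: session vs persistent, first- vs third-party,
    and whether its lifetime exceeds the 12-month renewal window from the article."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.strip().lower()] = value.strip()
    lifetime_days = None  # None means no Expires/Max-Age: a session cookie
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime_days = int(attrs["max-age"]) / 86400
    elif "expires" in attrs:
        lifetime_days = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds() / 86400
    domain = attrs.get("domain") or response_host  # no Domain attribute: host-only cookie
    return {
        "name": name,
        "persistent": lifetime_days is not None,
        "lifetime_days": lifetime_days,
        "third_party": _site(domain) != _site(page_host),
        "exceeds_12_months": lifetime_days is not None and lifetime_days > 365,
    }

# Constructed sample (not real traffic): headers a page on shop.example might receive,
# paired with the host that sent each one. The clock is fixed so results are reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("sessionid=abc123; Path=/; HttpOnly; Secure", "shop.example"),
    ("lang=en; Max-Age=15552000; Path=/", "shop.example"),  # 180 days
    ("tracker=xyz; Domain=.ads.example; Expires=Thu, 01 Jan 2026 00:00:00 GMT", "cdn.ads.example"),
]

def audit_sample(page_host="shop.example"):
    return [classify_cookie(header, sender, page_host, NOW) for header, sender in SAMPLE]

if __name__ == "__main__":
    for c in audit_sample():
        kind = "persistent" if c["persistent"] else "session"
        party = "third-party" if c["third_party"] else "first-party"
        flag = "  <- longer than 12 months, review retention/consent" if c["exceeds_12_months"] else ""
        print(f'{c["name"]}: {kind}, {party}, lifetime_days={c["lifetime_days"]}{flag}')
```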
Flash cookies and zombie cookies
Flash cookies, also known as 'super cookies' or 'local shared objects (LSOs)', are independent of the web browser. They are designed to be permanently stored on a user's computer and are stored and accessed by Adobe Flash Player rather than by the browser.
These types of cookies remain on a user's device even after all cookies have been deleted from a web browser. They can be used to backup data that’s stored in a regular cookie so that, if a user deletes regular cookies from a browser, a website may still recognise the user when they return to it.
Zombie cookies are a type of flash cookie that can be stored in multiple places (eg on a browser and outside of it, on the user’s computer). A zombie cookie can automatically recreate a regular cookie version of itself (ie one stored on a web browser) after it’s deleted, utilising a version stored elsewhere (eg outside the browser).
Zombie cookies are often used in online games to prevent users from cheating, but have also been used to install malicious software onto users' devices. Zombie cookies can be difficult to detect or manage without specialised software.
As with other cookies, a website should obtain a user's informed consent before using any flash cookies on a browser or computer.
What is the law on using cookies?
The main legal rules on cookie use in the UK are set out by The Privacy and Electronic Communications Regulations 2003 (PECR) and general data protection legislation.
The basic rules applicable to cookie use are that websites must:
- tell website users that cookies are used and which cookies are being used
- explain what the cookies are doing and why, and get the user's consent to store cookies on their browser and device
Information about cookies can be set out in a Website privacy policy with an integrated cookie policy or in a separate Cookie policy. Cookie banners and specific methods of providing consent should be used.
There are various aspects of providing information about cookies and obtaining consent that should be considered to ensure compliance with the law on cookies. For more information, read Data privacy and cookies.
What counts as consent for cookies?
Consent must be freely given, specific, and informed. It must involve the website user performing some form of unambiguous positive action. For example, ticking a box or clicking a link.
The user must fully understand that they are giving consent and understand what they are consenting to. Users must fully understand that their actions will result in specific cookie use. Consent cannot be considered valid if the information about cookies is only provided as part of a privacy policy that is hard to find, difficult to understand, or hardly ever read.
Consent can be explicit, but it does not need to be. However, it must be provided by a clear positive action (eg not merely by the user failing to untick a pre-ticked box, or simply continuing to use the website).
Additionally, users should be able to easily disable cookies should they wish to.
For more information, read Data privacy and cookies.
Can cookies be erased or blocked?
Most cookies can be erased or blocked. To erase cookies, a user needs to find the folder or file where the relevant cookies are stored on their device and delete them. Session cookies are deleted automatically when the web browser is closed.
A user can also block a website's cookies by configuring their browser settings.
Specialist software that protects against malicious cookies is also available. These applications can be customised to let the user choose which cookies may be stored on their device.
Enforcement and penalties for cookie non-compliance
The Information Commissioner's Office (ICO) is responsible for ensuring organisations comply with the law on cookies in the UK. It takes a practical and proportionate approach to enforcing the rules on cookies and data protection in general. Where a business fails or refuses to comply with the rules, the ICO can take specific actions depending on the circumstances, including serving:
- information notices – requiring organisations to provide the ICO with specific information within a certain time period so that the ICO can assess aspects of the organisation's information and data security systems and policies
- enforcement notices – issued when the ICO reasonably believes an organisation has not complied with a data protection obligation (this can include not complying with an information notice). Enforcement notices instruct the organisation to take specific actions, for example to start obtaining consent for cookies
- monetary penalty notices – requiring an organisation to pay a monetary penalty of an amount determined by the ICO, up to a maximum of £500,000. These will generally be used after an enforcement notice has been issued and unreasonably not complied with. A monetary penalty notice is most likely to be issued if an organisation has seriously contravened the law and the breach is likely to cause substantial damage or distress