Cookies 101


Published on Apr 9, 2024 and edited on Apr 16, 2024 by Carlo Cilento

When people discuss online privacy, cookies always come up. But how do cookies work, and what rules apply?

You might think that cookies need consent. After all, so many websites annoy you with cookie banners! But the rules are more complex than that and not all cookies are treated equally by the law. So, let’s shed some light on cookies and their legal requirements in the EU.

  1. What are cookies, and what are they for?
  2. How are cookies regulated in Europe?
  3. What types of cookies are there?
    1. First-party vs. third-party
    2. Essential vs. non-essential
    3. Unique vs. non-unique
  4. How are cookies regulated?
    1. Non-essential cookies require consent…
    2. … but essential cookies do not
    3. Extra rules from the GDPR may apply
    4. What if I use cookies for multiple purposes?
    5. Consent is opt-in
  5. What about apps?
  6. Are cookies good for web analytics?

What are cookies, and what are they for?

Cookies are small pieces of data that a website stores in your browser; the browser sends them back to that website's server with each later request, which is how the two exchange information as you browse.

While cookies are often associated with web analytics, they are used for all sorts of purposes. Plenty of websites use cookies for anti-fraud, web security, and automated log-ins. The purpose of a cookie matters because not all cookies are treated the same under EU law, as we will see below.

How are cookies regulated in Europe?

Cookie rules are somewhat complex in the EU, so here is a short tl;dr to make it less confusing:

  • If your cookies are essential for your website to function, then you do not need consent.
  • If your cookies are not essential, then you need opt-in consent for using them. This typically means displaying a cookie banner.
  • If your cookie has a unique identifier, then you have some duties under the GDPR. You may still be able to place those cookies without consent, if they are essential.

Again, this blog will refer to EU law only. Different legislations regulate cookies differently: for instance, the UK and Brazil are closely aligned with European laws, while US regulations are typically more permissive.

What types of cookies are there?

While all cookies function in a similar way, there are some distinctions between them, some of which matter for the law.

First-party vs. third-party

First-party cookies are set by the domain you are visiting and can be read only by that domain. Third-party cookies are set by a different domain whose content (a script, an ad, a tracking pixel) is embedded in the page, and that domain receives its cookie back on every site that embeds it.

For instance, if you visit Facebook and accept Meta’s third-party cookies, Meta will receive those cookies whenever you browse other websites that embed its content. This allows Meta to “personalize your experience” (read: serve targeted advertising based on invasive profiling, both on Facebook and on other websites that rely on Meta for placing ads).

On the other hand, if you accept first-party cookies from www.coolwebsite.com, that site will be able to read them, but a different domain such as www.awesomewebsite.com won’t.

Third-party cookies are highly invasive. This is why so many Internet users go out of their way to install ad blockers, and why many browsers block third-party cookies or limit the snooping in other ways (such as the per-site cookie jars in Mozilla Firefox). This general backlash against cookies has been dubbed the biggest boycott in human history and is making third-party cookies increasingly ineffective as a retargeting tool.
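To make the first-party versus third-party distinction concrete, here is an added example (not code from the original post) of a toy browser cookie jar. It shows why a cookie set by an embedded tracker follows a user across sites while a first-party cookie does not, and how per-site partitioning of the kind Firefox uses cuts that link. All hostnames are constructed for the demo.

```javascript
// Added example, not from the original post: a toy browser cookie jar showing
// why a cookie set by an embedded third party follows a user across sites, and
// how per-site partitioning (Firefox-style cookie jars) cuts that link.
// All hostnames are constructed for the demo.

class CookieJar {
  constructor({ partitioned = false } = {}) {
    this.partitioned = partitioned;
    this.store = new Map();
  }

  // A cookie is keyed by the host that set it; with partitioning, the site in
  // the address bar is part of the key too, so each site gets a separate jar.
  key(cookieHost, topLevelSite, name) {
    const partition = this.partitioned ? topLevelSite : "*";
    return `${partition}|${cookieHost}|${name}`;
  }

  // A response from cookieHost, loaded while the address bar shows
  // topLevelSite, carried a Set-Cookie header.
  set(cookieHost, topLevelSite, name, value) {
    this.store.set(this.key(cookieHost, topLevelSite, name), value);
  }

  // Cookie value that would be attached to a request to requestHost while the
  // address bar shows topLevelSite, or null. Cookies only go back to the host
  // that set them, never to other domains.
  get(requestHost, topLevelSite, name) {
    return this.store.get(this.key(requestHost, topLevelSite, name)) ?? null;
  }
}

// Scenario: the user visits coolwebsite.example, which embeds a script from
// tracker.example; both set cookies. The user then visits awesomewebsite.example,
// which embeds the same tracker script.
function crossSiteVisibility(partitioned) {
  const jar = new CookieJar({ partitioned });
  jar.set("coolwebsite.example", "coolwebsite.example", "sid", "first-party-session");
  jar.set("tracker.example", "coolwebsite.example", "uid", "user-42");
  return {
    // awesomewebsite.example never receives coolwebsite's first-party cookie
    otherSiteReadsFirstParty: jar.get("awesomewebsite.example", "awesomewebsite.example", "sid"),
    // but tracker.example gets its own cookie back from the second site, unless partitioned
    trackerRecognisesUser: jar.get("tracker.example", "awesomewebsite.example", "uid"),
  };
}
```

With partitioning off, `trackerRecognisesUser` is the same identifier on both sites; with partitioning on, the tracker sees nothing on the second site.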

Essential vs. non-essential

Essential cookies are cookies that an app or website needs in order to work properly. For instance, cookies that are used to prevent DoS attacks against websites are essential, while web analytics cookies are non-essential.

This is the main distinction from a legal point of view because non-essential cookies always require consent under EU law (more on that later). In fact, non-essential cookies are sometimes referred to as optional because of their generally stricter regulation under the law.

Unique vs. non-unique

Finally, let’s take a look at a third and often overlooked distinction. Some cookies include a unique identifier, that is, a string of numbers that identifies an individual user (or more exactly, their browser). This identifier allows a website to monitor an individual user because no two such cookies are the same.

Common web analytics tools like Google Analytics and Adobe Analytics use identifying cookies to track people around the Internet and profile them based on their browsing habits. So, these are the kind of cookies privacy advocates (rightly) complain about. But identifying cookies have different, less invasive uses as well: for instance, many websites use them for anti-fraud, and e-commerce platforms often use them to track the products in your cart.

Unique identifiers are relevant from a legal viewpoint because they count as personal data. So, cookies with unique identifiers are always personal data and fall under the GDPR while cookies without unique identifiers do not.

How are cookies regulated?

Cookie rules are mainly found in two legal sources: the GDPR and the ePrivacy Directive. The regulation of cookies is somewhat complicated because the two laws differ in terms of criteria, terminology, and scope.

As we anticipated in our tl;dr:

  • Non-essential cookies always require opt-in consent.
  • Essential cookies do not require consent at all.
  • Some cookies come with other requirements under the GDPR, whether they are essential or not.

Let’s break these rules down bit by bit.

Non-essential cookies require consent…

The ePrivacy Directive (more exactly, Article 5(3)) requires consent to access data stored on a user’s terminal equipment. This means that cookies can only be used with consent, though there are carve-outs, as we will see.

The Article also applies to technologies other than cookies because it is worded very broadly. For instance, built-in trackers in mobile apps also require consent, as do advertising identifiers for mobile devices such as Google’s AAID or Apple’s IDFA.

This mandatory consent rule is stricter than those found in the GDPR. The notion that the GDPR is all about consent is misleading, as there are absolutely legitimate ways to collect data without consent (as we explained here).

… but essential cookies do not

The Directive includes a carve-out for data which are “strictly necessary to provide an information society service” at the user’s request.

This carve-out is interpreted quite broadly by regulators and covers all the data which websites and apps need in order to function. This is why essential cookies do not require consent, as we anticipated.

For instance, let’s say you visit an ecommerce website and change the language to Spanish. Your language preference is probably stored through a cookie. This is an essential cookie: if you are to browse the website, then the website needs to display its content in a language that you can understand. So, the website does not need your consent in order to place that cookie.

But if the same website wants to use Google Analytics cookies, it needs your consent. This is because web analytics and retargeting are extra things that the website wants but does not need to do.

(On a side note, the ePrivacy Directive includes a second carve-out for data which are strictly necessary to make communication possible. This carve-out doesn’t typically apply to cookies but is still worth mentioning.)

Extra rules from the GDPR may apply

The GDPR and the ePrivacy Directive do not have the same scope: the GDPR applies to personal data, while the ePrivacy Directive (and Article 5 specifically) applies to all communication data whether they are personal data or not. This makes things a little complicated because some cookies fall under both the ePrivacy Directive and the GDPR, while others only fall under the ePrivacy Directive.

Explaining it all in detail would make this blog too long, but in a nutshell:

  • The cookies that fall under the GDPR are, again, the ones that contain a unique identifier.
  • If the GDPR applies, its general rules also apply (for instance, legal bases, information duties, the right to access data, and so on). Just because the GDPR applies does not mean that you need consent! Cookies with unique IDs can still be used without consent if they are essential. In the example above, the unique cookies used by e-commerce websites to track the items in your cart are essential cookies and are exempt from the consent requirement.

What if I use cookies for multiple purposes?

Sometimes cookies are used for multiple purposes. For instance, you may use the same cookie for both anti-fraud and web analytics.

You can see why multiple-purpose cookies are problematic. Non-essential cookies require consent while essential cookies don't. What about cookies that fulfill both essential and non-essential purposes?

Thankfully, the European Data Protection Board chimed in on this a while ago: if any one of the cookie's purposes is non-essential, the cookie requires consent. This important clarification closes dangerous loopholes that would otherwise allow for non-consensual tracking.

The practical takeaway is to avoid using the same cookies for essential and non-essential purposes. This allows you to respect user choice and still be able to write all the essential cookies that make your website work.

Consent is opt-in

Consent is a complex subject. We can only scratch the surface here, but it is worth pointing out that only active, opt-in consent is valid. There is no such thing as an implicit or opt-out consent under the GDPR!

The rule of opt-in consent has important consequences for web analytics:

  • Your cookie banner must use affirmative wording such as “I accept cookies” or “I consent to the use of cookies”. Avoid ambiguous language like acknowledging cookie use.
  • Your website should not write non-essential cookies until the user makes a choice. Ignoring the cookie banner and scrolling on is not a choice, and the same goes for clicking a “close/X/dismiss” button.
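The two rules above, together with the multi-purpose rule from the previous section, translate into a small consent gate. The following is an added example (not Simple Analytics' code); the cookie names and purpose labels are constructed for the demo.

```javascript
// Added example, not Simple Analytics' code: a consent gate that applies the
// rules in the post. Cookie names and purposes below are constructed.

// Purposes the site treats as strictly necessary (the essential carve-out).
const ESSENTIAL_PURPOSES = new Set(["session", "language", "anti-fraud", "cart"]);

// Every cookie declares all purposes it serves, so a cookie reused for
// anti-fraud and analytics lists both (the multi-purpose case above).
const COOKIE_REGISTRY = [
  { name: "lang", purposes: ["language"] },
  { name: "cart_id", purposes: ["cart"] },        // unique id, but still essential
  { name: "analytics_id", purposes: ["analytics"] },
  { name: "fraud_and_stats", purposes: ["anti-fraud", "analytics"] },
];

// EDPB rule: if any single purpose is non-essential, the cookie needs consent.
function requiresConsent(cookie) {
  return cookie.purposes.some((p) => !ESSENTIAL_PURPOSES.has(p));
}

// Only an affirmative act counts as a choice. Scrolling past the banner or
// clicking close/X/dismiss leaves the user undecided and not opted in.
function consentFromBannerEvent(event) {
  switch (event) {
    case "accept": return { decided: true, optedIn: true };
    case "reject": return { decided: true, optedIn: false };
    default:       return { decided: false, optedIn: false };
  }
}

// Names of the cookies the site may write right now: essential ones always,
// everything else only after an explicit opt-in.
function allowedCookies(registry, consent) {
  return registry
    .filter((c) => !requiresConsent(c) || (consent.decided && consent.optedIn))
    .map((c) => c.name);
}

// Demo: before any choice is made, only the essential cookies are written.
console.log(allowedCookies(COOKIE_REGISTRY, consentFromBannerEvent("scroll")));
```

Note that `fraud_and_stats` is held back even though anti-fraud alone would be essential; splitting it into two cookies is the fix the post recommends.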

There is a lot more to say about consent and cookies, especially with regards to web analytics, and we may soon come back to the topic.

What about apps?

App tracking is different from cookie-based tracking in that trackers are typically built into the app directly. But, Article 5 of the ePrivacy Directive is very broadly worded and the trackers commonly found in apps fall within its scope.

Long story short, the rule is the same: if the tracking is not strictly necessary, then it requires consent.

But this requirement is largely ignored. Most of the app industry uses third-party software development kits (SDKs) which are packed with trackers. These kits collect data to the benefit of the kit’s developer and frequently ignore or circumvent consent rules. The end result is illegal tracking on a planetary scale.

To make things worse, you have less control over your apps than you do over the websites you visit, because you can’t install an ad blocker or check and delete trackers the way you would manage cookies from your browser. This is why every company under the sun is trying to force a crappy app on you.

Tl;dr: apps follow the same rules as cookies but companies play dumb.

Are cookies good for web analytics?

It depends. Cookie-based analytics services such as Google Analytics and Adobe Analytics can collect fine-grained data, but that data comes at the cost of user privacy. This is an ethical issue and it can become a practical issue in jurisdictions with strict consent requirements such as the EU, because cookie banners lead to high opt-out rates and inaccurate analytics.

Simple Analytics can solve the problem. We build our service to provide you with all the insight you need without using cookies and without collecting personal data. Simple Analytics is a great, privacy-focused alternative to Google Analytics as well as a perfect complement to it, as a means to mitigate the loss of data from cookie banners.

If you are curious, feel free to give us a try!
