We’re all familiar with cookie notices. Those little messages that pop up when you visit a new website are ubiquitous, and can be rather annoying. As a legal obligation in many countries, they’re also increasingly unavoidable. So how can you manage them on your own website?
It’s worth remembering that website cookies are pieces of unencrypted HTML, lodged in a web browser’s memory. Designed to streamline return visits by storing information specific to that browser, they’re fairly harmless when used benignly. Cookies were invented to store basket contents or login credentials, though they can capture most non-personal data such as browser languages and the time spent on each page. Many cookies only last as long as a browsing session, vanishing when the browser is closed.
Some cookies are stored in the web browser for future reference, identifying returning visitors and mapping their behavior. More controversially, this information can even be captured and sold on by third parties. This results in targeted advertising that can feel intrusive, or even embarrassing if several people are using the same device. Conversely, since cookies are browser specific, two web browsers on the same device can deliver very different website experiences if only one of them has cookies stored from a previous visit.
All You Need to Know About Cookies:
Although they exist in many forms, website cookies can be broken down into three main types:
- Session cookies, deleted when the browser closes because there’s no expiry directive.
- Tracking or persistent cookies, which can live on in the browser for up to six months.
- Third-party cookies, which remotely monitor site visitors’ behavior and profile.
Session cookies are fairly innocuous, tracking each user’s movements around a single website until they depart. If someone revisits the same site later, they’ll be treated like a first-time visitor again. Session cookies are most commonly used for shopping baskets, so an unregistered guest doesn’t lose the items in their basket every time they visit a new page. Web browsers have session cookies enabled by default, and even the privacy-oriented Tor browser supports their use.
Tracking cookies last for a time period specified by their creator, not exceeding six months. Because they embed information into each individual visitor’s web browser, they can build up a far clearer picture of long-term user activity. They report on the number and length of site visits, navigation patterns and specific products or services that were viewed. This data can be used to identify user preferences like language or currency, making subsequent site visits easier. Although it can be convenient not having to repeatedly log into an account or website, there’s obvious potential for private information being revealed if more than one person uses that web browser.
Third-party cookies are the most contentious, since there’s rarely an explanation of who the third party in question might be or why they want to acquire user information. Belonging to a different domain than the host website, they’re commonly associated with external advertising. Companies using these data gathering tools include Facebook, Google, Twitter and YouTube. Third-party cookies can monitor activity across multiple websites, and they serve no useful purpose from the consumer’s perspective.
Another privacy issue involves session hijacking, where unencrypted cookies are stolen or duplicated before being used to impersonate the victim. This can be done by intercepting network traffic on unencrypted channels, or using a variety of cross-site scripting techniques. Cookies have historically been vulnerable because they weren’t distributed via encrypted channels, though Google’s enthusiasm for HTTPS Everywhere will help to reduce the risk of session hijacking in future.
Tracking Files and Customer Behavior
A 2012 survey found that America’s top 50 websites used a total of 3,180 tracking files between them, scrutinizing every aspect of their audience’s behavior. That’s clearly excessive, particularly in an age of growing privacy concerns. As we migrate away from social media posts towards encrypted communications, the Orwellian nature of third-party cookie tracking seems increasingly outmoded.
Companies therefore have to weigh up the advantages of deploying cookies against the negative PR connotations they carry. It’s advisable to avoid third-party advertising cookies unless the revenue stream is essential to your company’s survival, and it’s also recommended not to sell on user data. Whether you run a bankruptcy advice website or an adult toys retailer, it’s easy to see why site visitors might resent targeted advertising. Furthermore, with most modern web browsers offering the option to block third-party cookies, it’s becoming increasingly difficult to track customers too closely.
Finally, companies trading overseas should be aware that laws may vary significantly from one nation to the next. Websites in Europe are legally bound to outline cookie usage on the homepage, through a direct request for approval. That means cookie policies can easily become confusing, unless they’re simplified and streamlined as far as possible.