What are cookies?

Since the GDPR came into effect in May 2018, website operators have had to ask themselves, whether cookies count as personal data or not. To answer this question, the term “cookies” must be defined.

A cookie is a small text file. Websites place these small text files in the browsing history of users, which is why we often talk about “setting cookies”. Cookies are either sent to the user by the respective server (HTTP cookie) or generated when a website is visited (scripted cookie). By setting cookies, website visits are tagged and recognized, which allows them to customize their browsing habits. Cookies are generally used to optimize a page for the user – certain cookie types are also responsible for the flawless functioning of the website (e.g. shopping cart cookies).

Generally, there are three types of cookies:

• Cookies required for the function of a website
• Performance or functional cookies
• Tracking or advertising cookies

First party cookies are those cookies that are set on the website on which a user is surfing. These cookies are not made accessible by browsers across domains, meaning you will not be passed to third parties. First party cookies mostly include: necessary cookies, performance cookies, functional cookies and advertising cookies.

Third party cookies or tracking cookies are commonly used to identify the user. These cookies are used to monitor the browsing behavior of a user over a longer period of time and are therefore used to create targeted advertisement. These cookies are set by banners that are integrated on a website and not by the website itself. This happens even without explicit user registration on a website and across multiple web offers. In doing so, third party cookies are navigating the user through links and are collecting useful information such as: the dwell time on various web pages and page views, as well as the frequency of page views.

The use of cookies enables a number of functions. The functions of cookies can be divided into three areas.

Firstly, website operators can use cookies to conduct user analysis, which records visiting times or the frequency of page views. Usage streams can be used to eliminate bugs and manage bids. Examples of these are sales and comparison portals, streaming services, search engines, etc. These match the behavior of their users and thus determine the best possible result for precise hit rates.

To enable the free use of websites for visitors, website operators often advertise. Advertising agencies as a third party advertise based on the user information generated by the cookies. Cookies can therefore contribute to the financing of a website through advertising.

By storing user information while surfing on a website, cookies process and store personal information. This information can be seen as an e-mail address, name, age, product suggestions, etc.

The biggest concern with cookies is the data theft. If cookies are not protected or even poorly protected, the stored personal data of a user is readily available to abuse and is vulnerable to hacker attacks. A further problem is the creation of personal profiles through the use of cookies. In general, profiling should only be necessary on an anonymous basis. Cross-site merging of cookies, however, can create detailed user profiles. Profiling is understood to mean the automated processing of personal data in any form by the evaluation of personal aspects of a natural person. This means that people can be clearly identified and recorded with their activities by profiling based on browser history, web searches, IP addresses, purchases, and personal account activity.

The General Data Protection Regulation regulates and restricts the processing of personal data. The processing of personal data is only allowed if it is either anonymous or used for specific purposes. Since most cookies process personal data, these are therefore also covered by the GDPR.

In short:

• If it is a technical necessity for a cookie to be set, no consent is required (e.g. shopping cart cookie).
• There are also the so-called functional and performance cookies. It depends on whether these cookies are first party or third party cookies. If functional and performance cookies are set as a third party cookie, consent is required.
• The third type of cookies are analysis, tracking or advertising cookies. User consent is required in every case.

Are cookies personal data?

Disclaimer

Usercentrics GmbH does not offer legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.