Cookies and other trackers can be distinguished according to different criteria, such as the purpose they serve, the domain that places them on a device, or their lifespan.
- Distinction according to the purpose of the cookie
Cookies can be used for many different purposes. They may be used, among other things, to support network communication (“connection cookie”), to measure the audience of a website (“audience measurement cookies”, also called “analytical cookies” or “statistical cookies”), for marketing and/or behavioral advertising purposes, for authentication purposes, to secure the website, for load balancing purposes, to personalize the user interface or to enable the use of a multimedia player (“flash cookies”).
- Distinction according to the domain that places the cookie on the device: “first-party” and “third-party” cookies
“First-party” cookies are placed directly by the domain listed in the address bar of the browser. In other words, they are cookies placed directly by the website owner. Third-party cookies” are, for their part, set by a domain different from the one visited.
This typically happens when the website incorporates elements from other websites such as images, social media plugins (such as the Facebook “Like” button) or advertisements.
When these elements are retrieved by the browser or other software from other websites, these websites may also place cookies that can then be read by the websites that placed them.
These “third party cookies” enable these third parties to track the behavior of Internet users over time and across numerous websites and to create, from this data, profiles of persons (profiling), in particular with the aim of being able to implement more precise and targeted marketing during the future browsing of these Internet users thus tracked.
- Distinction according to the duration of validity of the cookie: “session” cookies and “persistent” (or “permanent”) cookies.
“Session cookies” are automatically deleted when the browser closes, while “persistent cookies” remain stored in the device (computer, smartphone, tablet, etc.) until a predefined expiration date (which can be expressed in minutes, days or years).
Rights of Users in connection with the placement and/or reading of cookies
In most cases, a cookie or other tracer can only be installed if the user has been previously informed clearly and simply, in particular, of what these cookies do and why they are used. The obligation to inform and obtain consent applies to all cookies and other similar technologies that enable the storage of information or access to information already stored.
There are, however, two situations in which the placement and reading of cookies does not require consent:
- When cookies are absolutely necessary to provide a service (functional cookie) that the user has expressly requested (such as, for example, cookies that allow the user to remember a shopping cart or cookies that aim to ensure the security of a banking application).
- When cookies are absolutely necessary to carry out the sending of a communication via an electronic communications network (such as, for example, cookies that make it possible to display the necessary indications in encrypted exchanges and the identifiers of a transaction or performance or load balancing cookies, provided that they can only be analyzed anonymously).
Collecting the user’s consent in a valid manner
The user consent that you must provide in order to insert or read “non-functional” cookies and other similar technologies must, in order to be valid, meet the general conditions of legality of consent as set forth in the GDPR.
The consent must be manifested by a positive action of the user such as a click or the activation of a button by sliding, after the user has been previously informed of the consequences of his choice.
Consent is therefore not valid if it is collected by means of a default checkbox that the user must uncheck in order to refuse to give consent.
Nor can consent be inferred from the mere fact that the user continues to browse the site or from the fact that he has accepted the general terms and conditions of use of a site or mobile application.
Nor can the person responsible for the website or mobile application deduce consent from the fact that the user continues to browse the site or that he has accepted the general terms and conditions of use of a website or mobile application.
The person responsible for the website or mobile application cannot infer consent from the browser settings either, because currently it is not (yet) possible in the browser settings to express a choice by cookie purpose.
- Consent must be given prior to the insertion or reading of cookies
No “non-functional” cookie can be inserted or read on a computer, smartphone or tablet as long as the user has not given his consent.
- Consent must be informed
Before consent is requested, the user must have received precise information about the data controller, the purposes for which the cookies and other tracers that are going to be deposited and/or read, the data they collect and their lifespan.
The information must also cover the rights recognized by the GDPR including the right to withdraw consent.
The information must be visible, complete and prominently displayed.
It must be written in simple and understandable terms for any user.
This implies, in particular, that the information should be written in a language that is easily understood by the “target audience” to which it is addressed.
- Consent is valid only if the user can exercise a real choice
The user must be able to accept or refuse, for each application and each website, the deposit of cookies without constraint, pressure or external influence. The person who refuses a cookie requiring consent must be able to continue to benefit from the service, such as access to a website.
- The consent must be specific
GDPR requires that consent to the placement and reading of cookies be specific, i.e. it must be given for well-defined (specific) data processing.
Therefore, activating the button to participate in a game, confirming a purchase or accepting general terms and conditions is not sufficient to consider that the user has validly given consent to the placement or reading of cookies.
Nor can consent be given solely for the “use” of cookies, without further specification of the data collected via these cookies or of the purposes for which this data is collected.
Indeed, GDPR requires a more detailed choice than a simple “all or nothing”, but it does not require consent for each cookie individually. If the manager of a website or mobile application requests consent for more than one type of cookie, the user must have the choice to give (or refuse) consent for each type of cookie, or, in a second layer of information, for each cookie individually.
- The user must be able to withdraw consent
The user must be able to withdraw his consent as easily as he could have given it at any time. It is furthermore necessary that the user is informed of this possibility at the time he gives his consent.
- The lifetime of cookies
The information stored on the device (computer, smartphone, tablet) and cookies cannot be kept beyond the time necessary to accomplish the purpose.
This retention period cannot therefore be indefinite.
The information collected and stored in a cookie and the information collected following the reading of a cookie must be deleted when it is no longer necessary for the purpose pursued.
A cookie that is exempt from the consent requirement must have a lifetime directly related to the purpose for which it is used and be set to expire as soon as it is no longer needed, taking into account the reasonable expectations of the average user.
Cookies that are exempt from consent will therefore likely be set to expire when the browser session ends or even before. However, this is not always the case.
For example, in the shopping cart scenario, a merchant might set the cookie to remain after the end of the browsing session or for a few hours to account for the fact that the user might accidentally close the browser and reasonably expect to find the contents of the shopping cart when returning to the merchant’s website a few minutes later.
In other cases, the user may expressly request the service to memorize certain information from one session to another, which requires the use of persistent cookies.
Some interesting questions
- Can consent be validly inferred from the settings of your web browser?
Browser settings do not currently allow valid consent to be inferred. Indeed, you cannot (yet) give your consent according to the purposes pursued by the different types of cookies. The consent collected through your browser settings is therefore not specific enough with respect to the DPCM requirement.
Among the existing possibilities, you are invited to use the “private browsing” mode available on the main browsers on PC or mobile phones (including Edge, Internet Explorer, Chrome, Firefox, Safari or Opera).
Browsing information (passwords, cookies, forms, cached content and history) will then be deleted when you close your browser.
This possibility therefore allows you to leave no trace related to the navigation on your computer (or other mobile device), once it is finished. In particular, it does not prevent the deposit and reading of cookies during browsing, nor does it erase the traces left during your previous surfing sessions.
To do this, you can use other tools provided by browsers.
Thus, in the configuration settings of your browser, you can permanently authorize or refuse the saving and reading of cookies on or from your device in the future. The granularity of the choices offered (third-party cookies, first-party cookies, shelf life, etc.) depends on the browser and operating system used. This action does not affect information already stored. It may, however, impact connection data to certain sites, prevent the execution of certain functions and require reconnection/re-identification with these sites.
Finally, still in the configuration parameters, you will also be able to erase, on request, the navigation data already present on your device (including cookies). Depending on the browser, it will be possible to erase the data according to their age, nature and/or the site visited. Not all browsers allow you to view the stored cookies in detail or to delete them individually.
To help you manage these cookies and other tracers and limit the invasion of your privacy, you can install extensions and add-ons on your computer that are available from your browser.
- Can websites set up “cookie walls”?
The implementation of a “cookie wall” – which is a practice of blocking access to a website or mobile application for which you do not consent to the installation of “non-functional” cookies – is not compliant with the GDPR.
This practice prevents, in fact, your free consent from being obtained since you are obliged to consent to the installation and/or reading of cookies in order to access the website or mobile application.