Have you ever wondered why (in the last few years) you’ve been barraged with “cookie” notices on many websites you visit? Well, you’re not alone. Today’s blog post will explain more than you really wanted to know about cookies. (Note that this post assumes a basic understanding of the way the internet works … which may be assuming a lot. Additionally – if you do this stuff for a living, you’ll find this semi-remedial.)
At its core, this is about privacy. Why? Because a cookie is a file placed on your computer by a website you visit, which it then also retrieves when you return to the site using the same browser. It can contain any text-based information, but it cannot be used to spread viruses or other malicious software. It can, however, be used for a wide variety of purposes – many that could be considered terribly invasive to your personal privacy. (To find out more about cookies, have a look at Cookiepedia – a leading resource on the subject.)
Although cookies are in many ways essential to the modern internet, ever since they were created, a debate has been going on about their impact on the privacy of web users. They are basically a way for a website, and the people who own that site, to store and retrieve data about the user or their interaction with the site. They do this, generally speaking, to either alter what that person sees, or record their activity (which is to say, the pages they visit, how long they spend on a site, etc…). Cookies are central to the modern web experience. So although they are not inherently ‘bad’, they do engender valid privacy concerns.
This all started in the 1990s in the European Union (“EU”). The European Commission (“EC”) promulgated a data protection directive that regulated the processing of personal data within the EU. The intent behind the directive was to increase the options available for consumers to protect their data privacy. Both then and now, many websites collect(ed) user data without any user awareness, and every day more and more companies are learning to exploit the value of that data.
The directive hoped to enable consumers to strike a new bargain with these businesses – requiring businesses to inform consumers of what is being gathered, and enabling them to choose to participate in this or not, at their discretion. We should note here that the EU directive does not simply apply to cookies. It includes Flash cookies, HTML5 local storage, etc… indicating that it isn’t good enough to just re-implement the tracking some other way outside of cookie storage.
Now that we understand the what and the why, to whom does this directive apply? The answer – any website available in the EU. (Or in legalese – the “…processing of personal data by any person whose activities are governed by Community law”.) Given the “messy” nature of the EU, the EC left it up to each member country to legislate and enforce this directive. To say that enforcement and legislation across the EU have been … spotty … is an understatement.
So where does that leave us – the users of the internet and the beneficiaries of the EU’s privacy directive?
(I would be remiss if I failed to note that there will be serious revisions of the EU privacy directive in the coming months. I could have gone into them here, but perhaps that’s another blog post…)