- Browser Cookie FAQs
- Cookie Law — EU Cookie Regulations
- Complying with the UK Cookie Law
All internet users should understand at least the basics of what cookies are, and how they affect your browsing and privacy online.
If you run a website, it’s crucial to familiarize yourself with laws and regulations regarding browser cookies, or you could face lawsuits and fines.
This guide serves as an introduction to browser cookies, along with the EU and UK cookie laws and links to more in-depth guides, tutorials, and resources.
Use the table of contents to jump to the information you are searching for, or continue reading below.
A cookie is a small text file stored on your hard drive by web pages you visit. The file — and the information in the file — is generated by the server-side application running the web site. The server also has access to the cookie it gave you (but not to cookies created by other websites).
A cookie can be used to identify you to a website. It doesn’t reveal personal information (because the data in the cookie came from the website’s server in the first place) — just identifies you as the same browser that visited earlier.
This is helpful for session-management (keeping you logged-in over the course of a single user-session), login persistence (the “Remember Me” or “Stay Logged In” feature you see in many apps and websites), and multi-tab browsing.
A cookie is a small text file, so it looks like a text file. It will usually be named something like
[email protected]. If you were to open one of these files, it would just look like some random numbers:
HMP1 1 example.com/ 0 4058205869 384749284 403847430 3449083948 *
The strings of numbers are codes which are only meaningful to the software that generated it. Usually it is little more than a unique identifying string, although sometime they are used for data-storage.
Either way, there is usually nothing meaningful to find when viewing a cookie file.
HTTP — the primary protocol used in web browsing to communicate with a web server — is an inherently stateless, sessionless computing experience.
That means that each page load, each request, is an independent event, unrelated to the events that come before or after it.
This is fine for viewing a few documents that someone put on their server, but anything more complicated — like logging in and getting user-specific content — requires some kind of persistence mechanism, something that will alert the server that the current request from you is related to the previous one, that they are both from the same person on the same computer.
Cookies accomplish this. The server generates one the first time you visit a site. It sends it to your browser, and your browser stores it. On subsequent page loads, the browser informs the server of the relevant cookies currently being stored. The server reads them and knows that this is the same browser as before.
Yes. There are a few different types of cookies.
The most common are session cookies, which are temporary. They are used by nearly all commercial websites to manage a single browsing session. This allows thing like shopping carts to work, even if you aren’t logged in. They simply tell the server that all of your requests within a period of time came from the same computer and should be treated as a single session.
Session cookies are sometimes called transient cookies or temporary cookies. They are not stored on your hard drive, but are rather kept in active memory. They are deleted when your session closes, or after a period of inactivity (usually 20 minutes or so).
Also common are permanent cookies, also called persistent cookies. These cookies are used to identify you over multiple independent sessions. These are the ones the handle the “Remember Me” or “Keep Me Logged In” functionality of many websites and apps.
They are also used to customize content to you, especially ads.
Besides affecting your browsing experience, persistent cookies are also used for analysis and performance data tracking. They can be used to tell how long you stay on a site, how you move through the site, and other behavioral patterns. They are also used to count the number of individual, unique visitors to a site, as well as how often returning visitors come back. Website owners use all of this information to guide their decision making regarding everything from site design to image choice to page length.
Finally, there are Flash cookies. Flash cookies are generated and stored differently than “regular” (or “HTTP”) cookies — they are created and stored in the Adobe Flash browser app.
The problem with Flash cookies is that they are not deleted when you clear your browser cookies. Some websites exploit this fact and use Flash cookies as a sort of “backup” for regular cookies (even sites that don’t use Flash for any obvious interactive purposes).
Flash cookies have to be dealt with from within the Flash player settings panel.
No. Cookies are a text-based data format that cannot contain any executable code. They are not a potential security risk.
That depends on how you define “privacy,” and what you consider a violation.
Cookies cannot be used to obtain personal information from your computer. The only data in a cookie is the data put into by a website’s server. The only site that has access to it is the site that put it there.
However, cookies are used as a part of many large browser tracking schemes which create extremely detailed user profiles. Many websites use third-party ad networks — networks which span multiple sites. This allows central data aggregators to track user activity across many different domains. Cookies are not thing used to handle this tracking, but they do play a central role.
Some people consider this constant activity tracking to be a form of privacy invasion. Other people don’t mind it at all. Mostly, the only thing that data generated this way is used for is to serve relevant ads which you are likely to click on.
Cookies were invented by Netscape in 1995, as a way to solve the persistence problem in HTTP sessions.
Because the developers were American. If they had been British, they would have been called “biscuits.”
What does the law actually say?
The EU itself does not make the law. Rather, the EU creates a directive which the member nations must implement in their own laws.
While each EU member state has their own specific version of the cookie regulation, they are all remarkably similar in their effects.
The UK law was one of the first implementations of the EU privacy directive. It is found in the Privacy and Electronic Communications Regulations 2011. The relevant section is quoted here:
6. – (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment –
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.
(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information –
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
What does that actually mean?
What the law is saying is this:
A website (or app) cannot store information on a visitor’s computer (or device), or retrieve information off of it, without the visitor’s explicit consent.
This covers HTTP cookies (“regular cookies”), Flash cookies, HTML5 storage, DOM “data-” elements, and pretty much anything else that replicates a cookie-like functionality or aides with session persistence and browser identity. (From here on out, we’ll call all these things, collectively “cookies” — even though this law covers a variety of related technologies.)
Cookies which are required in order to fulfill the requests of the website visitor do not require explicit user consent. But any others — including those used for general use statistics — do require it.
The law states that user consent must be obtained before placing a cookie on their computer.
Consent is further defined by UK law as “any freely given specific and informed indication of [the user’s] wishes”.
The exact nature of this consent, and how it should be obtained, is the subject of much debate among both technologists and legal experts. There is no clear guidance to be found in the regulation, no explicit set of practices to be implemented on all websites.
Example Cookie Consent Language
Here are some example Cookie announcements.
Friendly default opt-in:
If you continue to use this site, we assume that you are okay with this.
If you want to use the sites without cookies, you may [click here].
Formal default opt-in:
Penalty for non-compliance
The maximum fine, in the UK, for not complying with user consent regulations regarding cookies is £500,000 (between $750,000 and $800,000 USD).
Websites not originating in the EU
Websites not originating in the EU (for example, the US) probably do not need to comply with the cookie consent regulation. The possible exception is when serving content to users in the EU.
While it is by no means clear that it is a legal requirement, it is probably prudent for non-EU websites to use consent-gathering disclaimers on their websites when serving content to users in the EU.
If your site is based in the UK, you are legally required to comply with the UK’s cookie law.
If your site is based anywhere else in the EU, you should comply with the general principles of the EU directives, which are well-represented in the UK law. (Not all EU countries have implemented the directives, but they all will eventually, as it is required.)
How to comply
- gaining consent before placing any cookies on the user’s computer
- informing users about what data you collect, why, and what you will do with it, and how they can delete and control cookies placed by your on their computer
Consent for placing cookies on a user’s computer must be done before any cookies are placed. This means that it must be accomplished, somehow, on the first page of your site a user sees, regardless of which page that is.
The good news is that it only needs to be done one time. You do not have to repeat the notice and consent dialogue on every page.
There are two different design approaches to cookie consent:
- an on page design, usually at the top of the page, in some type of call-out box
- a pop-over dialog box (called a “modal”)
There are downsides to each.
A modal dialogue box is separate from your page, so it is easier to “work in” as a design element. On the other hand, it might be more disruptive to the browsing experience.
An on-page banner or panel may disrupt the browsing experience less, but might interrupt your design and make your site unattractive.
You’ll have to decide for your own site which option is preferable.
While the specific directives provide by the EU and UK seem to set-up an “opt-in,” the most common approach to compliance is a sort of “soft opt-in” — that is, clearly informing users that by using your site, they are opted-in.
Typically, the language used for this type of opt-in looks like this:
It is common practice to display a message using these or similar words until the user clicks an
OK button or otherwise acknowledges the message.
Informing users of data use
You also need to inform users how to delete cookies. Since every browser does this a little differently, the easiest way to handle this is to provide a link to a page that has instructions for deleting cookies. Feel free to copy and paste our code below to comply:
<a href="https://privacypolicies.com/blog/how-to-delete-cookies/">How to delete browser cookies</a>