In first article you learned what are cookies and where the name come from. Also, I briefly explained how UE treats cookies and where they see potential problem. But most important for me and you is information how to properly comply with EU cookie law.
Depending on cookie type, UE treats it in different way, so you should know all of this usages. That’s what you’ll learn in this article.
Articles in this series:
- What is a Cookie?
- >>>Types of Internet Cookies<<<
- Explicit or Implied Consent?
- When You Don’t Need User Consent?
- Proper Dataflow Infographics
- How to Properly Comply with EU Cookie Law?
How can we categorize cookies?
According to “Opinion 04/2012 on Cookie Consent Exemption” adopted on 6/07/2012 by European Commision, cookies can be categorized according to:
- whether they are session or persistent cookies
- whether they are first or third party cookies
Session cookies are those which would be deleted when you close your browser. Persistent have expiration date, and can be stored on your drive even for years.
Third party cookies aren’t so clearly defined in EU documents. So when cookie is third-party?
In the context of European data protection, the Directive 95/46/EC defines a third party as “any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data.” A “third party cookie” would thus refer to a cookie set by a data controller that is distinct from the one that operates the website visited by the user (as defined by the current URL displayed in the address bar of the browser).
However, from the perspective of browsers, the notion of “third party” is solely defined by looking at the structure of the URL displayed in the address bar of the browser. In this case “third party cookies” are cookies that are set by websites that belong to a domain that is distinct from the domain of the website visited by the user as displayed in the browser address bar, regardless of any consideration whether that entity is a distinct data controller or not.
We used to stick with first definition (which is more obvious), that third party cookies are those which belongs to data controllers not operating with website currently visited by user (for example: Google Analytics cookie).
We’ll need all of those information later, in “When You Don’t Need User Consent” part. For now let’s get to the specific cookie types.
User input cookie
User input is rather generic term, which can mean every cookie that stores user form data. Such data can be gathered due to exchanging series of messages between user and server. For example: cookie that stores your full name or last login you used on site.
Each HTTP request is stateless. It means that each page view is standalone. Because of that your sent login and password, even if correct, cannot be saved for next requests – you need to authorize each request. And that’s were authentication cookies are kicking in. They store a state of your current login session (in most cases server-side session id would be stored). Browser is sending this information with each request, so you don’t need to provide credentials every time.
Those cookies are connected with previous type. To provide higher security level, most of authentication systems are protected from abuses in many different ways. In some countries you even have law describing best practices for that. For example, application should provide a way to check last failed login attempts. Ot, after specific count of failures account is automatically blocked. User security purposes cookies are used specificaly for logging such attempts.
I’ll be covering best security practices all over the world in my next articles. If you don’t want to miss it, you definitely need to subscribe!
Multimedia player session cookie
Can you believe, that YouTube exist only for 10 years now? It was created by three former PayPal employees in February 2005. I could’ve sweared that it’s been much longer than that.
But probably you realized one of its functions where you close browser with some YouTube movie, and when you reopen it – movie continue from the point where you’e stopped. Multimedia player session cookies deserves credit here.
In order to get it working in this way, player must save cookie with current video status every few seconds. Also, those cookies are storing more technical data needed to play video, such as image quality, frame rate or other buffering parameters.
Load balancing session cookie
Load balancing is a technique which allows distributing requests between many machines realizing same function. It protects from overloading one specific server. There are many ways in which redirect to specific server can be saved. One of them is storing such information in load balancing cookie.
The cookie data contains one specific communication endpoint, and because of that it’s critical for communication purposes. Remember that, as it also would’ve special meaning in EU documents.
UI customization cookie
User interface customization is available on almost every site. Whether it’s changing language, resizing fonts or even chosing specific layout – it’s up to user. Those information can be stored in UI customization cookies, but for that user must explicitly requested it. For example, default page layout most probably wouldn’t be stored in cookie, until user explicitly changes it in the menu.
Social plugin cookie
Those are one of most spread cookies all over the world. As social media sites grow every year (biggest of it – Facebook – has 900,000,000 unique visitors every month) it has been significant part of every business. You can check Top 15 of Most Popular Social Networking Sites here.
Because all of that, almost on every website you’ll find some kind of social plugin (for example: Facebook widget). These plugins are working definitely better, when visiting user is logged in to such social site. So plugin need to store and access social media site cookies with information about “your friends that like this site” and to identify their members when they’re interacting with it.
Third party advertising cookie
Third party advertising cookies, are those which store information about user behaviour for the purpose of market analysis, ad affiliation or product improvement. Those are responsible for that, when you search in Google for “top 10 ergonomic keyboards” and next you’re on eBay you see mostly ads about newest models of keyboards. That’s because eBay is using third party (in this case Google) advertising cookies.
First party analytics cookie
Analytics are statistical data about each users behaviour on site. It’s crucial to predict how many visitors will be next month and is current server configuration sufficient for that. Cookies in this case are mostly used for identify users which’ve been previously on site (so they’re treated as returning). Also – other information that can be saved is that how user made it to the site. Was it search engine? If yes, what phrase led him here?
And that would be it. In next parts you’ll see what’s the difference between implied or explicit user consent and when you don’t need to ask for it. If you learned today something new – you can subscribe to my newsletter. You’ll be receiving information about new articles, so you’ll stay on top of knowledge about i18n and L10n.
Also, for few days now i’m pretty active on my new Twitter account. Be sure to follow me @paul_tomkiel.