GDPR, Something Stringent Building Sway, Part VIII-b


Cookies And Cookie Consent Banners For GDPR

In the last issue of this GDPR series, we considered the practical implications of the General Data Protection Regulation (GDPR) for websites and website development, with respect to professional services. This time we take a closer look at cookies (HTTP cookies/web cookies): their history, how they are implemented, and the subsequent recourse to “cookie consent banners.”

What Are Cookies And How They Work

In their earliest and simplest form, cookies are small pieces of data (name=value pairs, originally kept by the browser in a small text file) that websites store on your computer or mobile device to help track your activity and preferences. A cookie is created and sent by a website’s web server when you visit the site, and stored by your browser. The browser then sends the cookie back to the server with every subsequent request to that website. The server uses the cookie to recognise you and remember your preferences.

In present-day practice, a website must obtain a visitor’s permission before using non-essential cookies (see below). It can retain a record of that decision by setting a persistent cookie in your browser. A persistent cookie is one that carries an expiry (an Expires or Max-Age attribute) and therefore survives after the browser is closed, unlike a session cookie, which is discarded when the browser session ends. The persistent cookie can store information such as your consent status, the date and time of consent, and the categories of cookies you allowed. On later visits the website reads that cookie and respects your choices.

The cookie is placed on your computer by the web server using the HTTP protocol. The web server sends an HTTP response header called Set-Cookie, which contains the name, value, and attributes of the cookie. The browser stores the cookie according to those attributes, such as the expiration date (Expires or Max-Age), the Domain, and the Path, and consults the same attributes on each later request to decide whether the cookie is sent back. Three further attributes matter for security: Secure (send the cookie only over HTTPS), HttpOnly (hide it from JavaScript, so an injected script cannot read it) and SameSite (limit sending on cross-site requests, which blunts cross-site request forgery).

Here is an example of an HTTP response that sets a cookie:

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: consent=yes; Expires=Wed, 21 Oct 2025 07:28:00 GMT; Domain=example.com; Path=/

This header sets a cookie named consent with the value yes, which expires on October 21, 2025. Because the Domain attribute is given, the cookie applies to example.com and all of its subdomains (omitting Domain would restrict it to the exact host that set it), and Path=/ makes it apply to every path on those hosts. The browser will store the cookie and send it back with every request to example.com or a subdomain until the expiry date passes. Note that this example carries no Secure or SameSite attribute; a consent cookie set in practice should add at least Secure and SameSite=Lax.
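As an added example, not code from the article, the following JavaScript is a minimal cookie jar that parses Set-Cookie headers and applies the Domain, Path, Expires/Max-Age and Secure attributes the way a browser does when deciding whether a stored cookie is sent with a later request. The hostnames, paths and dates used with it are constructed for illustration.

```javascript
// Added example (not the article's code): a minimal cookie jar that parses
// Set-Cookie headers and applies their attributes the way a browser does.
// Hostnames, paths and dates used with it are constructed for illustration.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie must start with name=value');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: null,    // null means a host-only cookie (no Domain attribute)
    path: '/',
    expires: null,   // Date parsed from Expires=
    maxAge: null,    // seconds from Max-Age=, which takes precedence over Expires
    secure: false,
    httpOnly: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    switch (key) {
      case 'expires': cookie.expires = new Date(val); break;
      case 'max-age': { const n = parseInt(val, 10); if (!Number.isNaN(n)) cookie.maxAge = n; break; }
      case 'domain': cookie.domain = val.replace(/^\./, '').toLowerCase(); break;
      case 'path': cookie.path = val.startsWith('/') ? val : '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val; break;
      default: break;  // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// RFC 6265 domain-match: the host is the domain itself or a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 path-match: the request path is the cookie path or a sub-path of it.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store the cookies from a response received from `url` at time `now`.
  setFromResponse(url, setCookieHeaders, now = new Date()) {
    const u = new URL(url);
    for (const header of setCookieHeaders) {
      const c = parseSetCookie(header);
      // A server may only set cookies for its own host or a parent domain.
      if (c.domain !== null && !domainMatches(u.hostname, c.domain)) continue;
      c.hostOnly = c.domain === null;
      if (c.hostOnly) c.domain = u.hostname;
      // Max-Age wins over Expires; neither present means a session cookie.
      c.expiresAt = c.maxAge !== null
        ? new Date(now.getTime() + c.maxAge * 1000)
        : c.expires;
      // A cookie with the same name, domain and path replaces the old one
      // (this is also how a site deletes a cookie: re-set it with Max-Age=0).
      this.cookies = this.cookies.filter(
        (o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
      this.cookies.push(c);
    }
  }

  // Build the Cookie request header for `url`, or '' if nothing applies.
  cookieHeaderFor(url, now = new Date()) {
    const u = new URL(url);
    const sent = this.cookies.filter((c) => {
      if (c.expiresAt !== null && c.expiresAt <= now) return false;  // expired
      if (c.secure && u.protocol !== 'https:') return false;         // Secure: HTTPS only
      const domainOk = c.hostOnly
        ? u.hostname === c.domain
        : domainMatches(u.hostname, c.domain);
      return domainOk && pathMatches(u.pathname, c.path);
    });
    return sent.map((c) => `${c.name}=${c.value}`).join('; ');
  }
}
```

Feeding the article’s Set-Cookie line into the jar and then asking for the Cookie header for https://shop.example.com/cart returns consent=yes, because the explicit Domain attribute covers subdomains; a cookie set without Domain from example.com is not sent to shop.example.com, a Secure cookie is withheld on plain http://, and a Path=/account cookie is sent to /account/settings but not to /accounts.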

A more complex example of a cookie, in human-readable form, carrying various pieces of information such as the user ID, browsing history, site-specific configuration, site behaviour, credentials, location, and contact information would be as follows. This is only an illustration of what a site might pack into a cookie, not a recommendation: everything in it can be read and altered by whoever holds the device, and by anyone on the network path if the cookie is sent without Secure, so credentials, location and contact details have no place in a cookie. A well-designed site keeps such data server-side and stores only an opaque session identifier in the cookie.

  Cookie Name: userSessionInfo
  Unique User ID: U1234567890
  Browsing History: ["home", "products", "product_12345", "about_us", "contact", "blog", "blog_post_67890", "terms", "privacy_policy", "checkout"]
  Site-Specific Settings/Preferences: {"theme": "dark", "language": "en-US"}
  Frequency of Visits: 14 times in the last month
  Duration of Website Visits: Average of 5 minutes per visit
  Login Credentials: {"username": "user123", "password": "encrypted_password"}
  Geolocation: {"latitude": "10.654321", "longitude": "-61.501928"}
  IP Address: "192.168.1.1"
  Contact Information: {"email": "user123@example.com", "phone": "+18001234567"}

The same information stored as a single string on the visitor’s device would look like this:

userSessionInfo=U1234567890|home,products,product_12345,about_us,contact,blog,blog_post_67890,terms,privacy_policy,checkout|theme=dark&language=en-US|visits=14&avg_duration=5|credentials=user123&encrypted_password|geo=10.654321,-61.501928|ip=192.168.1.1|contact=user123@example.com&+18001234567

History of Cookies

HTTP cookies, also known as web cookies or browser cookies, have a history that dates back to the early days of the web. In 1994, to address the problem of maintaining state over the stateless HTTP protocol, Lou Montulli of Netscape Communications Corporation invented the HTTP cookie, a term derived from the Unix programming term “magic cookie,” meaning a packet of data a program receives and later sends back unchanged. Because cookies let a site recognise a returning visitor, they raised concerns that user behaviour could be tracked, which became a matter of public debate in 1996. In the late 1990s, browsers began to offer settings that let users view, block and delete cookies. By the 2000s, cookies were a standard part of the web experience, used for everything from session management to personalisation and tracking.

The European Union’s ePrivacy Directive (2002/58/EC), as amended in 2009, required websites to obtain informed consent from users before storing non-essential cookies on their devices; member states had until 2011 to bring the amended rules into national law, which is why 2011 is usually cited as the start of the “cookie law.” Following this, on 25 May 2018 the General Data Protection Regulation (GDPR) came into effect in the EU, further regulating the use of cookies by defining the standard of consent that the ePrivacy rules rely on: freely given, specific, informed and unambiguous.

Throughout their history, cookies have evolved to become more secure and privacy-focused: the Secure, HttpOnly and SameSite attributes, browser restrictions on third-party cookies, and the regulations above now guide their use and implementation. They remain a fundamental technology for enabling interactive and personalised web experiences.

What Are Cookie Consent Banners

On websites, consent banners work together with HTTP cookies: they obtain your consent for the use of cookies and, once you have chosen, set a cookie on your browser that records your choice. A banner notifies you about the use of cookies when you first visit a website, explains what cookies are and how they are used, and asks your permission before non-essential cookies are stored on your device, which is a requirement under privacy laws such as the GDPR. It gives you control by listing the categories of cookies used and their purposes and letting you accept or reject each of them; in other words, it gives you control over your stored personal data. This is implemented in code, typically JavaScript in the browser (to show the banner, read and write the consent cookie, and load or suppress tracking scripts accordingly) together with server-side code such as PHP. Banners also help the website or professional services firm keep a record of your consent, which is needed for legal compliance; that record can be held in the consent cookie itself and in a database on the website’s server. Consent banners are therefore a tool for transparency and user control online.

Best practices for implementing a cookie consent banner include the following. Use clear messaging: simple, jargon-free language explaining what the cookies are for and how they will be used. Offer customisation, so that you can choose which categories of cookies you consent to, for example analytics, advertising, or strictly necessary cookies (the last category needs no consent); non-essential categories must be unticked by default, since regulators have rejected pre-ticked boxes, and rejecting should be as easy as accepting. Place the banner where it is visible but unobtrusive, and design it so that it complements the website’s visual scheme. Make it easy to dismiss. Use responsive web design so that it works on every device the website’s audience uses. Make it accessible to all users, especially those with disabilities, which means considering language, screen-reader compatibility and keyboard navigation. Let visitors change their consent choices on subsequent visits, for example through a permanent “cookie settings” link. Keep it up to date with the compliance requirements of the latest privacy laws and regulations.
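As an added example, not the article’s code nor that of any particular consent-banner product, the following JavaScript shows the logic behind a consent cookie: it records the visitor’s per-category choices with a timestamp and a policy version, reads them back on later visits, treats a missing, unreadable or outdated record as “no consent” so that non-essential categories stay opt-in, and decides which third-party scripts may load. The cookie name, its six-month lifetime, the policy version and the script manifest are constructed assumptions.

```javascript
// Added example (not the article's code). Cookie name, lifetime, policy
// version and the script manifest are constructed assumptions.

const CONSENT_COOKIE = 'cookie_consent';
const CONSENT_MAX_AGE = 180 * 24 * 3600;   // six months: a policy choice, not a legal constant
const CATEGORIES = ['necessary', 'analytics', 'advertising'];

// Constructed manifest of the scripts a site might load, tagged by category.
const SCRIPT_MANIFEST = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];

// Build the record the banner stores when the visitor submits their choices.
// 'necessary' needs no consent; every other category is false unless the
// visitor explicitly opted in (no pre-ticked boxes).
function makeConsentRecord(choices, policyVersion, now = new Date()) {
  const record = { v: policyVersion, ts: now.toISOString(), c: {} };
  for (const cat of CATEGORIES) {
    record.c[cat] = cat === 'necessary' ? true : choices[cat] === true;
  }
  return record;
}

// Serialise the record into a Set-Cookie header. The value is percent-encoded
// because cookie values may not contain ';', ',' or whitespace. HttpOnly is
// left off deliberately: the banner script has to be able to read the record.
function consentSetCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_MAX_AGE}; Path=/; Secure; SameSite=Lax`;
}

// Parse a Cookie request header (or document.cookie) into name => value.
function parseCookieHeader(header) {
  const out = {};
  for (const pair of (header || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return out;
}

// Read the stored record. null means "show the banner again": there is no
// cookie, it cannot be parsed, or it was made under an older policy version.
function readConsent(cookieHeader, currentPolicyVersion) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  let record;
  try {
    record = JSON.parse(decodeURIComponent(raw));
  } catch (_e) {
    return null;
  }
  if (!record || record.v !== currentPolicyVersion) return null;
  if (typeof record.c !== 'object' || record.c === null) return null;
  return record;
}

function isAllowed(record, category) {
  if (category === 'necessary') return true;
  return record !== null && record.c[category] === true;
}

// Decide which scripts from the manifest may load for this visitor.
function scriptsToLoad(record, manifest = SCRIPT_MANIFEST) {
  return manifest.filter((s) => isAllowed(record, s.category)).map((s) => s.src);
}
```

With no cookie at all, scriptsToLoad(null) returns only /js/app.js; after the visitor opts into analytics under policy version 2, the analytics tag is added, and bumping the current policy version to 3 makes readConsent return null so the banner is shown again rather than silently reusing stale consent.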

Conclusion

In conclusion, cookies are small pieces of data that websites store on your computer or mobile device to help track your activity and preferences. A website must obtain the user’s or visitor’s permission before using non-essential cookies. Cookies date back to the 1990s, when they were introduced to solve the problem of maintaining state over the stateless HTTP protocol. The European Union’s ePrivacy Directive, as amended in 2009 and transposed by 2011, required websites to obtain informed consent from users before storing non-essential cookies on their devices. In 2018, the General Data Protection Regulation (GDPR) came into effect in the EU, further regulating the use of cookies. Consent banners became a staple of the web following the implementation of these laws, and webmasters must follow the best practices for implementing them. Next time we will consider the implications of the GDPR for email marketing and marketers.

 


–Richard Thomas

 
