Website cookies: what they are and how they work

Over the last few years, legislative measures relating to a website’s privacy policy such as the Cookie law and the GDPR (General Data Protection Regulation) have focused on cookies and their ability to record navigation data. Here below, we’ll give the precise definition of “cookies” and their function.

Cookies are small text files that store certain information about a user’s online activity, they are generated by web servers and recorded in the browsers where they remain until they become inactive or are deleted.

Thanks to cookies, you can access a platform’s reserved area and your session remains active, or you can insert products in an e-commerce cart, and they remain stored. At a technical level, their main purpose is to remember user actions and preferences to provide a personalized service.

A cookie can be essential for the operation of a service. This is true in the case multiple stage features where each step must be registered.

Following the example of online shopping, the necessary steps could be product selection, order and payment. Cookies allow you to keep track of it so that you can get to the checkout without losing essential data for the completion of the operation.

There are also cookies useful analyzing use characteristics, e.g., as geographical location or type of device, and others to obtain more detailed profiling. These are used in marketing for personalized advertising.

Cookies are not all the same, so we can distinguish them according to purpose and operation.

A useful yardstick for classifying cookies is the duration. Here, we mean their period of validity. There are three types of cookies:

• session cookies
• permanent cookies
• routine

Session cookies are characterized by the shorter life cycle, their duration is in fact linked to the time spent on a website or the use of its functionality and are however deleted when the browser is closed.

Persistent cookies store some user data and may have an expiration date. They are used, for example, in login procedures to prevent users from having to repeat authentication whenever they wish to interact with a site. Think for example of the platforms of the Google network (Gmail, Drive or Google Search).

Routines, today used less because of privacy regulations, have long been the prerogative of plugins (e.g., video players) and self-replicate to work even if the browser cache is emptied.

You can further distinguish cookies by ownership. Who owns browser-generated cookies?

So here we have:

• first party cookies – saved on the domain where the user is browsing
• third-party cookies – stored on a domain different from the one visited by the user.

First party cookies are managed by the web server and aren’t accessible from other websites. One example is the cookies used so that you can set the language you use for site content.

Closely related to the quality of the user browsing experience, they can be session or permanent cookies depending on the service they provide.

Third-party cookies are visible from several websites and allow you to perform tracking activities. For this reason, they are often used for marketing purposes.

Their main purpose is usually user profiling. This has created concerns regarding the privacy protection. As a result, Google, a developer of Chrome, has plans to stop supporting them. Instead, it plans to introduce an alternative technology in the future, called FLOC (Federated Learning of Cohorts). Instead of profiling the individual user, this creates user sets with similar characteristics.

The distinction of cookies according to the cookie law

The cookie law, European legislation that established the obligation to obtain the informed user consent for certain types of cookies, has introduced new categories distinguishing cookies based on their purposes.

These categories allow is to distinguish between:

• technical cookies
• analytical cookies
• profiling cookies

Technical cookies are those essential for website operation or the service for which the site was created. The shopping cart of an e-commerce store requires, for example, cookies to store products, otherwise users could not purchase them. In this case, however, the data collected should be limited what is needed for this operation.

Analytical cookies, on the other hand, store more data because they provide information and metrics useful for formulation of statistics. With them, a website owner can understand, for example, what days of the week the most traffic is generated, find out in what geographical areas its visitors reside, what pages generate longer stay times or are discarded more frequently and various other useful information to maximize productivity.

Finally, profiling cookies are those that collect enough data to allow the creation of detailed user profiles. They allow a high level of customization of both the service and the content, including the display of commercial proposals tailored by user preference, habit and behaviors.

Specifically, the cookie law mainly deals with profiling and third-party cookies. Since they aren’t needed to provide a service, the user must be allowed to express informed consent.

According to European legislation and the recent guidelines on consent of the EDPB for legitimate use of cookies, in general, the following are needed:

1. users are provided with appropriate information on their use;
2. in the absence of specific user consent, only technical cookies are activated
3. the activation of analytical and profiling cookies takes place only after the user has granted specific consent
4. access to site services and functionalities is not affected by the user’s consent to what is known as the cookie wall, i.e., the screen (wall) that appears to visitors to a specific site and which requires them to accept all cookies before access the web service you want

With reference to point 3, we should also point out that actions such as scrolling a page – in comparison to before the above guidelines were issued – can no longer be interpreted as consensus, and therefore acceptance. These actions may in fact be difficult to distinguish from other activities that a user performs on the site and therefore cause confusion on the actual granting of consent. So, we need a positive, unequivocal activity such as, for example, clicking an “Accept” button.

Cookies are a tool used by websites to collect information about visitors. Knowing how they work helps users protect their privacy and those conducting an online activity choose the best ways to acquire the information they need for their work.