Cookies are a much-discussed topic when it comes to data protection. Many articles explain what cookies are, but inaccuracies often lead to misunderstandings on this topic. In this blog post, we take a closer look at technically necessary cookies and try to shed light on the small but important nuances.
What are strictly necessary cookies anyway?
Cookies are small text files that are stored on your device to ensure the basic functions of a website. This is a widely used definition, but it cannot be left as it is. Although cookies are actually stored in the computer's file system, they do not come directly from the Internet as text files. Rather, they are transferred to the computer as part of loaded HTML or other files or set by executing JavaScript code - often by the JavaScript libraries of external services such as Google Analytics.
However, the exact purpose of a cookie - and therefore its necessity - cannot be readily identified. Whether a cookie is used for tracking purposes or to save the selected language can only be guessed at. Only technical properties such as the name, content and storage duration of a cookie and, in some cases, the domain of the server from which it was set are visible. The actual purpose is determined by how the program code processes the data stored in the cookie. All cookies are therefore technically the same, and their purpose is determined by what the programmer does with them.
Are session cookies always technically necessary?
A session cookie is used to establish a session and to chronologically sequence activities. However, the property "session cookie" or "permanent cookie" only says something about the storage period and not about the intended use: a session cookie is deleted after the browser is closed, whereas a permanent cookie is stored for a period of time specified when it is set.
In many cases, cookies have the task of recognizing the visitor over several page views. In this case, the cookie only contains a unique user ID. The content of the shopping cart, the selected language or the tracking data of a visitor are then stored on the server. A cookie can therefore often not be assigned a clear purpose at all.
Typical examples of the use of cookies
Strictly necessary cookies
The following areas of use are classified as necessary by supervisory authorities:
- Session cookies: these cookies are used to establish a session and to chronologically sequence the user's activities. They are deleted after the browser is closed.
- Shopping cart cookies: These cookies are used to store the items in a user's shopping cart and are essential for the online shopping process.
- Language settings: These cookies store the language selected by the user and ensure that the website is displayed in the preferred language.
- Fraud prevention: Cookies used in online stores to detect and prevent fraudulent activity.
- Prevention of cyberattacks: Cookies used to ensure security-related functions and prevent cyberattacks.
- Opt-out cookies: These cookies enable users to revoke their cookie consent and thus serve to comply with legal obligations.
- Cookies from chat tools or messenger services: These cookies are necessary to ensure the functionality of chat and messenger services on the website.
- Cookies from consent tools: These cookies are necessary to ensure compliance with data protection laws and to store user consent.
Non-essential cookies:
- User tracking for advertising: these cookies are used to track user behavior and display targeted advertising.
- Cookies from external services that are not necessary for the operation of the website: These include, for example, cookies from video or map services that merely provide additional functions but are not necessary for the operation of the website.
Practical procedure for checking cookies
How do you recognize the type of cookie?
As described above, the purpose of the cookie cannot be easily identified because it is determined by how the program code processes the data stored in the cookie.
Practical tips for assigning cookies
Recognizing and assigning cookies can be complicated. For example, it is often only possible to guess what kind of cookie it is based on the name. Cookies in which only language settings are stored are often called "language". However, the programmer of a web application (e.g. the developer of a WordPress plugin or a content tool) can assign any name for the cookies used. Therefore, external auditors must rely on the fact that a cookie with the name "language" saves a language setting, although it could have a completely different task.
Manufacturers of external services (such as Google Analytics or PayPal) sometimes document which cookies are used and what tasks they have. As a result, it is known, for example, that "_ga" is the name of a Google Analytics cookie and is used to distinguish individual users. However, it is often necessary to contact the manufacturer of the web application for a final answer.
A separate shopping cart cookie, for example, often does not exist in web stores; instead, the user is recognized via a session cookie and assigned a shopping cart stored on the server. If all cookies are deleted, the shopping cart is still retained.
The most pragmatic approach when checking a website is to focus on the cookies that are set by external services. These can be assigned by name and the purpose of the service can be used to determine whether the cookie is strictly necessary or not:
- Cookies from a consent tool are probably necessary.
- Cookies from a video service are not necessary for the operation of the website.
- Cookies from an analytics or advertising service are not necessary under any circumstances.
Outlook
Recognizing and assigning cookies is complex and requires a deep understanding of the technical background. As a data protection officer, it is important to carefully check which cookies are strictly necessary and which are not.
Relying on empirical values or regular inquiries to the manufacturer is often impractical and time-consuming for data protection officers.
This is why there are tools such as decareto, which have an extensive database and make handling cookies much easier for data protection officers. If you would like to try out decareto, then you can register for a demo via this link: https://decareto.com/de/demo/
