
So, what do you know about cookies? Not the chocolate chip kind, but the “widget” kind that gets into your browser (computer, smartphone or similar) and speeds up your experience, remembers your shopping basket contents and suggests what you would like to wear. Do you know the difference between session cookies, permanent cookies, 3rd party, 1st party, flash and zombie cookies? Potentially baffling if you are not tech-savvy, so let’s have a look at it in simple terms: firstly from the human perspective, and then from the organisational or controller’s point of view.

Take one cookie with which all of you will no doubt be familiar – reCAPTCHA. reCAPTCHA is Google’s “bot detector”, in simple terms a cookie that can tell the difference between a human and a bot, between malicious and risk-free. In its early forms this cookie asked you to identify trees, shop fronts, or traffic lights in a street image, or to recognise some squiggly and fuzzy letters. Nowadays, in its latest iteration, it can be invisibly embedded in every page of a website and collect data about every page that you visit on the internet – it can snapshot your browser window pixel by pixel, it knows where you go with every click of your mouse, it can look at your interests and preferences, and theoretically, based on this, it could target you with advertising. This therefore begs the question, what exactly are Google doing with the data that this cookie is collecting?

Recent case law from Germany tells controllers that they need to think about their cookie policies and behaviours very carefully – RIP pre-ticked check-boxes for consent to cookies.  If you are using cookies on your website then you need to be transparent about this in the text of your privacy and cookie policies.  You need to make sure that you are able to obtain and prove active user consent to the use of their data by cookies – and in order to enable an informed user decision on this, you need to have been open to your users about the data you are collecting and how you are using it, including naming any 3rd parties who have access to it.  Significantly, it does not matter whether the cookie is collecting personal data or not – the rules apply to the capture of any information from a user’s device, thus protecting users from any risk that there is a cookie (or other identifier) hidden in their device without them knowing about it.

With this in mind, is your cookie policy up to scratch?  Does it tell your users about the cookies that you use?  How long the cookies last?  Third parties who may have access to the data collected by the cookies?  Can your users freely give or deny consent to your use of cookies?  If they deny that consent, can they still use your website?  Some food for thought…

About the author

Kerry Berchem

Kerry has worked as an in-house lawyer/Head of Legal in a number of organisations across both the public and private sectors. Through these roles Kerry has been tackling data protection head-on, developing an effective approach to managing personal data.