Data Privacy Myths: Cookies

Most of the issues concerning cookies do not involve privacy or data protection but rather whether they are malicious, slow down your computer or cause pop-ups. Nevertheless, there are some issues concerning privacy and data protection that some people misunderstand. Many fear that cookies make them personally identifiable and track all their on-line activity, which they make available to the companies that manage websites. Neither of these is true always. It is important to understand what cookies are, how they work and what risks they pose.

What is a cookie?

A cookie is a small text file that a website places on your hard drive for different purposes when you access the website. Some cookies are limited to your one browsing session and disappear automatically when you exit your browser. These cookies do not appear on your hard drive and do not collect information from your computer. Other cookies are permanent, in that they do not disappear when you close your browser. They can identify individual users and track their surfing activities on a particular website. They also track information such as the total number of users, the average time users spend on a page and the overall performance of the website.

Normally, the website you are visiting will place the cookies on your hard drive. These are call ‘first-party’ cookies.  They remember what you have added to your shopping basket or data you have put into on one of their forms. Other companies, such as Google Ads, may also put cookies on your hard drive. These are ‘third-party’ cookies. They are responsible for you seeing adverts for the same thing popping up repeatedly on different sites.

The webserver sets the information contained in the cookie and the server can use it whenever you visit the site. Cookies make your user experience faster and easier by remembering details, such as your preferences, registration details or the contents of a shopping cart. Without cookies, you probably would have to re-enter data every time you returned to the same webpage. They are not computer programmes, and they cannot disseminate viruses or malware.

Cookies and privacy/data protection

What we are interested in from a privacy/data protection perspective is to what extent cookies pose a threat to privacy. With respect to personal data, cookies only collect what users input directly to a website, such as when shopping, or indirectly through their user activities, such as what pages they view. They do not surreptitiously access other information stored on the hard drive of a computer.

The privacy issues relating to cookies involve the information you give the website or what you do while you are on the website and how transparent the companies are about processing it. The website company must be able to demonstrate that they have a lawful basis under the privacy/data protection laws that authorises them to collect this personal data and use it (including to share with third parties). This is one reason many websites ask for consent to use non-essential cookies and the personal data that users provide.

Browsers enable you to control the use of cookies with a variety of settings. Use the one that is right for you. Privacy/data protection laws will govern how the website owner processes your data with cookies. If you believe that a website owner has processed your personal data unlawfully, you may make a complaint to our office. It is important to note that it is possible for web adverts to reflect the browsing history of the web browser without collecting personal data. It will take a detailed investigation to determine whether personal data has been involved and if there has been a contravention of the Law.