When you browse the web, sites use cookies to collect information about your online activity. These trackers can raise privacy and security concerns because they may be used to collect sensitive information about users.
What is a cookie?
A cookie is a small file stored automatically on a user’s device (computer, tablet, or smartphone) by the web browser. It is associated with a domain — the full set of pages on a website — and typically ends with extensions like .com or .fr. On future visits to the same domain, the cookie is sent back to the server to save the user from having to re-login each time.
Originally, cookies were created to ensure session continuity. For example, they allowed an online store to remember the contents of a shopping cart. This use quickly evolved into advertising tracking, making cookies a widely used technology in digital advertising.
Today, cookies serve many purposes:
- recognize visitors through stored user identifiers;
- enable targeted advertising;
- support tracking for advertising purposes;
- collect statistical data;
- collect personal data to track user behaviour;
- analyse traffic;
- remember shopping cart contents.
Some of these uses are necessary for core site functionality or communication, and are therefore exempt from requiring consent. Others, not essential to basic operation, require clear user consent before reading or writing cookies.
Different types of cookies
Third-party cookies
First-party cookies serve only the site that placed them. In contrast, third-party cookies are placed by domains other than the one the user is visiting.
Third-party cookies can:
- track users across multiple sites;
- collect or infer information about them — age, residence, habits;
- build and enrich detailed, potentially intrusive user profiles;
- serve ads that are likely to interest users and drive purchases.
They are created by other websites and stored on domains different from the main site. Third parties can therefore access some of the page’s content (ads, images).
Session cookies
Session cookies are temporary trackers that live in the browser’s memory and expire at the end of a session, once a user leaves or logs out of a site. Some browsers restore sessions after restart, so session cookies may persist longer in those cases.
This type of cookie is mostly used by online shops to remember products added to a cart during a single shopping session.
Persistent cookies
Persistent cookies (or permanent cookies) remain stored on the device’s hard drive for a set period. They stay active even after the session ends and may contain login details, account numbers, contact info, etc. They save users time by avoiding re-entry of information on future visits.
Their operation is based on a defined expiration date or period, which is renewed with each new session. Users can delete these cookies manually via browser settings or extensions.
Supercookies
Supercookies, sometimes called “zombie cookies,” use third-party techniques like fingerprinting. They can regenerate identifiers used to track users even after removal.
Supercookies can be removed:
- voluntarily by the user;
- by browser privacy protection measures.
How does fingerprinting work?
Also known as “device fingerprinting,” this probabilistic technique identifies users uniquely by gathering many technical attributes from their browser — screen size, operating system, and more.
If there are enough unique parameters, they can distinguish one visitor from another and track them similarly to cookies. Unlike cookies, fingerprinting is hard to block without advanced tools, such as extensions that randomize browser parameters.
Laws and regulations on cookies
GDPR
Under the GDPR, cookie usage must be clearly explained to users at the moment they make their choice. A first layer of information may be a concise description of cookie purposes, followed by a more detailed explanation later.
Users must give clear, affirmative consent before non-essential cookies are stored. A cookie banner with a button such as “I accept” can obtain this consent. Silence should be interpreted as refusal. No non-essential cookie may be placed on a user’s device without this clear consent.
You may include a “Reject all” button that is as accessible and prominent as the “Accept” button to give users a clear choice. You may also allow users to refuse cookies by closing the banner.
ePrivacy directive
Still in development, the ePrivacy regulation aims to:
- protect the rights and freedoms of citizens in electronic communications (phone, internet, TV), especially privacy and personal data;
- protect legal entities’ rights when using telecommunication or internet services;
- ensure free movement of data within the EU;
- clarify and complement the GDPR;
- harmonize cookie-related rules.
ePrivacy can be seen as a specialized complement to the GDPR.
5 best practices for cookie management
1. Establish a clear privacy policy
If you collect personal data, the GDPR requires a privacy policy explaining how data is protected and used. Transparency and clarity help reassure users.
2. Obtain user consent (no forced consent)
Article 7 of the GDPR prohibits “bundling” — forcing users to consent to data processing to receive a service, especially when the data processing isn’t necessary for that service.
3. Use a clear cookie banner
Your cookie banner must be visible, prominent, and understandable. Use simple language that all users can easily grasp.
4. Respect user rights
Users whose data is collected have rights: access, portability, notification, erasure, and more. They must be able to exercise these rights with the data controller, whose contact details must be provided on the site and in agreements.
5. Re-ask for consent periodically
The CNIL notes that users can “forget” their consent or change their minds. You should regularly check whether they are still in agreement with their original decision.
The importance of managing cookies well
Since 2017, various modern browsers have limited cookie use for advertising. In 2024, Google plans to be the last major browser to ban third-party cookies in Chrome. However, this does not mean users will no longer be tracked online.
Advertising actors can use alternative targeting methods such as fingerprinting, single sign-on, unique identifiers, or cohort-based targeting.
For advertisers, anticipating a cookie-less future is essential.
Effective cookie management requires understanding the different categories of trackers and conforming to laws and directives that regulate their use. Compliance is mandatory for all organizations processing personal data, whether on their own behalf or for others.
Beyond following best practices, managing trackers requires ongoing adaptation. With the upcoming disappearance of third-party cookies, finding reliable alternatives is urgent.
Cookieless solutions from Dataventure
Dataventure offers multiple cookieless solutions such as:
- data assets
- lookalike audiences — create customised audiences based on your core customer profile, ideal for reaching prospects similar to your current clients
- retargeting — re-engage visitors who showed interest in a product or service via SMS, email, or advertising
Want to become GDPR-friendly? We support you from A to Z in developing your PRM strategy and collecting opt-in profiles. Contact us to learn more.
