What is a Cookie?
A cookie is a small chunk of data placed on a user’s computer when they visit a website.
Cookies are not new—they’ve been around since the beta version of the first web browser—but there has been more discussion of cookies lately due to privacy concerns and legislation to address privacy concerns.
Cookies can make a site easier to use. For example, sites can use cookies to remember information you entered the last time you visited the page. But cookies can also be used for tracking, which raises privacy concerns and legal concerns.
First Party vs. Third Party Cookies
First party cookies are set by the site you visit and are not shared elsewhere. These cookies are often functional, meaning their purpose is to make the site easier to use. Blocking these cookies can cause some features of a page not to work. Most cookie walls do not give you the option to block cookies that are strictly functional in nature, though you can turn them off via browser settings.
Third party cookies are set by a third party, i.e. not directly by the site you are visiting but by a company like Google or Microsoft etc. Most privacy concerns are related to third party cookies.
Most users are unaware of third party cookies and have no idea that visiting the web site of the local animal shelter, for example, could result in sharing their data with thousands of corporations.
Privacy and Legal Considerations
Most legislation focuses on third party cookies as these are the ones that tie together your identity and behavior across multiple sites and sessions, building up a profile of browsing habits and demographic information.
The European GDPR regulation requires all sites to offer users the choice to opt into or out of non-essential cookies such as those used for analytics and advertising purposes. It must be at least as easy to opt out as to opt in, and no penalties can be applied when a user opts out.
The US has no federal laws relating to cookies at the time of writing but several states have their own legislation, such as the California Consumer Privacy Act (CCPA). The CCPA does not require opt-in consent for cookies, but it does require notification that cookies are being used and requires user consent before any associated data may be sold to any third party. However, the US does have a federal law for medical data, HIPAA, which comes into play when cookies and health care mix.
Virginia’s Consumer Data Protection Act (CDPA) requires consent for the processing of sensitive data, and also includes other obligations to safeguard any such data including but not limited to cookies.
The Colorado Privacy Act (CPA), Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), and Utah Consumer Privacy Act (UCPA) also require sites to disclose data collection and in some cases get consent to use or sell personal data.
Privacy laws apply only to users within the jurisdiction of the laws, which interacts awkwardly with the world wide web. Compliance is complicated.