Reinvent Energy

What is a cookie?

GDPR – What a cookie is

A cookie is a small file, generally made up of letters and numbers, which is downloaded into the memory of a computer (or of other equipment used for online browsing - mobile phone, tablet, etc.) when the user accesses a certain website.

Cookies are created when the browser used by a user displays a certain website. The website transmits information to the browser and it creates a text file. Each time the user accesses that website again, the browser accesses and transmits this file to the website’s server. In other words, the cookie can be seen as an Internet user ID card which notifies the website every time the user returns to that site.

Example:
For a Windows XP and Mozilla Firefox user, the cookies stored on their computer are in the following location:

C:\Documents and Settings\[user_name]\Application Data\Mozilla\Firefox\Profiles\[profile_name].default\cookies.sqlite

A cookie can look like this:
PHPSESSID=qa79lq3ebfer7hauhntcdhf5s1

Cookie roles

GDPR – The purpose of cookies

Cookies can provide faster and easier interaction between users and websites. For example, when authenticating a user on a particular website, the authentication data is stored in a cookie; the user can then access the site without having to authenticate again.

In other cases, cookies can be used to store information about the activities of a user on a certain webpage so that he/she can easily resume these activities when accessing the site again. Cookies tell the server what pages it needs to show to the user, so that the user does not have to remember or navigate the entire site from the start. Thus, cookies can be likened to “bookmarks” that tell users exactly where they left off on a website.

Similarly, cookies can store information about products ordered by the user on an ecommerce site, thus making possible the concept of “shopping cart”.

Cookies can also provide websites with the ability to monitor the online activities of users and set up user profiles that can then be used for marketing purposes. For example, based on cookies, the products and services liked by a user can be identified, and this information can subsequently be used to send appropriate advertising messages to that user.

It is important to mention that Romanian websites have the obligation to publicly state whether they use cookies and for what purpose.

Cookie types

GDPR – Cookie types

3.1. Cookies specific to an online session
Webpages have no memory. A user browsing from one webpage to another will be considered by the website as a new user. The session-specific cookies typically store an identifier that allows the user to go from one webpage to another without having to enter the identification information (username, password, etc.) every time. Such cookies are widely used by commercial sites, for example, to keep records of products added by users to their shopping carts. When users visit a certain page of a product catalogue and select certain products, the cookie remembers the selected products and adds them to the shopping cart that will contain all the products selected when the users want to leave the page.

Session-specific cookies are stored in the users’ computer memory only during an Internet browsing session and they are deleted automatically when the browser is closed. They may also become inaccessible if the session is inactive for a certain period of time (usually 20 minutes).

3.2. Permanent, persistent or stored cookies

Persistent cookies are stored on the user’s computer and they are not deleted when the browsing session is closed. These cookies can remember the preferences of a user for a particular website so that they can be used in other Internet browsing sessions.

In addition to the authentication information, persistent cookies can also remember details regarding the selected language and theme on a particular website, the website menu preferences, favourite pages inside a website, etc. When the user accesses a website for the first time, it is presented in the default mode. Subsequently, the user selects a series of preferences, which are then remembered by the cookies and used when the user accesses the website again. For example, a website offers its content in several languages. During the first visit, the user selects English and the website remembers this preference in a cookie. When the user revisits the website, the content will be automatically displayed in English.

Persistent cookies can be used to identify individual users and thus to analyse user behaviour online. They can provide information about the number of visitors to a website, the time (on average) spent on a particular page, and generally the performance of a website. These cookies are configured to be able to track user activities for a long time, in some cases even years.

3.3. Flash cookies

If the user has Adobe Flash installed on the computer, small files can be stored in the memory of that computer by websites containing Flash elements (such as video clips). These files are known as “local shared objects” or “flash cookies” and can be used for the same purposes as regular cookies.

When regular cookies are deleted via a browser’s functions, flash cookies are not affected. Thus, a website that uses flash cookies can recognize a user on a new visit if the data specific to the deleted cookies is also remembered in a flash cookie.

Since flash cookies are not stored in the user’s computer similarly to how regular cookies are stored, they are more difficult to identify and delete. Banks and financial sites use these cookies for that very reason. As they are difficult to identify, these cookies are stored on the users’ computers to allow users to authenticate and prevent fraud, since potential offenders may have the user name and password for authentication but they do not have access to the user’s computer. Thus, cookies act as a second level of authentication, in addition to your username and password.

3.4. First party cookies vs. third party cookies

Each cookie has an “owner” - the website / Internet domain that places that cookie.

First party cookies are placed by the Internet domain / website accessed by the user (whose address appears in the browser address bar). For example, if the user visits www.apti.ro and the domain of the cookie placed on the computer is www.apti.ro, this is a first party cookie.

A third party cookie is placed by an Internet domain / website other than the one accessed by the user; this means that the accessed website also contains information from a third-party website - for example, an ad banner displayed on the accessed website. Thus, if the user visits www.apti.ro but the cookie placed on his / her computer has the domain www.trafic.ro, this is a third party cookie.

The Article 29 Working Group (made up of the national data protection authorities of the Member States of the European Union) considers that, from a legal point of view, and taking into account European legislation, the notion of “third party cookie” refers to a cookie placed by a controller [1] that is distinct from the one that operates the website visited by the user. Third party cookies are not strictly necessary for a user accessing a website, as they are typically associated with a service that is distinct from the one explicitly “requested” by the user (by accessing the website).

Cookie access

GDPR – Cookie access

The cookies used on our site, as well as their use, are listed in the table below:

The site is built on a PHP-type platform and the PHPSESSID cookie is the identifier of the PHP session. Deleting or blocking it may affect the functioning of the entire site.

It is a cookie of the Google Analytics script, which monitors and reports the traffic on this site.

It is a cookie of the Google Analytics script, which monitors and reports the traffic on this site.

It is a cookie of the Google Analytics script, which monitors and reports the traffic on this site.

It is the cookie required to display and use the chat module of the site, a module displayed in the bottom right corner of each page accessed by the client.

Deleting cookies

GDPR – Cookie deletion

Detailed information on how to manage, deactivate and delete cookies in the settings of the browser used for Internet browsing is available at the following addresses:

8.1. Internet Explorer
Deletion and management of cookies (IE 8, 9 and 10):

Internet Explorer 8
Internet Explorer 9
Internet Explorer 10

8.2. Mozilla Firefox
Settings for cookies and cookie troubleshooting (cookie activation and deactivation, cookie removal, blocking the placement of cookies by certain sites, unlocking the placement of cookies)

Delete cookies to remove information stored on your computer by other webpages

8.3. Google Chrome
Cookie management (deletion, blocking, allowing, setting exceptions, etc.)

Management of cookies and site data

8.4. Safari
Manage cookies (only in English)
Safari 6 (OS X Mountain Lion): Manage cookies

Remove cookies (only in English)
Safari 6 (OS X Mountain Lion): Remove cookies and other data

8.5. Opera
Cookie management and deletion (only in English)

Management of cookies and site data

Useful information

GDPR – Useful information

4. The cookies from the perspective of IT security and privacy

Although cookies are stored in the memory of the Internet user’s computer, they cannot access/read other information on that computer. Cookies are not viruses. They are just small text files; they are not compiled code and they are not executable. Thus, they cannot copy themselves, they cannot spread to other networks to generate actions and they cannot be used to spread viruses.

Cookies cannot search for information on the user’s computer, but they store personal information. Such information is not generated by cookies, but by the user, when he/she fills in online forms, registers on certain websites, uses electronic payment systems, etc. Although the sensitive information is generally protected against the use by unauthorised persons, it is possible for such persons to intercept the information transmitted between the browser and the website. Even if they are rare, such situations may occur when the browser connects to a server using an unencrypted network, such as an unsecured WiFi channel.

To reduce the risk of cookie interception, the so-called “secure cookie” and “HttpOnly cookie” can be used. The “secure” attribute limits the transmission of the information stored in a cookie to encrypted channels: it tells the browser to send the cookie only via secure / encrypted connections. Thus, if the website uses HTTPS and its cookies are marked with the “secure” attribute, the browser does not transmit them to a non-HTTPS page, even if it is located at the same address. For example, if google.ro uses a “secure cookie”, that cookie can only be obtained from google.ro and only via an HTTPS connection (certifying that the one requesting the cookie is Google Inc, not someone else). The “HttpOnly” attribute tells the browser to use the cookie only through the HTTP protocol (which includes HTTPS). An HttpOnly cookie cannot be accessed by non-HTTP methods, such as JavaScript, and so cannot be read by a script injected through a cross-site scripting attack.[2]
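The two attributes described above can be checked mechanically on the Set-Cookie headers a site returns. The following is an added example, not code from this site: the function names are hypothetical and the header strings are constructed samples (the PHPSESSID value is the one shown earlier on this page). It also classifies each cookie as session or persistent, as described in sections 3.1 and 3.2.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly
# attributes and classify the cookie lifetime. All headers are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, val = piece.partition("=")
        # Attribute names are case-insensitive; flags such as Secure carry no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def lifetime(attrs):
    """Return 'session', 'persistent' or 'deleted' for a parsed cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            pass  # unparsable Max-Age is ignored; fall back to Expires
    # An Expires date in the past also deletes a cookie; dates are not evaluated here.
    return "persistent" if "expires" in attrs else "session"


def audit(header):
    """Report which protective attributes a Set-Cookie header lacks."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing-secure")    # browser also sends it over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing-httponly")  # readable through document.cookie
    return {"name": name, "lifetime": lifetime(attrs), "findings": findings}


# Constructed sample headers: a bare session cookie, the same cookie hardened,
# a persistent preference cookie, and a deletion instruction.
SAMPLE_HEADERS = [
    "PHPSESSID=qa79lq3ebfer7hauhntcdhf5s1; path=/",
    "PHPSESSID=qa79lq3ebfer7hauhntcdhf5s1; Path=/; Secure; HttpOnly",
    "lang=en; Max-Age=31536000; Path=/; Secure",
    "theme=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly",
    "lang=; Max-Age=0; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(audit(header))
```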

Another source of concern is the use of cookies for behavioural targeted advertising. Thus, cookies can be used by online advertising companies to monitor the user’s behaviour and online preferences in order to identify and deliver the most relevant advertising messages to the user. However, these preferences are not explicitly or consciously expressed by the user, but modelled according to the history of the user’s online browsing, the pages viewed by the user, the advertisements accessed. For example, when a user reads a webpage about cars and then moves to another page, car advertisements will be displayed on the new page, even if it is not related to cars. As the user is not informed that his/her online actions are being monitored, this raises concerns about privacy.

Thus, the use of cookies raises concerns about the use of information remembered by these cookies for the purpose of monitoring users and using spyware technologies, especially in cases where the information is stored on the users’ computers and used for their recognition without the user’s knowledge or consent in this regard.

5. Regulating the use of cookies

The use of cookies and the obligations of suppliers are regulated both in the European Union legislation and in the national legislation.


Thus, Directive 2002/58/EC (PDF) concerning the processing of personal data and the protection of privacy in the electronic communications sector, amended by Directive 2009/136/EC (PDF), provides:

“Article 5 (3) Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

These provisions have been transposed into national legislation in Law 506/2004 concerning the processing of personal data and the protection of privacy in the electronic communications sector, as amended and supplemented:

“Article 4

  • (5) The storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed if the following requirements are cumulatively met:
    1. - such subscriber or user expressed his/her consent;
    2. - the subscriber or user in question was provided, prior to giving his/her consent, in accordance with the provisions of Article 12 of Law 677/2001, as amended and supplemented, clear and complete information which:
      1. - is displayed in a language that is easy to understand and access by the subscriber or user;
      2. - includes references to the purpose of processing the information stored by the subscriber or user or the information to which he/she has access.

If the provider allows third parties to store or access information stored in the terminal equipment of the subscriber or user, the notification in accordance with (i) and (ii) will include the general purpose for processing this information by third parties and how the subscriber or user may use the Internet browser settings or other similar technologies to delete stored information or to deny third parties access to this information.


  • - (5¹) The consent provided for in paragraph (5) (a) can also be given by using the settings of the Internet browser or other similar technologies through which the subscriber or user can be deemed as having given his/her consent.
  • - (6) The provisions of paragraph (5) shall not prejudice the possibility of storing or technically accessing the stored information in the following cases:
    1. - when these operations are performed exclusively for the purpose of transmitting a communication through an electronic communications network;
    2. - where such operations are strictly necessary to provide a service of the information society, expressly requested by the subscriber or user.”

According to these provisions, the use of third party cookies is permitted under the following conditions:


  • - informing users, in a clear, complete and easily accessible manner, about:
    • - the placement, by a certain website, of cookies in the user’s computer memory;
    • - the purpose of using cookies (the information stored in cookies and the purpose for which it is used);
    • - the ways the user can delete the cookies or may refuse the access of third parties to the information stored by those cookies;
  • - obtaining the user’s consent to the placement of cookies and the use of the information contained therein.
  • - although user consent can also be expressed via the settings of the browser used to browse the Internet, in this case it is also necessary to inform the user in advance about the placement of cookies and their purpose.


The exceptions provided in the European and national legislation allow the use of first party cookies without observing the obligation to obtain the user’s consent. In addition, in June 2012, the Article 29 Working Party issued an opinion (PDF) clarifying these exceptions:


  • - some cookies may be exempted from the obligation to obtain the user’s informed consent under certain conditions and if they are not used for additional purposes. Such cookies include: cookies used to store information entered by a user when filling in an online form, cookies used to store the technical data needed to run video and audio content, and the cookies used to customize the webpages (for example, those that memorize preferences related to the language the content of a website is displayed in).
  • - first party cookies do not pose a risk to the privacy of users if the website provides users with clear information on the use of cookies, as well as privacy safeguards (for example, making available an easy mechanism for the user to request that his/her data not be collected) and if the anonymization of authentication information is ensured.


6. The “Do Not Track” mechanism

As we pointed out in section 5, at European level there are regulations regarding the monitoring of the users’ online activities for marketing purposes, and it is generally necessary to obtain the consent of the user for such practices. However, such situations are less regulated in other parts of the world. Under these conditions, the World Wide Web Consortium (W3C) is currently working on a technical (and technologically neutral) “Do Not Track” standard. Users will be able to use this standard to tell browsers to signal to advertisers that they do not want their online activities to be monitored.

W3C indicates that “users have the right to know which data will be collected and for what purpose it will be used. Having this information, they can decide whether to allow or not the monitoring of online activities and the collection of personal data. Many Internet companies use the data collected in connection with the online activities of the users to customize the content provided to users and direct them to relevant advertising messages, according to the interests identified based on the collected information. Although some users value this customization of content and advertising messages in certain contexts, others are concerned about what they perceive to be a privacy invasion.

Under these circumstances, users need a mechanism that allows them to express their preferences about the monitoring of the online activities; this mechanism must be easy to configure and efficient. In addition, websites that cannot or do not want to provide content without offering behavioural advertising at the same time or without collecting data about users need a mechanism to indicate this to users and allow them to make an informed decision.”

The goal of the “Do Not Track” standard is to “give users the opportunity to express their personal choices about the monitoring of their online activities and to communicate these options to each server or web application they interact with, allowing each accessed service to adjust its practices according to the user’s options or to reach a separate agreement with the user, convenient for both parties. The basic principle is that the expressed monitoring preferences are only conveyed when reflecting a deliberate option of the user. In the absence of a user option, it is considered that the preference for the monitoring of online activities is not expressed.”


Do Not Track functionalities for browsers

Options to prevent the monitoring of users’ online activities are implemented today in various forms, from Internet Explorer 8, which offers the possibility to block third-party sites that leave content when visiting a website, to the new extensions, add-ons and options in the browser preferences. In the absence of the standard mentioned above, the method of enabling this functionality is more obvious in some browsers, while it is more obscure in others. Instructions for setting the Do Not Track mechanism for Safari, Internet Explorer 9, Firefox and Chrome are available here.

Being one of the last to introduce this functionality, version 23 of Google Chrome offers the possibility to install the extensions Do Not Track Me, AVG Do Not Track or Keep My Opt-Outs, which block the cookies and prevent (at present) only the American advertising companies from customizing ads according to the online behaviour of the user.

Firefox, besides the Do Not Track Me add-on, offers the option “Tell web sites I do not want to be tracked”, configurable in the Privacy menu. Moreover, in Internet Explorer 10, Do Not Track is a default option. The decision made by Microsoft prompted some very strong reactions, and companies such as Yahoo and Apache said that they will ignore the Do Not Track signals of Internet Explorer 10.

Another tool that can be installed in most browsers (and even as an iOS app) is Ghostery. Ghostery scans the page you visit and notifies you about the elements installed by third-party sites to track your activity. You can then set your preferences according to the menu categories: advertising, analytics, beacons, privacy, widgets. More information is available here.

Note that not all Do Not Track functionalities block cookies. Thus, it is a good idea to check what is included in each Do Not Track extension and to choose the one that best represents the limitations you want to pass on to sites that monitor your internet activity.

An interesting overview is available here.

Complaints

GDPR – complaints and notifications

Should you wish to file complaints or notify irregularities in the use of cookies in relation to this site, please do so via the contact form, available here.

Thank you!
