The Future of web Cookies and GDPR
These days, citizens feel that advertisers and other companies that use third-party cookies are tracking us when we browse the Internet. Many of us think that the risks of collecting data on us by these companies outweigh the rewards received.
In this context, Google recently announced that it was going to ban third-party cookies in its Chrome browser. This announcement has caused some panic in the ad tech industry, while some believe it is a good step towards a more secure Internet.
To understand what third-party cookies are, we must first know the difference between own and third-party cookies.
Own cookies are generally generated and placed on the user’s device by the website that the user is visiting. These cookies are often used to facilitate the user experience and some basic functionalities of the site. For example Own cookies can identify a returning visitor so that they do not have to use the username and password to log in on successive visits. They are usually harmless as they do not “spy” on users. Some analysis tools use their own cookies to collect analysis data. These, however, may sometimes require permission.
On the contrary, third-party cookies are generated and placed on the user’s device by a different website than the one the user is visiting. Most third-party cookies are used for analytical or marketing purposes. For example, cookies placed by an e-commerce site will show ads on another website about a product that you searched for just moments ago. These cookies track user online activity and search history on the website and follow them on other websites to get personalized advertisements. Another example of third-party cookies are those placed by social media plug-ins on other websites to log in or share content.
Third-party cookies are often considered privacy intruders. The absence of third-party cookies does not usually affect the main functionality of the website. And for this reason, they are subject to privacy regulations.
Data privacy legislation, such as the General Data Protection Regulation (GDPR) and the Electronic Privacy Directive, as well as the California Consumer Protection Act (CCPA) have regulations that affect the use of third-party cookies.
While laws like GDPR and CCPA don’t specifically mention third-party cookies, they do have certain standards that will apply to websites that use them. If a website needs to collect and use personal data, such as information that can be used to identify a person, it must inform users about it and obtain their consent. A website can collect user data through cookie identifiers. Therefore, cookies, especially those in the third-party category, are subject to data privacy regulations.
The Electronic Privacy Directive (or the recently announced Electronic Privacy Regulation) has specific guidelines and standards for cookies. This is why it is also known as the EU Cookie Law. The Electronic Privacy Directive obliges a website to obtain the informed consent of users for the use of tracking or third-party cookies. Without consent, the website cannot place cookies on the user’s device.
Some other data privacy laws make consent mandatory for the use of tracking cookies.
In January 2020, Google announced that it will phase out support for third-party cookies in Chrome by 2022. They stated: “Users are demanding greater privacy, including transparency, choice and control over how their data is used, and it is clear that the web ecosystem must evolve to meet these growing demands. “
Google Chrome is not the first Internet browser to do this.
Previously, Apple’s Safari and Mozilla Firefox also phased out support for third-party cookies. Banning third-party cookies is part of Google’s broader scheme to improve privacy, as was done after the launch of its new initiative known as Privacy Sandbox on August 22, 2019. Privacy Sandbox sets new privacy standards on the web and introduces five browser APIs. to protect user privacy and make content open and accessible at the same time, without the use of third-party cookies. These APIs will assist websites with ad targeting (no cross-site tracking), conversion measurement, and fraud prevention, while maintaining user anonymity. Privacy Sandbox proposes to track a group of people rather than an individual.
Google’s announcement is undoubtedly the result of the application of the General Data Protection Regulation (GDPR) of the EU.
Google’s decision to remove third-party cookies received a mixed reaction. While this was a welcome step in protecting user privacy, it will negatively affect ad tech companies, especially smaller ones.
The future of the cookie consent banner will remain intact even if third-party cookies are out of the picture. It is essential to note that Google is not removing all cookies. Chrome will allow cookies that do not belong to the category of third parties. It will only delete cookies that are generated by a different domain than the one the user is visiting. That means that if your website generates cookies that will collect personal data, you must still obtain the informed consent of the user. As mentioned above, some websites may use their own analysis system that uses its own cookies to collect user data. Unless it is aggregated statistical data, you will need the consent of users to place it on your device.
Unless the cookie is “strictly necessary”, you may still need your consent to use it.
The fact is that, regardless of the cookies that your website generates or uses, you must inform users about it. A cookie banner is perfect for this. Also, you still have a year before Google Chrome completely removes third-party cookies. That is, one more year to use those cookies with care and in accordance with data privacy regulations. In addition, one more year to seek alternatives that guarantee safe practices and better privacy.
We will see what more news big technology brings us in relation to data protection regulations from now on. For now, cookie consent banners are here to stay for a long time.
To expand: https://gdpr.eu/cookies/