Busting Data Protection Myths - Cookies

In my previous blog, I addressed a number of data protection myths. In this blog, I will examine myths around cookies. Most of the issues concerning cookies do not involve privacy or data protection but rather whether they are malicious, slow down your computer or cause pop-ups. Nevertheless, there are some issues concerning privacy and data protection that some people misunderstand. Many fear that cookies make them personally identifiable and track all of their on-line activity, which they make available to the companies that manage websites. Neither of these is always true. It is important to understand what cookies are, how they work and what risks they pose.

What is a cookie?

A cookie is a small text file that a website places on your hard drive for different purposes when you access the website. Some cookies are limited to a single browsing session and disappear automatically when you exit your browser. These cookies do not appear on your hard drive and do not collect information from your computer. Other cookies are permanent, in that they do not disappear when you close your browser. They can identify individual users and track their surfing activities on a particular website. They also track information such as the total number of users, the average time users spend on a page and the overall performance of the website.

Normally, the website you are visiting will place the cookies on your hard drive. These are called ‘first-party’ cookies. They remember what you have added to your shopping basket or data you have put into one of their forms. Other companies, such as Google Ads, may also put cookies on your hard drive. These are ‘third-party’ cookies. They are responsible for you seeing adverts for the same thing popping up repeatedly on different sites.

The webserver sets the information contained in the cookie and the server can use it whenever you visit the site. Cookies make your user experience faster and easier by remembering details, such as your preferences, registration details or the contents of a shopping cart. Without cookies, you probably would have to re-enter data every time you returned to the same webpage. They are not computer programmes and they cannot disseminate viruses or malware.
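
To make the session/permanent and first-party/third-party distinctions concrete, here is an added example (not part of the original blog) that classifies the `Set-Cookie` headers a browser receives while loading one page. The hostnames, cookie names and values are constructed, the two-label "site" comparison is a simplifying assumption, and the example goes slightly beyond the text by also recognising headers that delete a cookie.

```javascript
// Constructed sample: Set-Cookie headers seen while loading a page on
// www.shop.example (all hostnames and cookie values are made up).
const PAGE_HOST = "www.shop.example";
const OBSERVED = [
  { host: "www.shop.example", header: "basket=3f9a; Path=/; HttpOnly" },
  { host: "www.shop.example", header: "prefs=lang-en; Max-Age=31536000; Path=/" },
  { host: "www.shop.example", header: "old=; Max-Age=0; Path=/" },
  { host: "ads.tracker.example",
    header: "uid=a81c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure" },
];

// Split "name=value; Attr=val; Flag" into a name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest.filter(Boolean)) {
    const i = a.indexOf("=");
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Session cookies carry neither Max-Age nor Expires; Max-Age wins if both
// are present, and a zero/negative or past lifetime means "delete this cookie".
function lifetime(attrs, nowMs) {
  if ("max-age" in attrs) return Number(attrs["max-age"]) > 0 ? "persistent" : "deleted";
  if ("expires" in attrs) return Date.parse(attrs.expires) > nowMs ? "persistent" : "deleted";
  return "session";
}

// Simplification (assumption): treat the last two host labels as the "site".
// Real browsers consult the Public Suffix List instead.
const site = (host) => host.toLowerCase().split(".").slice(-2).join(".");

function auditCookies(pageHost, observed, nowMs = Date.now()) {
  return observed.map(({ host, header }) => {
    const { name, attrs } = parseSetCookie(header);
    return {
      name,
      lifetime: lifetime(attrs, nowMs),
      party: site(host) === site(pageHost) ? "first-party" : "third-party",
    };
  });
}

console.table(auditCookies(PAGE_HOST, OBSERVED));
```

The long-lived third-party row is the kind of cookie that consent banners for non-essential cookies are concerned with; the session-only first-party basket cookie is the kind a site needs in order to function.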

Cookies and data protection

The EU provides additional regulation regarding the use of cookies under the E-Privacy Directive (the EPD) which the UK transposed into its domestic legislation by way of the Privacy and Electronic Communications Regulations 2003 (PECR). PECR requires organisations to provide clear and comprehensive information about their use of cookies and to obtain your consent for any cookies that are not necessary for their website.

Jersey does not have equivalent legislation, and neither the EPD nor PECR apply in Jersey, but most websites that Jersey residents use will likely conform to these requirements. Moreover, this regulation duplicates requirements that already exist in the Data Protection (Jersey) Law 2018 with respect to notification and fair processing of personal data.

What we are interested in from a data protection perspective is to what extent cookies pose a threat to privacy. With respect to personal data, cookies only collect what users input directly to a website, such as when shopping, or indirectly through their user activities, such as what pages they view. They do not surreptitiously access other information stored on the hard drive of a computer.

The privacy issues relating to cookies involve the information you give the website or what you do while you are on the website and how transparent the companies are about processing it. The website company must be able to demonstrate that they have a lawful basis under the Data Protection Law that authorises them to collect this personal data and use it (including to share with third parties). This is one reason many websites ask for consent to use non-essential cookies and the personal data that users provide.

Browsers enable you to control the use of cookies with a variety of settings. Use the one that is right for you. The Data Protection Law will govern how the website owner processes your data with cookies. If you believe that a website owner has processed your personal data unlawfully, you may make a complaint to our office. It is important to note that it is possible for web adverts to reflect the browsing history of the web browser without actually collecting personal data. It will take a detailed investigation to determine whether personal data has been involved and if there has been a contravention of the Law.