What is the privacy impact of web cookies?
There are two main reasons why people are concerned about web cookies:
- End-users are concerned because they feel that cookies can be used to track their activities on the web (behavioral profiling). For example, if you search for "Camels" today on your favorite search engine, you might continue to see cigarette related advertisements on other, unrelated websites for the next month or so. It's the profiling network that worked here and decided that you might be interested in cigarette ads. In more sophisticated, future schemes you might get a higher health insurance premium once the network becomes suspicious that you're smoker :)
- Because of these concerns European Union has enacted new law regulating storage of data on consumer devices. The scope of this directive is rather wide and it is not limited to classic HTTP cookies but any kind of data (see Evecookies below). As result, if you are a website owner in Europe, you just became a "data controller" and as such should comply with a number of regulations related to cookies.
From privacy and compliance point of view there are three main types of cookies:
- Session cookies — used for purely technical purposes, like storing your session over multi-step processes etc. These cookies are usually considered harmless (and it doesn't necessarily mean that the others are harmful). These cookies are usually forgotten when your browser is closed.
- Permanent cookies — allow the website to recall your preferences or presence for longer time. This can be used to keep things like your color preferences but also identify you as a returning customer, that has purchased X, Y and Z in the past, even if you did not register. These cookies can be stored in your browser for months or years.
- Third party cookies — these can be set by ExampleBookstore.com, but with instructions to send them also to ExampleAdvertising.com, a completely separate company. If you searched for pizza books, and then go to ExampleFoods.com the latter will display pizza components in the first place, because the advertising company they both use told it so. These cookies cause most controversies, especially that they are usually permanent at the same time.
An example of a session cookie:
Set-Cookie: sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/
An example of a permanent cookie:
Set-Cookie: csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; Max-Age=31449600; Path=/
An example of a third party cookie (and it's permanent at the same time):
Set-Cookie: GAD=0c3ca1b85524d571454b2cf22c62fb34; Domain=hub.com.pl; Path=/; Expires=Wed, 30 Aug 2017 00:00:00 GMT