Cookies, Tracking and GDPR – What Do They Mean?

HTTP cookies share their name with a popular baked treat. Picture by Lisa Fotios, licensed under CC0

What Are Cookies, Tracking and GDPR?

Back in the 1990s, a programmer called Lou Montulli, an employee of Netscape, the maker of the first mainstream web browser, created a method of placing a very small file on the user’s computer. The purpose was to store information about what was in the user’s (online) shopping cart, so that when the user then went to the “checkout”, the content of the cookie could be read, just like going to the checkout desk in a supermarket with a basket of shopping.

Now the goal, back then, was to store what was termed “state information” on the user’s personal computer. Why would someone want to do that?

Well, back in the 1990s, the web servers and databases that hosted all the applications you accessed via your web browser were very expensive pieces of hardware. And storing data on them, like user information (let’s say online shopping cart details), meant the servers’ hard disks could become full. Storing the data on the user’s computer saved all that very expensive storage space!

Subsequent Developments

What has happened since Lou Montulli invented this concept? How did we get from Lou’s patent [1] being used to store online shopping cart information (the so-called “state information”) to governments and lawmakers being concerned about the potential invasion of user privacy? That state information could be the user’s subscription information for accessing, say, an online newspaper or magazine. This would save the user from repeatedly entering their credentials, such as login name, password, magazine details, etc.

The cookie would not normally store the user’s actual ID and password, as these could then be stolen, i.e. read by an unscrupulous website or program. Instead, the website creates a unique ID and stores it in the cookie; that ID identifies you to the website, together with the details of the service or information you access.

Now imagine that a website can store information about the pages and content you access via this cookie, or small file. It still helps users, because you do not need to keep entering your credentials, but because the stored information (the cookie) can be read by many different web services, all those cookies build up a picture of what websites we access and, more importantly, what content we access across the whole internet.

Lou described it in these terms:

“Accordingly, when the user, during the browsing process, desires to view another publication (e.g., from the same or different publisher) this state information will be transmitted back to the Web server to provide the necessary subscription information (thereby entitling the user to view the publication) without requiring the user to re-enter the necessary subscription information.”

However, it now also enables your online habits to be tracked, analysed and targeted.

Cookies and Tracking Create Targeted Advertising

TrustArc, a provider of tools to gather consensual user data, states that over 1 trillion megabytes of data are created every day. Within all that data there is a vast amount of user information that companies can use to learn about you, your browsing habits and what you buy. The market for targeted advertising is in excess of US$300 billion.

So, how does this targeted advertising work?

All that data, held in all those cookie files, can be shared across websites. When you access a single website, many cookie files can be stored on your computer or smartphone and then collected.

Imagine going shopping and having a whole bunch of folks follow you from store to store. Now imagine the same folks can peek at what books, magazines or web articles you read. They write down what you browse, what you purchase, and what you do not buy.

Then all this is used to build a profile of you, what you like and do not like. So, one year later, after having this team of people follow you around, what do they know about you?

First-Party Cookies Are Fine

Let us take a step back. We understand that these cookies, or files, are stored on your computer, tablet or smartphone and are placed there by websites. We know they make our lives easier by holding simple information such as shopping cart contents, details that let the site identify you, or personalisation settings such as web page layout or colour. We call these “first-party cookies”, as they are installed by the website you visit.

Third-Party Cookies… Meh!

But we now have this big question about privacy! In the examples above we assume that the website we visit uses the cookie to personalise your browsing experience. But in reality, what can happen if a website installs up to 800 cookies (yes, I said 800!) onto your machine?

What do these other cookies do? They collect additional information about you. These cookies are known as “Third-party cookies”. They are installed via the website you visit.

Example of Third-Party Cookie; graphic by Tizio, licensed under CC BY-SA 3.0

These can collect data that enables advertisers to target you better, and analytics that measure how long you read an article on a web page and uniquely identify you. Websites allow these third-party cookies to be installed because it helps them financially, and it can help them identify how many unique visitors they receive per day and which country or region the user comes from. It can even reveal that you used your Apple MacBook, iPhone or Samsung tablet to access their site!

How Does Amazon Know?

It could be a third-party cookie related to a shopping site. Let’s call that shopping site Amazon. Now suppose we visit several sites, such as when we are searching for a gift for a friend or partner, and these sites install a cookie that relates to Amazon. Now we decide to visit Amazon, and we now see advertisements for a pair of shoes very similar to those we searched for earlier in the day.

How did that happen? Well, when you visited all those websites, they all installed a third-party cookie. The same third party shares your data with Amazon, and they aggregate all the information collected and refine it. By processing the data Amazon works out you are shopping for shoes, in black, that are between £40 and £100.

Now Amazon could say they are helping you by providing you tailored information. You could also say that they are invading your privacy by tracking your internet browsing activity.
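The cross-site linking described above, as an added simulation that is not code from the article: the cookie jar applies the domain rule from the patent abstract in the footnote (a cookie is only sent back to the domain that set it), one tracker is embedded on three unrelated sites, and a second run shows what a browser that blocks third-party cookies leaves the tracker with. All site and tracker names (shoes.example, ads.example, and so on) are invented.

```javascript
// Added simulation (not from the article): a cookie jar applying the patent's
// domain rule, plus a tracker embedded on invented sites (*.example).

class CookieJar {
  constructor() { this.cookies = new Map(); }              // key: "domain|name"
  set(domain, name, value) { this.cookies.set(`${domain}|${name}`, { domain, name, value }); }
  // Only cookies whose domain attribute matches the requested host are sent.
  cookiesFor(host) {
    return [...this.cookies.values()]
      .filter((c) => host === c.domain || host.endsWith("." + c.domain));
  }
}

// One tracker server embedded on many sites; it logs the sites each ID visits.
class Tracker {
  constructor(domain) { this.domain = domain; this.log = new Map(); this.nextId = 1; }
  // The browser fetches the tracker's pixel while on a page of `site`.
  // `sendCookies` is false when the browser blocks third-party cookies.
  hit(jar, site, sendCookies) {
    const existing = sendCookies
      ? jar.cookiesFor(this.domain).find((c) => c.name === "uid") : undefined;
    const uid = existing ? existing.value : String(this.nextId++);
    if (!existing && sendCookies) jar.set(this.domain, "uid", uid); // Set-Cookie
    this.log.set(uid, [...(this.log.get(uid) || []), site]);
    return uid;
  }
}

// Visiting `site`: it sets its own first-party cookie, then every embedded
// third party is fetched and, unless blocked, gets to read and set cookies.
function visit(jar, site, trackers, blockThirdParty) {
  jar.set(site, "session", `session-for-${site}`);
  for (const t of trackers) t.hit(jar, site, !blockThirdParty);
}

// Browse three unrelated sites that all embed the same tracker and report what
// it can reconstruct: one linked profile, or three unlinkable single hits.
function browse(blockThirdParty = false) {
  const jar = new CookieJar();
  const tracker = new Tracker("ads.example");
  for (const site of ["shoes.example", "news.example", "gifts.example"]) {
    visit(jar, site, [tracker], blockThirdParty);
  }
  // First-party cookies stay put: shoes.example only ever receives its own.
  const leaked = jar.cookiesFor("shoes.example").some((c) => c.domain !== "shoes.example");
  return { profiles: Object.fromEntries(tracker.log), leaked };
}

console.log(browse(false).profiles); // { '1': [ 'shoes.example', 'news.example', 'gifts.example' ] }
console.log(browse(true).profiles);  // { '1': [ 'shoes.example' ], '2': [ 'news.example' ], '3': [ 'gifts.example' ] }
```

With third-party cookies allowed, the tracker sees one ID across every site and can build the shopping profile the text describes; with them blocked it still receives each hit but cannot join them.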

What can website cookies collect? Here are some examples:

  • What “referring” sites – the sites you browsed – led to you making a buying decision.
  • What are the most popular shoes being purchased by users in the UK with a specific range of disposable income.
  • What advertising is performing well, and what is not, that leads to purchases.
  • What are the typical interests of buyers, like you, that purchase specific products.

From sifting through the data above, you are now identified and will receive more specific advertising aimed at you. The goal is to tailor content that helps advertisers sell to you, drive their brand awareness, and choose the social channels that match your viewing habits.

What Is GDPR?

While the use of cookies to tailor web page preferences might be considered a useful feature for a web user, the gathering of content from across the web, without asking for the user’s consent, which then enables users to be targeted, is less welcome. This personalisation without explicit authorisation is a concern for many nation states and their governments.

The European Union produced a set of regulations under the title of “General Data Protection Regulation” (GDPR) to increase the privacy and security for its citizens by allowing a user to opt out of being tracked.

Interestingly, one of the GDPR aims is to protect the interests of its citizens even when they are accessing sites outside the EU. It mandates that external sites follow its regulations on how they use, collect and store user data. If a user in France were to access a website in the USA, it is incumbent on the website owners to ensure GDPR compliance and allow the user to opt out of being tracked.

The GDPR legislation has “teeth”, with fines for a breach of GDPR equivalent to £17.5M Sterling or 4% of company turnover. But does GDPR work, and does it deliver the promise of privacy?

Well, what users now have is a barrage of cookie consent notices. When you surf to a website that you have not visited before, you will now see a GDPR-compliant consent notice. It may offer “Accept”, allowing you to continue, or you have to click on another option that says “Manage settings”, or something similar.

The problem now is that many users want to remove the intrusive banner and simply click on “Accept”, rather than change the rather complex set of cookie settings on the web page. Many websites are either partially compliant or simply non-compliant.

Where Do We Go From Here?

Users are confused by the myriad of “Accept” and “Manage settings” options that are presented when they attempt to access a website.

With the easy button being to simply accept, which effectively gives away your privacy, GDPR can effectively be side-stepped for those that seek to monetize the collection of user data for advertising and analytics.

[1] US Patent # US5774670A: “A method and apparatus for transferring state information between a server computer system and a client computer system. In one embodiment of the method, an http client requests a file, such as an HTML document, on an http server, and the http server transmits the file to the http client. In addition, the http server transmits a state object, which describes certain state information, to the http client. The http client stores the state object, and will typically send the state object back to the http server when making later requests for files on the http server. In a typical embodiment, the state object includes a domain attribute which specifies a domain or network address, and the state object is transmitted from the http client to a server only when the http client makes an http request to the server and the server is within the domain. In one embodiment, the apparatus includes a processor and memory and a computer readable medium which stores program instructions. In the case of the client system, the instructions specify operations such as receiving and storing the state information; in the case of the server system, the instructions specify operations such as sending the state information to a client system”.