Cookies, cookies, cookies!




Cookies, Sachertorte and other sins!

No! It’s not just about cookies!

Cookies are on everyone’s lips. The GDPR (DSGVO in German) is supposedly to blame for the annoying cookie banners that now pop up everywhere when you just want to look at a website.

I would like to clarify here what a cookie actually is, that it is not (only) about cookies and what this has to do with Sachertorte.

A cookie consists of a name, a value and an expiration date and can be up to 4096 bytes in size. Many websites state “Cookies are small text files…”. That hasn’t been true for a long time. A cookie can be stored in the web browser of the device that visits the website. The storage of the cookie is initiated by the visited website. Once the expiration date is reached, the cookie is deleted automatically, or you can delete it manually.
Cookies can be used, for example, to save the contents of a shopping cart during a visit to an online store, or to store items in the store’s watch list so that they are available again on the next visit. Such cookies are often referred to as necessary or functional cookies.
For such functional cookies, consent in the form of a cookie popup is not required!

Why are cookies evil?

Cookies are not evil and cannot do any harm on their own.
However, cookies are often used to recognize the visitor and in most cases this is used for advertising or to measure advertising activities.
Remarketing or retargeting cookies used to work like this:
When a visitor opens the website of an online shoe store, an “advertising tracker” integrated into that website sets a cookie containing an ID, i.e. a number generated by the advertising tracker. Days later, the potential customer visits the website of an online magazine and suddenly, as if by magic, receives advertising for EXACTLY the shoes he already liked so much in the online store. This is not magic, however, but actually quite simple: the same advertising tracker that was integrated into the shoe store’s website is also integrated into the magazine’s website. It finds the cookie and reads the ID inside it. Against that ID, the tracker has recorded that the potential customer looked longest at exactly this one pair of shoes, and so it now shows him exactly this advertisement.
Even though 3rd party cookies are slowly disappearing because more and more browsers no longer allow them, cookies are still used to recognize the website visitor, e.g. to measure where he comes from, whether he has been there before, etc.
Cookies are not the only way to store data in the user’s browser beyond the session: there are also “local storage”, “session storage” and other mechanisms, which fall under the same legal rules.
But even without storing data in the browser, the trackers of the advertising networks try to recognize the visitors and form “profiles”.

So it’s all about cookies after all?

No, the example described involves not only a cookie but also the aforementioned advertising tracker. So what is an advertising tracker? An advertising tracker is a program/tool integrated into a website for exactly this purpose: to collect data about the behavior of the website visitor in order to display advertising that is as tailored as possible, elsewhere and at a later time.

What does the Sachertorte have to do with it?

The Sachertorte comes from Vienna, and so does the NGO Noyb of Max Schrems, Austria’s most prominent data protection activist. However, Max Schrems is from Salzburg, so you could also add a Mozartkugel.
Until July 2020, the Privacy Shield agreement regulated free data traffic between the EU and the USA. Due to the fact that U.S. surveillance laws such as FISA and the Cloud Act allow U.S. authorities extensive access rights to data stored at U.S. companies, Max Schrems filed a lawsuit and the European Court of Justice declared the Privacy Shield agreement invalid in its decision on July 16, 2020. Since then, the US has been an unsafe third country in terms of data protection from a GDPR perspective.

So, how does this all play together now?

In our example with the advertising tracker, we now have several components:

  • The cookie, which is stored on our hardware to recognize us.
  • The advertising tracker, a software that processes our data for a specific purpose.
  • The company that operates the advertising tracker and is based in the USA.

Which laws now regulate what?

  • Cookies are regulated by the E-Privacy Directive (implemented in Austria by the TKG, in Germany by the TTDSG).
  • The processing of data for a certain purpose is regulated by the GDPR.
  • Data export to an unsafe third country is regulated by the GDPR.

In our example, this means that we need to indicate that we want to use a cookie for marketing purposes. We process data for marketing purposes that are not necessary to show the user the website, but solely to promote products. Then we also send the data for this processing to a US company, which not only uses the data for this purpose, but also collects information from thousands of websites and builds up a huge knowledge database about the user and who knows what else with it.
All of this is permitted (if at all) only with consent.
And the GDPR regulates very strictly what consent has to look like.
It must be voluntary and given by a conscious act, it must be easily revocable, it must be understandable, it must be verifiable, the user must not be pushed to consent (nudging), refusing must be as easy as agreeing, etc.

Conclusion: What does this mean for my website?

This means that if you want to use analytics, advertising trackers or similar on your website/webstore, you cannot get around consent, and this consent must meet all criteria, otherwise it is invalid. Good cookie popups cover all of these aspects, bad ones only some of them, and the really bad ones do ask for permission but have already loaded the trackers beforehand.
Even “cookieless tracking”, which is being promoted more and more often, only solves one of the problems, because the processing of the data, possibly in a third country, is still subject to consent.
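
One way to check a site for the "really bad" popup case described above, as an added example that is not part of the original article: the script takes the responses a browser received before the visitor answered the consent popup and reports every third-party host contacted, together with the name, value and lifetime of any cookie it set. The hostnames, cookie names and values are constructed sample data, and the function names are hypothetical.

```javascript
// Responses recorded BEFORE the visitor answered the consent popup.
// Constructed sample data: hosts, cookie names and values are made up.
const PAGE_HOST = "shop.example";
const preConsentResponses = [
  { host: "shop.example", setCookie: ["cart=abc123; Path=/; HttpOnly"] },
  { host: "cdn.shop.example", setCookie: [] },
  { host: "tracker.example", setCookie: ["uid=7f3a9c; Max-Age=31536000; Secure; SameSite=None"] },
  { host: "ads.example", setCookie: ["vid=42; Expires=Wed, 01 Jan 2031 00:00:00 GMT"] },
];

// Parse one Set-Cookie header into name, value and lifetime in seconds.
// lifetime === null means a session cookie (no Max-Age, no Expires).
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 0) return null; // no name=value pair: not a usable cookie
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), lifetime: null };
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "max-age" && /^-?\d+$/.test(val)) cookie.lifetime = Number(val);
    if (key === "expires" && !Number.isNaN(Date.parse(val))) expires = Date.parse(val);
  }
  // Max-Age takes precedence over Expires when both are present.
  if (cookie.lifetime === null && expires !== null) {
    cookie.lifetime = Math.round((expires - now) / 1000);
  }
  return cookie;
}

// Simplified check: first party = the page host itself or one of its subdomains.
// A production audit would compare registrable domains via the Public Suffix List.
function isThirdParty(host, pageHost) {
  return host !== pageHost && !host.endsWith("." + pageHost);
}

// Every third-party host contacted before consent, with the cookies it set.
function auditPreConsent(responses, pageHost, now = Date.now()) {
  return responses
    .filter((r) => isThirdParty(r.host, pageHost))
    .map((r) => ({
      host: r.host,
      cookies: r.setCookie.map((h) => parseSetCookie(h, now)).filter(Boolean),
    }));
}

console.log(JSON.stringify(auditPreConsent(preConsentResponses, PAGE_HOST), null, 2));
```

An empty result is what a consent-compliant page should produce; a third-party host listed without cookies still matters, because the request itself already hands data to the tracker.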
