Cookies, cookies, cookies!

Cookies are on everyone’s lips. The DSGVO is supposed to be to blame for the fact that these annoying cookie banners pop up everywhere now, when you just want to look at the website.

I would like to clarify here what a cookie actually is, that it is not (only) about cookies and what this has to do with Sachertorte.

What is a cookie?

A cookie consists of name, value and expiration date and can be up to 4096 bytes in size. Many websites state “Cookies are small text files…”. That hasn’t been true for a long time. A cookie can be stored in the web browser of the terminal device that visits the website. The storage of the cookie is initiated by the visited website. Once the expiration date is reached, the cookie is automatically deleted or you delete it manually.
Cookies can be used, for example, to save the contents of a shopping cart during a visit to an online store or to store items in the watch list of an online store so that they are available again the next time you visit. Such cookies are often referred to as necessary or functional cookies.
For such functional cookies, consent in the form of a cookie popup is also not required!

Why are cookies evil?

Cookies are not evil and cannot do any harm on their own.
However, cookies are often used to recognize the visitor and in most cases this is used for advertising or to measure advertising activities.
Remarketing or retargeting cookies used to work like this:
When visiting a website of an online store for shoes, a cookie of an “advertising tracker” integrated into the website is set, which contains an ID, i.e. a number generated by the advertising tracker. Now, days later, the potential customer visits the website of an online magazine and suddenly, as if by magic, receives advertising for EXACTLY the shoes he already liked so much in the online store. This is not magic, however, but actually quite simple: the exact same advertising tracker is integrated into the magazine’s website that was already integrated into the shoe online store’s website. It finds the cookie and reads the ID that is inside. To the ID he has noticed that the potential customer has looked at the very longest just this one pair of shoes and therefore he now shows him exactly this advertisement.
Even though 3rd party cookies are slowly disappearing because more and more browsers don’t allow them anymore, cookies are still used to recognize the website visitor, e.g. to measure where he comes from, if he has been there before, etc.
But not only by means of cookies can data be stored in the user’s browser beyond the session, there is also the “local storage”, “session storage” and other possibilities that fall under the same legalities.
But even without storing data in the browser, the trackers of the advertising networks try to recognize the visitors and form “profiles”.

So it’s all about cookies after all?

No, in the example described, not only a cookie is used, but also the aforementioned advertising tracker. So what is an advertising tracker? An advertising tracker is a program/tool that is integrated into a website, which has exactly this purpose: To collect data about the behavior of the website visitor in order to be able to display advertising that is as tailored as possible elsewhere and at a later time.

What does the Sachertorte have to do with it?

The Sachertorte comes from Vienna , but not only the Sachertorte, but also the NGO Noyb(https://noyb.eu) of Max Schrems, Austria’s most prominent data protection activist. However, Max Schrems is from Salzburg, so you could also add a Mozartkugel .
Until July 2020, the Privacy Shield agreement regulated free data traffic between the EU and the USA. Due to the fact that U.S. surveillance laws such as FISA and the Cloud Act allow U.S. authorities extensive access rights to data stored at U.S. companies, Max Schrems filed a lawsuit and the European Court of Justice declared the Privacy Shield agreement invalid in its decision on July 16, 2020. Since then, the US has been an unsafe third country in terms of data protection from a GDPR perspective.

So, how does this all play together now?

In our example with the advertising tracker, we now have several components:

• The cookie, which is stored on our hardware to recognize us.
• The advertising tracker, a software that processes our data for a specific purpose.
• The company that operates the advertising tracker and is based in the USA.

Which laws now regulate what?

Cookies are regulated by the E-Privacy Directive (implemented in Austria by the TKG, in Germany by the TTDSG).

• The processing of data for a certain purpose is regulated by the GDPR.
• Data export to an unsafe third country is regulated by the GDPR.

In our example, this means that we need to indicate that we want to use a cookie for marketing purposes. We process data for marketing purposes that are not necessary to show the user the website, but solely to promote products. Then we also send the data for this processing to a US company, which not only uses the data for this purpose, but also collects information from thousands of websites and builds up a huge knowledge database about the user and who knows what else with it.
All this goes (if at all) only with consent.
And the GDPR regulates very strictly how consent has to look like.
It must be voluntary and set by a conscious act, it must be easily revocable, it must be understandable, it must be verifiable, one must not be pushed to consent (nudging), refusing must be as easy as agreeing, etc.

Conclusion: What does this mean for my website?

This means that if you want to use analytics, advertising trackers or similar on your website/webstore, you cannot get around consent and this must meet all criteria, otherwise it is invalid. Good cookie popups cover all of these aspects, bad ones only some of them and the really bad ones do ask for permission and the trackers are already included beforehand.
Even “cookieless tracking”, which is being propagated more and more often, only solves one of the problems, because the processing of the data, possibly in a third country, is still subject to consent.