
Diving into the cookie jar: why cookies are used and how to set them

by Cybersprint Blog 5 Nov 2021

Cookie settings, cookie banners, cookie consent… You are asked to review and agree with a website’s cookie settings whenever you visit it for the first time. Some of that data is necessary or anonymous, some is not. And it’s not always easy to set up and manage, as we’ve recently experienced ourselves. This blog aims to clarify the different cookie settings and regulations, hopefully helping you to tackle similar challenges. What exactly do you need to keep in mind when managing your website’s cookie settings?

What are cookies used for?

Cookies are set and used for various reasons. From an end-user point of view, they help get you the right information. When you visit a web page, your requests for information are accompanied by additional data such as your browser version, your preferred language, as well as any previously set cookies. The web server can analyse this information and combine it with additional data collected via JavaScript, such as your device model, screen resolution, supported fonts and more. Using this data, the server can ensure you can view the page content in the intended way. However, this data can also be used to create a unique profile and track your individual actions on the website.

When you visit a web page, you’re often met with a cookie banner requesting you to accept the different kinds of cookies. Some are always enabled, whereas others can be switched off. That usually requires a few more clicks in a submenu. So what kind of cookies can you accept or reject?

Which cookies DO NOT require consent?

As strictly necessary cookies are essential for a site’s proper performance, they do not require explicit consent from a visitor. That also means a site cannot collect, store, or distribute personal data of the visitor. Instead, it creates a random ID of the visitor, unrelated to any identifiable information. This helps to recognise the visitor for the next time they visit the site so it can load a list of previously visited products, for example.

Preference cookies store data such as your region and language settings.

Which cookies MAY require consent?

Statistic cookie data (or performance cookies) is used to monitor which web pages are visited more often, which links are clicked on the most, etc. It may provide the site owner with anonymised data to improve the experience or service they offer via the site, but often the collection and storing of this data may extend to other services as well. For instance, the data is shared with Google when using Google Analytics without the anonymisation possibilities in the settings. In these cases, statistic or analytical cookies may by nature be used for tracking or retargeting purposes. Consent is required in these cases.

Which cookies DO require consent?

Finally, there are marketing, or tracking cookies. These cookies track visitor behaviour over multiple websites. This is what makes you see advertisements from company A on a webpage of company B. If you’re shopping for shoes, you’re likely to see an ad for the same shoes when on a webpage for bicycles.


How about cookie data privacy?

To protect people’s online privacy, the European Union has developed the E-Privacy Directive, which is a lex specialis to the General Data Protection Regulation (GDPR). The E-Privacy Directive states that tracking cookies need “consent”, as described above. Tracking cookies are regarded as “personal data” and therefore the consequences of the GDPR apply as well when tracking cookies are placed via your website. The GDPR also sets the rules for all these cookie settings and the data they collect, and how that data is supposed to be handled. Finally, the GDPR determines the fines for organisations that do not adhere to the regulations.


Third-party cookie collection

Setting all cookies up properly is important, but not always easy. That’s mainly because of the third-party interest in the cookie data. Visitors’ data isn’t just collected by your own company, but also by other companies which use a small part of your website in order to track the visitors’ behaviour. Often, this could be as small as a single white pixel, invisible to the naked eye of the visitors. Alternatively, it could be embedded in the Facebook share button on your webpage or in a tool that you use to track your website’s performance, for instance Google Analytics.

We have recently experienced how tricky this can be when we embedded a YouTube livestream on our website. We were aware that we, as a website owner, have to ask for the explicit consent of our visitors to accept tracking cookies. However, we did not know that embedding a YouTube video causes such cookies to be placed automatically by Google (DoubleClick), which would have required a cookie banner on that specific page.

We were notified of this misconfiguration by an attentive visitor, Floor Terra, after which we made the right changes to our cookie banner, implemented a cookie consent manager, set the settings right, and requested the related third parties to delete the cookie data they collected in that time.

We highly appreciate and are thankful for people sharing their insights to help us improve, learn, and grow.


How to set up and manage your cookie settings

With many different kinds of cookie settings and regulations to adhere to in your continuously changing online footprint, it can be challenging to manage your cookie settings all of the time. Here are a few tips and things to consider.

  • An obvious one: be aware of tracking cookies, especially the ones that are placed on your website by third parties. You need explicit consent from your visitors, also for those third-party tracking cookies.
  • Use a tool or service to track and map your cookies. With third parties collecting data via your website, it’s important to know just what kind of data is shared with whom. Such a solution will also help you set up cookies properly, and could even block certain content when visitors didn’t give the right consent, preventing an incident. This will also help you in the case of a data removal request at these third parties.
  • Review your cookie settings periodically. Your online footprint is shifting all the time. New subdomains are easily created, and third-party settings could change too.
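
The mapping step from the tips above, as an added example (not code from the original post or from any Cybersprint tool): a Python scan of a page's static HTML that lists every third-party host the browser would contact on load and flags 1x1 tracking pixels. The `shop.example` and `tracker.example` domains, the sample page and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make the browser fetch a URL as soon as the page loads.
FETCHING_TAGS = {"iframe": "src", "script": "src", "img": "src", "embed": "src"}

# Constructed sample page; shop.example is the assumed first-party domain.
SAMPLE_PAGE = """
<script src="/js/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="//tracker.example/p.gif" width="1" height="1">
<img src="https://shop.example/logo.png" width="120" height="40">
"""

class ThirdPartyAudit(HTMLParser):
    def __init__(self, first_party_domains):
        super().__init__()
        self.first_party = [d.lower() for d in first_party_domains]
        self.findings = []  # (host, kind) per third-party resource

    def _is_first_party(self, host):
        return any(host == d or host.endswith("." + d) for d in self.first_party)

    def handle_starttag(self, tag, attrs):
        url_attr = FETCHING_TAGS.get(tag)
        if url_attr is None:
            return
        attributes = dict(attrs)
        host = (urlparse(attributes.get(url_attr) or "").hostname or "").lower()
        if not host or self._is_first_party(host):
            return  # relative URL or our own domain: nothing leaves the site
        # A 0x0 or 1x1 image is the classic invisible tracking pixel.
        tiny = {"0", "1"}
        is_pixel = (tag == "img" and attributes.get("width") in tiny
                    and attributes.get("height") in tiny)
        self.findings.append((host, "pixel" if is_pixel else tag))

def audit_third_parties(html, first_party_domains):
    """Map each third-party host to the kinds of resources it serves."""
    parser = ThirdPartyAudit(first_party_domains)
    parser.feed(html)
    parser.close()
    by_host = {}
    for host, kind in parser.findings:
        by_host.setdefault(host, []).append(kind)
    return by_host

if __name__ == "__main__":
    for host, kinds in audit_third_parties(SAMPLE_PAGE, ["shop.example"]).items():
        print(f"{host}: {kinds} -> needs a consent decision before loading")
```

A static scan misses resources that scripts inject at runtime; those only show up when the page is loaded in a real browser and its network requests are recorded.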
