Contact us
Request demo →
Contact us

Diving into the cookie jar: why cookies are used and how to set them

by Cybersprint Blog 5 Nov 2021

Cookie settings, cookie banners, cookie consent… You are asked to review and agree with a website’s cookie settings whenever you visit it for the first time. Some of that data is necessary or anonymous, some is not. And it’s not always easy to set up and manage, as we’ve recently experienced ourselves. This blog aims to clarify the different cookie settings and regulations, hopefully helping you to tackle similar challenges. What exactly do you need to keep in mind when managing your website’s cookie settings?

What are cookies used for?

Cookies are set and used for various reasons. From an end-user point of view, they help get you the right information. When you visit a web page, your requests for information are accompanied with additional data such as your browser version, your preferred language, as well as any previously set cookies. The web server can analyse this information and combine it with additional data collected via Javascript, such as your device model, screen resolution, supported fonts and more. Using this data, the server can ensure you can view the page content in the intended way. However, this data can also be used to create a unique profile and track your individual actions on the website.

When you visit a web page, you’re often met with a cookie banner requesting you to accept the different kinds of cookies. Some are always enabled, whereas other can be switched off. That usually requires a few more clicks in a submenu. So what kind of cookies can you accept or reject?

Which cookies DO NOT require consent?

As strictly necessary cookies are essential for a site’s proper performance, they do not require explicit consent from a visitor. That also means a site cannot collect, store, or distribute personal data of the visitor. Instead, it creates a random ID of the visitor, unrelated to any identifiable information. This helps to recognise the visitor for the next time they visit the site so it can load a list of previously visited products, for example.

Preference cookies store data such as your region and language settings.

Which cookies MAY require consent?

Statistic cookie data (or performance cookies) is used to monitor what web pages are visited more often, what links are clicked on the most, etc. It may provide the site owner with anonymised data to improve the experience or service they offer via the site, but often the collection and storing of this data may extend to other services as well. For instance, the data is shared with Google when using Google Analytics without the anonymisation possibilities in the settings. In these cases statistic or analytical cookies by nature may be used for tracking or retargeting purposes. Consent is required in these cases.

Which cookies DO require consent?

Finally, there are marketing, or tracking cookies. These cookies track visitor behaviour over multiple websites. This is what makes you see advertisements from company A on a webpage of company B. If you’re shopping for shoes, you’re likely to see an ad for the same shoes when on a webpage for bicycles.


How about cookie data privacy?

To protect people’s online privacy, the European Union has developed the E-Privacy Directive, which is a lex specialis to the General Data Protection Regulation (GDPR). The E-Privacy directive states that tracking cookies need “consent”, as described above. Tracking cookies are regarded as “personal data” and therefore the consequences of the GDPR apply as well when tracking cookies are placed via your website. The GDPR also sets the rules for all these cookie settings and the data they collect, and how that data is supposed to be handled. Finally, the GDPR determines the fines for organisations that wouldn’t adhere to the regulations.


Third-party cookie collection

Setting all cookies up properly is important, but not always easy. That’s mainly because of the third-party interest in the cookie data. Visitors’ data isn’t just collected by your own company, but also by other companies which use a small part of your website in order to track the visitors’ behaviours. Often, this could be a s small as a single, white pixel, invisible to the naked eye of the visitors. Alternatively, it could be embedded in the Facebook share button on your webpage or in a tool that you use to track your website’s performance, for instance Google Analytics.

We have recently experienced how tricky this can be when we embedded a YouTube livestream on our website. We were aware that we as a website owner have to ask for the explicit consent of our visitors to accept tracking cookie. However, we did not know that embedding a YouTube video places such cookies automatically by Google (Doubleclick), which would have required a cookie banner on that specific page.

We were notified of this misconfiguration by an attentive visitor, Floor Terra, after which we made the right changes to our cookie banner, implemented a cookie consent manager, set the settings right, and requested the related third parties to delete the cookie data they collected in that time.

We highly appreciate and are thankful for people sharing their insights to help us improve, learn, and grow.


How to set up and manage your cookie settings

With many different kinds of cookie settings and regulations to adhere to in your continuously changing online footprint, it can be challenging to manage your cookie settings all of the time. Here are a few tips and things to consider.

  • An obvious one: be aware of tracking cookies, especially the ones that are placed on your website by third parties. You need explicit consent from your visitors, also for those third party tracking cookies.
  • Use a tool or service to track and map your cookies. With third parties collecting data via your website, it’s important to know just what kind of data is shared with who. Such a solution will also help you set up cookies properly, and could even block certain content when visitors didn’t give the right consent, preventing an incident. This will also help you in the case of a data removal request at these third parties.
  • Review your cookie settings periodically. Your online footprint is shifting all the time. New subdomains are easily created, and third-party settings could change too.

Disinformation: a certainty in uncertain times

Since the beginning of the internet, we have seen a near, if not an exponential, surge of information sharing amongst users in cyberspace. Not long after, we saw how the emergence of social media ushered an access to public online platforms where other internet users worldwide could share, discuss, promote, and consume information, whether by deliberate choice or not.

read more

Threat Report: Remote vulnerability in Confluence, fixes available

On 2 June, 2022 a critical vulnerability was identified in Atlassian Confluence (CVE-2022-26134). The vulnerability in question relates to active exploitation of unauthenticated remote code execution in Confluence Data Center and Server; meaning that the vulnerability could lead to code being executed remotely.  

read more

Looking back on the 2021 vulnerability: Log4shell

In December 2021 a critical vulnerability surfaced named Log4shell within Log4j, a widely used logging tool for java applications. Log4j is used globally by computers running online services, which meant it impacted a multitude of people, organisations, and government organisations. Since then, multiple fixes have been implemented in the hope to avoid such an outbreak in the future.

read more

Do you have a question?

Our experts have the answers

Contact us