What are cookies?
Cookies are small text files saved on a device when a person browses a website. They are processed and stored by the web browser. Cookies can be saved on a personal computer, a mobile device, or any other type of device which can store information. Information stored in cookies can include IP addresses, usernames, Unique Device Identifiers, e-mail addresses, language settings, types of device, and other types of information.
Application of the GDPR and the e-Privacy Directive
The placing of cookies is regulated by the e-Privacy Directive, which should be transposed into national legislative acts by EU member states. Among other issues, the e-Privacy Directive regulates the confidentiality of communications and tracking and monitoring in an online environment. The Directive requires that the user’s consent is obtained for the placing of any cookies that are not strictly necessary to ensure a website’s functioning. As a rule, the consent mechanism must meet the requirements of the General Data Protection Regulation (GDPR), as cookie identifiers that can be associated with a natural person qualify as personal data.
What are the different types of cookies?
Cookies can be classified based on how long they endure, their provenance and what purpose they serve.
- Session cookies: cookies are temporary and expire once the browser is closed or the session expires. These cookies process information relevant to the actions directly required by the clients (for example, a list of items in a shopping cart).
- Persistent cookies: these are cookies that remain on the hard drive until they are erased by the user or the browser, depending on the expiration date. According to the e-Privacy Directive, the expiration period must not be longer than 12 months.
- First-party cookies: cookies that are placed directly by the website. The website directly processes the data collected by first-party cookies.
- Third-party cookies: these cookies are placed on the device by third parties. A third party (e.g. an advertiser) processes the data collected by these cookies.
- Strictly necessary cookies: these cookies allow users to browse the website, platform or app and use their features. They are necessary to ensure the website’s functioning and management, allowing a website to provide its features and services – for example, to control data flow and communication, hold items in a cart while a user is shopping, process payments, or prevent fraud. They are generally first-party cookies. Consent is not required. However, please note that first-party analytics cookies are not exempt from consent as such. The purpose of the cookie, rather than its technical features, should always be the basis for evaluating if the exemption can be successfully applied.
- Preference cookies: these cookies allow the website to remember information about users’ past preferences in order to provide users with personalised services. Information of this kind could include languages, regions, usernames or passwords for automatic login. Consent is not required if these cookies are used for services that the users directly require (for example, when users select a language by clicking on the relevant button); otherwise, consent is necessary.
- Analytics cookies: analyse and track how users use a website, and can be divided into two categories:
1) marketing cookies, which are used to develop more relevant advertising
2) statistics cookies, which collect statistics regarding the use of the website. Their purpose is to improve website functions, and users cannot be identified
User consent is always required for using analytics cookies.
Recent updates in the Baltic countries
The Data State Inspectorate requested that the data controllers in question eliminate the deficiencies.