
Licks Attorneys' COMPLIANCE Blog



There are many definitions out there for cookies, but the one I like the most is found on the Positivo website, as well as some other websites, which clarifies that cookies are simple text files sent by the website to the browser the first time you visit it. A simple and effective definition. The cookie is there so that, when the user visits the website again, their browser sends back the data collected by the cookie, depending on its goal.

In fact, cookies have four basic purposes:

1. Session management – The cookie, as a rule, collects login and password data to expedite the user's access to the website on his next visit.

2. Customization – The cookie establishes a user behavior profile, so that ads are shown with content and frequency determined according to the user’s interests.

3. Tracking – The cookie tracks websites browsed by the user.

4. Geolocation – The cookie identifies from which country the website or service is used.

Currently, seven types of cookies are recognized as being in use on the internet:

1. First-party cookies – The cookie establishes a user behavior profile, according to the websites visited, to display ads related to his preferences, and defines frequencies for displaying certain ads. Most e-commerce stores use primary data to recognize their customers.

2. Second-party data – This data essentially derives from the primary data of another person and, when transferred from one company (primary data) to another, it becomes secondary data. For example, a travel agency might sell its primary data to an airline to target its ads.

3. Third-party cookies – Third-party cookies are placed by domains other than those directly visited by the user. This can happen when a user visits a website that has a third-party cookie file arising from an ad.

4. Session Cookies – Session, or non-persistent, cookies work as a temporary website memory; that is, they expire immediately after the session and browsers do not store them.

5. Persistent Cookies – Persistent or permanent cookies usually have an expiration date set by the publisher. Users' devices store them, and they remember information that users have set, such as language preferences, settings, login details, etc., providing tracking.

6. Secure Cookies – Secure cookies will only be present on a website with HTTPS protocol. This ensures an encrypted connection and prevents any data leakage, preventing cookie theft and hijacking attacks.

7. Zombie Cookies – Zombie cookies are small snippets of code, usually in the form of an image, local shared object, etc. They recreate themselves even after the browser data is erased and follow the user through websites, with the Flash type being the most common.
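To make the session, persistent, secure and third-party categories above concrete, the following added example (not part of the original article) classifies `Set-Cookie` response headers by those categories. The function names, host names and header values are constructed for illustration, and the registrable domain of the visited page is assumed to be supplied by the caller.

```javascript
// Added example: classify Set-Cookie headers by the categories listed above.
// All host names and header values below are constructed sample data.

// Parse one Set-Cookie header value into its name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// setterHost: host of the response that carried the Set-Cookie header.
// pageSite: registrable domain of the page being visited (assumed known;
// browsers derive it from the Public Suffix List).
function classifyCookie(header, setterHost, pageSite, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  let expires = null;
  // Max-Age takes precedence over Expires (RFC 6265).
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    expires = new Date(now.getTime() + Number(attrs['max-age']) * 1000);
  } else if (typeof attrs.expires === 'string' && !Number.isNaN(Date.parse(attrs.expires))) {
    expires = new Date(Date.parse(attrs.expires));
  }
  const sameSite = setterHost === pageSite || setterHost.endsWith('.' + pageSite);
  return {
    name,
    // No expiry attribute: the cookie lasts only for the browser session.
    lifetime: expires === null ? 'session' : expires <= now ? 'expired' : 'persistent',
    daysToLive: expires && expires > now ? Math.round((expires - now) / 86400000) : 0,
    party: sameSite ? 'first-party' : 'third-party',
    secure: attrs.secure === true, // false: the cookie is also sent over plain HTTP
  };
}

const NOW = new Date('2021-03-01T00:00:00Z');
const SAMPLES = [
  ['sid=abc123; Path=/; Secure; HttpOnly', 'www.shop.example', 'shop.example'],
  ['lang=pt-BR; Max-Age=31536000; Path=/', 'www.shop.example', 'shop.example'],
  ['uid=77f1; Expires=Wed, 01 Mar 2023 00:00:00 GMT; Secure', 'ads.tracker.example', 'shop.example'],
];
const report = SAMPLES.map(([h, host, site]) => classifyCookie(h, host, site, NOW));
console.log(report);
```

A long-lived cookie set by a host outside the visited site, like the third sample, is the pattern a cookie audit would list first when reviewing what needs consent.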

And why have cookies become so relevant in recent years? Simply because of recent data protection laws that have spread over many different countries. The most relevant ones for Brazilians are the European GDPR, which came into effect as of May 25, 2018, and the Brazilian LGPD, with most of its content being active as of September 18, 2020.

This being said, the question that follows is: what do cookies have to do with personal data? If cookies can establish someone’s pattern of behavior (profiling), then they can be recognized as identifiable personal data, that is, they can lead to the identification of an individual.

While the LGPD lacks a regulation on the use of cookies by the National Data Protection Authority – ANPD, the European Union has had a directive called ePrivacy since 2002, amended in 2009, which establishes some important rules for cookies, such as:

Prior and explicit consent must be obtained before any cookie is activated (except cookies allowed in the whitelist).

Consents must be granular, meaning users must be able to enable some cookies and not others, and not be forced to consent to all or none.

Consent must be freely given, that is, it cannot be forced.

It must be possible to withdraw consent as easily as it is given.

Authorizations must be securely stored as legal documentation.

Consent must be renewed at least once a year. However, some national data protection guidelines recommend more frequent renewal, e.g. every 6 months.

So what are the trends regarding cookies for the near future? For Brazil, although cookies are not referenced in ANPD's regulatory agenda for the 2021-2022 biennium, it is expected that the ANPD will not neglect the subject, as the topic affects millions of Brazilians who access the internet.

Globally speaking, several websites such as, reported on January 14, 2021, that in 2022 Google’s Chrome browser might follow the developers of the Safari and Firefox browsers, which already block, by default, third-party cookies.

Therefore, the trend is for third-party cookies to be extinct and replaced by another technology in the medium term, which might possibly be FLoC (Federated Learning of Cohorts), developed by Google itself, whose purpose is to hide someone among a group of people with common interests and keep a user's internet history private in their browser only. FLoC technology is based on the use of machine learning algorithms to define grouping based on the websites the user visits.
