what are cookies
- Cookies are text files with small pieces of data — like a username and password — that are used to identify your computer as you use a computer network.
- With the browser as the bridge, Cookies are stored in RAM while the browser is running (called Session Cookies). Once the user logs out of the site or server, Cookies can be stored on the user's local hard disk (called Persistent Cookies).
How do Cookies generally work?
- Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer.
- When the cookie is exchanged between your computer and the network server, the server reads the ID and knows what information to specifically serve to you.
What are Cookies used for?
- Session management. For example, cookies let websites recognize users and recall their individual login information and preferences, such as sports news versus politics.
- Personalization. Customized advertising is the main way cookies are used to personalize your sessions. You may view certain items or parts of a site, and cookies use this data to help build targeted ads that you might enjoy.
- Tracking. Shopping sites use cookies to track items users previously viewed, allowing the sites to suggest other goods they might like and keep items in shopping carts while they continue shopping.
cookies types
Technical Cookies
Technical cookies are important to the proper operation and experience of these websites. For example, these cookies allow users to navigate between different parts of a website and use certain functions. If you reject these cookies, some parts of your site may not function properly.
Profiling Cookies
Profiling cookies (also known as functional cookies) allow websites to remember users' choices (such as language choices) and behavior trajectory, allowing websites to personalize the user's subsequent experience.
Third Party Cookies
It comes from a third party other than the site owner, such as Google Analytics, can help the site owner measure the user's interaction with the site's content.
information security riskS
Cookie validity period
The cookie validity period refers to the length of time that a cookie data can be retained in the browser or the client, which has nothing to do with closing the browser.
Learn More
Cookie Authorization mode for collecting information: explicit and implied
Currently, the authorization method of cookie in the industry is mainly through agreements and statements, which are issued separately or embedded in user agreements or privacy policies. The former is explicit authorization consent, and the latter is implied authorization consent.
"Same-origin Policy" for Cookie transmission message
The same-origin policy was introduced to browsers by Netscape in 1995. Originally, it meant that the Cookie set by page A could not be opened on page B unless the two pages were "cognate". The so-called "same origin" refers to the "three same" : the same protocol, the same domain name, and the same port.
Learn MoreIllegal Attacks
Cookie theft and session hijacking
Network eavesdropping
Traffic on a network can be intercepted and read by computers on the network other than the sender and receiver (particularly over unencrypted open Wi-Fi).
Learn More
Cross-site scripting(XSS): cookie theft
Cookies can also be stolen using a technique called cross-site scripting.
Learn More
Session Hijacking: Cookie Poisoning
Cookiejacking is an attack against Internet Explorer which allows the attacker to steal session cookies of a user by tricking a user into dragging an object across the screen.(the attacker attempts to steal the ID of a victim's session after the user logs in.)
Learn More
Cross-site request forgery(XSRF)
An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
Learn MoreREGULATIONS
【Amended in 2009】 The ePrivacy Directive is commonly referred to as the “cookie law.” It is a piece of EU legislation that regulates how your website is allowed to use cookies and process personal data from visitors inside the European Union.
Read More
【May 25, 2018】 Like the cookie law, Under the General Data Protection Regulation (GDPR), a website must obtain explicit consent from users before it can store cookies on user devices. Since GDPR treats cookie identifiers as personal data, the emergence of GDPR cookie consent was inevitable.
Read More
【may be effective before 2025】 The EPD’s eventual replacement. The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is no still date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
Read More
【Amended on December, 2018】 The PECR covers the use of cookies and similar technologies for storing information, and accessing information stored, on a user's equipment such as a computer or mobile device.
Read More
【January 1, 2020】 The US law requires websites to follow an opt-out approach rather than opt-in for collecting personal information. That is if your business requires you to collect personal information of users (in this case California residents), you must ensure that they have a choice to opt out of it. In short, under the CCPA, a website does not require consent to use cookies.
Read More
【July 9, 2021】 The updated guidelines addressed cookie categorization, consent through scrolling, cookie walls, privacy by design and policy, and cookie banner and policy recommendations. Websites had six months to comply with the new guidelines, which took effect January 10, 2022.
Read More
【November 1, 2021】 China’s newest data protection law, the PIPL, is the latest in a procession of laws meant to protect the personal data of individuals in China.
Read Morewhich regulations to apply on cookie consent
typical cases
[USA] DoubleClick Inc. Privacy Litigation
Rule: An Internet company does not violate the Electronic Communications Privacy Act’s prohibition on unauthorized access to stored electronic communications if the company stores and accesses cookies placed on an Internet user’s hard drive.
Learn More3/31/2001[USA] Pharmatrak, Inc. Privacy Litigation
Intentionally intercepting website users’ personal information without consent violates the Electronic Communications Privacy Act.
Learn More5/9/2003[China] Illegally obtaining data by Cookie attacks may lead to Crime of Illegally Obtaining Computer Information System Data
Valid cookies during user login and access belong to identity authentication information protected by criminal law, and the behavior obtained by the defendant illegally is suspected of a crime. Crime of illegally obtaining computer information system data According to judicial interpretation, the data to be protected should be identity authentication information.
Learn More5/2/2014[China] Privacy Dispute between Baidu Netcom Technology Co., LTD and Zhu Ye
Nanjing Intermediate People's Court approved the practice that cookie collection policy can be embedded in privacy policy in the case of anonymous information and other non-sensitive information.
Learn More5/6/2015
[USA] GOOGLE COOKIE PLACEMENT CONSUMER PRIVACY LITIGATION
Internet users brought actions against internet advertising providers, alleging that providers placed tracking cookies on users' browsers in contravention of browsers' cookie blockers, and asserting claims for violation of the federal Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFFA), and for privacy claims and various statutory violations under California law.
Learn More11/12/2015United States of America v. LAI Systems
The Federal Trade Commission (FTC) brought a complaint against LAI Systems, LLC (LAI) , alleging that LAI violated the Children’s Online Privacy Protection Act of 1998 (COPPA).
Learn More12/17/2015[USA] Facebook Internet Tracking Litigation
Internet users brought putative class action against operator of social networking website, alleging that website embedded “cookies” in users' internet browsers which tracked their personal information and internet activity.
Learn More6/30/2017France fines Amazon $42M for dropping tracking cookies without consent
Amazon’s French site displayed a banner informing arriving visitors that they agreed to its use of cookies. CNIL said this did not comply with transparency or consent requirements — since it was not clear to users that the tech giant was using cookies for ad tracking. Nor were users given the opportunity to consent.
Learn More5/19/2019France Fines Google $120M For Dropping Cookies Without Consent
The French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés) (CNIL) carried out investigations of the websites over the past year and found tracking cookies were automatically dropped when a user visited the domains in breach of the country’s Data Protection Act.
Learn More3/16/2020German Federal Supreme Court Issued Cookie Decision in Planet 49 Case
The decision confirms much-anticipated and relevant principles regarding the use of consent for the processing of personal data and the use of cookies. Notably, it confirms that pre-ticked boxes do not constitute a legally valid consent, in line with the General Data Protection Regulation (GDPR).
Learn More5/28/2020[EUR]NOYB files 422 formal GDPR complaints on nerve-wrecking “Cookie Banners”
As part of a one-year project on "deceptive designs" and "dark patterns", noyb aims to scan, warn and enforce the GDPR on up to 10.000 websites in Europe. After sending a written warning and a “draft complaint” to more than 500 companies on May 31st, 42% of all violations were remedied within 30 days. However, 82% of all companies have not fully stopped violating the GDPR. Accordingly, noyb filed 422 complaints with ten data protection authorities.
Learn More8/10/2020Meta agrees to pay $90 million to settle lawsuit over Facebook tracking users' online activity
Facebook (FB)-parent Meta has agreed to pay $90 million to settle a decade-old class action lawsuit over a practice that allowed the social network to track users' activity across the internet, even if they had logged out of the platform.
Learn More2/15/2022Thanks for visiting
Information Security Issues and Regulations on Web Cookies
