In our recent DataChat Live, we covered “Cookie Governance from A to Z” with ObservePoint CTO, Dave Smith. Below are the highlights from that discussion. You can also download our handy Cookie Cheat Sheet.
What’s a cookie?
A cookie is a persistent piece of information that websites give to your browser, and the browser stores that cookie on your computer’s hard drive until it expires. Later, when you return to that site and the browser requests a page from the site, the browser sends that information from your hard drive to the website on your behalf. Cookies allow websites to identify return visitors.
Use cases of cookies:
Logins – authentication was first done with cookies
Preferences – configuration of settings, like a chosen language for example
Shopping carts – knowing what items were in your cart
What does a cookie look like?
At its core, a cookie is a name-value pair. They’re just pieces of text, and a value can be short like a number, or long like a series of numbers and letters. They have other metadata like expiration dates, security policies, and which websites are allowed to access the cookies.
Where are cookies stored on your hard drive?
This varies by browser. For Chrome, they are stored in a single file on your hard drive.
- On Windows, the file is located in:
C:\Users\<your_username>\AppData\Local\Google\Chrome\User Data\Default\Cookies.
- For Mac, the file is:
~/Library/Application Support/Google/Chrome/Default/Cookies.
The file is an SQLite database file and can be queried with SQL commands.
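As an added example (not code from the webinar or from ObservePoint), the Python below shows what querying that store looks like. It assumes Chrome's cookies table has the columns host_key, name, path, expires_utc, is_secure and is_httponly and records times as microseconds since 1601-01-01 UTC with expires_utc = 0 for session cookies; the rows are constructed, and on a real profile you would connect to a copy of the Cookies file instead of the in-memory stand-in.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumptions about Chrome's "cookies" table (a subset of its columns): times are
# microseconds since 1601-01-01 UTC (the Windows epoch), expires_utc = 0 marks a
# session cookie, and cookie values live in an encrypted column not used here.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(microseconds):
    """Chrome timestamp -> aware datetime; None for a session cookie."""
    if microseconds == 0:
        return None
    return CHROME_EPOCH + timedelta(microseconds=microseconds)

def to_chrome_time(dt):
    """Aware datetime -> Chrome microsecond timestamp (integer maths, no float loss)."""
    return int((dt - CHROME_EPOCH).total_seconds()) * 1_000_000

def build_sample_store():
    """Constructed stand-in for a Chrome Cookies file; not data from a real profile.
    For a real audit, connect to a COPY of the Cookies file (Chrome locks the live one)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, path TEXT, "
                 "expires_utc INTEGER, is_secure INTEGER, is_httponly INTEGER)")
    y2030 = to_chrome_time(datetime(2030, 1, 1, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?, ?)", [
        (".example.com",          "sid",  "/", 0,     1, 1),   # session, Secure+HttpOnly
        (".example.com",          "lang", "/", y2030, 0, 0),   # persistent preference
        (".adnetwork.example",    "uid",  "/", y2030, 1, 0),   # placed by an ad network
        ("analytics.example.net", "_ga",  "/", y2030, 0, 0),   # placed by analytics
    ])
    return conn

def cookies_by_host(conn):
    """Which domains have placed cookies, and how many each."""
    return conn.execute("SELECT host_key, COUNT(*) FROM cookies "
                        "GROUP BY host_key ORDER BY 2 DESC, 1").fetchall()

def non_secure_cookies(conn):
    """Cookies the browser will also send over plain HTTP (Secure flag off)."""
    return conn.execute("SELECT host_key, name FROM cookies "
                        "WHERE is_secure = 0 ORDER BY host_key").fetchall()

def persistent_cookies(conn):
    """(host, name, expiry) for every cookie that outlives the browser session."""
    rows = conn.execute("SELECT host_key, name, expires_utc FROM cookies "
                        "WHERE expires_utc != 0 ORDER BY host_key").fetchall()
    return [(host, name, chrome_time(exp)) for host, name, exp in rows]
```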
What’s the difference between a 1st-party cookie and a 3rd-party cookie?
On a purely definitional basis, a third-party cookie is a cookie with a domain that is not the same domain as the website you’re currently visiting.
This is where modern websites really need to pay attention. First-party cookies tend to serve the customer to do the thing the customer came to the site for in the first place. They can still run afoul of regulations if they’re not categorized correctly or placed without consent.
Third-party cookies can be used to identify users across websites (they can also be employed on one website alone, but placed by a third-party domain), which enables sites to know a profile about you and other sites you’ve visited even if it’s your first visit. This is because of tracking and advertising networks that exist throughout the web. This is very common; 95% of Fortune 500 websites we’ve looked at use third-party cookies, not for any malicious purpose but because they are participating in various advertising networks.
DOMAIN: One piece of technical metadata on a cookie is called “domain.” The domain is an instruction that tells your browser, this cookie belongs to WebsiteA.com. The browser then has an agreement with the world wide web that any time it goes to WebsiteA.com, it will look at all of the cookies it currently has on your computer that have a domain of WebsiteA.com associated with them and send those with every request it makes to WebsiteA.
What are some other metadata people should be paying attention to?
SECURE/NON-SECURE: A cookie will have a secure setting that’s either on or off. This doesn’t mean that the cookie itself is secure or insecure. It means your browser will only send a secure cookie if your browser is using HTTPS, which means you’re using an SSL or encrypted channel to communicate with that website. That’s because there’s possibly sensitive data or identifying information in your cookie, so it’s a security measure to make sure that information only goes to a website over a secure channel. A number of years ago, Google made HTTPS the default protocol for their search engine results, affecting inbound traffic to your website as people click through search results from then on. As a result, many organizations now adhere to the best practice of ensuring all cookies on their digital properties now have that secure flag. If and when you discover non-secure cookies on your own website, you should investigate further to evaluate how those fit into your business’s defined standards.
HTTPONLY: This is used when you don’t want JavaScript code to be able to read the cookie’s content. It protects against a class of security vulnerabilities called cross-site scripting. The flag tells the browser to send the cookie only with network requests and never expose it to scripts running in the page. HttpOnly is a common practice.
Cross-site scripting (XSS): These attacks inject malicious scripts into otherwise trusted websites. A web application sends malicious code in the form of a browser-side script to a different end user. The end user’s browser has no way of knowing that the script is untrustworthy and executes it.
SAMESITE: This was introduced in the last few years to prevent a category of security vulnerabilities called cross-site request forgery. Websites used to have to jump through all kinds of hoops to prevent these attacks, but now with the SameSite feature, you can block these attacks at their source.
Cross-site request forgery (CSRF): These attacks force an end user to execute unwanted actions on a web application that they’re authenticated on. The user is tricked into performing state-changing requests like transferring funds or changing their address via a link in a convincing email or chat.
EXPIRATION: All cookies have some level of declared expiration whether that’s on the session you’re in currently or over a specific number of hours, days, or years. In Europe, cookie expiration is regulated by cookie type.
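The flags discussed above can be checked on the server side, from the Set-Cookie header, before a cookie ever reaches a browser. As an added example (not from the webinar or from ObservePoint), the Python below parses a raw Set-Cookie header and reports missing Secure, HttpOnly and SameSite, the cookie’s lifetime, and whether it is first- or third-party relative to the visited site. parse_set_cookie, audit_set_cookie and the `site` argument (the visited site’s registrable domain, supplied by the caller; no public-suffix list is consulted) are my own names and assumptions, and the sample headers are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value-or-True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flags become True
    return name.strip(), value.strip(), attrs

def is_first_party(domain, site):
    """site is the visited site's registrable domain (assumption: caller supplies it)."""
    d = domain.lstrip(".").lower()
    return d == site or d.endswith("." + site)

def lifetime_seconds(attrs, now):
    """None for a session cookie; Max-Age takes precedence over Expires (RFC 6265)."""
    if "max-age" in attrs and attrs["max-age"] is not True:
        return int(attrs["max-age"])
    if "expires" in attrs and attrs["expires"] is not True:
        exp = parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return int((exp - now).total_seconds())
    return None

def audit_set_cookie(header, response_host, site, now=None):
    """Classify one cookie against the Secure/HttpOnly/SameSite/expiration checklist."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    domain = attrs.get("domain")
    if domain in (None, True):          # no Domain attribute: host-only cookie
        domain = response_host
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite")
    if samesite in (None, True):
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return {"name": name, "domain": domain,
            "party": "first" if is_first_party(domain, site) else "third",
            "lifetime_seconds": lifetime_seconds(attrs, now),
            "findings": findings}
```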
What should you be testing on cookies with regard to privacy regulations?
The question of compliance is important and ObservePoint provides a platform that continuously monitors the reality of what is happening on an organization’s website with tools to compare that to desired standards. Cookie governance is a big part of privacy compliance. We see a lot of websites at ObservePoint, and the vast majority of organizations have room for improvement in terms of aligning cookies on their websites with privacy regulations.
The general standard in the United States is that you are opted into cookies by default. In Europe, it’s the exact opposite: you’re opted out by default. One of the important things to test is whether cookies are still being set after you opt out.
ObservePoint has a powerful setting that gives you the ability to “Clear All Cookies,” which allows you to run an audit even in an opt-in-by-default environment by first clearing any present cookies and then proceeding with the Audit to test if an opted-out state is actually preventing new cookies from appearing.
Another use case for this feature might be for Conversion Rate Optimization, where you’re doing an A/B test and you want to know if your testing is actually splitting 50/50 as expected. You can load the same experience a thousand times and clear all cookies before each run, then you’ll see if you’re getting version A or version B at or near 50% of the time.
If you go to a website and change your consent banner settings to not place any cookies, will the cookies that are already on your computer remain?
They remain because there is no mechanism on the web for a company to delete third-party cookies that belong to some other website. You cannot be untracked once you’ve been tracked. So, what Consent Management Platforms are providing you is the ability to not be tracked from this point forward. But, if you want to ensure cookie-based tracking is eliminated, you would need to delete the cookies yourself directly in your browser settings.
Is there any way to clear just third-party cookies?
No. Also, when you’re looking at a browser settings window, there is no concept of first- or third-party. When you’re looking at a certain website in your browser, then you have first- or third-party because it’s those that do or don’t belong to that website. But, if you’re just managing your data, then that concept doesn’t exist. In addition, in your browser settings, the history of who placed the cookie originally is lost, so you won’t know if it’s first- or third-party.
Are we moving to a cookie-less future or is that an overstatement?
First-party cookies are definitely not going to die any time soon – maybe ever. Some browsers are already taking a pretty hard stance against third-party cookies (Safari, Firefox). But Google, creator of Chrome (by far the most widely used web browser), has been saying for a while that it will deprecate support for third-party cookies, but every time that date comes around they’ve extended it. For now, they’re indicating that by the second half of 2024, they expect to have solutions in place that will render third-party cookies obsolete.
If you’d like to see how ObservePoint can audit your website to better understand all the various cookies your organization is employing and where you can improve your governance of them, reach out for a sample audit.