Cookies are ubiquitous and their regulation has been the topic of debate for several years. In simple terms, cookies are used by websites to store information about a user's activity and preferences on their device. Cookies can be set by the website being visited – first-party cookies – or by a party other than the website – third-party cookies.  

The use of cookies, especially third-party cookies, is regulated by many privacy laws and regulations around the world and the proposed ePrivacy Regulation in the EU seeks to enhance privacy rights and protections for electronic communications, including the use of cookies.  

What are cookies? 

Cookies are small text files that are stored on a user's device by a website. These text files contain information about the user's preferences and activities on the website, allow websites to remember information about a user’s activity across multiple visits, and improve the user experience by enabling personalized content. Cookies are also used for tracking and analytics purposes. 

What are the four types of cookies? 

Modern cookie banners on most websites give individuals the option to accept or decline four different types of web cookies. Some are necessary for the proper function of the website being visited, while others are used to obtain information about an individual.  

Strictly Necessary - Essential for the correct functioning of a website, strictly necessary cookies allow users to navigate and use website features.  Typically, these cookies cannot be disabled as they are required for basic website functionality. 

Performance - These cookies collect information about how users interact with a website. Performance cookies track which pages have been visited, whether any errors occur, and loading times. These types of cookies are typically used to improve user experience and website performance. 

Functional Cookies – Websites can set functional cookies to remember user preferences to help build a more personalized experience on return visits. This includes information such as language, font size, and other customizable elements. 

Targeting Cookies – Also known as advertising cookies, cookies of this nature help website operators to deliver advertisements that are more relevant to the user. Targeting cookies set information that allows advertisers to display content based on a user’s browsing history and online behavior. They are also used to limit the number of times a user sees a particular advertisement and targeting cookies are often set by third-party advertising networks.  

How are third-party cookies regulated?  

Privacy laws and regulations across the world place requirements around the use of third-party cookies. Many of these laws require website operators to obtain consent – conditions of which vary from jurisdiction to jurisdiction –from users before collecting and processing their personal data, including the use of third-party cookies. In recent years, particularly in the EU, several data protection authorities have weighed in with guidance relating to capturing valid cookie consent.  

In addition to consent requirements under the GDPR and other similar privacy and data protection laws, many organizations are bound by the ePrivacy Directive. The ePrivacy Directive was enacted in 2002, with the purpose of protecting the privacy of personal data in the electronic communication sector. The ePrivacy Directive complements the GDPR, however, the ePrivacy Directive specifically addresses the processing of personal data in the context of electronic communications, including the use of cookies and other tracking technologies, among other things. The ePrivacy Directive was updated in 2009 leading to calls for the directive to be overhauled in line with the digitization of society. 

What is the ePrivacy Regulation?  

The ePrivacy Regulation is a proposed piece of privacy legislation in the EU that aims to enhance privacy rights and protections for electronic communications – building upon the foundation set by the ePrivacy Directive. The ePrivacy Regulation would impose specific rules on the use of cookies and valid consent.   

The ePrivacy Regulation is still awaiting adoption adopted remains under discussion in European Parliament and the Council of the EU.  

Follow OneTrust DataGuidance on LinkedIn to keep up to date with upcoming webinars, insights, and more.