Cookie 5 13 Summary
Cookies are small text files which are transferred to your computer or mobile when you visit a website or app. We use them to: Remember information about you, so you don’t have to give it to us.
Cookies are small text files that websites place on the computers and mobile devices of people who visit those websites. A Cookies Policy is the policy used to inform users about the use of cookies by a website or an app. These files are then read by the website each time you return to the site. These text files allow a website to remember your device and how you interacted with the website.
This document describes how Google Analytics uses cookies to measure user interactions on websites that use analytics.js and gtag.js. For cookies used as part of Google Analytics 4, read this document.
Overview
Google Analytics is a simple, easy-to-use tool that helps website owners measure how users interact with website content. As a user navigates between web pages, Google Analytics provides website owners JavaScript tags (libraries) to record information about the page a user has seen, for example the URL of the page.
The Google Analytics JavaScript libraries use HTTP Cookies to 'remember' what a user has done on previous pages / interactions with the website.
Note: Read the Google Analytics privacy document for more details about the data collected by Google Analytics.
Google Analytics supports three JavaScript libraries (tags) for measuring website usage: gtag.js, analytics.js, and ga.js. The following sections describe how each uses cookies.
gtag.js and analytics.js - cookie usage
The analytics.js JavaScript library is part of Universal Analytics and uses first-party cookies to:
- Distinguish unique users
- Throttle the request rate
When using the recommended JavaScript snippet, cookies are set at the highest possible domain level. For example, if your website address is blog.example.co.uk, analytics.js will set the cookie domain to .example.co.uk. Setting cookies on the highest level domain possible allows measurement to occur across subdomains without any extra configuration.
gtag.js and analytics.js do not require setting cookies to transmit data to Google Analytics.
gtag.js and analytics.js set the following cookies:
Cookie Name | Expiration Time | Description |
---|---|---|
_ga | 2 years | Used to distinguish users. |
_gid | 24 hours | Used to distinguish users. |
_gat | 1 minute | Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id> . |
AMP_TOKEN | 30 seconds to 1 year | Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, inflight request or an error retrieving a Client ID from AMP Client ID service. |
_gac_<property-id> | 90 days | Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. Learn more. |
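An added example (not Google's code): a small audit that checks a browser cookie export against the gtag.js / analytics.js names and lifetimes in the table above, and flags cookies scoped to a parent domain, as in the blog.example.co.uk case. The export shape (name, domain, expires in Unix seconds, -1 for session cookies), the function name, the property ID and all sample values are constructed assumptions.

```javascript
const DAY = 86400; // seconds in a day

// Name patterns and maximum lifetimes (seconds) taken from the table above.
const GA_COOKIES = [
  { pattern: /^_ga$/, maxAge: 730 * DAY, purpose: "distinguish users" },
  { pattern: /^_gid$/, maxAge: DAY, purpose: "distinguish users" },
  { pattern: /^(_gat|_dc_gtm_.+)$/, maxAge: 60, purpose: "throttle request rate" },
  { pattern: /^AMP_TOKEN$/, maxAge: 365 * DAY, purpose: "AMP Client ID token" },
  { pattern: /^_gac_.+$/, maxAge: 90 * DAY, purpose: "campaign information" },
];

// Lower-case a cookie domain and drop the leading dot of a domain cookie.
const bare = (d) => d.replace(/^\./, "").toLowerCase();

// Hypothetical helper: compare observed cookies with the documented defaults.
function auditGaCookies(pageHost, cookies, nowSec) {
  const host = pageHost.toLowerCase();
  const findings = [];
  for (const c of cookies) {
    const doc = GA_COOKIES.find((e) => e.pattern.test(c.name));
    if (!doc) continue; // not a cookie documented in the table
    const remaining = c.expires < 0 ? 0 : c.expires - nowSec; // -1 = session
    const domain = bare(c.domain);
    findings.push({
      name: c.name,
      purpose: doc.purpose,
      remainingDays: Number((remaining / DAY).toFixed(2)),
      overLifetime: remaining > doc.maxAge, // lives longer than documented
      parentScoped: domain !== host && host.endsWith("." + domain),
    });
  }
  return findings;
}

// Constructed sample export for a visit to blog.example.co.uk.
const NOW = 1700000000;
const SAMPLE = [
  { name: "_ga", domain: ".example.co.uk", expires: NOW + 730 * DAY },
  { name: "_gid", domain: ".example.co.uk", expires: NOW + 7 * DAY },
  { name: "_dc_gtm_UA-0000000-1", domain: "blog.example.co.uk", expires: NOW + 60 },
  { name: "sessionid", domain: "blog.example.co.uk", expires: -1 },
];

const REPORT = auditGaCookies("blog.example.co.uk", SAMPLE, NOW);
console.log(REPORT);
```

A cookie reported with parentScoped set is sent to every subdomain of that parent, so it belongs in the cookie inventory of each of those sites, not only the one that set it.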
Customization
Read the gtag.js Cookies and user identification guide to learn all the ways these default settings can be customized with gtag.js.
Read the analytics.js Domains & Cookies developer guide to learn all the ways these default settings can be customized with analytics.js.
Read the Security and privacy in Universal Analytics document for more information about Universal Analytics and cookies.
ga.js - cookie usage
The ga.js JavaScript library uses first-party cookies to:
- Determine which domain to measure
- Distinguish unique users
- Throttle the request rate
- Remember the number and time of previous visits
- Remember traffic source information
- Determine the start and end of a session
- Remember the value of visitor-level custom variables
By default, this library sets cookies on the domain specified in the document.host browser property and sets the cookie path to the root level (/).
This library sets the following cookies:
Cookie Name | Default Expiration Time | Description |
---|---|---|
__utma | 2 years from set/update | Used to distinguish users and sessions. The cookie is created when the JavaScript library executes and no existing __utma cookie exists. The cookie is updated every time data is sent to Google Analytics. |
__utmt | 10 minutes | Used to throttle request rate. |
__utmb | 30 mins from set/update | Used to determine new sessions/visits. The cookie is created when the JavaScript library executes and no existing __utmb cookie exists. The cookie is updated every time data is sent to Google Analytics. |
__utmc | End of browser session | Not used in ga.js. Set for interoperability with urchin.js. Historically, this cookie operated in conjunction with the __utmb cookie to determine whether the user was in a new session/visit. |
__utmz | 6 months from set/update | Stores the traffic source or campaign that explains how the user reached your site. The cookie is created when the javascript library executes and is updated every time data is sent to Google Analytics. |
__utmv | 2 years from set/update | Used to store visitor-level custom variable data. This cookie is created when a developer uses the _setCustomVar method with a visitor level custom variable. This cookie was also used for the deprecated _setVar method. The cookie is updated every time data is sent to Google Analytics. |
Customization
The following methods can be used to customize how cookies are set:
- _setDomainName - Sets the domain to which all cookies will be set.
- _setCookiePath - Sets the path to which all cookies will be set.
- _setVisitorCookieTimeout - Sets the Google Analytics visitor cookie expiration in milliseconds.
- _setSessionCookieTimeout - Sets the new session cookie timeout in milliseconds.
- _setCampaignCookieTimeout - Sets the campaign cookie expiration time in milliseconds.
- _storeGac - Pass in false to disable the GAC cookie. Defaults to true.
Read the Tracking Multiple Domains guide to learn how to configure ga.js to measure user interaction across domains.
urchin.js - cookie usage
Historically, Google Analytics provided a JavaScript measurement library named urchin.js. When the newer ga.js library launched, developers were encouraged to migrate to the new library. For sites that have not completed the migration, urchin.js sets cookies identically to what is set in ga.js. Read the ga.js cookie usage section above for more details.
Google Analytics for Display Advertisers - cookie usage
For customers that are using Google Analytics' Display Advertiser features, such as remarketing, a third-party DoubleClick cookie is used in addition to the other cookies described in this document for just these features. For more information about this cookie, visit the Google Advertising Privacy FAQ.
Content Experiments - cookie usage
For websites using Google Analytics content experiments, the following cookies are used for these features in addition to the other cookies described in this document:
Cookie Name | Expiration Time | Description |
---|---|---|
__utmx | 18 months | Used to determine a user's inclusion in an experiment. |
__utmxx | 18 months | Used to determine the expiry of experiments a user has been included in. |
Optimize - cookie usage
For websites using Optimize, the following cookies are used in addition to the other cookies described in this document:
Cookie Name | Expiration Time | Description |
---|---|---|
_gaexp | Depends on the length of the experiment, but typically 90 days. | Used to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in. |
_opt_awcid | 24 hours | Used for campaigns mapped to Google Ads Customer IDs. |
_opt_awmid | 24 hours | Used for campaigns mapped to Google Ads Campaign IDs. |
_opt_awgid | 24 hours | Used for campaigns mapped to Google Ads Ad Group IDs. |
_opt_awkid | 24 hours | Used for campaigns mapped to Google Ads Criterion IDs. |
_opt_utmc | 24 hours | Stores the last utm_campaign query parameter. |
Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. Despite their importance, the regulations governing cookies are split between the GDPR and the ePrivacy Directive.
Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser. In and of themselves, cookies are harmless and serve crucial functions for websites. Cookies can also generally be easily viewed and deleted.
However, cookies can store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads. Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR.
Before analyzing what the GDPR and the ePrivacy Directive have to say about cookies, it is essential to have a basic understanding of the different types of cookies.
Types of Cookies
In general, there are three different ways to classify cookies: what purpose they serve, how long they endure, and their provenance.
Duration
- Session cookies – These cookies are temporary and expire once you close your browser (or once your session ends).
- Persistent cookies — This category encompasses all cookies that remain on your hard drive until you erase them or your browser does, depending on the cookie’s expiration date. All persistent cookies have an expiration date written into their code, but their duration can vary. According to the ePrivacy Directive, they should not last longer than 12 months, but in practice, they could remain on your device much longer if you do not take action.
Provenance
- First-party cookies — As the name implies, first-party cookies are put on your device directly by the website you are visiting.
- Third-party cookies — These are the cookies that are placed on your device, not by the website you are visiting, but by a third party like an advertiser or an analytic system.
Purpose
- Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
- Preferences cookies — Also known as “functionality cookies,” these cookies allow a website to remember choices you have made in the past, like what language you prefer, what region you would like weather reports for, or what your user name and password are so you can automatically log in.
- Statistics cookies — Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. None of this information can be used to identify you. It is all aggregated and, therefore, anonymized. Their sole purpose is to improve website functions. This includes cookies from third-party analytics services as long as the cookies are for the exclusive use of the owner of the website visited.
- Marketing cookies — These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.
These are the main ways of classifying cookies, although there are cookies that will not fit neatly into these categories or may qualify for multiple categories. When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies. These cookies can contain significant amounts of information about your online activity, preferences, and location. The chain of responsibility (who can access a cookie’s data) for a third-party cookie can get complicated as well, only heightening their potential for abuse. Perhaps because of this, the use of third-party cookies has been in decline since the passage of the GDPR.
Cookies and the GDPR
The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that has been passed by any governing body to this point. However, throughout its 88 pages, it only mentions cookies directly once, in Recital 30.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
What these two lines are stating is that cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.
Cookies and ePrivacy Directive
Passed in 2002 and amended in 2009, the ePrivacy Directive (EPD) has become known as the “cookie law” since its most notable effect was the proliferation of cookie consent pop-ups after it was passed. It supplements (and in some cases, overrides) the GDPR, addressing crucial aspects about the confidentiality of electronic communications and the tracking of Internet users more broadly.
Cookie compliance
To comply with the regulations governing cookies under the GDPR and the ePrivacy Directive you must:
- Receive users’ consent before you use any cookies except strictly necessary cookies.
- Provide accurate and specific information about the data each cookie tracks and its purpose in plain language before consent is received.
- Document and store consent received from users.
- Allow users to access your service even if they refuse to allow the use of certain cookies.
- Make it as easy for users to withdraw their consent as it was for them to give their consent in the first place.
ePrivacy Regulation
The EPD’s eventual replacement, the ePrivacy Regulation (EPR), will build upon the EPD and expand its definitions. (In the EU, a directive must be incorporated into national law by EU countries, while a regulation becomes legally binding throughout the EU on the date it comes into effect.)
The EPR was supposed to be passed in 2018 at the same time as the GDPR came into force. The EU obviously missed that goal, but there are drafts of the document online, and it is scheduled to be finalized sometime this year even though there is still no date for when it will be implemented. The EPR promises to address browser fingerprinting in ways that are similar to cookies, create more robust protections for metadata, and take into account new methods of communication, like WhatsApp.
The rules regulating cookies are still being set, and cookies themselves are continually evolving, which means maintaining a current cookie policy will be a continuous job. However, properly informing your users about the cookies your site is using and, when necessary, receiving their consent will keep your users happy and keep you GDPR-compliant.