Last updated on 01 July 2022 by Stephen Titcombe (Legal writer at TermsFeed)
Have you ever wondered how websites recall the contents of your online shopping cart or remember your sign-in information or just give off a more personal feel? Look no further than cookies.
These small packets of data have taken the internet by storm and are currently the most common method of identifying users online and providing a personalized browsing experience.
As a website owner, it's imperative you let your users know what categories of cookies you use, why you need them and how users can control their cookie preferences.
With that said, an important category gradually gaining recognition by websites when presenting cookie information is social media cookies. If you have social media networks integrated into your website, chances are you'll be using social media cookies and therefore need to address them in your policies.
Cookies (aka "internet cookies," "web cookies," "HTTP cookies," etc.) are tiny data files placed on a user's internet device by web browsers when visiting a website. They are primarily used to identify users, observe their browsing activities, and remember certain information about them, like their usernames, passwords, shopping cart inventory, and so on.
Cookies are also used to carry out more complex tasks such as:
Since their invention in 1994 by Netscape engineer Lou Montulli, cookies have virtually penetrated every corner of the internet, helping websites function more efficiently as well as better understand and serve their users.
In matters of personal security, cookies aren't inherently harmful (contrary to common misconceptions). They can, however, present a threat to users' privacy in the sense that users may be tracked without their consent or approval.
As of now, it is effectively illegal for websites under their scope to implement certain cookies without the consent of users.
Now that we have a basic understanding of cookies and their general functions, let's look at some common cookie categories and their uses.
Cookies used by most websites typically fall into (at least) one of the following categories:
As a website owner, you need to understand each cookie category and how they work in order to stay compliant with applicable laws. Let's examine each one in turn and see their functions.
First-party cookies are placed directly on a user's device by the website and are primarily designed to enhance general website functionality.
These cookies allow website owners to obtain information for analytical purposes and help improve the overall browsing experience.
Third-party cookies are a little different. Unlike first-party cookies, third-party cookies are placed on a user's device by external platforms integrated into a website. Common examples are cookies set by ad platforms, live chats, payment gateways, and so on.
That said, third-party cookies are currently experiencing a decline in popularity as they pose a more significant data security risk to individual privacy. As a result, leading companies like Google no longer support them.
Session cookies (aka temporary or transient cookies) exist only as long as a user is active on a website. They allow users to browse websites without repeatedly filling out the same information every time they switch web pages.
Session cookies are activated when users launch a website and expire when they leave the website or close their browser window.
Persistent cookies, on the other hand, are primarily designed to help websites remember a user's settings, preferences, and previously provided information in order to deliver a faster and more convenient browsing experience.
These cookies remain on a user's hard drive (even after closing the browser) until they expire or are manually deleted. Persistent cookies are also known as permanent cookies or stored cookies.
Strictly necessary cookies (also known as essential cookies) are simply cookies that must be present for your website to carry out its primary functions. These cookies are required for users to access core features of the website, including the ability to log in, add items to their shopping basket in an ecommerce store, or pay for products.
It's important to note that strictly necessary cookies are the only cookie category that does not require user consent before being implemented.
Another important cookie category used by virtually all websites is functionality cookies (aka preference cookies). Although these cookies are not essential for websites to carry out their basic functions, they are needed to remember choices made by users in the past.
Examples include the following:
Here's how EY employs functionality cookies to help enhance its users' browsing experience:
Performance cookies are also known as analytical or statistics cookies. Their sole purpose is to monitor and help improve a website's performance by collecting anonymized information about how visitors use the website.
To put this in context, performance cookies can be used to find out:
They are typically provided by third-party analytics platforms (e.g., Google Analytics), and are for the exclusive use of the website owner.
Targeting and advertising cookies (also called marketing cookies) are generally third-party cookies specifically designed to collect information about the browsing habits of website visitors.
This information is subsequently used to build individual profiles of users' interests to provide them with the best-suited advertisements based on topics that interest them.
Here's a good example from Snap showing how it and third-party advertising partners use marketing cookies:
While these are the main ways of categorizing cookies, note that some cookies may not fit neatly into these categories or may qualify for multiple categories. For example, advertising cookies are usually a mix of third-party cookies and persistent cookies.
Now that we're clear on what cookies are and how you can classify them, let's talk about social media cookies, examining what they are, why they are needed, and how to present them in relevant sections of your website.
Social media cookies are a newly-introduced category of cookies set by third-party social media platforms that have been integrated into a website. For example, cookies from social networking sites like Twitter, Facebook, Instagram, and LinkedIn can be classified as social media cookies.
To further clarify, a cookie placed on your website by YouTube to measure the views of an embedded video is a social media cookie.
With the proliferation of social media, virtually all websites incorporate social networking platforms to provide additional services and features to their users.
These features typically include the ability to:
Social networking platforms, in turn, place cookies on the devices of site visitors to track their online activities and present them with digital content that may be of interest to them.
As a result, social media cookies are closely related to (and sometimes classified under) targeting and advertising cookies since they perform similar functions. Perhaps, the only significant difference between them is that social media cookies are set exclusively by social networking platforms.
Here's a more comprehensive description by the global safety organization UL:
Note how UL disclaims all liabilities by referring its users to the Privacy/Cookies Policy of its integrated social networking sites.
Here's a similar description by the European Union Agency for Cybersecurity, ENISA:
Social media cookies generally become active and collect information when users:
As a website owner, you need to provide clear and explicit information about what type of cookies you use (including social media cookies), why you need them, and how users can control their preferences.
Not only is this legally required by cookie regulations like the EU Cookies Directive, but your users will appreciate a clear and comprehensive explanation of your cookie practices.
Moreover, being upfront about cookie information is a simple way to show your users that you take their privacy seriously, and will play a huge role in promoting transparency and building credibility for your website.
That said, let's briefly look at key places to display social media cookies.
On a final note, social media cookies (much like targeting and advertising cookies) should be implemented only after getting clear, affirmative consent from users. This can be done by presenting a cookie banner upon a user's first visit to your website.
Note how Rise explains cookie information using simple, plain language and disclaims all liabilities where third-party social media cookies are concerned. This is good practice and can help you avoid legal issues.
Here's another brief but succinct example from Planable that details its use of social media cookies, the third-parties responsible, and how users can opt out:
As the name implies, a privacy or cookie preference center is a page on a website where users can choose which cookies they wish to allow or decline.
A preference center typically lists the categories of cookies used on a website, briefly explains their purposes, and provides a switch/button to enable or disable certain cookie categories.
If your website uses social media cookies, you need to include them in your privacy preference center and give users the ability to opt out.
You should also explain the effect of rejecting social media cookies so users can make an informed decision.
For example, here's how Akamai Technologies complies with these requirements:
Here's another example from the travel guide company Lonely Planet:
Lonely Planet takes it a step further and lets its users choose which individual social media cookie to allow and decline. This is a convenient feature that, while not essential, lets users make more informed choices.
Social media cookies are steadily gaining recognition as websites have begun distinguishing them from targeting and advertising cookies.
As a website owner, keeping your Cookies Policy constantly updated by including all relevant cookie categories is a legal responsibility and shows users you care about their privacy.
Here's a quick recap of the most important things to note when implementing social media cookies:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022