Everything you need to know about cookies as a website owner

As a website owner, you've probably wondered whether you actually need to display a cookie consent banner on your website.

If you're running a simple blog, you might not need a banner at all. But if you're using third-party advertising or tools like Google Analytics, you're likely legally required to ask for consent.

  1. What are cookies?
  2. What kind of cookies are there?
  3. Privacy regulations around cookies (GDPR, ePrivacy)
  4. Cookies and web analytics; cookieless alternatives

What are cookies?

Cookies are small text files that websites store on your device to remember information about you and your browsing session.

They can be used for a variety of purposes, most commonly for web analytics and advertising, which various regulations aim to crack down on. Using cookies for analytics helps such services to track you, as they are able to identify you when you come back to the same website.

But cookies can also be used for other legitimate purposes, like remembering your website preferences, authentication, theme preferences, etc. Provided that these cookies are first-party (set by your website directly), essential for the website to function, and not used for tracking, you don't need to display a cookie consent banner. It's still good practice to at least disclose the use of such cookies in a cookie or privacy policy.

What kind of cookies are there?

Cookies can be classified in three main ways: by their duration, provenance (where they come from), and purpose. Understanding these categories is crucial to determine your legal obligations.

Duration

Session cookies are temporary and disappear once you close your browser or end your session. They're typically used for things like maintaining your login state while browsing a website.

Persistent cookies remain on your device until they expire (based on their programmed expiration date) or until you manually delete them. These can last anywhere from a few days to several years, depending on their purpose.

Provenance

First-party cookies are set directly by the website you're visiting. For example, when you visit example.com, any cookies set by example.com are first-party cookies.

Third-party cookies are placed on your device by external services, not the website you're visiting. These are commonly used by advertising networks, analytics services, or social media widgets embedded on websites.

Purpose

Strictly necessary cookies are essential for basic website functionality. They enable core features like secure login areas, shopping carts, or remembering your privacy preferences. These are typically first-party session cookies, and while you don't need consent for them, you should still explain their use to visitors.

Preferences cookies (also called functionality cookies) remember your choices to enhance your experience. They store settings like your preferred language, region for weather reports, or login credentials for automatic sign-in.

Statistics cookies (or performance cookies) collect anonymous, aggregated data about how visitors use your website - which pages they visit, which links they click, and how they navigate. This data helps improve website functionality. Third-party analytics cookies fall into this category when used exclusively by the website owner.

Marketing cookies track your online activity across websites to deliver targeted advertising or limit ad frequency. These are almost always persistent third-party cookies and can build detailed profiles of your browsing habits and preferences.

Privacy regulations around cookies (GDPR, ePrivacy)

In Europe, cookies are primarily regulated by the General Data Protection Regulation (GDPR) and the ePrivacy Directive. These laws are pretty complicated and in general, when they talk about cookies, they also mean other means of storing data on your device, like local storage.

GDPR and cookies

GDPR mentions cookies directly only once, in Recital 30:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

It means that if cookies are used to identify users, they qualify as personal data and therefore require consent.

ePrivacy Directive

The ePrivacy Directive (EPD) is a more specific regulation that deals with cookies and other means of storing data on your device, as well as email marketing and other privacy-related matters.

The EPD requires that a website inform users and obtain their consent before storing cookies in their browser, except for strictly necessary cookies. This applies to both first-party and third-party cookies.

So unless your cookies are strictly necessary (like for authentication), you need to obtain consent from the user before storing them.
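
The classification and consent rule above can be turned into a small audit of the Set-Cookie headers your pages produce. The following is an added example, not code from the original post: the hosts, cookie names, the PURPOSES map and all function names are constructed for illustration, and first-party detection uses a simplified hostname match.

```javascript
// Purpose cannot be read from a header; the site owner declares it (constructed map).
const PURPOSES = { session_id: "necessary", theme: "preferences", _stats: "statistics", ad_id: "marketing" };

// Split one Set-Cookie header into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Simplification: hostname suffix match; a real audit compares registrable
// domains using the Public Suffix List.
function isFirstParty(pageHost, setterHost) {
  return setterHost === pageHost || setterHost.endsWith("." + pageHost);
}

function classify(pageHost, setterHost, header) {
  const c = parseSetCookie(header);
  const firstParty = isFirstParty(pageHost, setterHost);
  const purpose = PURPOSES[c.name] || "unknown";
  return {
    name: c.name,
    duration: "max-age" in c.attrs || "expires" in c.attrs ? "persistent" : "session",
    provenance: firstParty ? "first-party" : "third-party",
    purpose,
    // Exempt only first-party, strictly necessary cookies; unknown purposes fail closed.
    needsConsent: !(firstParty && purpose === "necessary"),
  };
}

// Constructed observations: [host that set the cookie, Set-Cookie header value].
const OBSERVED = [
  ["example.com", "session_id=abc123; Path=/; HttpOnly; Secure"],
  ["example.com", "theme=dark; Max-Age=31536000; Path=/"],
  ["analytics.example.net", "_stats=u1; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
  ["ads.example.org", "ad_id=xyz; Max-Age=63072000; SameSite=None; Secure"],
  ["example.com", "mystery=1"],
];

function audit(pageHost) {
  return OBSERVED.map(([host, header]) => classify(pageHost, host, header));
}

console.table(audit("example.com"));
```

Any cookie whose purpose the owner has not declared is reported as needing consent, so an undocumented cookie added by a new plugin or script shows up in the audit instead of being silently exempted.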

Cookies and web analytics; cookieless alternatives

Many services like Google Analytics use cookies to track visitors across the websites they're installed on. Because of that, you're legally required to display a cookie consent banner when you use them.

It depends on the audience, but around 30% of internet users reject analytics cookies. That leads to a lot of missing data in your reports, especially if your audience is tech-savvy.

But there are alternative web analytics solutions that don't use cookies at all. One of them is Swetrix. We built our service with privacy and GDPR-compliance as our fundamental principles. We don't use cookies to track visitors, and are an ethical alternative to Google Analytics.

If you're interested, please give us a try 😊