Privacy & Cookies

Cookies

A cookie is created at the request of the website which a user is viewing. The website asks the web browser to create a small text file containing a small amount of information, which it can access whilst you are viewing the website. The information is usually there to provide certain functionality that enhances your experience on the site.

The information saved in a cookie includes the name of the cookie and a value (which can be a numeric or text value). Other information includes the website domain the cookie is for, the path or page on the website (if not specified then the cookie is for all pages on the domain), the cookie expiry date and time, whether the cookie is HTTP only (i.e. cannot be accessed by JavaScript) and finally whether the cookie is a secure cookie.

Cookie security and privacy

Security

Cookies are small text files stored on your computer, and therefore cannot be used to infect your computer with a virus or allow malicious code to run on your computer. Cookies are not deemed dangerous; however, there may be concerns over privacy.

Privacy Concerns

Cookies cannot access any other information on your computer, so the privacy concerns relate solely to tracking of websites that you browse.

UK Regulations and Cookies

(As at November 2017)

Recently all EU countries introduced new rules surrounding the use of cookies on websites; this was an amended E-Privacy Directive of 2009. Each EU country was then required to amend its laws accordingly.

The UK introduced the amendments on 25 May 2011 through The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The relevant section is below:

6. - (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Cookie Uses and Applications

Cookies are used on websites to provide enhanced functionality or improve the user's experience.

Examples of website cookie use include:

  1. Online web stores, which can record items in your shopping cart whilst you are browsing the store. We don't do that on our website though. Our online store does not capture your purchase preferences. PayPal (and other 3rd party websites) may well use cookies to store your information.
  2. Websites which can display different content based on whether you have visited the site before. An example of this is that many sites show a cookie warning on first visit to the website. These warnings may be repeated several days or weeks later to ensure your choices are still valid.
  3. Ability for a website to save any preferences set by you so that next time those settings don't need to be set again. Some examples might be storing your name or email address so it is shown to you next time you visit on the same computer.
  4. Tracking your browsing habits. An example is an online store might suggest more useful additional items to buy, based on the previously visited pages.
  5. Websites which require you to log in; these allow you to avoid having to enter your user name and password every time you visit the site (or view different pages on a site).

Types of Cookie

Session cookie

A session cookie only exists whilst the user is reading or navigating the website. When the user closes their web browser these cookies are generally removed.

Persistent cookie

A persistent cookie for a website exists on a user's computer until a future date. For example the cookie expiry date could be set as 1 year, and each time the website is accessed over this period, the website could access the cookie.

HttpOnly cookie

An HttpOnly cookie can only be used via HTTP or HTTPS, and therefore cannot be accessed by JavaScript. This reduces the threat of session cookie theft via cross-site scripting (XSS).

Secure cookie

A secure cookie can only be used via HTTPS. This ensures the cookie data is encrypted in transit, reducing the exposure to cookie theft via eavesdropping.

Third-party cookie

First-party cookies are cookies set with the same domain (or its subdomain) as your browser's address bar. Third-party cookies are cookies set with domains different from the one shown on the address bar. The web pages on the first domain may feature content from a third-party domain, e.g. an advert run by another website. Privacy setting options in most modern browsers allow you to block third-party tracking cookies.
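
The session, persistent, HttpOnly and Secure distinctions above can all be read from the Set-Cookie response header a website sends. The following is an added example, not code from this website: it parses that header into the fields listed earlier and reports which protections are missing. The function names and the sample headers are constructed for illustration.

```javascript
// Added example (not from the original page): parse one Set-Cookie header
// value into the fields described above. `now` is passed in for repeatability.
function parseSetCookie(header, now = new Date()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("expected name=value before the first ';'");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: null, path: null, expires: null, httpOnly: false, secure: false };
  let expires = null, maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "max-age" && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === "expires") {
      const d = new Date(val);
      if (!Number.isNaN(d.getTime())) expires = d; // unparseable dates are ignored
    }
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  cookie.expires = maxAge !== null ? new Date(now.getTime() + maxAge * 1000) : expires;
  return cookie;
}

// Classify the cookie type and list the protections it lacks.
function auditCookie(cookie, now = new Date()) {
  const findings = [];
  if (!cookie.httpOnly) findings.push("readable by page JavaScript (no HttpOnly)");
  if (!cookie.secure) findings.push("may be sent over unencrypted HTTP (no Secure)");
  const type = cookie.expires === null ? "session"
    : cookie.expires <= now ? "expired" : "persistent";
  return { name: cookie.name, type, findings };
}

// Constructed sample headers; example.test is a placeholder domain.
const SAMPLE_NOW = new Date("2024-01-01T00:00:00Z");
const SAMPLES = [
  "sid=abc123; Path=/; HttpOnly; Secure",
  "prefs=lang%3Den; Domain=.example.test; Max-Age=31536000",
  "old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure",
];
function auditSamples() {
  return SAMPLES.map((h) => auditCookie(parseSetCookie(h, SAMPLE_NOW), SAMPLE_NOW));
}
console.log(auditSamples());
```

A cookie whose expiry lies in the past is reported as expired, because a browser removes it rather than storing it.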