Cookies work by identifying users by their specific devices. When a user interacts with a website for the first time from a computer or smartphone, a small amount of data is created based on the user’s activity and labeled with an ID unique to the individual device. When the user returns to the website, the ID is recognized, enabling the website to present information specific to the user’s account or preferences wherever necessary. Some cookies are stored in random access memory (RAM), and are deleted automatically after a browsing session (session cookies), while others live on the hard drive of the actual device, and remain there indefinitely for authentication and tracking purposes (persistent cookies). Cookies simply allow a website to communicate with its users in increasingly efficient and familiar ways, such as remembering usernames and/or passwords, saving the contents of shopping carts, and establishing individual preferences. In this way, cookies provide a number of benefits to both users and web developers, and have become a nearly indispensable component of the modern internet.
Although cookies are simple text files, and do not themselves contain any nefarious elements such as viruses or malware, they can become problematic if the data is in any way compromised or accessed by a malicious third party. In the worst cases, hackers can gain access to a user’s browser history and potentially their login information. This is one of the primary reasons web developers have an obligation to inform their users as to what cookies are being downloaded during a browsing session, and for what specific purposes. In reference to the PECR, the Information Commissioner’s Office maintains that web developers “must explain the way the cookies work and what [they] use them for, and the explanation must be clear and easily available.” Further, they must obtain the user’s consent before storing cookies on a device, and should be able to demonstrate that consent has been “freely given, specific and informed.”
Users should be reminded that, for the most part, accepting cookies from a website is entirely optional. Provided that the PECR guidelines are followed, enough information will be given to the user to make an informed decision as to what cookies to allow, reject, or delete. (As a general rule, users should be wary of third-party cookies, or cookies that do not originate from the website being visited.) While many cookies are essential to the functionality of a website, this is not always the case, and it is otherwise common for a user to ultimately value privacy over expediency when browsing the web.
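As an added illustration (not part of the original article), the Python sketch below sorts the cookies observed during one visit into the categories described above: session or persistent, and first-party or third-party. The site name, hosts and Set-Cookie values are constructed samples, and the function names classify and inventory are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample data: the site visited, a fixed clock, and
# (host that sent the response, Set-Cookie value) pairs seen during the visit.
SITE = "shop.example"
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
OBSERVED = [
    ("shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("ads.tracker.example",
     "uid=778899; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=tracker.example"),
    ("shop.example", "old=x; Max-Age=0"),
]

def classify(site, sender_host, set_cookie, now):
    """Classify one Set-Cookie value (hypothetical helper)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        raise ValueError(f"unparseable Set-Cookie: {set_cookie!r}")
    name, morsel = next(iter(jar.items()))
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    expiry = None
    if morsel["max-age"]:
        expiry = now.timestamp() + int(morsel["max-age"])
    elif morsel["expires"]:
        expiry = parsedate_to_datetime(morsel["expires"]).timestamp()
    if expiry is None:
        lifetime = "session"      # no expiry: gone when the browser session ends
    elif expiry <= now.timestamp():
        lifetime = "deleted"      # expiry not in the future: browser removes it
    else:
        lifetime = "persistent"   # kept on disk until the expiry date
    # Simplification: browsers compare registrable domains (Public Suffix List).
    first_party = sender_host == site or sender_host.endswith("." + site)
    days = round((expiry - now.timestamp()) / 86400) if lifetime == "persistent" else None
    return {"name": name, "lifetime": lifetime, "days": days,
            "party": "first" if first_party else "third"}

def inventory(site, observed, now):
    """Build the cookie list a consent notice would need to describe."""
    return [classify(site, host, header, now) for host, header in observed]

if __name__ == "__main__":
    for row in inventory(SITE, OBSERVED, NOW):
        print(row)
```

An inventory of this kind gives a developer the facts a cookie notice has to state: which cookies are set, by whom, and for how long they stay on the device.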
Information Commissioner’s Office - https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/#cookie ; https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/