Right on time for the end of the year - our new Cookies Report is here. Get insights into your website’s first-party and third-party cookies and all the important information that goes with them.
A few weeks ago was Black Friday. Did you hunt for bargains searching for the best deal? While browsing a website, placing items in your shopping cart, opening multiple tabs to compare your options…
Did you recognize that your cart items were visible in every new tab of the same website you opened? Did the website suggest other items you could also like based on things you previously viewed or placed in your shopping cart? This is all possible due to cookies that websites use to keep track of your online activities.
Cookies are small pieces of data used by web servers to save browsing information on your device, that enables websites and third parties to store user preferences (e.g. when you change the currency in a webshop) or track a user’s online behavior.
Cookies can be divided into first- and third-party cookies as well as temporary (session) and persistent cookies.
First-party cookies are typically created by the website you are browsing to provide a better user experience. This also includes the example of enabling an automatically updating shopping cart in every tab you open.
Third-party cookies, by contrast, originate from any domain other than that of the website you’re browsing. These cookies are most commonly used for marketing or advertising purposes, as well as for website services such as live chats, pop-ups or buttons linking to social media platforms.
Temporary cookies, so-called session cookies, “forget” all your data and are removed from your device the moment you close your browser or the session expires. One of the most common use cases for temporary cookies is the shopping cart: all your cart items are kept for the duration of a session, even if you open new windows.
Persistent cookies, on the other hand, are “physically” stored on your device in a local database for an extended period of time, even after you close your browser. This helps websites to identify your browser on your next visit to provide login information, remember user settings (e.g. language or currency) or show ads across different websites (retargeting).
And this is where compliance comes into play. According to legislation in most European countries, such as § 25 TTDSG in Germany (“Protection of privacy in terminal equipment”), storing information on an end-user's terminal equipment (your computer or smartphone), or accessing information previously stored there, is only permitted if the end-user has consented on the basis of clear and comprehensive information. However, this does not apply if the cookie is technically required to provide the service. Moreover, cookies stored on a device have to expire; otherwise they might violate compliance laws, since they don’t adhere to data-processing principles such as data minimisation and storage limitation.
As with any compliance-related topic, cookies can quickly become overwhelming.
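To make the classification above concrete, here is a small audit script (an added example, not part of Ryte's Cookies Report or its code) that takes the kind of data a crawler records for a page, the responding host and its `Set-Cookie` header, and sorts each cookie into first-/third-party and session/persistent, flagging third-party cookies and unusually long lifetimes. The page URL, hosts, cookie names and the one-year review threshold are all constructed assumptions for the example; the two-label "registrable domain" heuristic stands in for a real Public Suffix List lookup.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample of what a crawler would record for one page: the page URL,
# the host whose response carried the Set-Cookie header, and the header itself.
# Hosts and cookie names are made up for this example.
SAMPLE_CRAWL = [
    ("https://shop.example/products/42", "shop.example",
     "cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example/products/42", "shop.example",
     "lang=de; Path=/; Max-Age=2592000; SameSite=Lax"),
    ("https://shop.example/products/42", "widgets.social-example.net",
     "tracker=xyz; Domain=.social-example.net; Path=/; "
     "Expires=Wed, 15 Dec 2032 00:00:00 GMT; Secure; SameSite=None"),
]

# Assumption: fixed "now" for the audit run so results are reproducible.
NOW = datetime(2022, 12, 15, tzinfo=timezone.utc)
# Assumption: a review threshold for "long" lifetimes, not a limit set by any law.
MAX_LIFETIME = timedelta(days=365)


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flag -> True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def registrable_domain(host):
    """Assumption: two-label heuristic instead of the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def cookie_domain(cookie, responding_host):
    """The Domain attribute if present, otherwise the host that set the cookie."""
    dom = cookie["attrs"].get("domain")
    if not isinstance(dom, str) or not dom:
        dom = responding_host
    return dom.lower().lstrip(".")


def is_third_party(page_url, domain):
    """Third-party if the cookie's site differs from the site of the page being crawled."""
    return registrable_domain(urlsplit(page_url).hostname) != registrable_domain(domain)


def lifetime(cookie, now):
    """None for a session cookie, else time until expiry (Max-Age wins over Expires)."""
    attrs = cookie["attrs"]
    if isinstance(attrs.get("max-age"), str):
        return timedelta(seconds=int(attrs["max-age"]))
    if isinstance(attrs.get("expires"), str):
        return parsedate_to_datetime(attrs["expires"]) - now
    return None


def audit(crawl, now):
    """Classify every recorded cookie and attach review flags."""
    findings = []
    for page_url, host, header in crawl:
        cookie = parse_set_cookie(header)
        domain = cookie_domain(cookie, host)
        life = lifetime(cookie, now)
        finding = {
            "name": cookie["name"],
            "domain": domain,
            "party": "third" if is_third_party(page_url, domain) else "first",
            "kind": "session" if life is None else "persistent",
            "expires_in_days": None if life is None else round(life.total_seconds() / 86400),
            "flags": [],
        }
        if finding["party"] == "third":
            finding["flags"].append("third-party: must not be set before consent")
        if life is not None and life > MAX_LIFETIME:
            finding["flags"].append("long expiry: check against storage limitation")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CRAWL, NOW):
        print(finding)
```

Run as-is, the script reports `cart` as a first-party session cookie, `lang` as a first-party persistent cookie (30 days) and `tracker` as a third-party persistent cookie set for ten years, which is exactly the kind of entry the text says to review first.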
But don’t worry, yet again we are right by your side to support you with our new Cookies Report.
With the Ryte Cookies Report you gain more transparency by discovering all detected cookies that might potentially violate GDPR or federal laws in a central report.
To receive results in the new Cookies Report, you first have to start a new crawl. Ryte then analyzes your whole website (including all subpages) and shows all detected cookies and all important related information (e.g. cookie domain, cookie expiration, etc.) transparently in a central report.
Our new Cookies Report lets you filter by cookie domain and highlights third-party cookies. Since these carry the highest risk of violating compliance laws, you should check them first.
At one glance, you can view Name, Cookie Domain, Path, SameSite, HttpOnly, Secure, Expiration and Pages.
Let’s take a closer look at some of the cookie attributes:
Cookie Domain: The cookie domain describes the domain to which the cookie and its value can be sent. As an example, when you’re browsing a product page and add a product to your shopping cart, a first-party cookie is stored for that particular shop, so the cookie domain is the website you’re browsing. If a social media element such as a Facebook thumbs-up button is embedded on this website, that integration could set a third-party cookie. In this case, the cookie domain would be Facebook.
Expiration: The expiration column shows the time period after which the cookie is automatically deleted from your local device, e.g. 30 days.
Cookie Path: The cookie's path restricts the cookie and its value to being sent only with requests for URLs “within” that path (e.g. a directory).
HttpOnly: A cookie’s HttpOnly attribute makes cookies inaccessible to client-side scripts, e.g. JavaScript. This security attribute is usually attached to cookies containing sensitive user information or that are sent to third parties.
SameSite: The SameSite attribute prevents cookies from being automatically sent by the browser during cross-site requests (from one site to another) and thus keeps confidential data (e.g. a bank account login) from being leaked. An example is cross-site request forgery, where an attacker tries to obtain sensitive data such as your bank account login while making you think you’re actually logging in on your bank’s website. In this case, the attacker takes advantage of the fact that web browsers generally send the cookies stored for a domain with every request made to that domain.
The SameSite attribute can have three different values:
Strict: With a strict SameSite attribute, no cookies are sent during a cross-site request. Cookies are only sent when you stay on the same site, e.g. when you move from one product page of a website to another product page of the same website; they are not sent when you arrive on the website from a different site. As an example: you’re on Twitter and see a shared blog article. A strict SameSite attribute would only send cookies from blog to blog, but not from Twitter to the blog.
Lax: With a lax SameSite attribute, cookies are only sent during requests from your own website (first-party requests) or when navigating from another website to yours. The example is the same as above: you’re on Twitter and see a shared blog article, but in the lax case the cookies are sent as soon as you click the link.
None: With SameSite=None, cookies are always sent during cross-site requests, regardless of the website you navigate to and where you are coming from.
Good to know: If the SameSite attribute is absent (not set), your browser treats cross-site requests as if Lax had been set. This default was introduced for security reasons in the last few years; originally an absent SameSite attribute behaved as if it were set to None.
Secure: A cookie’s Secure attribute prevents cookies from being observed by unauthorized parties: a cookie with the Secure attribute is only sent over an encrypted connection (HTTPS). This protects against a classic man-in-the-middle attack such as a manipulated Wi-Fi hotspot. In the offline world, a suitable analogy would be a mailman who reads your letters to a friend and manipulates them, and later does the same to your friend’s reply.
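The SameSite, Secure and HttpOnly rules above can be checked against a small decision model. The following script is an added example (not Ryte's code and not a browser implementation) that encodes those rules as they are described in this article plus the current browser default of treating an absent SameSite as Lax, and runs the Twitter-to-blog scenarios from the text through them. The scenario names, cookie dictionaries and the simplification that only GET/HEAD navigations count as "safe" for Lax are assumptions of the example.

```python
SAFE_METHODS = ("GET", "HEAD")


def samesite_policy(cookie):
    """Effective SameSite value; absent or unknown values are treated as Lax (current default)."""
    value = str(cookie.get("samesite", "")).lower()
    return value if value in ("strict", "lax", "none") else "lax"


def browser_sends_cookie(cookie, same_site, top_level_navigation=False, https=True, method="GET"):
    """Would a browser attach this cookie to a request made in the given context?

    cookie: dict of lower-cased attributes, e.g. {"samesite": "Lax", "secure": True}.
    same_site: the request goes to the same site as the page that triggers it.
    top_level_navigation: the user follows a link or submits a form (the address bar
        changes), as opposed to an image, iframe or fetch embedded in another site's page.
    """
    if cookie.get("secure") and not https:
        return False                      # Secure: never over plain HTTP
    policy = samesite_policy(cookie)
    if policy == "none":
        # Browsers reject SameSite=None cookies that are not also Secure,
        # so such a cookie is in effect never sent either.
        return bool(cookie.get("secure"))
    if same_site:
        return True                       # Strict and Lax both allow same-site requests
    if policy == "strict":
        return False                      # Strict: nothing cross-site, not even a clicked link
    return top_level_navigation and method.upper() in SAFE_METHODS  # Lax


def script_can_read(cookie):
    """HttpOnly hides the cookie from document.cookie and other client-side script access."""
    return not cookie.get("httponly")


# Constructed scenarios from the text; the request is always directed at the blog.
SCENARIOS = {
    "blog page -> blog page": dict(same_site=True),
    "click link on twitter -> blog": dict(same_site=False, top_level_navigation=True),
    "blog image embedded in a twitter page": dict(same_site=False, top_level_navigation=False),
    "form on another site POSTs to blog": dict(same_site=False, top_level_navigation=True,
                                               method="POST"),
}


def simulate(cookie):
    """Map each scenario to whether the cookie would accompany the request."""
    return {name: browser_sends_cookie(cookie, **ctx) for name, ctx in SCENARIOS.items()}


if __name__ == "__main__":
    examples = [
        ("Strict", {"samesite": "Strict", "secure": True, "httponly": True}),
        ("Lax", {"samesite": "Lax", "secure": True}),
        ("absent (defaults to Lax)", {"secure": True}),
        ("None", {"samesite": "None", "secure": True}),
    ]
    for label, cookie in examples:
        print(label, simulate(cookie), "script access:", script_can_read(cookie))
```

The output makes the difference between Strict and Lax visible in one line each: only Lax (or an absent attribute) lets the cookie travel with the clicked Twitter link, neither lets it travel with an embedded image or a cross-site form POST, and None sends it everywhere, which is why None is the value to scrutinise on third-party cookies.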
Pages: The pages column indicates on how many pages this cookie has been detected.
When opening the drop-down menu (in this case for a language cookie) you can see the URL and the cookie value (here: a language identifier). This helps you determine where the cookie is set so that you can, if necessary, configure your consent management platform so the cookie is not dropped before user consent.
When crawling your website, our crawler does not click on your cookie banner and thus does not actively give consent to any form of information storage. Since our crawler can’t detect whether a cookie is technically necessary or not, first-party cookies found by our crawler in particular should be checked by a legal expert to ensure that they are legitimate under compliance laws (like § 25 TTDSG in Germany). Third-party cookies that are dropped before user consent almost always violate compliance laws. After reviewing the detected cookies, you should integrate them into your consent management platform and ensure they are only set if your users give consent. Additionally, verify that your website visitors are informed about the stored information in a transparent and compliant manner.
Cookies are our constant companions when browsing the virtual world. Some make our lives (and shopping) easier, others follow us even after we close the browser. As a website owner, it's essential for you to know which cookies are on your website and make sure they don't start tracking until a visitor has given their explicit consent.
Published on Dec 15, 2022 by Stefanie Kirschner