Cookies Guidance
1. What are cookies?
Cookies are small text files stored on devices such as laptops, mobile phones or any other device capable of storing information. When a user visits a web service, such as a website, cookies are downloaded onto their device. These cookies enable the website to identify the user's device and retain details about their preferences or previous activities.
Cookies can, for example, be used to:
- Auto-fill information in forms.
- Remember certain settings (e.g. preferred language).
- Keep users logged in between sessions.
- Make personalised content recommendations.
Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances. For example, a user authentication cookie would involve the processing of personal data, as it is used to enable the user to log in to their account at an online service. Therefore, the processing of cookies is subject to Operational Circular no. 11 “The Processing of Personal Data at CERN” (OC 11).
As such, the aim of these guidelines is to assist website owners and developers in understanding and implementing the use of cookies in light of the requirements of OC 11 as well as international best practices.
2. Characteristics of cookies
Cookies can be differentiated based on their lifespan, origin, and purpose.
Lifespan of cookies
- Session cookies are temporary and expire at the end of a browser session (normally when a user exits their browser). They allow websites to remember and connect a user's activities during a single browsing session. These cookies can be used for various purposes, e.g. keeping track of items in a shopping cart, or remembering language preferences while a user navigates the website.
- Persistent cookies are stored on a user’s device in-between sessions, meaning that they remain on users’ devices even after the web browser is closed. They can allow the preferences or actions of the user across a site (or different websites) to be remembered. These cookies can be used for various purposes, such as storing user settings and choices or targeting advertisements. The duration these cookies stay on users’ devices depends on the website operator's settings. Usually, users can manually delete these cookies or adjust their browser settings to automatically clear them at specified intervals.
Origin of cookies
- First-party cookies are created and used by the website a user is consulting. These are the session and persistent cookies described above that track site navigation, login information, and preferences. They are generally considered safe and useful.
- Third-party cookies: Unlike first-party cookies that originate from the website a user is visiting, third-party cookies come from other domains. These are often advertisers or analytics providers seeking insights about users’ online behaviour across various sites. Other use cases for third-party cookies include:
- Sharing user preference or theme information across multiple sites.
- Collecting analytics across multiple sites.
In general, third-party cookies are persistent.
Purpose of cookies
- Technical cookies — Also known as “strictly necessary or essential cookies”: They allow a user to navigate through a website and use the different options or services that exist in it, and enable its functions and services, e.g. controlling traffic and data communication.
These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user.
- Preferences cookies — Also known as “functionality cookies”: They allow information to be remembered so that the user can access the service with certain characteristics that differentiate their experience from that of other users. It is the user who chooses these characteristics (e.g. by selecting the language of a website).
- Analytics or measurement cookies — Also known as “performance cookies”: They allow the entity responsible for them to monitor and analyse the behaviour of the users of the websites to which they are linked, for example to measure how effective ads are. The information collected through this type of cookie is used to measure the activity of websites, applications or platforms, and to introduce improvements based on the analysis of how users use the service.
- Behavioural advertising cookies — Also known as “marketing cookies”: They store information on the behaviour of users obtained through the continuous observation of their browsing habits, which allows the development of a specific profile to display advertising. These cookies can share the collected information with other organisations or advertisers. These are persistent cookies and almost always of third-party provenance.
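The lifespan and origin distinctions above can be read directly off the Set-Cookie headers a site sends, which is a practical starting point for the cookie inventory that site owners are expected to keep (section 3). The following JavaScript is an added example written for this guidance, not code from CERN or from any cookie-management product: it parses Set-Cookie header values, classifies each cookie as session or persistent (no Max-Age or Expires means session; Max-Age takes precedence over Expires, as in RFC 6265) and as first- or third-party by comparing the cookie's effective domain with the visited page's host. The sample headers, the hostnames (reserved example.org / example.net names) and the plain suffix match used for origin (no public-suffix list) are assumptions of the example.

```javascript
// Added example (not CERN's code): classify cookies seen in HTTP responses
// by lifespan and origin, as a first step towards a cookie inventory.

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Lifespan: neither Max-Age nor Expires -> session cookie; otherwise persistent.
// `now` is injected so the computed duration is deterministic.
function lifespan(cookie, now) {
  const a = cookie.attributes;
  if (a['max-age'] !== undefined) {
    return { kind: 'persistent', days: Math.round(Number(a['max-age']) / 86400) };
  }
  if (a.expires !== undefined) {
    const ms = Date.parse(a.expires) - now.getTime();
    return { kind: 'persistent', days: Math.round(ms / 86400000) };
  }
  return { kind: 'session', days: 0 };
}

// Origin: first-party if the cookie's domain is the page host, a parent of it
// or a subdomain of it. Assumption: simple suffix match, no public-suffix list.
function origin(cookieDomain, pageHost) {
  const h = cookieDomain.toLowerCase();
  const p = pageHost.toLowerCase();
  const related = p === h || p.endsWith('.' + h) || h.endsWith('.' + p);
  return related ? 'first-party' : 'third-party';
}

// Build the inventory rows for a list of {responseHost, header} observations.
function inventory(observed, pageHost, now) {
  return observed.map(({ responseHost, header }) => {
    const cookie = parseSetCookie(header);
    // Effective domain: the Domain attribute (leading dot stripped) or the responding host.
    const domain = (cookie.attributes.domain || responseHost).replace(/^\./, '');
    const life = lifespan(cookie, now);
    return { name: cookie.name, domain, lifespan: life.kind, days: life.days,
             origin: origin(domain, pageHost) };
  });
}

// Constructed sample: three responses observed while visiting https://www.example.org
const SAMPLE = [
  { responseHost: 'www.example.org', header: 'SESSIONID=abc123; Path=/; HttpOnly' },
  { responseHost: 'www.example.org', header: 'lang=fr; Max-Age=31536000; Path=/' },
  { responseHost: 'ads.example.net',
    header: 'uid=42; Domain=.example.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT' },
];
const NOW = new Date('2024-01-01T00:00:00Z');

console.table(inventory(SAMPLE, 'www.example.org', NOW));
```

Run with `node` to print the table; the purpose column (technical, preferences, analytics, marketing) cannot be derived from the header and has to be filled in by the site owner, which is exactly the documentation step the guidance asks for.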
3. What to consider when using cookies
Website owners at CERN should carefully consider the usage of cookies on their websites. This requires first that they know and document what cookies their site uses and the characteristics of those cookies. It is highly recommended to refrain from using third-party cookies for marketing purposes due to their privacy-invasive character.
Web site owners must be transparent about the usage of any cookies on their web site, collect consent for cookies when necessary and use a cookie banner.
A few recommendations when using cookies:
- Recommendation 1: Be transparent to the users
- Recommendation 2: Collect consent for cookies when necessary
Third-party cookies for marketing purposes
Third-party cookies pose privacy concerns because the transactions typically involve unknown third parties and are often conducted without the user’s informed consent. Unless users pay attention to an often-confusing set of options in their browser software, these cookies are created and used without their knowledge. In addition, the information that is gathered may be stored forever.
Moreover, most third-party cookies track users to deliver targeted, behavioural ads without valid user consent. They provide advertisers extensive data about user behaviours, demographics, interests, and more.
Such purposes are not compliant with CERN’s data protection framework. Consequently, the use of third-party cookies for marketing is strongly discouraged.
Consent collection
Users should give their consent to all non-technical cookies being placed or used on their devices. This means that consent must be collected for preferences cookies, analytics or measurement cookies and behavioural advertising cookies.
- Exceptions: Cookies that do not require user consent
Technical cookies do not require the consent of the user. They can be set without prior agreement, upon the loading of the web page. Technical cookies can be differentiated as follows:
- Communication: The cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communication network, such as a load balancing cookie.
- Strictly necessary to provide an ‘information society service’ (e.g. a service over the internet) requested by the user: The cookie is not merely useful but critical; without it, the service cannot function. For example, strictly necessary cookies include those that secure a user's connection when accessing a web page, but also language preference cookies that are used to remember the language selected by a user on a multilingual website (e.g. by clicking on a “flag”).
- Conditions of consent
To be valid, consent must be specific, informed, unambiguous and freely given.
- Specific means that when a website uses different cookies with different purposes, separate consent is collected for every single processing purpose.
- Informed means the website visitor must be informed, in simple and understandable language, of what each cookie will be used for (purpose), how long the cookie will be stored (duration/lifespan), as well as the name of the cookie.
- Unambiguous means that consent is opt-in and not opt-out, so that there is no misunderstanding that the website visitor has consented to the cookie storage. In practice this implies that pre-checked cookie consent boxes do not count as valid consent and any consent management system used should not have any options pre-selected or turned on by default.
- Freely given means access to the website and its functionalities must not be made conditional on the consent of a visitor to the storing of information or the gaining of access to information already stored on their end device.
In addition, for consent to be valid, it should be as easy to withdraw as it is to give it, without using any manipulative tactics or dark patterns to influence the decision of the website visitor.
Website owners should ensure not to restrict access to other website features except the ones for which the user has denied consent.
- How often should consent be collected?
Consent should be collected the first time a user accesses the web service, and there may be scenarios where users need to reaffirm their consent for cookie setting. Several factors, such as the frequency of visits, the expiration of certain cookies or updates of content or functionality, will play a role. For instance, “fresh” consent is required when non-technical cookies from a new third-party provider are introduced, because the original consent covers only the third parties initially specified.
In any case, it is generally recommended that user consent for specific cookies remain valid for no more than 24 months. During this period, user preferences should be retained to avoid repetitive consent requests with each visit to the relevant page.
Information about cookies
Personal data must be processed in a transparent manner, and data subjects have the right to information regarding data privacy protection at CERN. As cookies can be considered personal data, relevant information must be provided to users when these technologies are used. For example, the purposes for which the cookies are used, information about any third parties that might process information stored on or accessed from the user's device, and the lifespan of the cookies.
Based on these requirements, every website must inform users about its use of cookies, regardless of the characteristics of the cookies.
In practice, it is common to ensure that information about cookies is prominently displayed to users upon their first visit to a web service, typically through a cookie banner. The cookie banner can display directly the aforementioned details or provide a link to a privacy notice that documents the processing of personal data through cookies.
4. Cookie banner
A cookie banner is a pop-up that appears when users visit a website for the first time, informing them about the use of cookies, asking for their consent, or both. Therefore, a cookie banner shall have functionalities to allow the user of a website to:
- Give or withdraw consent for the use of non-technical cookies,
- Consult their active consent preferences, and
- Obtain information about the cookies used by the website.
A layered approach is recommended to present and collect consent for cookies by giving users options:
- to accept or reject all non-technical cookies, for instance by displaying buttons to “Accept All Cookies” or “Deny All Cookies”, and
- for a more granular choice, by accepting or refusing cookies depending on their purpose (technical, preference, analytics, marketing). It can be achieved via a “settings/customise/preference” button or link on the cookie banner.
Using “dark patterns” to nudge users into giving consent does not constitute valid consent. Users must have full control to accept, decline or change cookie settings on the banner with one single click. It must be easy for users to distinguish between a ‘yes’ and a ‘no’ to cookies. In practical terms, this means that alongside an “Accept All Cookies” button on the cookie banner, there should always be a comparable “Deny All Cookies” or “Accept Only Necessary” button. These buttons should be identical in size, colour, and font to ensure fairness and clarity in user choice. The toggles for all cookies (except technical cookies) must be switched off by default; pre-ticked boxes or ‘on’ toggles/sliders are not compliant!
The processing of non-technical cookies can only start after the user has provided consent. Closing the banner or scrolling the site without responding to the banner does not imply user consent.
In scenarios where only technical cookies are used, the cookie banner should not request consent, but should nonetheless inform users about the use of these technical cookies.
The cookie banner should automatically appear upon the first visit of a web site, and afterwards remain easily accessible, ideally through a link in the footer of the website.
The cookie choice of the user should be recorded, together with the time stamp of the decision, and be transparently available to the user, for instance by displaying the choice in the cookie banner, so that any withdrawal of consent is facilitated.
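The banner rules in this section (non-technical toggles off by default, no consent from closing or scrolling, a recorded choice with a timestamp that stays visible to the user, withdrawal as easy as giving consent, and the 24-month validity recommended earlier) translate into a small piece of consent-state logic. The following JavaScript is an added example written for this guidance, not the code of CERN, Zenodo or any consent-management product. It keeps the consent record in an injected plain object so it runs outside a browser; a real banner would persist the same record in a first-party cookie or localStorage and would drive the buttons and toggles from it. The category names, the function names and the choice of 24 calendar months as the validity period are assumptions of the example.

```javascript
// Added example (not CERN's or Zenodo's code): consent record and gating logic
// matching the cookie-banner requirements of this guidance.

const CATEGORIES = ['technical', 'preferences', 'analytics', 'marketing'];
const VALIDITY_MONTHS = 24; // assumption: the recommended maximum consent validity

// Default state of the toggles: technical cookies always on, everything else off.
function defaultChoices() {
  const c = {};
  for (const cat of CATEGORIES) c[cat] = cat === 'technical';
  return c;
}

// Record an explicit decision. Unspecified categories stay off; technical is
// forced on since it never needs consent. `now` is injected for determinism.
function recordDecision(store, choices, now) {
  const record = { choices: defaultChoices(), timestamp: now.toISOString() };
  for (const cat of CATEGORIES) {
    if (cat !== 'technical' && choices[cat] === true) record.choices[cat] = true;
  }
  store.consent = record;
  return record;
}

// The two one-click buttons that must sit side by side on the banner.
function acceptAll(store, now) {
  const all = {};
  for (const cat of CATEGORIES) all[cat] = true;
  return recordDecision(store, all, now);
}
function denyAll(store, now) {
  return recordDecision(store, {}, now);
}

// Closing the banner or scrolling the page is NOT a decision: nothing is stored.
function dismissBanner(store) {
  return store.consent || null;
}

// Consent expires VALIDITY_MONTHS calendar months after it was given.
function expiryOf(record) {
  const d = new Date(record.timestamp);
  d.setUTCMonth(d.getUTCMonth() + VALIDITY_MONTHS);
  return d;
}
function isConsentValid(record, now) {
  return !!record && now.getTime() < expiryOf(record).getTime();
}

// Gate used before loading a script or setting a cookie of a given category.
function mayLoad(store, category, now) {
  if (category === 'technical') return true;
  return isConsentValid(store.consent, now) && store.consent.choices[category] === true;
}

// Withdrawal of one category: a single call, re-stamped, no extra friction.
function withdraw(store, category, now) {
  const current = store.consent ? store.consent.choices : defaultChoices();
  const next = { ...current, [category]: false };
  return recordDecision(store, next, now);
}

// What the UI should show: the banner when no valid consent exists, otherwise
// only the footer link, together with the recorded choices and timestamp.
function bannerState(store, now) {
  if (!isConsentValid(store.consent, now)) return { show: 'banner', choices: defaultChoices() };
  return { show: 'footer-link', choices: store.consent.choices, since: store.consent.timestamp };
}

// Constructed walk-through of a first visit.
const store = {};
const firstVisit = new Date('2024-01-15T10:00:00Z');
console.log(bannerState(store, firstVisit).show);            // banner
dismissBanner(store);                                        // still no consent
console.log(mayLoad(store, 'analytics', firstVisit));        // false
recordDecision(store, { analytics: true }, firstVisit);      // granular choice
console.log(mayLoad(store, 'analytics', firstVisit));        // true
console.log(mayLoad(store, 'marketing', firstVisit));        // false
```

The important property is that `mayLoad` is the only path by which a non-technical cookie or tag gets loaded, so the "nothing before consent" rule holds by construction rather than by convention, and the stored record is exactly what the banner displays back to the user when they reopen it from the footer.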
A few recommendations for cookie banners:
- Recommendation 1: Present a cookie banner
- Recommendation 2: Make withdrawing consent as easy as it was to give it
5. Example
A nice example of a compliant cookie banner and the information provided about the relevant cookies can be found on the Zenodo website.