
In short, it is not required. You do not have to list cookies (tracking or otherwise) in your consent banner or your privacy policy.
What’s more, it is often technically impossible to do so.
So, why do so many people think it’s necessary? And, why do so many privacy policies include such lists?
Let’s talk about it.
Why many people think cookies need to be listed (two out of three reasons)
There are three reasons, but I will mention two here. I’ll add the third one in the summary.
Reason #1 – The “Cookie Law”
Cookies became ingrained in many people’s minds as “the thing that enables tracking” ever since the European Union introduced the ePrivacy directive in 2002.
At that time, cookies were the only effective way to track users across the web, so consenting to them was synonymous with consenting to be tracked.
This is what solidified the term “cookie notice” to describe a tracking consent banner (even though today it has almost nothing to do with cookies).
Reason #2 – Vague provisions in the GDPR
Although the GDPR, introduced in 2016, mentions cookies only once, it contains provisions that might suggest listing them is necessary.
These provisions state that consent for the use of personal data must be obtained based on specific, detailed information.
While this requirement is not limited to websites, many people interpreted it too literally, mentally linking it to the earlier ePrivacy directive.
According to their interpretation, “detailed information” means that the user must be shown a list of all cookies, along with how they will be used and what data they store.
This, however, is an over-interpretation because… it is very often not possible.
Why it is often impossible to list all cookies on a website
Let’s start with the fact that any developer can create cookies.
They can have any name, any value, and serve any purpose (within their technical capabilities). Due to the ease of their creation, there are millions (if not tens of millions) of different cookies.
What’s more, to find out their purpose (and sometimes even what information they store), you need to thoroughly analyze the code that uses them.
After all, how would you interpret a cookie named ulm_preg_m with a value of 3?
All of this makes it impossible to recognize all cookies. On top of that, it is also dangerous.
Blocking cookies is in fact… dangerous and ineffective
Blocking cookies, while technically possible, can cause various problems on a website and can even break it completely.
Plus, it is also ineffective, because nowadays tracking scripts use various methods for user identification and tracking, and cookies are just one of them (albeit a very important one).
So what do you block?
Tracking scripts.
And how do you find out which scripts are used on a site and what they are for?
With cookies.
The not-obvious use of cookies
Every programmer knows that for a function to work, it must have a unique name. Otherwise, multiple functions with the same name would overwrite each other.
The same applies to cookies. If everyone started naming them: cookie_1, cookie_2, cookie_3, etc., nothing would work.
Therefore, a cookie is a recognizable and (relatively) unique identifier of the scripts that use it – and some of them may be tracking scripts.
But that’s not all. The cookies of popular tracking tools are well-known, and their purpose, such as advertising or statistics, is understood.
This is used by CMPs (Consent Management Platforms) that create “consent banners.”
They scan websites to check what cookies they save.
This helps them to learn which tracking scripts and tools are used on a given site and what the user must consent to in order to run a particular tracking tool.
And how do these platforms know which cookie is for what purpose and which tool it belongs to?
From their users, whom they ask to categorize all cookies.
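The scan described above, sketched as an added example (not code from this article or from any CMP): it infers tools and consent categories from cookie names and queues the names it cannot explain for manual categorization. The catalogue holds only a few widely documented cookie names, the sample input is constructed, and the function names are hypothetical.

```javascript
// Constructed mini-catalogue of widely documented cookie names.
// A real CMP maintains a far larger list, filled in by its users.
const KNOWN_COOKIES = [
  { pattern: /^_ga(_.+)?$/, tool: "Google Analytics", category: "statistics" },
  { pattern: /^_gid$/, tool: "Google Analytics", category: "statistics" },
  { pattern: /^_gcl_au$/, tool: "Google Ads", category: "advertising" },
  { pattern: /^_fbp$/, tool: "Meta Pixel", category: "advertising" },
];

// Extract the cookie name from a "name=value; attributes" line.
function cookieName(line) {
  const pair = line.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Infer tools from cookie names; collect names the catalogue cannot explain.
function scanCookies(recorded) {
  const tools = new Map(); // tool name -> { category, cookies: [] }
  const unrecognized = [];
  for (const line of recorded) {
    const name = cookieName(line);
    if (!name) continue;
    const hit = KNOWN_COOKIES.find((k) => k.pattern.test(name));
    if (!hit) {
      // Unknown name: the site owner must be asked what it is for.
      if (!unrecognized.includes(name)) unrecognized.push(name);
      continue;
    }
    const entry = tools.get(hit.tool) ?? { category: hit.category, cookies: [] };
    if (!entry.cookies.includes(name)) entry.cookies.push(name);
    tools.set(hit.tool, entry);
  }
  // Consent categories the banner has to offer for the detected tools.
  const consentNeeded = [...new Set([...tools.values()].map((t) => t.category))].sort();
  return { tools, consentNeeded, unrecognized };
}

// Constructed sample: cookies as a scanner might record them during a crawl.
const SAMPLE = [
  "_ga=GA1.1.111.222; Path=/; Max-Age=63072000",
  "_ga_ABC123=GS1.1.1.1; Path=/",
  "_fbp=fb.1.1700000000.123; Path=/",
  "ulm_preg_m=3; Path=/",
];
const report = scanCookies(SAMPLE);
console.log(report.consentNeeded, report.unrecognized);
```

The ulm_preg_m cookie ends up in the unrecognized list: nothing in its name or value says which script set it, which is exactly the gap the scanner has to close by asking the site owner.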
Why many people think cookies need to be listed (the last reason)
The largest and best-known Consent Management Platforms operate in the cloud.
However, they do not have access to your website’s database or functions, and so they cannot determine what tracking tools you have installed.
That is why they use cookies to “guess” it.
They scan their clients’ websites in search of cookies and later ask the same clients to name, categorize, and describe all the ones they don’t recognize.
Since these descriptions can be used in a privacy policy (as they describe the functions of the tracking tools), CMPs encourage their users to paste them there.
As a result, many privacy policies include lists of cookies, which further strengthens the popular belief that they are necessary.
But they are not.