What’s the deal with browser cookies? A visual designer investigates.

During one of my many shopping rabbit holes (I’m attempting to find the perfect black bag — long-lasting but not too expensive, crossbody strap option, free standing, good material…I digress) I stumbled across Danish clothing brand Ganni’s website. Their website is beautiful: it uses large sans-serif typography and cobalt blue accents. However, I was most struck by their version of an oft-overlooked web element: the cookie collection module.

Screenshot of clothing site Ganni's cookie collection module detailing why they use cookies and asking permission for a variety of cookies
Ganni

Granted, this cookie collection module demanded the user’s attention, but I was drawn to it through a UI designer’s lens. It balanced form and function quite well and seemed to spell out more information than I was used to seeing. I usually click right out of cookie collection notifications without a second thought (like most web users on a mission), but Ganni’s module made me consider their place in the broader internet landscape. Was Ganni remaining loyal to their reputation of “authenticity and transparency” or were they merely following web best practices and European privacy laws?

What are browser cookies?

Internet “cookies” are the cutest name for something that isn’t very cute at all: data collection. At their worst, cookies can be invasive and a breach of privacy, but at their most basic they are harmless text files stored on your device’s browser “[functioning] like a combination of an online ID card and a digital Post-It Note”. Cookies inform browsers like Chrome about the user’s preferences. They range from basic web functioning like language preference to remembering log-in information and data for targeted ads. Websites will not function properly without the use of some cookies (but certainly not all).

There are many different types of cookies, but the ones to be aware of are First-party, Third-party, and Strictly Necessary cookies. First-party cookies are files placed on your device by the website you are visiting and stored under that domain, while Third-party cookies are placed by separate entities, such as advertisers. Strictly Necessary cookies make certain features of a site work properly, and they vary depending on the function of the site. They can support functions such as logging in to access secure parts of the site or keeping an item in a virtual shopping cart while you continue to browse. Cookies can fall into more than one category as well: Strictly Necessary cookies are also First-party cookies.

Cookies and privacy risks

Third-party cookies are among the cookies that raise privacy concerns. They track your behavior on the site you are visiting, as well as the sites you visit later, in order to advertise to you via social media and similar sites. They are the party responsible for the infamous targeted ads we are all familiar with. In the absolute worst case scenario, hackers have been able to steal cookies for their own personal gain, such as stealing passwords for financial information or social media account access.

Luckily, Google announced in January 2020 that they would phase out third-party cookies in 2022. Though that date has been extended to 2024, the Privacy Sandbox initiative is still in the works.

The GDPR and the EU Cookie Law

Back to my question of whether or not Ganni was simply following the rules, I looked to both of the European Union’s policies for the answer: the GDPR (General Data Protection Regulation) and the EU Cookie Law (also known as the ePrivacy Directive). Even though I’m visiting Ganni’s site from my home in Chicago, they are a Danish company and must adhere to the EU’s privacy laws.

The GDPR became enforceable on May 25th, 2018 and is the strictest set of data privacy regulations to date. In regard to cookies, the law states that collecting cookies beyond those that are strictly necessary requires the consent of the user, and that a site may only collect cookies that pertain to its purpose. The latter is also known in legal terms as “legitimate interest”. Ganni, for example, sells clothing; they would have no use for data on a person’s political opinions, so asking for it would be a breach of this part of the GDPR.

While the GDPR pertains to data security overall, the EU Cookie Law refers to cookie collection specifically. Like the GDPR, the Cookie Law requires consent of the user, with an emphasis on explicit consent. Explicit consent of the user requires privacy to be the default setting, transparent understanding of the role cookies play in the site’s function, and affirmative action when opting in to data collection. For example, if there is a checkbox for accepting the cookies on a module, the checkbox must be unchecked by default. There also must be an easy way to opt out once the user has opted in. 
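The first-party/third-party distinction and the opt-in rules described above can be sketched in JavaScript. This is an added example, not Ganni’s code or code from the original post; the cookie names, domains, category names and the simplified domain matching are assumptions made for illustration.

```javascript
// Added example: categories, cookie names and domains below are constructed.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Privacy is the default: only strictly necessary cookies start enabled.
function newConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Consent changes only on an explicit user action; "necessary" cannot be switched off.
function setConsent(consent, category, granted) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
  if (category === "necessary") return consent;
  return { ...consent, [category]: Boolean(granted) };
}

// Simplified party check: the cookie domain equals the site host or is a parent of it.
// A production check would use the Public Suffix List to find the registrable domain.
function party(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d) ? "first-party" : "third-party";
}

// Decide for each cookie whether it may be set under the current consent.
function decide(cookies, siteHost, consent) {
  return cookies.map((c) => ({
    name: c.name,
    party: party(c.domain, siteHost),
    allowed: consent[c.category] === true,
  }));
}

// Constructed sample data.
const SITE = "www.shop.example";
const COOKIES = [
  { name: "session_id", domain: "www.shop.example", category: "necessary" },
  { name: "lang", domain: ".shop.example", category: "preferences" },
  { name: "ad_track", domain: ".adnetwork.example", category: "marketing" },
];

let consent = newConsent();
console.log(decide(COOKIES, SITE, consent));        // before any user action
consent = setConsent(consent, "marketing", true);   // user toggles marketing on
console.log(decide(COOKIES, SITE, consent));
consent = setConsent(consent, "marketing", false);  // user withdraws consent
console.log(decide(COOKIES, SITE, consent));
```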

As for the United States, our cookie laws are considerably lax in comparison. There is no federal law regulating cookie collection, only regulations at the state level such as the California Consumer Privacy Act (CCPA). However, both the GDPR and the EU Cookie Law pertain to businesses overseas if they are advertising to consumers within the EU. In such a global economy, it’s likely that a US retailer is subject to the EU’s cookie regulation. One easy indicator of whether or not a US site is subject to the EU’s regulations is whether they offer a language option for European citizens, such as German or Italian.

How transparent is Ganni’s cookie collection?

With all of the above in mind, Ganni’s cookie collection follows the EU regulations. The user must opt in to receive cookies beyond those strictly necessary by either clicking “Accept All” or clicking the category toggles one by one. When you click “See Details” beneath the “Accept All” or “Decline All” buttons, an accordion opens up to display the different categories and what their site uses each for. To find even more information about cookies, you can select the “Read more about cookies” link in the opening paragraph above the “Accept All” and “Decline All” buttons. This takes you to Ganni’s cookie policy, which is also found in the footer of the site. Within the information spelled out for the user, presented in an FAQ-style format, there is also a section on both deleting cookies (including links to doing so in each type of browser or device) and changing your consent. The ease with which the user can retract their consent is the only area here that I believe could use some improvement, since the module disappears once the settings are saved, but it is not too hard to find at the bottom of the page.

Cookie collection in the wild

Even after extensive research, Ganni’s cookie collection module is still one of the best I’ve seen. Here are a few more examples of great cookie collection notifications that both follow the rules and look good while doing so:

Dinamo's cookie collection module
Dinamo

This is the only example I’ve seen of the fortune cookie instead of the regular ol’ chocolate chip, plus it provides a very clear illustration of what cookies they use and why they use them.

The Light Phone

This site uses interesting language to warn viewers of cookies and doesn’t attempt to hide the risks.

Groupe Castor & Pollux's cookie collection module
Groupe Castor & Pollux

This site uses both an interesting design and transparent language.

Moooi's cookie collection module
Moooi

This site uses an attractive module and a thorough description.

Revo's cookie collection module
Revo

Detailed description and clean, minimal branding.

Decem Drink's cookie collection module
Decem Drinks

Great use of typography in this module and very visible.

Norm's cookie collection module
Norm

This site uses playful language and the most unique module design I’ve seen yet.

Sources

  1. Ganni — https://www.ganni.com/us/home
  2. Simon Fogg, Termly.io — https://termly.io/resources/articles/what-are-cookies/
  3. Masha Komnenic, Termly.io — https://termly.io/resources/articles/cookie-law/
  4. Anthony Chavez, Google ‘The Keyword’ — https://blog.google/products/chrome/update-testing-privacy-sandbox-web/
  5. CookieYes — https://www.cookieyes.com/blog/cookie-consent-exemption-for-strictly-necessary-cookies/#:~:text=A%20strictly%20necessary%20cookie%20is,not%20track%20your%20browsing%20habits.
  6. Matt Burgess, Wired — https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
  7. GDPR.EU — https://gdpr.eu/cookies/
  8. Emily Stewart, Vox — https://www.vox.com/recode/2019/12/10/18656519/what-are-cookies-website-tracking-gdpr-privacy
  9. awwwards.com — https://www.awwwards.com/30-creative-examples-of-cookie-consent-experiences.html
  10. Nicola Scoon, Enzuzo — https://www.enzuzo.com/learn/the-best-cookie-banner-examples-weve-seen-in-2022
