Cookies – the good, the bad and the ugly

The decision of the European Court of Justice (ECJ) of 1 October 2019 (judgment of 1 October 2019, Ref. C-673/17) has brought the debate on data protection and the technical use of cookies back to life. I would like to discuss the topic from the technical side in order to bring more clarity to the topic, which is so confusing for laymen.

Cookies are, first of all, no more than a technique that allows developers to store information on the visitor's computer in the form of a small text file. This technical possibility led to the fact that interactive applications became feasible at all, because this is the only way to store cross-page information. Without cookies or other identification mechanisms, shopping baskets or protected member areas cannot be realized.

A cookie is actually the most harmless variant of the technical storage possibilities, because the amount of data that can actually be stored there is very small (4 kB). Typically, a cookie has a unique name, an assigned value, an expiration date, and some other properties that developers need. Technically required cookies are usually so-called session cookies. As soon as you close your browser window, they are automatically deleted. They are not evil and do no harm. However, there are others that may accompany you – if you do nothing about it – until your computer blesses the temporal.

Cookies are therefore primarily a technology.

How and for what purpose Cookies are used by developers and companies is another matter. They can also be the technical basis for personalized advertising and targeted internet marketing. A service sector in its own. Behind this are not all too seldom large corporations whose data-gathering frenzy is generally known. ECJ's decision to demand active approval from the website visitor (opt-in) for the use of such cookies is a decision that I take very positively from a developer and consumer point of view. However, it has far-reaching consequences and is going change an entire industry.

Google Analytics, among others, is a powerful marketing tool. Many website operators use it to tailor their website to the needs of their customers and to learn more about their behavior and to be able to respond appropriately to it – with the aim of better marketing their products or services, of course. Most companies don't have anything unethical in mind, they just want to increase their reach. But all this data also ends up directly at Google, where it is linked with the help of intelligent algorithms. All website operators should really ask themselves whether the lessons learned from the use of such a tool justify the use and the consequences associated with it.

Your data is no longer meaningful

Mozilla already equipped its Firefox with Enhanced Tracking Protection in September. By default, all "third-party tracking cookies" that are blacklisted are blocked. If you click on the small icon with a shield next to the URL input line, you can see all blocked cookies of the respective website. Why such automated technology is not enabled by default in Google Chrome certainly doesn't need to be explained in more detail.

This means that all marketing tools that rely on such tracking cookies have not provided valid data since September because they do not include a large proportion of Firefox visitors. Google has reacted to that cookie story, because Google Analytics can also be operated cookie-free. (Fingerprint/LocalsStorage/IP-based) – However, data is still collected. With Facebook it looks no different (FacebookPixel etc) – we remember Cambridge Analytics.

Reaching the goal with transparency

The Internet is an achievement for all of us, which has changed our coexistence massively in recent years. For me, this ragbag of knowledge is something I never want to miss again. So many different people shape a technical space and make it a technical society of its own, where there is exchange and communication as well as crime and violence.

As a website operator, everyone has the goal of being found and evaluated particularly well - in many cases economic success depends on this. Many website operators are now worried that they could lose their position by requiring consent for tracking cookies. I believe that there will also be winners, namely those who are openly and transparently confronting their visitors by informing them about the tools and techniques they use.

The ECJ calls for Opt-in

That is a clear statement. No tracking cookies without the active consent of the user. In the last few weeks, cookie bots have been on the rise, turning off the cookies already set with the help of JavaScript, giving the impression that we have full control. Others offer necessary analysis techniques and Opt-in in one (e-right etc.). Usually at a not quite cheap price. Technically, the whole issue is not that simple. Depending on which CMS you use, cookies are set at different locations in the system's rendering process. An outside bot cannot have access here. It cannot intervene until the rendering is complete.

Joomla - a solution

The Joomla session cookie is set at the very beginning of the rendering process, it is technically necessary and serves, among other things, security. (When submitting forms, etc.) External applications and marketing tools are usually integrated into the index.php of the template via JavaScript snippets. Joomla now offers the technical prerequisites for this integration only after prior consent by the user. The approval process requires a module that fulfils the following tasks:

  1. Provide an interface for entering the external JavaScript snippets/ PHP snippets in the Joomla backend.
  2. Generating a form with switches for activation
  3. Storage of the selection and subsequent integration of the corresponding code
  4. Editing and changing the selection
  5. Deletion of all cookies and associated JavaScript snippets with JavaScript and PHP -No saving of the selection in the database

 Thanks Roland for the translation .-)

Note: For many, an alternative could be the open source web analytics tool Matomo. Matomo can be operated cookie-free on its own server. It provides a lot of valuable information, slightly different from Google Analytics – but as an alternative it is certainly worth a test. Nevertheless, visitors should be made aware of the use of such tools.