When agreeing to cookies on a website, what exactly am I agreeing to?


You are agreeing to have special files installed on your computer that will store certain information for the website to access. For example, a cookie file might store your account information when you check the ‘remember me’ box while logging into your account.

First a definition: A cookie is a short piece of data – less than 100 bytes typically – that the server assigns to the browser. Then for each page loaded from the same web site the browser sends that same cookie value back to the server as a way for the server to say “this is the same browser/person as last time”. This will usually persist as you turn your computer off/on, change internet providers, or just roam between Wifi and cellular in the case of phones.

It’s essential for web pages where you can log in with an account so that you stay associated with your account, but any web site can do it for any reason. Some web sites let you have preferences without an account – these are stored in the cookie in some way. Other web sites just give everyone a unique number in a cookie and let the analytics bot have its way with them.

Since this constitutes user tracking there are privacy laws that get involved and this is the disclaimer. It’s really picked up since the European GDPR law came into effect.

Can someone please remind me of how some people recommend to deal with these? Like an extension to Accept all automatically then delete cookies upon exit or something. Been meaning to do this, get sick of clicking Accept all the time.

You agree to let them put tiny files on your computer that they can later read again.

Normally when your computer talks to a website each new page you open is like the computer talks to the website for the first time.

Imagine having a conversation with a complete amnesiac.

Every time you introduce yourself and start talking to them they immediately forget what you just said and you either have to start over again or live with the fact that the amnesiac you are talking to has no idea who you are or what you have been talking with them about.

This sort of works for the sort of stuff the web originally was designed for: Static stuff that is completely anonymous and without context.

It works less well for modern websites where you want to adjust what they show you based on who you are and remember what you have done before and even do stuff like e-commerce in a non-stupid way.

You could preface each sentence you say to the amnesiac with your name and where you last were in the conversation, but that gets cumbersome really fast, requires you to remember stuff that ideally the other side should remember and has a big security flaw in allowing somebody else to imitate you and pretend they are you.

Cookies are a way to work around the amnesia.

It is like the web-server guy handing you a name badge when you first start talking and asking you to put it on. The badge may contain your name and an identifiable number and some other info, so every time you start talking to the amnesiac they look at the badge as you talk to them and immediately remember who you are and may even be able to look up what you said before.

It makes things easier.

Of course there are potential threats too.

Some people may enjoy their anonymity and having a complete stranger slap a name-tag on you as you walk by to track who you are seems rude.

This is why the EU mandates that websites should at least ask people first before they put a tag on them and not just do it without asking first.

A website like reddit needs to use cookies to tag their users and tell them apart, but other websites that you don’t really want to remember who you are and build a profile of you and what parts of their website interest you have less of an excuse.

It is a balance between being useful to make websites easier and more secure to use and simply tagging users like wildlife to track them and study their behavior. You may want one but not the other.

Ideally only the websites that put a tag on you can see that tag. So CNN.com does not know what tag Reddit.com has given you, but in practice people have found ways around that. Especially advertisers with their ads on all sorts of sites you visit have an interest in figuring out all sorts of personal stuff about you that you might not want them to know.

In a perfect world we would only let websites put cookies into our browsers when it is necessary to make the site work, but too many websites claim that they need it to work when they really don’t in order to invade your privacy.

Even worse, big advertisers have found ways around the whole needing a cookie to track you thing.

Normally a webserver is not just amnesic, but also completely faceblind. To a prosopagnosic amnesiac everyone looks alike, and without the cookies they should have no way to figure out who is who. However, they do notice certain things about the person they are talking to, like what web browser they are using and stuff like that, and based off that they might be able to build a profile of everyone they talk to and tell people apart without needing cookies.

This is bad if you care about privacy and don’t want Google to know what weird shit you are into and sell that info to the highest bidder.

“Can we put a badge on you with a number that will identify you, so that when you come back to this – or a related – website, we can tell who you were and when you last came to that website, etc.?”

They know that badge number 2389473 visited them on Tues, Fri, went to this page, that page, clicked here, bought this item, came from this Google search, etc. but they don’t know *everything*, only what you’ve given them (what you did while you were wearing the badge).

Clearing cookies is removing all the badges from yourself. You’ll get new ones instead, so they “shouldn’t” be able to link back to whatever number you had before. But you will likely “log in” to a lot of websites, so they will know that your website account was also associated with badge 2389473 and is now being logged into by badge 967493748 too.

It’s a harmless number, on its own, but it provides a lot of links to what you do on them and their sister websites – but bear in mind that you’re ALREADY DOING THOSE THINGS ON THOSE WEBSITES, they know you are, because it’s their website! So it’s not really all as drastic as people make out. It just means they can join together a lot of information that would otherwise look like separate website visitors, knowing that it was all “you”.

Website cookies are about storing information locally on your personal device. It’s typically useful when it comes to any user-specific data that would be helpful if it persisted beyond the current session.

That means if you close your browser, open it back up, go back to the site – the site can use cookies to remember things about you and personalize the experience a bit based on your previous session(s).

A common example is clicking on a “remember me” checkbox – this usually means the site will store your login info locally on your device inside a cookie that the site can access and make it easier to log back in… But if you went to the same website on a different device, it won’t have your login details pre-filled – or maybe even have someone else’s… That’s because the site is pulling that info from the device, locally. A different device means a different cookie, either empty and new or pre-populated with someone else’s info.

It could also even be made to remember session data, and communicate with the server if you didn’t log out soon after closing the browser. If the session data in the cookie hasn’t expired, a website’s server might allow you to continue on with your last session without logging back in, even if you accidentally closed the browser window…

It’s good for remedying convenience issues like that, but if you share the device you’re using with others, then allowing cookies could be a risk for identity theft… anything you enter into a site can be stored on a cookie and can potentially be accessed later on by anyone else using that machine unless you deleted your cookies

From a technical perspective (not a legal one): It really bugs me that websites feel the need to put these warnings up.

Your browser is something *you* control. The web server is something that someone else controls.

You are a customer going to a place. The place is giving you a loyalty card because they aren’t going to remember for you.

It’s on you (and your browser) to keep and return (or not) that loyalty card.

So if you really care about privacy, tell your browser to not store or give back loyalty cards. Don’t trust them to tell you “don’t worry, we won’t give you a loyalty card, or use any you happen to give to us”.

However, you’re going to have a hard time using websites normally if you disable cookies entirely. Most websites require them, at least within a single “visit”, to work properly. Fortunately all browsers these days have a common option: “clear cookies on exit”

For the curious, on Chrome you can see cookies by:

1. Right-mouse click > Inspect
2. Application Tab
3. Expand the cookies option on the left side menu
4. Click into any of them to see what’s being stored

Explaining like you’re truly 5: Agree with the cookies company to let them know where you put your cookies, which kind of cookies you like the most, what time you usually eat your cookies, which pants you’re wearing while eating cookies, and much more info you wouldn’t think you want to share with them.

It’s like when you meet a neighbour for the first time in a new neighborhood and they give you a name tag so they’ll remember who you are next time, and other people on that street will also know who you are and what your name is.

It’s like getting your hand stamped when going to a fun park with food. You have to buy a ticket, but after you do, they stamp you so they know you’ve been inside the park. If you wash off the stamp, they’ll have to see your ticket again, but with a stamp, you can just show them your hand and be back to riding fun rides super quick. In fact, you can leave the park and come back, show them the stamp, and they’ll let you in right away!

edit: please note that this is very simplified. read some of the discussions to get a better grasp of why they do this in the first place, how this can violate privacy, and why that can be a problem.

You’re agreeing to let the website put a tiny little text file on your computer (or phone). Websites will then read this little text file to learn stuff about you.

Some will use it to save you time, by “remembering” your login and password which they read from the text file.

Many will read *all* the text files left by different sites you visited. That lets them figure out where you’ve been online, what you like, and what kind of advertising to show you.

They want to put these baked goods inside your computer.

Except these baked goods actually contain pieces of information.

And some bad people will want to see and eat your cookies.

Follow up question that I didn’t see asked.

What happens if you don’t click ‘ok’ but you continue to use the website?

Are cookies only stored after clicking ‘ok’ or are they storing cookies by default and the pop-up is just a requirement to let you know?

There’s a lot of wrong or at the very least uninformed answers in here.

## Most sites that use popups don’t understand why they do

The first thing to know is that this cookie popup is overused for reasons that the people who run these sites don’t care to understand. Nearly every site uses cookies or something like them, but *only those that use such tech to track your actions outside of the requirements of the site must have a popup.*

For example, if you have a website that lets you login to see private stuff, or update your profile etc. *you don’t need a popup*. Have a site with a shopping cart? *No popup needed*.

The directive only applies when you’re using cookies in a way that’s not a basic functionality of the site. Say for example if you’re using cookies to track people’s movements on the site for your own records, or if you’re tracking people across different sites *(coughfacebookcough)*.

## It’s not a cookie law

The ePrivacy Directive does not refer to cookies directly. The directive was written to intentionally avoid tying the spirit of the law to the technology of the time. It applies to things like LocalStorage, Flash cookies, etc. as well. You need to acquire consent to track user behaviour if that tracking isn’t an obvious requirement for using the site (like a shopping cart).

## Not GDPR

I know that for non-Europeans, you’re only going to hear about the occasional Big Thing that comes out of the EU, but you should resist the temptation to bundle everything under one headline just because it’s what you’ve heard… especially when it’s pretty obvious that these cookie popups started appearing *years* before GDPR was even mentioned.

These popups are the (misinformed) reaction to the [ePrivacy Directive](https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Directive_2002), a move by the EU to try to force websites that are collecting data on people to disclose that fact. [The General Data Protection Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) is a separate set of rules that apply to your rights as an EU citizen in dealing with tech companies. Among other things, it:

* Requires that a company can’t store stuff about you that it doesn’t need to perform the services you asked them to do for you (via informed consent).
* Prohibits the sharing of any personally identifying information with third parties without informed consent.
* Requires that the company make available to you everything they have on you, and delete all of it from their system at your request.

They’re totally different things.

## So what are you agreeing to?

Well, *did you read it?* ’Cause if you didn’t read it, you could be agreeing to anything. More often than not though, it’s some legal boilerplate acknowledging that the site uses cookies and that they’ll use that data for whatever they want. The CEO probably heard this was what her friend was doing on their site, so she ordered her web nerd to do the same and stopped thinking about it.

You are agreeing to allow the site to store data on your computer. Only that specific website can access that data and only when you access the website (the browser enforces this by attaching the cookie to requests only to that specific website). They usually store details like if you are currently logged in, which is why when you access the website on a new computer you have to log in again (since there is no cookie on that computer yet).

Cookies are often used to track your preferences when you visit a site. Examples: What sections you visited, types of products you looked at, what default settings you prefer, etc. so that next time you visit the site it can load those preferences for you automatically.

Also, other sites can also look at your cookies and set their preferences accordingly. Which is why when you do a Google search for cowboy boots, you suddenly see ads for cowboy boots everywhere you go on the web.

Besides this being somewhat annoying for some, cookies can also be dangerous for others, e.g. a woman in an abusive relationship who may have secretly been looking for a women’s shelter could inadvertently give away that fact to her abuser.
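
The scoping that several answers above describe (a site only gets back the badge it handed out, while an ad host embedded on many sites gets its own badge back everywhere) can be modelled in a few lines. This is an added example, not part of any answer on this page; the `CookieJar` class, the `.example` hosts and the exact-host matching are assumptions made for illustration, and real browsers additionally apply Domain, Path and SameSite rules.

```javascript
// Simplified model of a browser cookie jar (constructed for illustration).
class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.store = new Map(); // host -> Map(name -> { value, expires })
  }
  // Store a Set-Cookie header sent by `host` while the user is on `topLevelHost`.
  setFromHeader(host, topLevelHost, header, now = Date.now()) {
    if (this.blockThirdParty && host !== topLevelHost) return false;
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    if (eq < 1) return false; // malformed: no cookie name
    let expires = null; // null = session cookie, gone when the browser closes
    for (const attr of attrs) {
      const [k, v] = attr.split("=");
      if (k.toLowerCase() === "max-age" && /^-?\d+$/.test(v || "")) {
        expires = now + Number(v) * 1000;
      }
    }
    if (!this.store.has(host)) this.store.set(host, new Map());
    this.store.get(host).set(pair.slice(0, eq), { value: pair.slice(eq + 1), expires });
    return true;
  }
  // Build the Cookie request header the browser would send to `host`.
  headerFor(host, topLevelHost, now = Date.now()) {
    if (this.blockThirdParty && host !== topLevelHost) return "";
    const cookies = this.store.get(host) || new Map();
    return [...cookies]
      .filter(([, c]) => c.expires === null || c.expires > now)
      .map(([name, c]) => `${name}=${c.value}`)
      .join("; ");
  }
  // "Clear cookies on exit": every badge is thrown away.
  clearAll() { this.store.clear(); }
}

// Visit a news site that embeds an ad host, then a shop embedding the same ad host.
function browse(jar) {
  jar.setFromHeader("news.example", "news.example", "session=abc; Max-Age=3600");
  jar.setFromHeader("ads.example", "news.example", "uid=2389473; Max-Age=31536000");
  return {
    shopSeesNews: jar.headerFor("shop.example", "shop.example"), // other site's cookie
    adsSeenOnShop: jar.headerFor("ads.example", "shop.example"), // embedded ad request
    newsOnReturn: jar.headerFor("news.example", "news.example"), // first-party revisit
  };
}
```

With the default jar the shop never sees the news site's cookie, but the ad host receives the same `uid` on both sites; with `blockThirdParty: true` the first-party session still works and the ad host gets nothing.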