Why “strictly necessary” cookies can’t be used in the same way as advertising cookies


For example, couldn’t I give my visitor a cookie like MySpammySiteLoginStatus=logged-out and then anyone can see they visited MySpammySite? Additionally, couldn’t I hide other information in relatively simple codes, like deciding whether or not to add toolbar preference cookies based on whether or not the user got to the shopping cart?


6 Answers

Anonymous

tl;dr: sites can categorize cookies however they deem reasonable, with no impact on how those cookies function on the site. So, there is nothing functionally different between categorizing a strictly necessary cookie and any other cookie you accept/reject. Strictly necessary cookies can absolutely be used the same way as advertising cookies.

I work extensively in this field.
When you’re interacting with the CMP on the screen (cookie management platform; the Accept/Reject All banner), you are accepting/rejecting specific cookies that have been categorized by the organization that has implemented the CMP. Those categories are usually the defaults (i.e. Strictly Necessary, Functional, Analytics, Advertising), but the organization has the ability to create their own categories. And they, themselves, categorize their *known* cookies in each of those categories.

So they may know about a Google Analytics cookie (_ga is a common one) and they have the power to categorize that cookie as a functional cookie or an analytics cookie. Functionally, that cookie is there to store who you are for tracking you between page views and send that data to their Google Analytics accounts. But how it was categorized does nothing to the actual cookie itself. Meaning, from your original question, all cookies will be used how they were intended. How the company categorized them does absolutely nothing to their functionality. It’s all for the legal need to get your users to consent to those cookies.

Not-so-fun fact: most US-based customers are tracked even after rejecting cookies. This is because the US has no laws to enforce most of this. California has CPRA (upgrade to CCPA) that is enforceable for California residents, but even that law has almost no teeth. And it states you can track users by default until they tell you not to. GDPR (European privacy law) is *far* superior in this case. It says that companies cannot track you until you give them permission that they can. ***Meaning*** if you’re a US resident and visit a site and THEN click the reject all button, they’ve already set cookies on your browser. You’ve already been tracked. They can’t further track you and share your data. But the deed is done. The cookies are there. They can wipe the ones the site has the ability to wipe, but many 3rd party cookies (your classic Facebook, Google Ads, etc. cookies) will still be in the browser and will share your browser session when it next makes requests to those platforms.
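One way to check the point made in the answer above, added here as an example and not part of the original thread: the CMP category is only a label in a lookup table, so an audit has to compare the cookies a browser actually received before any banner click against that table. The category map, the captured headers and the tracker-name list (`_gid` and `_fbp` alongside the answer's `_ga`) are constructed assumptions, and flagging every non-"Strictly Necessary" cookie set before consent assumes an opt-in (GDPR-style) regime.

```javascript
// Category labels as an organization might enter them in its CMP (hypothetical map).
const cmpCategories = new Map([
  ["session_id", "Strictly Necessary"],
  ["_ga", "Functional"], // a tracking cookie filed under a milder label
  ["ui_theme", "Functional"],
]);

// Cookie names whose purpose is tracking (assumed reference list for this example).
const knownTrackers = new Set(["_ga", "_gid", "_fbp"]);

// Constructed Set-Cookie header values seen on first page load, before any banner click.
const preConsentSetCookie = [
  "session_id=abc123; Path=/; HttpOnly; Secure",
  "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
  "_fbp=fb.1.1700000000.333; Domain=.example.test; Max-Age=7776000",
];

// Extract the cookie name from one Set-Cookie header value.
function cookieName(header) {
  const pair = header.split(";")[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Report pre-consent cookies that are uncategorized, filed under a label that
// hides a known tracker, or simply not strictly necessary.
function auditPreConsent(headers, categories, trackers) {
  const findings = [];
  for (const header of headers) {
    const name = cookieName(header);
    const category = categories.get(name);
    if (category === undefined) {
      findings.push({ name, issue: "uncategorized" });
    } else if (trackers.has(name) && category !== "Analytics" && category !== "Advertising") {
      findings.push({ name, issue: "tracker-mislabelled", category });
    } else if (category !== "Strictly Necessary") {
      findings.push({ name, issue: "set-before-consent", category });
    }
  }
  return findings;
}

console.log(auditPreConsent(preConsentSetCookie, cmpCategories, knownTrackers));
```

The `uncategorized` finding corresponds to the answer's emphasis on *known* cookies: anything the organization never listed in its CMP has no label to accept or reject at all.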
