Chapter 7
Cookies
The European Union, with the ePrivacy Directive in 2002 and the General Data Protection Regulation in 2018, requires
websites to obtain informed and explicit consent from users before storing or accessing information on their
devices.
That's why you see a banner asking for your consent to use cookies 40 times a day.
What is a cookie?
Since the dawn of computing there has been the concept of the "magic cookie". The term refers to data that is handed to programs that do not understand it: these programs are mere intermediaries that relay the data unchanged to others.
Example:
You purchase a subscription through a company's iOS app. The app tells the site's backend: "Hey, there's
been a new subscription for such-and-such an offer and, FYI, the customer was on an iPhone 15 and started their
purchase journey by clicking on page X".
The subscription manager will use the information about the offer to set everything up. However, it has no use
for the customer's purchase context: iPhone 15, page X. It knows, though, that the Data teams need this data for
their dashboard. It will dumbly relay it to them.
The Data team itself doesn't really analyze this information; the dashboard simply lists the possible values
and automatically suggests filters and groupings to a marketing director.
The purchase context is passed from the app to the marketing director without the intermediaries truly
understanding its content. It's a magic cookie.
In 1994, an engineer at Netscape had the idea of adapting this concept to store information directly in the browser. The idea was to know if a customer had already visited the Netscape site when they arrived on the page.
- The site transmits information to the browser.
- The browser stores it without caring about its content.
- The browser will relay this information back to the site with each request.
- The site thus has access to the information.
As you've understood, this information represents what we more commonly call a Cookie.
Cookies have many uses. That's why it's almost impossible to navigate the web if you refuse to use them.
Sessions
You arrive on a site, you log in with your email and password. You come back 2 days later and you're still logged
in. You navigate through different pages without being asked to authenticate all the time.
Upon your login, the site starts a user session. It places a cookie in your browser to represent and maintain it.
A logout action mostly consists of deleting this cookie.
Without cookies, no session. Some even translate the term "cookie" in French as "témoin de connexion" (connection
witness). That's why when you switch to incognito mode, and your existing cookies are not available, you have to log
in everywhere again.
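The exchange described above (the site hands the browser a value, the browser stores it without understanding it and sends it back on every request, and logging out is mostly deleting it), as an added Python example that is not part of the chapter. The cookie name `session`, the two-day lifetime, the HttpOnly/Secure/SameSite attributes and the in-memory `SESSIONS` store are choices of this example, not something the chapter specifies.

```python
from http import cookies
import secrets

SESSIONS = {}  # site side: session id -> user (a real site uses a database)

def session_id(request_headers):
    # Site side: pull the opaque id out of the Cookie header, if present.
    c = cookies.SimpleCookie(request_headers.get("Cookie", ""))
    return c["session"].value if "session" in c else None

def login_response(email):
    # Site side: start a session and ask the browser to store its id.
    # The browser never interprets the value; it only relays it back.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = email
    c = cookies.SimpleCookie()
    c["session"] = sid
    c["session"]["httponly"] = True       # page scripts cannot read it
    c["session"]["secure"] = True         # only sent over HTTPS
    c["session"]["samesite"] = "Lax"      # not sent on cross-site POSTs
    c["session"]["max-age"] = 2 * 24 * 3600  # "you come back 2 days later"
    return {"Set-Cookie": c["session"].OutputString()}

def logout_response(request_headers):
    # Site side: logging out is mostly deleting the cookie (Max-Age=0),
    # plus forgetting the session server-side so a stale copy is useless.
    SESSIONS.pop(session_id(request_headers), None)
    c = cookies.SimpleCookie()
    c["session"] = "deleted"
    c["session"]["max-age"] = 0
    return {"Set-Cookie": c["session"].OutputString()}

def whoami(request_headers):
    # Site side: resolve the cookie back to the logged-in user, or None.
    return SESSIONS.get(session_id(request_headers))

class BrowserJar:
    # Browser side: store whatever Set-Cookie says, without understanding it,
    # and send every stored cookie back with each request.
    def __init__(self):
        self.jar = {}
    def receive(self, response_headers):
        sc = cookies.SimpleCookie(response_headers.get("Set-Cookie", ""))
        for name, m in sc.items():
            if m["max-age"] == "0":       # Max-Age=0 means "forget it"
                self.jar.pop(name, None)
            else:
                self.jar[name] = m.value
    def request_headers(self):
        return {"Cookie": "; ".join(f"{k}={v}" for k, v in self.jar.items())} if self.jar else {}
```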
Personalization
You arrive on a site that offers multiple languages. The default language is Spanish, but you want the page in
English. This language change will be stored in a cookie so it can be transmitted to the back-end with every user
action. Every success or error message resulting from the action will be personalized.
For this example, we could have manually transmitted the language in every request to the back-end. Using a cookie
has the advantage of making this automatic and, above all, the site will remember your language if you come back
later.
Customer journey analysis
Any website worth its salt tries to optimize its journeys based on customer behavior.
"We lose 60% of our customers at the moment of entering the delivery address of the order."
"Customers who saw the 100€ for 12 months variant finalize their journey more than those who saw 100€ for 1 year."
To do this, it is necessary to understand who is making which request, even though the customer may not be
authenticated on the site. It's much the same concept as sessions, except that instead of authenticating the
user, we want to identify their browser.
When you arrive on the first page of a site, it creates a cookie by assigning you an identifier. Since this cookie
is automatically sent back to the back-end, your entire chain of actions can be tracked.
Advertising
If we extend the analysis of customer journeys across multiple sites, we can show customers products that have
recently interested them.
To do this, sites integrate advertising network solutions into their front-end code. Throughout your visits, these
sites place their own cookies and simultaneously trigger requests to the networks to place their cookies as well.
These are called third-party cookies.
Do the test
- Open Chrome, switch to incognito mode (Ctrl + Shift + N), and open deezer.com. Press F12 to open the DevTools.
- Go to the "Application" tab at the top, then "Cookies" in the left menu. For now, there's not much to see.
- Accept the use of cookies on the Deezer page. Instantly, you will see the creation of Snapchat, Pinterest, Google Ads cookies, etc.
"If you're not paying for it, you're not the customer; you're the product being sold." (Andrew Lewis / blue_beetle)
GAFAM and major social networks are among the biggest advertising networks.
Now that they know you use Deezer, they can display ads with promotions on subscriptions across all your networks
and all the sites of their clients.
By providing context, developers can indicate to them that a customer, for example, is already subscribed. The
networks can thus better target and adjust their marketing pressure.
Technically, integrating their solutions means including on your page code developed by these companies.
Your browser will execute it as if it were your own code. It will have the same constraints, but especially the same
powers.
If just one of your partners is not reliable, you can end up injecting malicious code on your page.
In the best case, it breaks the entire display of the page, and everyone realizes it very quickly.
In the worst case, it can intercept form values, keystrokes, and all sorts of other not cool stuff. That's why
we avoid including this type of tool directly on payment pages.
Especially since external networks can also indirectly include other solutions.
Go back to the cookie acceptance pop-up on Deezer, they give the explicit list of their 773 partners 😱.
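An added Python example, not part of the chapter, that ties the DevTools test above to the point about partner code: it sorts what the "Application > Cookies" panel lists into first-party and third-party cookies using the domain-matching rule of RFC 6265 (section 5.1.3), then lists the first-party cookies that any script running on the page, partner code included, can read because they lack HttpOnly. The cookie names and every domain other than deezer.com are constructed placeholders, not cookies observed on the real site.

```python
# Constructed sample of what the DevTools "Application > Cookies" panel might
# list for a page on deezer.com. Names and non-deezer domains are invented.
PAGE_HOST = "www.deezer.com"
OBSERVED = [
    {"name": "sid",     "domain": ".deezer.com",        "httpOnly": True,  "secure": True},
    {"name": "lang",    "domain": "www.deezer.com",     "httpOnly": False, "secure": True},
    {"name": "consent", "domain": ".deezer.com",        "httpOnly": False, "secure": False},
    {"name": "_adsid",  "domain": ".ads.example.test",  "httpOnly": False, "secure": True},
    {"name": "_pin",    "domain": ".pins.example.test", "httpOnly": False, "secure": True},
]

def domain_matches(host, cookie_domain):
    # RFC 6265 section 5.1.3: the cookie's Domain (leading dot ignored) must equal
    # the host or be a parent domain of it. "notdeezer.com" must NOT match, so we
    # compare on a dot boundary rather than with a plain suffix test.
    d, h = cookie_domain.lower().lstrip("."), host.lower()
    return d != "" and (h == d or h.endswith("." + d))

def party(page_host, cookie):
    # First-party = set for the site you are on; everything else is third-party.
    return "first-party" if domain_matches(page_host, cookie["domain"]) else "third-party"

def audit(page_host, observed):
    # Split the panel into the groups the text talks about, plus two lists worth
    # a second look: first-party cookies readable by any script on the page
    # (no HttpOnly), and cookies that would also travel over plain HTTP.
    report = {"first-party": [], "third-party": [], "script_readable": [], "not_secure": []}
    for c in observed:
        p = party(page_host, c)
        report[p].append(c["name"])
        if p == "first-party" and not c["httpOnly"]:
            report["script_readable"].append(c["name"])
        if not c["secure"]:
            report["not_secure"].append(c["name"])
    return report
```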
Data protection
Now that you've seen how intrusive cookies can be, you should better understand why different entities like the CNIL
and the European Union are trying to prevent abuses.
In the list of Deezer's partners, you can indeed see that some, notably Facebook, are not playing the game 100%.
Several options are available to you: disable third-party cookies in your browser, sort them out on each site before
accepting cookies, use private browsing, or pay for the premium service of the site…
Since December 2023, Google has implemented a "Do not Track" feature in Chrome. They will gradually roll it out to
everyone. In the meantime, you can manually activate it in "Settings" > "Privacy and security" > "Third-party
cookies".
Fun fact: When you refuse cookies, the site must remember not to show you the banner on every page. Guess what your
refusal is stored in… 😄