Chapter 7
Cookies

Should you really accept them?
Reading time: 5 minutes


The European Union, with the ePrivacy Directive (2002, amended in 2009) and the General Data Protection Regulation (applicable since 2018), requires websites to obtain the user's informed consent before storing or accessing information on their device, except for what is strictly necessary to deliver a service the user explicitly asked for.

That's why you see a banner asking for your consent to use cookies 40 times a day.


What is a cookie?

Computing has long had the notion of a "magic cookie": a piece of data handed to a program that the program does not interpret. Such programs are mere intermediaries that pass the data on, as is, to whoever needs it next.

Example:

You purchase a subscription through a company's iOS app. The app tells the site's backend: "Hey, there's a new subscription for such-and-such offer and, FYI, the customer was on an iPhone 15 and started their purchase journey by clicking on page X."

The subscription manager uses the information about the offer to set everything up. It has no use for the customer's purchase context (iPhone 15, page X), but it knows the Data teams need this data for their dashboard, so it simply relays it to them as is.

The Data team itself doesn't really analyze this information either: the dashboard simply lists the possible values and automatically suggests filters and groupings to a marketing director.

The purchase context is passed from the app to the marketing director without the intermediaries truly understanding its content. It's a magic cookie.

In 1994, a Netscape engineer had the idea of adapting this concept to store a small piece of information directly in the browser. The initial goal was to tell whether a visitor had already been to the Netscape site when they arrived on a page.

  1. The site sends a piece of information to the browser (in a Set-Cookie response header).
  2. The browser stores it without caring about its content.
  3. On every subsequent request to that same site, the browser sends the information back (in a Cookie request header).
  4. The site thus gets its information back and can act on it.

As you've guessed, this piece of information is what we more commonly call a cookie.

Cookies have many uses, which is why it's almost impossible to browse the web while refusing them altogether.

Sessions

You arrive on a site, you log in with your email and password. You come back 2 days later and you're still logged in. You navigate through different pages without being asked to authenticate all the time.

Upon your login, the site starts a user session and places a cookie in your browser that represents and maintains it: an opaque identifier that only the server can map back to you.
A logout mostly consists of deleting this cookie (and, on a well-built site, invalidating the session on the server as well, so that a copy of the cookie cannot be reused afterwards).

Without cookies, no session. Some even translate the term "cookie" in French as "témoin de connexion" (connection witness). That's why when you switch to incognito mode, and your existing cookies are not available, you have to log in everywhere again.

Personalization

You arrive on a site that offers multiple languages. The default language is Spanish, but you want the page in English. Your choice is stored in a cookie so that it is transmitted to the back-end with every user action, and every success or error message resulting from that action comes back in your language.

For this example, we could have manually transmitted the language in every request to the back-end. Using a cookie has the advantage of making this automatic and, above all, the site will remember your language if you come back later.

Customer journey analysis

Any website worth its salt tries to optimize its journeys based on customer behavior.
"We lose 60% of our customers at the moment of entering the delivery address of the order."
"Customers who saw the 100€ for 12 months variant finalize their journey more than those who saw 100€ for 1 year."

To do this, it is necessary to know who is making which request, even though the customer may not be authenticated on the site. It's the same idea as sessions, except that instead of authenticating the user, we only want to recognise their browser.

When you arrive on the first page of a site, it creates a cookie that assigns you an identifier. Since this cookie is automatically sent back to the back-end, your entire chain of actions can be tied together.

Advertising

If we extend the analysis of customer journeys across multiple sites, we can show customers products that have recently interested them.

To do this, sites integrate advertising network solutions into their front-end code. During your visits, these sites place their own cookies and, at the same time, trigger requests to the networks' servers so that the networks can place their cookies too. Because those cookies belong to a domain other than the site you are visiting, they are called third-party cookies: the same network cookie is sent back from every site that embeds that network, which is what links your visits together.
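The four steps from "What is a cookie?" and the third-party case just described, as an added example that is not code from the original chapter: a toy cookie jar that stores what a server sends in Set-Cookie, decides which cookies to send back on a later request, and treats a request as third-party when the site being contacted differs from the site in the address bar. CookieJar, siteOf, trackingDemo and the hosts music.example, news.example and ads.example.net are all constructed for this illustration; real browsers use the Public Suffix List to decide what a "site" is and apply many more rules (expiry, cookie prefixes, partitioning) that are left out here.

```javascript
// Added example, not code from the original chapter. Only the Domain, Path,
// Secure, HttpOnly and SameSite attributes are modelled; Max-Age/Expires are
// ignored, so every cookie in this toy jar lives forever.

// "Site" of a host, simplified to its last two labels, e.g.
// ads.example.net -> example.net. Adequate for the constructed hosts used here.
function siteOf(host) {
  return host.split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into a cookie record. Defaults follow
// browser behaviour: host-only, Path=/, SameSite=Lax when unspecified.
function parseSetCookie(header, requestUrl) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: requestUrl.hostname, hostOnly: true, path: '/',
    secure: false, httpOnly: false, sameSite: 'Lax',
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': cookie.domain = v.replace(/^\./, '').toLowerCase(); cookie.hostOnly = false; break;
      case 'path': cookie.path = v || '/'; break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
    }
  }
  return cookie;
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

function pathMatches(requestPath, cookiePath) {
  if (cookiePath === '/' || requestPath === cookiePath) return true;
  return requestPath.startsWith(cookiePath.endsWith('/') ? cookiePath : cookiePath + '/');
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Steps 1 and 2: the site sends Set-Cookie, the browser stores it without
  // looking at the value. The one thing it checks is the Domain attribute:
  // a response from ads.example.net cannot plant a cookie for music.example.
  storeFromResponse(requestUrl, setCookieHeaders) {
    const url = new URL(requestUrl);
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, url);
      if (!domainMatches(url.hostname, c)) continue; // rejected: domain mismatch
      // Same name + domain + path replaces the previously stored cookie.
      this.cookies = this.cookies.filter((o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
      this.cookies.push(c);
    }
  }

  // Step 3: build the Cookie header for a request issued while the user is on
  // topLevelUrl. The request is third-party when its site differs from the
  // top-level site; a cookie then only travels if it says SameSite=None.
  cookieHeaderFor(requestUrl, topLevelUrl) {
    const url = new URL(requestUrl);
    const thirdParty = siteOf(url.hostname) !== siteOf(new URL(topLevelUrl).hostname);
    return this.cookies
      .filter((c) => domainMatches(url.hostname, c)
        && pathMatches(url.pathname, c.path)
        && (!c.secure || url.protocol === 'https:')
        && (!thirdParty || c.sameSite === 'None'))
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The scenario from the text: two unrelated sites embed the same ad network
// tag, and the network's cookie follows the browser from one to the other.
function trackingDemo() {
  const jar = new CookieJar();
  // Visit 1: music.example sets its own first-party session cookie.
  jar.storeFromResponse('https://music.example/', ['sid=m1; Path=/; Secure; HttpOnly']);
  // The page loads the ad tag. The jar holds nothing for ads.example.net yet.
  const firstAdRequest = jar.cookieHeaderFor('https://ads.example.net/tag.js', 'https://music.example/');
  // The network answers with its own cookie; "SameSite=None; Secure" is what
  // allows it to be sent from third-party contexts later. Its attempt to set
  // a cookie for music.example is refused.
  jar.storeFromResponse('https://ads.example.net/tag.js',
    ['uid=u42; Domain=.example.net; Path=/; Secure; SameSite=None',
     'sid=hijack; Domain=music.example; Path=/']);
  // Visit 2, days later, on another site carrying the same tag: the network
  // gets uid=u42 back and can link the two visits.
  const secondAdRequest = jar.cookieHeaderFor('https://ads.example.net/tag.js', 'https://news.example/');
  // music.example's own cookie is only ever sent to music.example.
  const musicRequest = jar.cookieHeaderFor('https://music.example/account', 'https://music.example/');
  return { firstAdRequest, secondAdRequest, musicRequest };
}

console.log(trackingDemo());
// { firstAdRequest: '', secondAdRequest: 'uid=u42', musicRequest: 'sid=m1' }
```

The SameSite=None filter is the point worth noticing: by default (Lax) a cookie is not attached to cross-site subresource requests at all, so an advertising network has to opt in explicitly for its cookie to work as a third-party cookie, which is also what makes it easy for a browser to block that category wholesale.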

Do the test

  1. Open Chrome, switch to incognito mode (Ctrl + Shift + N) and open deezer.com. Press F12 to open the DevTools, go to the "Application" tab at the top, then "Cookies" in the left menu.

     For now, there's not much to see.
  2. Accept the use of cookies on the Deezer page. Instantly, you will see Snapchat, Pinterest, Google Ads cookies, etc. appear.

If you're not paying for it, you're not the customer; you're the product being sold. <Andrew Lewis / blue_beetle>

GAFAM and major social networks are among the biggest advertising networks.

Now that they know you use Deezer, they can display ads with promotions on subscriptions across all your networks and all the sites of their clients.
By providing context, developers can indicate to them that a customer, for example, is already subscribed. The networks can thus better target and adjust their marketing pressure.

Technically, integrating their solutions means including on your page code developed by these companies. Your browser executes it as if it were your own code: it has the same constraints, but above all the same powers, including reading the page contents and any cookie not marked HttpOnly.
If just one of your partners is not trustworthy, you can end up with malicious code injected into your page. In the best case, it breaks the whole page layout and everyone notices quickly. In the worst case, it silently intercepts form values, keystrokes and all sorts of other nasty stuff. That's why we avoid including this kind of tool directly on payment pages.

Especially since external networks can in turn include other solutions. Go back to the cookie acceptance pop-up on Deezer: they give the explicit list of their 773 partners 😱.

Data protection

Now that you've seen how intrusive cookies can be, you should better understand why entities like the CNIL (the French data protection authority) and the European Union are trying to prevent abuses.
In the list of Deezer's partners, you can indeed see that some, notably Facebook, are not playing the game 100%.

Several options are available to you: disable third-party cookies in your browser, sort them out on each site before accepting cookies, use private browsing, or pay for the premium service of the site…

In December 2023, Google announced a "Tracking Protection" feature for Chrome that blocks third-party cookies by default (this is distinct from the older "Do Not Track" request header, which merely asks sites not to track you and which they are free to ignore). It was first enabled for a small share of users in January 2024, with a gradual rollout to everyone planned; that plan was later put on hold. In the meantime, you can block third-party cookies yourself in "Settings" > "Privacy and security" > "Third-party cookies".


Fun fact: When you refuse cookies, the site must remember not to show you the banner on every page. Guess what your refusal is stored in… 😄