The information on this web site should not be treated as legal advice. It is provided on an "as is" basis and without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality of the obtained information is with you.
In technical terms, a web cookie (RFC 6265) is a small piece of text that a website stores in your browser, in the background, while it is loading the page. In the HTTP protocol, the server uses the Set-Cookie header to set a cookie in a browser. The browser then reflects the
Cookies were introduced because websites handle thousands of clients at each moment and have no way to distinguish your network connection from the multitude of other users' connections. This would make any multi-step or transactional operation impossible. So on the first connection the website assigns you a random identifier (a cookie), which your browser reflects with each future connection. This way the website can distinguish your connection from the others. This is just the simplest example; in reality cookies can be used for numerous other purposes that share the same goal: to uniquely identify a client to the website.
From a privacy and compliance point of view there are three main types of cookies:
An example of a session cookie:
Set-Cookie: sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/
An example of a permanent cookie:
Set-Cookie: csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; Max-Age=31449600; Path=/
An example of a third-party cookie (being permanent at the same time):
Set-Cookie: GAD=KlSrB8sGvaGpI8EeouVto3eC8xRQxQsoYyQGGsWtkUF3QooKYGGQQee1HcsxSaGGQCGRNF5RY73SxAxgRoQSGEvyS8S8QnpHeGMXdKFRa1s-iFRKExFhsaGS8zV26rGnbiGSUigZ8D6_GvsSqPBBcYj7DnJCoGklQquU2Zq80l9QSG8.; Domain=hub.com.pl; Path=/; Expires=Wed, 30 Aug 2017 00:00:00 GMT
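The three categories in the examples above can be told apart mechanically from the Set-Cookie value and the host that sent it. The following is an added example, not WebCookies.info's own code; the host names, the shortened GAD value and the helper names (classify, related, report) are assumptions, and the same-site check is a simplified suffix match rather than a Public Suffix List lookup.

```python
from dataclasses import dataclass


@dataclass
class CookieInfo:
    name: str
    persistent: bool   # Expires or Max-Age present: survives browser restart
    third_party: bool  # cookie domain unrelated to the page the user visited
    http_only: bool
    secure: bool


def related(host_a, host_b):
    """Simplified same-site test: equal, or one is a dot-suffix of the other.
    Real browsers compare registrable domains using the Public Suffix List."""
    a, b = host_a.lower().lstrip("."), host_b.lower().lstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def classify(set_cookie, response_host, page_host):
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    domain = attrs.get("domain") or response_host  # host-only cookie if no Domain
    return CookieInfo(
        name=name,
        persistent="expires" in attrs or "max-age" in attrs,
        third_party=not related(domain, page_host),
        http_only="httponly" in attrs,
        secure="secure" in attrs,
    )


# Header values from the examples above (GAD value shortened); hosts are constructed.
PAGE_HOST = "www.example.com"
SAMPLES = [
    ("sessionid=0c3ca1b85524d571454b2cf22c62fb34; httponly; Path=/", PAGE_HOST),
    ("csrftoken=NUZeWttMIijbs7OQrVNm0k1pIknjLyPW; expires=Thu, 27-Feb-2014 22:55:03 GMT; "
     "Max-Age=31449600; Path=/", PAGE_HOST),
    ("GAD=constructed-value; Domain=hub.com.pl; Path=/; "
     "Expires=Wed, 30 Aug 2017 00:00:00 GMT", "hub.com.pl"),
]


def report():
    return [classify(value, host, PAGE_HOST) for value, host in SAMPLES]
```

None of the three sample cookies carries the Secure attribute, and only sessionid is marked HttpOnly, which the returned flags make visible when documenting a site's cookies.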
There are two main reasons why people are concerned about web cookies:
European Directive 2009/136/EC (more on Wikipedia and the Directive itself) has a much wider scope. It doesn't actually regulate "cookies" in the specific, technical meaning. This is what the Directive says:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
There's also a paragraph in the preamble (non-binding but setting context):
Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.
There was a lot of confusion and discussion on how this should actually be implemented. One of the first countries in the EU to enact this law at the national level was the United Kingdom, and its Information Commissioner's Office (ICO) decided to set a good example and for some time took a very literal approach, so to say, especially about the user's consent being "prior" to website display.
As a result, if you visited the ICO website in that period, a part of it was covered by a rather annoying pop-up banner asking if you agree to receive a cookie. If you did, the banner would disappear, and your "yes" answer would of course be stored in a cookie. If you did not agree, you'd see the annoying pop-up on each page of the ICO's website you browsed, because the website had no way to remember that you answered "no". Later on, the ICO changed its policy towards a more liberal interpretation.
For most websites in most EU countries it should be sufficient to provide clear, easy-to-read information on what cookies your site sets and what their purpose is (example on ICO website). To do that, you need to actually know what cookies your site sets, and this is where WebCookies.info helps a bit. You can scan your website and use the obtained results as a starting point to develop full documentation of the cookies used.
Note, however, that the road to the Directive was long, bumpy (see NoCookieLaw) and full of rather complicated legal discussion (see Opinion 04/2012 on Cookie Consent Exemption) which is not always consistent with the technical understanding of how cookies work.
In addition to that, there's one Directive and 27 Member Countries in the European Union to implement it, and each country took a slightly different approach. As a result, these local implementations can differ substantially from each other. So if you need to be certain about your compliance with the laws in your jurisdiction, consult a technology lawyer.
The short answer is: no. In some cases this service will not be able to see and record all cookies used by a website.
First, WebCookies.info will load the page as an anonymous user and will only receive cookies intended for such users. It's quite common (and it's actually good security practice) to set session cookies after the user has authenticated, and these cookies will not be recorded.
Second, a website can set different cookies on different pages. If you scan the main page and then some other part of the website, you may get different results. You need to understand the technology used to build the different parts of your website to know which pages to test.
Third, we are currently recording only traditional cookies set using the Set-Cookie header. While this is what is most often meant by web cookies, remember that the Directive talks about "storing information", not only HTTP cookies. And there are some other ways to track users apart from cookies. Data can be stored in a similar way in other objects, such as Flash cookies, HTML5 storage and other means collectively named Evercookie. Currently we do not support those alternative information storages.
This site uses a script that emulates a web browser to render the page for which people wanted to check the cookies. The script uses the following User-Agent string: