What is a cookie?
A cookie is a small file, generally made up of letters and numbers, which is downloaded to the memory of a computer (or other equipment used for online browsing - mobile phone, tablet, etc.), when the user accesses a certain website.
Cookies are created when the browser used by a user displays a certain website. The website sends information to the browser, which creates a text file. Each time the user accesses the respective website again, the browser accesses and transmits this file to the website server. In other words, the cookie can be seen as an identification card of the Internet user, which informs the website every time the user returns to that website.
Purpose of cookies
Cookies can ensure a faster and easier interaction between users and websites. For example, when a user authenticates on a certain website, the authentication data is stored in a cookie; afterwards, the user can access that site without having to log in again.
In other cases, cookies can be used to store information about the activities carried out by the user on a certain web page, so that he can easily resume those activities when accessing the site later. Cookies tell the server which pages to show the user, so that he does not have to remember this or navigate the entire site from the beginning. Thus, cookies can be assimilated to "bookmarks" that tell the user exactly where he was on a website.
Similarly, cookies can store information about products ordered by the user on an e-commerce site, thus making the concept of a "shopping basket" possible.
Also, cookies can give websites the possibility to monitor users' online activities and establish user profiles, which can then be used for marketing purposes. For example, on the basis of cookies, the products and services agreed by a user can be identified, this information later serving to send appropriate advertising messages to that user.
It is important to mention that websites in Romania have the obligation to publicly specify if they use cookies and for what purpose
Types of cookies
Cookies specific to an online session
Web pages have no memory. A user who navigates from one web page to another will be considered by the website as a new user. Session-specific cookies usually store an identifier that allows the user to move from one web page to another without having to enter the identification information (username, password, etc.) each time. Such cookies are widely used by commercial websites, for example, to keep track of the products added by a user to the shopping cart. When the user visits a certain page of a product catalog and selects certain products, the cookie retains the selected products and adds them to the shopping cart, which will contain all the selected products when the user wants to leave the page.
Cookies specific to a session are stored in the user's computer memory only during an Internet browsing session and are automatically deleted when the browser is closed. They can also become inaccessible if the session has been inactive for a certain period of time (usually 20 minutes).
Permanent, persistent or stored cookies
Persistent cookies are stored on the user's computer and are not deleted when the browsing session is closed. These cookies can retain the user's preferences for a certain website, so that they can be used in other Internet browsing sessions.
In addition to authentication information, persistent cookies can also retain details about the language and theme selected on a certain website, preferences regarding a website's menu, favorite pages within a website, etc. When the user accesses a site for the first time, it is presented in default mode. Later, the user selects a series of preferences, which are then retained by cookies and used when the user accesses the site again. For example, a website offers its content in several languages. On the first visit, the user selects the English language, and the site retains this preference in a cookie. When the user visits the respective site again, the content will be automatically displayed in English.
Persistent cookies can be used to identify individual users and, thus, to analyze the online behavior of users. They can provide information about the number of visitors to a website, the time (on average) spent on a certain page, and, in general, the performance of a website. These cookies are configured to track user activities for a long period of time, in some cases even years.
Flash cookies
If the user has Adobe Flash installed on the computer, small files can be stored in the memory of that computer by websites that contain Flash elements (such as video clips). These files are known as "local shared objects" or "flash cookies" and can be used for the same purposes as regular cookies.
When regular cookies are deleted through the functions of a browser, flash cookies are not affected. Thus, a website that uses flash cookies can recognize a user on the occasion of a new visit, if the data specific to the deleted cookies have also been retained in a flash cookie.
Since flash cookies are not stored on the user's computer in the same way as regular ones, they are more difficult to identify and delete. Banks and financial sites use such cookies precisely for this reason. Because they are difficult to identify, these cookies are stored in users' computers to allow user authentication and prevent fraud, because possible criminals may have the username and password for authentication, but do not have access to the user's computer. Thus, cookies act as a second level of authentication, in addition to the username and password.
First party cookies vs third party cookies
Each cookie has an "owner" - the website/Internet domain that places that cookie.
First party cookies are placed by the Internet domain / website accessed by the user (whose address appears in the address bar of the browser). For example, if the user visits www.apti.ro, and the domain of the cookie placed on his computer is www.apti.ro, then it is a first party cookie.
A third party cookie is placed by a different Internet domain/website than the one accessed by the user; this means that the accessed website also contains information from a third-party website - for example, an advertising banner that appears on the accessed website. Thus, if the user visits www.apti.ro but the cookie placed on his computer has the domain www.trafic.ro, then it is a third party cookie.
The Article 29 Working Group (made up of the national data protection authorities from the member states of the European Union) considers that, from a legal point of view, and considering European legislation, the notion of "third party cookie" refers to a cookie placed by an operator[1] distinct from the one that operates the website visited by the user. Third party cookies are not strictly necessary for the user accessing a website, as they are usually associated with a service distinct from the one that was explicitly "requested" by the user (by accessing the website) .
Cookie access
The cookies used on our website, as well as their use, are presented in the table below:
Cookies of the Google Analytics script that monitor and report the traffic on this site.
The cookie required to display and use the site's chat module, the module displayed in the lower right corner of each page accessed by the client.
Cookies of the Google Remarketing script that store information about website visitors in order to display advertisements after visiting the website
Deletion of cookies
Detailed information on how to manage, disable and delete cookies by using the settings of the browser used to browse the Internet is available at the following addresses:
Internet Explorer (IE 8, 9 and 10):
Internet Explorer 8
Internet Explorer 9
Internet Explorer 10
Mozilla Firefox
Cookie settings and debugging cookies (activating and deactivating cookies, deleting cookies, blocking certain sites from placing cookies, unblocking the placing of cookies, etc.)
Delete cookies to remove information stored on your computer by other web pages
< strong>Google Chrome
Cookie management (delete, block, allow, etc. enabling exceptions, etc.)
Management cookies and site data
Safari
Manage cookies - Manage cookies (only in English)
Safari 6 (OS X Mountain Lion): Manage cookies
Remove cookies - Delete cookies (only in English)
Safari 6 (OS X Mountain Lion): Remove cookies and other data
Opera
Managing and deleting cookies (only in English)
Management of cookies and site data
Useful information
Cookies from the perspective of IT security and privacy protection
Although cookies are stored in the memory of the Internet user's computer, they cannot access/read other information located in that computer. Cookies are not viruses. They are just small text files; they are not compiled as code and cannot be executed. Thus, they cannot self-copy, they cannot spread to other networks to generate actions and they cannot be used to spread viruses.
Cookies cannot search for information in the user's computer, but they store information of a personal nature. This information is not generated by cookies, but by the user, when he fills in online forms, registers on certain websites, uses electronic payment systems, etc. Although, as a rule, sensitive information is protected so that it cannot be accessed by unauthorized persons, it is still possible for such persons to intercept the information transmitted between the browser and the website. Even though they are quite rare, such situations can occur when the browser connects to the server using an unencrypted network, such as an unsecured WiFi channel.
To reduce the chances of cookie interception, the so-called "secure cookie" or "HttpOnly cookie" can be used. "Secure" cookies are intended to limit the communication of information stored in cookies to encrypted transmission, indicating to the browser to use cookies only through secure/encrypted connections. Thus, if the website uses HTTPS, the cookies related to the website are marked with the "secure" attribute, preventing their transmission to a non-HTTPS page, even if it is located at the same URL. For example, if google.ro uses a "secure cookie", that cookie can only be obtained by google.ro and only from an https connection (which certifies that the person requesting the cookie is Google Inc and not someone else) . The "HttpOnly" attribute tells the browser to use cookies only through the HTTP protocol (which also includes HTTPS). An HttpOnly cookie is not accessible by non-HTTP methods, such as JavaScript, and cannot be the target of cross-site scripting attacks.[2]
Another source of concern is the use of cookies for behavioral advertising purposes. Thus, cookies can be used by online advertising companies to monitor the user's online behavior and preferences, in order to identify and deliver the most relevant advertising messages to the user. But these preferences are not expressed explicitly or consciously by the user, but are modeled according to the user's online browsing history, the pages viewed by him, the advertising messages accessed. For example, when the user reads a web page about cars and later moves to another page, advertising messages about cars will be displayed on the new page, even if it is not related to cars. Since the user is not informed that his online actions are being monitored, this raises privacy concerns.
Thus, the use of cookies raises concerns about the use of information retained by these cookies for the purpose of monitoring users and the use of spyware technologies, especially in cases where the information is stored on users' computers and used for their recognition , without the users knowing about this or having given their consent in this regard.
5. Regulation of the use of cookies
The use of cookies and the obligations of suppliers are regulated both in European Union legislation and in national legislation.
Thus, Directive 2002/58/EC (PDF) on the processing of personal data and the protection of confidentiality in the electronic communications sector, amended by Directive 2009/136/EC (PDF), provides that:
"Art.5 - (3) The member states ensure that the storage of information or gaining access to the information already stored in the terminal equipment of a subscriber or user is allowed only on the condition that the subscriber or user in question has given his consent , after having received clear and complete information, in accordance with Directive 95/46/EC, inter alia, regarding the purposes of the processing. This does not prevent storage or technical access for the sole purpose of carrying out the transmission of the communication through a communication network electronic or if this is strictly necessary for the provider to provide an information society service expressly requested by the subscriber or user."
These provisions were transposed into the national legislation in Law no. 506/2004 on the processing of personal data and the protection of private life in the electronic communications sector, with subsequent amendments and additions:
"Art. 4 -
(5) Storing information or obtaining access to the information stored in the terminal equipment of a subscriber or user is allowed only with the cumulative fulfillment of the following conditions:
- the subscriber or user in question has expressed his consent;
- the subscriber or user in question were provided, prior to expressing the agreement, in accordance with the provisions of art. 12 of Law no. 677/2001, with subsequent amendments and additions, clear and complete information that:
- to be presented in an easy-to-understand language and to be easily accessible to the subscriber or user;
- to include mentions regarding the purpose of processing the information stored by the subscriber or user or the information to which he has access.
If the provider allows third parties to store or access information stored in the terminal equipment of the subscriber or user, the information in accordance with points (i) and (ii) will include the general purpose of the processing of this information by third parties and the way in which the subscriber or user can use the settings of the internet browsing application or other similar technologies to delete the stored information or to deny third parties access to this information.
- (51) The agreement provided for in para. (5) lit. a) it can also be given by using the settings of the internet browsing application or other similar technologies through which it can be considered that the subscriber or user has expressed their consent.
- (6) The provisions of para. (5) do not affect the possibility of storing or technical access to the stored information in the following cases:
- when these operations are carried out exclusively for the purpose of transmitting a communication through an electronic communications network;
- when these operations are strictly necessary in order to provide a service of the information society, expressly requested by the subscriber or user."
According to these provisions, the use of third party cookies is allowed under the following conditions:
- informing users, in a clear, complete and easily accessible manner, regarding:
- the placement, by a certain website, of cookies in the memory of the user's computer;
- the purpose of using cookies (the information stored in cookies and the purpose in which this information is used);
- the ways in which the user can delete cookies or deny access to third parties to the information stored by those cookies;
- obtaining the user's consent for placing cookies and for using the information contained in them.
- although users' consent can also be expressed by using the settings of the browser used for browsing the Internet, it is necessary that in this case there is a prior information of the user regarding the placement of cookies and their purpose.
The exceptions provided in European and national legislation allow the use of first party cookies without observing the obligation to obtain the user's consent. In addition, in June 2012, the Article 29 Working Group issued an opinion (PDF) clarifying these exceptions:
- some cookies can be exempted from the obligation to obtain the user's informed consent under certain conditions and if they are not used for additional purposes. Such cookies include: cookies used to store information entered by a user when filling out an online form, cookies used to store technical data necessary to run video and audio content and cookies used to personalize web pages (for example, those that retain preferences regarding the language in which the content of a website is displayed).
- first party cookies do not generate risks for the privacy of users if the website provides users with clear information regarding the use of cookies, as well as guarantees regarding the protection of privacy (for example, putting at the disposal of an easy mechanism through which the user can request that his data not be collected) and if the anonymization of the authentication information is ensured.
Do Not Track mechanism
As I showed in point 5, at the European level there are regulations regarding the monitoring of users' online activities for marketing purposes, it being necessary, in general, to obtain the consent of the users for such practices. But in other parts of the world such situations are less regulated. Under these conditions, the World Wide Web Consortium (W3C) is currently working on a technical standard (and technologically neutral) - "Do Not Track". This standard will be able to be used by users to tell their browsers to signal to advertising companies that they do not want their online activities to be monitored.
W3C states that "users have the right to know what data will be collected and for what purpose it will be used. Having this information, they can decide whether or not to allow the monitoring of online activities and the collection of personal data. Many companies The Internet uses the data collected in connection with the online activities of the users to personalize the content provided to the users and direct relevant advertising messages to them, depending on the interests identified on the basis of the information collected. Although some users appreciate this personalization of the content and advertising messages in certain contexts, others are concerned about what they perceive to be an intrusion into their private lives.
Under these conditions, users need a mechanism that allows them to express their preferences regarding the monitoring of online activities; this mechanism must be easy to configure and efficient. Additionally, websites that cannot or will not provide content without also providing behavioral advertising or collecting user data need a mechanism to indicate this to users and allow them to take a decision in the light of the case."
The purpose of the "Do Not Track" standard is "to give the user the opportunity to express his personal options regarding the monitoring of online activities and to communicate these options to each server or web application with which he interacts, thus allowing each service accessed either to adjust its practices based on the user's choices, or to reach a separate agreement with the user that is convenient for both parties.The basic principle is that the expression of monitoring preferences is transmitted only when it reflects a deliberate choice of the user . In the absence of a user option, it is considered that the preference regarding the monitoring of online activities is not expressed."
Do Not Track functionality for search engines
Options for preventing the monitoring of the user's online activity are implemented today in various forms. From Internet Explorer 8, which offers you the possibility to block third-party sites that leave content when you visit a website, to the new extensions, add-ons and options introduced even in the search engine's preferences. In the absence of the standard mentioned above, in some search engines it is more obvious how to activate this functionality, in others it is more hidden. Instructions to set the Do Not Track mechanism for Safari, Internet Explorer 9, Firefox and Chrome can be found here
Being among the last to introduce this functionality, version number 23 Google Chrome offers the possibility of installing the extensions Do Not Track Me, AVG Do Not Track or Keep My Opt-Outs which block cookies and prevent (for the moment) only the companies American advertising to personalize the ads according to the online behavior of the internet user.
Firefox, in addition to the Do Not Track Me add-on, also offers the "Tell web sites I do not want to be tracked" option that can be configured in the privacy menu. Moreover, Internet Explorer 10 comes with Do Not Track as a default option. Microsoft's decision sparked a series of strong reactions, the response of companies such as Yahoo and Apache being that they will ignore Internet Explorer 10's Do Not Track signals.
Another tool that you can install on most search engines (and even as an application on iOS) is Ghostery. Ghostery scans the page you visit and notifies you of the existence of elements installed by third-party sites in order to track your activity. You can then set your preferences according to the categories in the menu: advertising, analytics, beacons, privacy, widgets. More information here.
It should be noted that not all Do Not Track functionalities block cookies. Therefore, it is good to check what is included in the component of each Do Not Track extension and to choose the one that best represents the limitations you want to convey to the sites that monitor your activity on the Internet.
Complaints and notices
If you have certain complaints or want to notify us of certain irregularities in the use of cookies related to this site, please do so via the contact form.
Thank you!
