Cookies GDPR ePrivacy Directive Guide

Cookies track you relentlessly, but EU regs? A patchwork mess. Here's why big ad tech still laughs to the bank.

Cookies: GDPR's Blind Spot and ePrivacy's Limbo — theAIcatchup

Key Takeaways

  • GDPR barely mentions cookies; ePrivacy Directive is the real regulator.
  • Third-party marketing cookies are the privacy villains, but fingerprinting rises.
  • EU regs create confusion; big ad tech profits amid delays.

Cookies haven’t gone anywhere.

They’re still lurking in your browser, feeding ad machines, despite all the GDPR hoopla. Look, I’ve covered this Valley circus for two decades — from the dot-com bubble to today’s AI gold rush — and one thing never changes: regulators promise chains, but trackers find loopholes. The original pitch? Cookies as benign helpers. Reality? They’re the digital spies powering targeted ads that know your coffee order before you do.

And here’s the kicker: GDPR, that 88-page behemoth everyone freaks over, mentions cookies exactly once. In Recital 30, no less.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with uniqu

That’s it. One half-sentence. Cuts off like a bad connection. But ePrivacy Directive? That’s the real cookie cop, buried in Brussels bureaucracy.

Cookie Types: Beyond the Buzz

Session. Persistent. First-party. Third-party. Strictly necessary. Preferences. Stats. Marketing. It’s a taxonomy that sounds like a bad zoo exhibit.

Session cookies vanish when you do — poof, browser closes, they’re gone. Handy for keeping your cart full while you shop. Persistent ones? They squat on your drive until you evict ‘em, sometimes coded to linger years. ePrivacy says cap at 12 months, but who enforces that? Not your average user.

First-party: the site’s own cookies, polite neighbors. Third-party: the creepy ones from advertisers, crashing the party uninvited. And purposes? Strictly necessary get a pass — no consent needed, just explain ‘em. Preferences remember your language (bless ‘em). Stats aggregate clicks for site tweaks — anonymized, supposedly. Marketing? That’s the villain, tracking cross-site, sharing your soul with ad networks.

People rage about third-party persistent marketing cookies. Rightly so. They build profiles richer than your LinkedIn. Chain of access? A tangled web — site owner, analytics firm, ad exchange, all dipping in.
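The duration and provenance categories above can be read straight off `Set-Cookie` response headers. The following is an added example, not code from the article or from any tool it names: it labels each cookie session or persistent, first- or third-party, and flags lifetimes over the 12-month cap the article cites. The hosts, cookie values and the two-label site comparison are constructed assumptions, and purpose (necessary, marketing and so on) cannot be inferred from headers.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME_DAYS = 365  # the 12-month cap the article attributes to ePrivacy

def parse_set_cookie(header):  # returns (cookie name, lower-cased attribute dict)
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0].split("=", 1)[0], attrs

def lifetime_days(attrs, now):  # None means a session cookie
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            pass  # an invalid Max-Age is ignored
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # no usable expiry: cookie dies with the browser session
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return (expires - now).total_seconds() / 86400

def site_of(host):
    # Simplification (assumption): last two labels; real audits need the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(page_host, responses, now):
    findings = []
    for host, header in responses:  # host = server that sent the Set-Cookie header
        name, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        findings.append({
            "name": name, "party": "first" if site_of(host) == site_of(page_host) else "third",
            "duration": "session" if days is None else "persistent",
            "over_cap": days is not None and days > MAX_LIFETIME_DAYS})
    return findings

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are repeatable
SAMPLE = [  # constructed (responding host, Set-Cookie value) pairs for a visit to www.shop.example
    ("shop.example", "cart=abc123; Path=/; HttpOnly"),
    ("shop.example", "lang=en; Max-Age=15552000; Path=/"),
    ("ads.tracker.example", "uid=9f2c; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure"),
    ("cdn.shop.example", "ab=variant2; Max-Age=63072000"),
]
```

Calling `audit("www.shop.example", SAMPLE, NOW)` returns one finding per cookie; the third-party `uid` cookie and the two-year first-party `ab` cookie are the ones that exceed the cap.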

Decline since GDPR? Sure, but fingerprinting’s the new sheriff. Canvas your browser, tally fonts, clock quirks. Cookies die; ghosts rise.

Does GDPR Even Care About Cookies?

GDPR’s personal data hammer swings wide — any info identifying you, directly or indirectly. Cookies? Sometimes yes, if they link to your IP or behavior.

But consent? Processing rules? That’s ePrivacy turf for ‘content stored or accessed on your device.’ Article 5(3): no sneaky placements without prior consent. Banner pop-ups? Born from this.

GDPR layers on top for personal data bits. Double jeopardy, kinda. Fines? ePrivacy via national bodies, GDPR via DPAs. Confusion reigns.

Remember 1995 ePrivacy roots? Pre-GDPR dinosaur, updated but not replaced. EU promised ePrivacy Reg to modernize — it’s been kicking cans since 2017. Stalled in Parliament. Big Tech loves it that way.

Who Profits from Cookie Chaos?

Advertisers. Duh. Google, Meta — they minted billions on third-party cookies. Chrome’s phasing ‘em out by 2024, but alternatives bloom: Google’s Topics API, and the FLoC flop that gave way to the Protected Audience nonsense.

Publishers? Screwed. No cookies means less targeting, lower CPMs. Who wins? Walled gardens. Sign into NYT? They track internally. Consent-or-bust banners? Most click ‘accept’ — 80% in some studies. Lazy humans.

My hot take, absent from the legalese: this echoes 1996 cookie wars. Netscape invented ‘em for state; Lou Montulli for shopping carts. Ad industry hijacked. Now, history loops — regs tighten, tech pivots. Prediction: by 2026, server-side tracking dominates, privacy theater continues. Users none the wiser, ad bucks flow.

Strictly necessary? Free ride. But what’s ‘necessary’? Cart cookies yes; A/B test trackers? Gray zone. Preferences, stats — often need consent unless ‘legitimate interest’ saves ‘em under GDPR. Marketing? Slam dunk consent.

ePrivacy’s 12-month persistent cap? Ignored. Tools like Cookiebot scan sites; violations galore.

Why Can’t EU Just Fix This?

Politics. Telecoms want softer touch; privacy hawks push hard. ePrivacy Reg draft? Watered down yearly.

National twists: Germany’s strict, France fines loose. CNIL hit Google €150M in 2022 for cookie sins. But systemic? Nah.

Browser makers — Apple, Firefox — block third-party by default. Safari’s ITP ages ‘em out. Google’s dragging feet, antitrust breathing down.

Unique insight: GDPR’s cookie whisper created a myth. It’s not the boss; ePrivacy is. But without Reg upgrade, it’s whack-a-mole. Big Tech donates to lobbyists; regs lag innovation. Always has.

So, delete cookies weekly. Use uBlock. VPN. But full privacy? Dream on.


Frequently Asked Questions

What types of cookies need consent under GDPR?

Consent is required for non-essential cookies such as marketing and stats; strictly necessary cookies are exempt if explained.

How does ePrivacy Directive differ from GDPR on cookies?

ePrivacy mandates prior consent for device storage/access; GDPR handles personal data processing.

Are third-party cookies illegal in EU?

Not illegal, but they need consent; their use is declining due to blocks and privacy tools.

Written by Priya Sundaram

Hardware and infrastructure reporter. Tracks GPU wars, chip design, and the compute economy.

Originally reported by GDPR.eu Blog