Cookies came into being in 1994 to serve as the memory of the Internet. Invented by Lou Montulli while working for Netscape, these small text files served the purpose of giving websites recall ability.
Their name comes from the “magic cookie”, a term early Unix programmers used for a data packet that is received and sent back.
The world hasn’t been the same since. Today, we live in hyper-cookied times. Websites harbor myriads of third-party cookies that allow user data to be harvested and combined into comprehensive psychographs of each individual, to be used for behavioral advertising and targeted marketing.
As the great privacy scandals of late have shown, these have also been weaponized to violate democratic elections in the US and UK. Once, cookies were the ability of the Internet to remember.
Today, they have become its ability to predict. With the GDPR, the EU has taken up the big fight against privacy-intrusive practices and laid out a roadmap to a future of balanced, respectful processing of personal information on our digital highways.
The GDPR is an EU regulation that represents the most significant initiative on data protection in 20 years.
The purpose is to protect “natural persons with regard to the processing of personal data and on the free movement of such data”, e.g. the website user.
Cookies are mentioned once in the 88-page regulation. However, those few lines have a significant impact on the compliance of cookies:
(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In other words: when cookies can identify an individual, they are considered personal data.