Cookies: Fundamentals and Importance for Data Protection on Websites

Meaning of cookies

Cookies play a crucial role for websites in the context of the GDPR. The main reasons are:

  1. The ECJ ruling on cookies. It was not primarily about cookies, but the reporting presented it that way.
  2. The revised ePrivacy Directive is misleadingly referred to as the Cookie Directive.
  3. The marketing gimmicks of some providers of Consent Tools and some advisory platforms
  4. The fact that cookies are the data processing mechanism that is easiest to prove and cannot be denied

What is a cookie?

A cookie consists of a key and a value and is managed by the user's browser. In the past, browsers usually stored cookies in the form of text files on the user's device. Nowadays, cookies are often stored in databases. Cookies are not text files and never were, because each browser could and can choose its own storage format freely.

A cookie has, in particular, the following properties (shown with example values):

  • Name: NID
  • Value: 200=Unknown string of characters
  • Lifespan: 1 year
  • Security settings: HttpOnly
  • Domain: google.com

The domain of a cookie determines whether it is a First-Party or a Third-Party Cookie.

First-Party Cookies

First-Party Cookies are managed by the website that has just been called up and can only be read by that website. If the cookie has the domain webseite4711.de and the website also has this address, then the cookie is First-Party for this website.

Third-Party Cookies

Third-Party Cookies are managed by third parties. A third party is a provider of a tool, for example Google reCAPTCHA. When such a third-party tool is loaded, the browser attaches all cookies from the same domain as the tool to the request.

A third-party cookie can only be generated by the server from which a file is requested.

A practical example for Google reCAPTCHA: This tool is available over the domain google.com. When calling a website that integrates reCAPTCHA, the following happens:

  1. The website is called up in the browser by entering the address www.webseite4711.de
  2. The website integrates Google reCAPTCHA via the following file: https://www.google.com/recaptcha/api.js
  3. The browser fetches the file and sends all cookies already existing for the domain google.com along with it. Specifically, the cookie NID is transmitted, which contains the Google user ID. This cookie is set, for example, when a user logs in to their Google account.
  4. The called tool can read out or change the value of the cookie.

Third-Party Cookies are therefore only accessible to tools that reside in the same domain as the cookie, where that domain is by definition different from the domain of the called website (hence the name Third-Party).

Sharing of Third-Party Cookies between different tools

The aforementioned tool Google reCAPTCHA has access to several domains, including google.com and gstatic.com. All cookies set for these domains before integrating Google reCAPTCHA are automatically accessible to this tool. As a result, reCAPTCHA can read not only the cookies it manages itself but also those set by all other Google tools on one of the two mentioned Google domains. Thus, reCAPTCHA has comprehensive access to various cookies that should actually be assigned to other tools! This makes it practically impossible to use Google reCAPTCHA without a consent request in a legally compliant manner. Requesting consent is also difficult because nobody knows how Google processes which data.

Third-party cookies for first-parties

If a website integrates a tool like Google Analytics, JavaScript code is loaded into the website in the process. This JavaScript code can also manage First-Party Cookies, because it "lives" on the loading website and can act in its place.

A first-party cookie is treated as a third-party cookie

A first-party cookie can also become a third-party cookie. Here's a popular example:

  1. A user accesses the website google.com
  2. A first-party cookie named NID is created (or updated if it already existed) on the domain google.com
  3. The user now calls up a website uvwxyz.de, which integrates Google reCAPTCHA
  4. Google reCAPTCHA is loaded from the domain google.com, among others. When the tool is loaded, the original First-Party Cookie NID is sent along and is now a Third-Party Cookie, since the domain of the current website is uvwxyz.de and thus not google.com.
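The two request flows above (google.com visited directly, then reCAPTCHA loaded from uvwxyz.de) can be modelled in a few lines. This is an added example, not code from the original article; it goes slightly beyond the text by also modelling the SameSite attribute, and the cookie named prefs, the SameSite values and the two-label domain shortcut are assumptions made for the illustration.

```javascript
// Added illustration: a minimal model of how a browser decides which cookies
// accompany a request. Not a full RFC 6265 implementation.

// Assumption: the registrable domain is the last two labels. Real browsers
// use the Public Suffix List (this shortcut is wrong for e.g. "co.uk").
function site(host) {
  return host.split(".").slice(-2).join(".");
}

// RFC 6265 domain-match: equal, or the host ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// First- or third-party is a property of the request context, not of the cookie.
function party(pageUrl, requestUrl) {
  return site(new URL(pageUrl).hostname) === site(new URL(requestUrl).hostname)
    ? "first-party" : "third-party";
}

// Names of the cookies the browser attaches to a subresource request.
function cookiesSent(jar, pageUrl, requestUrl) {
  const host = new URL(requestUrl).hostname;
  const crossSite = party(pageUrl, requestUrl) === "third-party";
  return jar
    .filter((c) => domainMatches(host, c.domain))
    // SameSite=Lax/Strict cookies are withheld from cross-site subresource requests.
    .filter((c) => !crossSite || c.sameSite === "None")
    .map((c) => c.name);
}

// Constructed cookie jar: "prefs" and all SameSite values are sample data.
const jar = [
  { name: "NID", domain: "google.com", sameSite: "None" },
  { name: "prefs", domain: "google.com", sameSite: "Lax" },
  { name: "session", domain: "uvwxyz.de", sameSite: "Lax" },
];

const recaptcha = "https://www.google.com/recaptcha/api.js";
for (const page of ["https://www.google.com/", "https://uvwxyz.de/"]) {
  console.log(page, party(page, recaptcha), cookiesSent(jar, page, recaptcha));
}
```

The same NID cookie is first-party in the first request and third-party in the second; a browser configured to block third-party cookies would send nothing in the second case.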

Cookies and Data Protection

Whenever a website loads a tool from a domain, all cookies present on the user's device for that domain are automatically transferred over.

If a tool loads additional scripts from other domains, these scripts can generate, read, and modify Third-Party Cookies. In practice, this happens (as of 30.12.2020) when embedding YouTube videos with or without cookies (!), where the tracker DoubleClick is loaded for marketing purposes. DoubleClick is loaded from the domain doubleclick.net and can therefore access cookies from that domain.

The more files from different domains a tool downloads, the more potential control it has over cookies. For example, YouTube videos embedded on websites load not only files from youtube.com or youtube-nocookie.com but also from ytimg.com, gstatic.com, and doubleclick.net. At the same time, Google Maps also loads files from gstatic.com, so both tools could potentially exchange data through these domains. Since the company Google owns all of these servers, the company can secretly pass collected data to itself at will.

Cookies are suitable for identifying and tracking users over several sessions. A session is a visit to a website, which ends when leaving the website or closing the browser.

A cookie exists only within a single browser on the user's device. If the user visits a website from another browser, this other browser does not know the cookies of previous visits to the website.

Cookies are therefore not generally suitable for cross-browser or device tracking of users.

The Fable of the Cookieless Domain

You have probably already read that Google Tag Manager is a cookieless domain. Let's leave aside for now that this statement is in itself gross nonsense, because a service is not a domain.

The statement is not true even if one considers the domain googletagmanager.com as cookieless. I have shown and proven this in a separate post on Google Tag Manager.

The solution for cookies

The solution is to use as few tools as possible that process cookies. Unnecessary tools should be removed at all costs. External fonts, images, and libraries should be stored locally. Ask your service provider for a complete inventory of your website to identify all tools used.
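A starting point for the inventory recommended above, which also shows the domain overlap between YouTube and Google Maps described earlier. This is an added example, not code from the original article; the request URLs are constructed (only the registrable domains come from the article), and the function names and the two-label domain shortcut are assumptions.

```javascript
// Added illustration: which third-party domains does a page contact, and
// which of them are shared between embedded tools?

// Assumption: registrable domain = last two labels of the host name.
// A real audit should use the Public Suffix List instead.
function registrableDomain(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Map each third-party domain to the set of tools that load files from it.
function thirdPartyInventory(pageUrl, requestsByTool) {
  const own = registrableDomain(pageUrl);
  const toolsByDomain = new Map();
  for (const [tool, urls] of Object.entries(requestsByTool)) {
    for (const url of urls) {
      const domain = registrableDomain(url);
      if (domain === own) continue; // first-party request, no third party involved
      if (!toolsByDomain.has(domain)) toolsByDomain.set(domain, new Set());
      toolsByDomain.get(domain).add(tool);
    }
  }
  return toolsByDomain;
}

// Domains reached by more than one tool: cookies there are visible to all of them.
function sharedDomains(inventory) {
  return [...inventory]
    .filter(([, tools]) => tools.size > 1)
    .map(([domain]) => domain)
    .sort();
}

// Constructed request log, grouped by embedding tool. Paths are placeholders.
const requests = {
  "YouTube embed": [
    "https://www.youtube-nocookie.com/embed/VIDEO_ID",
    "https://i.ytimg.com/vi/VIDEO_ID/default.jpg",
    "https://www.gstatic.com/example.js",
    "https://static.doubleclick.net/example.js",
  ],
  "Google Maps": ["https://maps.gstatic.com/example.js"],
  "Own assets": ["https://www.webseite4711.de/style.css"],
};

const inventory = thirdPartyInventory("https://www.webseite4711.de/", requests);
for (const [domain, tools] of inventory) console.log(domain, [...tools].join(", "));
console.log("shared:", sharedDomains(inventory));
```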

Further solution options:

Please note that even tools on websites that do not use cookies often require consent.

Key messages

Cookies are data files stored by websites on your computer. They can be used to track your activity online and personalize your experience.

Google reCAPTCHA has extensive access to cookies, even those not directly set by the website using it, making it difficult to use legally and ethically without user consent.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.