Q&A for website owners regarding cookies

This information refers to provisions that enter into force on 1 July 2011.

Here we have compiled Q&A about cookies for those who have or are responsible for a website.

There is also Q&A for users.

What are ‘cookies’?

What is the legal position?

Third-party suppliers

What is a ‘cookie’?

A ‘cookie’ is a small text file that a website asks to be saved on the visitor’s computer. Cookies are used on many websites to allow visitors to use various functions. Information contained in cookies can also be used to track the surfing of a user on websites that use the same cookie.

There are two kinds of cookie. One kind saves a file for a long time on the visitor’s computer; this cookie then has an expiry date. This kind of cookie is used, for example, for functions that tell users about any new features since they last visited the website in question. When the expiry date has passed, the cookie is deleted when the user returns to the website that created it.

The second kind of cookie is called a ‘session cookie’ and does not have an expiry date. This cookie is temporarily stored in the memory of a user’s computer while this user is surfing on a site, for example to keep track of which language the user has chosen. Session cookies are not stored in the user’s computer for a long period of time, but disappear when the user shuts down their web browser.

What are cookies used for?

The following are a number of examples of what cookies can be used for:

  • Cookies are often used to log onto websites. When anyone logs onto a website, a cookie is placed in their computer. Each time a user goes to a different page, the user’s computer sends the cookie to the website that the user is visiting and the website uses this cookie to verify that the user is logged on, preventing the user from having to use their user name and password for each new page. 
  • On websites where goods are sold, cookies are used to make it easier to shop. The website can use cookies to keep track of which goods a user has ‘added to their basket’. 
  • Websites can use cookies to register which persons have visited which pages. This information can then be used to choose the right advertisement or in some other way customise the pages that the people may see through advertisements and custom content. Many of the cookies used for advertisements and custom content are third-party cookies. 
  • Cookies can be used when a user personally wishes to customise websites to their own user preferences. This may, for example, apply to wishes in respect of the design of a website frequently visited, adapted contrast or font size for ergonomic reasons, or adapted sorting or selection. 
  • Most websites use web statistics to monitor traffic in order to be able to improve the website, justify costs and learn more about their target groups. Many of the cookies used for web statistics are third-party cookies. 
  • Cookies may also be used to keep track of who has taken part in a vote to prevent users from voting several times.

What are ‘third-party cookies’?

Cookies that, for example, are used to collect information for advertisements and custom content and also for web statistics may be ‘third-party cookies’. These cookies come from someone other than the party responsible for the website, e.g. an advertising firm via a banner. An advertising firm may deploy advertisements or statistics services that monitor the surfing habits of users on many different websites. Visitor surfing habits may therefore potentially be monitored on all of the websites that use the same advertisement or statistical service.

Third-party cookies make it possible to generate more comprehensive surveys of user surfing habits and for this reason they are deemed to be more sensitive from the perspective of integrity. Most web browsers allow users to adjust their settings so that third-party cookies are not accepted.

If website owners choose to install various kinds of component on their website (advertising functions, statistics functions, questionnaire tools, etc.), there is a risk that these will involve third-party cookies. It is then particularly important to find out what these cookies are used for and to ensure that those providing the components are serious and do not misuse personal information they may conceivably come across.

What are ‘Flash cookies’?

Flash cookies are a technical design similar to cookies. Almost all web browsers have a Flash player that is used to display Flash presentations. One well-known example of a Flash presentation is the video player on the YouTube video site. (Flash cookies are not only associated with YouTube, but apply to all websites that use Flash cookies.)

A Flash cookie can be used to save user preferences, such as volume. The difference between ordinary cookies and Flash cookies is, for example, that only ordinary cookies are included when users configure cookie management in their web browser, not Flash cookies. Flash cookies are also much larger than ordinary cookies and therefore take up more space on the hard drive. Flash cookies also do not have a time limit. They remain there until someone deletes them.

What are the risks associated with cookies?

Cookies are small fragments of text that are harmless when compared with, for instance, viruses. Cookies will not wreck a computer. However there are still a number of risks. These risks basically fall within the following categories:

  • Cookies enable websites to monitor the activities of users on the Internet. This may be perceived as intrusion of personal integrity and some users may choose not to accept cookies on their computers. This may be something to consider when designing your website and when choosing how you use cookies. 
  • The interception and falsification of cookies may under certain conditions be used as tools for electronic crime. These tools may then be used, for instance, for unauthorised logging on, unauthorised tampering with the content of baskets, distortion of statistics and unauthorised voting.
    It is in the interests of website owners to take measures to prevent the interception and falsification of cookies, and similarly other methods of intrusion and fraud. Likewise, website owners must ensure that the personal information collected via cookies is not misused, either by the owners themselves or their collaborating partners.
  • If you use Flash presentations (e.g. a ‘YouTube’ video) on your website and they have been taken from another website, the owners of the Flash presentation can register visits to your website and link this information with information from other websites that have the same Flash presentation. This may happen even if a user has blocked the use of cookies in their web browser. It is important for website owners to be aware of any Flash cookies being used on their websites and also to inform visitors about this.

What is the legal position?

Under the Electronic Communications Act, all visitors to a website with cookies must have access to information stating that the website contains cookies and the purpose for which cookies are used. Visitors must also consent to cookies being used.

What is the purpose of the provision on cookies?

The purpose of this provision of the Act is to protect the integrity of users. Cookies are used on many websites to allow visitors to use various functions. Information contained in cookies can also be used to track the surfing of a user. Cookies can therefore also be used to compile and analyse the information that a user leaves after surfing on the Internet.

Do we have to rebuild my company’s/my organisation’s website to comply with the Act?

The use of cookies is not prohibited. However, you must inform visitors to the website of the fact that the website contains cookies and the purpose for which cookies are used. You must also ensure that the visitor consents to you using cookies.

As the current provision has been changed from and including 1 July 2011, it is not yet possible to say in any detail how the rule is to be applied to a particular website. PTS wants to give those with websites the time and space to produce a solution that works for both websites and users.

The information that you provide to your visitors about the use of cookies should as a minimum contain information about what the various cookies are called, which domain name they belong to, what data is stored in the cookies and how long they are saved in the visitor's web browser. It should also clearly state the purpose of the cookies on your website, and similarly whether the information comes from or is released to a third party.

How do I formulate information for users of my website?

A user must be informed about the fact that the website uses cookies and what these cookies are used for. As the current provision has been changed from and including 1 July 2011, it is not yet possible to say in any detail how the rule is to be applied in respect of a particular website. PTS wants to give those with websites the time and space to produce a solution that works for both websites and users.

The information that you provide to your visitors about the use of cookies should as a minimum contain information about what the various cookies are called, which domain name they belong to, what data is stored in the cookies and how long they are saved in the visitor's web browser. It should also clearly state the purpose of the cookies on your website, and similarly whether the information comes from or is released to a third party.

How should users consent to the management of cookies on the website?

Website owners are obliged to ensure that users consent to the management of cookies that are found on the website. In simple terms, ‘consent’ means conscious approval. The exact appearance and function of the technical design to enable this is not something that PTS can specify in advance. PTS considers that website owners are best able to produce functioning and secure solutions for how consent should be given. PTS would like to give those responsible for websites the time and space to produce such solutions.

How can I find out which cookies are being used on my website?

As a website owner, you should know that some of the technical platforms used to build websites create cookies regardless of whether or not they are needed. Cookies are likely to be used in any ready-made web applications used.

You can personally examine your website to find out which cookies are used. By configuring your web browser so that you are able to make a decision about each new cookie that your website sends to your computer, you can personally go through your website. On Macromedia’s website (the company that developed Flash cookies) you are given the option of limiting the use of Flash cookies. PTS has developed a web service to help those with websites to find the cookies used on their website, hittakakor.pts.se.

If website owners want to be sure about the cookies that are on their own websites, they should also consult the persons who developed the web application(s) used in addition to examining their own websites. Start by contacting the developer or web hosting company that helped you.

What questions can I ask my website provider?

You can ask the supplier of each component of your website the following questions:

  • Which cookies could end up in the web browser of visitors to my website as a result of us using your <insert the name of the component here> component?

    For each of these cookies I would like to know:
  • What it is called 
  • The purpose of this cookie 
  • Is it a third-party cookie? If so, where has it come from? 
  • Is it a Flash cookie or an ordinary cookie? 
  • What are the consequences of visitors choosing not to accept cookies in their web browser?
  • Are cookies used to survey visitors in any way, and if so how?
  • Is it a session cookie, or how long will it remain in the user’s computer?

Asking suppliers questions is a good way of finding out the purpose(s) of each cookie. However it is possible that the provider does not know which cookies are left by its components. This is why it is important for the website owners themselves to investigate all of the cookies using the method shown above or with the help of PTS’s web service: hittakakor.pts.se.
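The examination described above can be turned into a written inventory with the fields the notice should contain (name, domain, stored data, lifetime, third party or not). The following is an added example, not code from PTS or its web service; it assumes you have noted the Set-Cookie headers your pages trigger (for instance from the browser's network view), and the hosts and values shown are constructed samples.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def inventory_row(request_host, header, site_domain, now):
    """Turn one observed Set-Cookie header into a row for the cookie notice."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Without a Domain attribute the cookie belongs to the host that set it.
    domain = attrs.get("domain", "").lstrip(".").lower() or request_host.lower()
    # Max-Age wins over Expires; with neither, it is a session cookie.
    seconds = None
    try:
        if "max-age" in attrs:
            seconds = int(attrs["max-age"])
        elif "expires" in attrs:
            seconds = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    except (TypeError, ValueError):
        seconds = None  # unparseable lifetime: listed as session, review by hand
    # Simplification (assumption): plain suffix match, no Public Suffix List.
    first_party = domain == site_domain or domain.endswith("." + site_domain)
    return {
        "name": name,
        "domain": domain,
        "value": value,  # raw stored data, to be described in the notice
        "kind": "session" if seconds is None else "persistent",
        "days": None if seconds is None else round(seconds / 86400, 1),
        "third_party": not first_party,
    }

# Constructed sample: (host that sent the response, Set-Cookie header value).
OBSERVED = [
    ("www.shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("www.shop.example", "lang=sv; Domain=.shop.example; Max-Age=31536000"),
    ("stats.adnet.example", "uid=77f1; Expires=Fri, 01 Jul 2011 00:00:00 GMT"),
]
NOW = datetime(2011, 6, 1, tzinfo=timezone.utc)  # fixed so output is repeatable

def build_inventory(observed=OBSERVED, site_domain="shop.example", now=NOW):
    return [inventory_row(host, hdr, site_domain, now) for host, hdr in observed]

if __name__ == "__main__":
    for row in build_inventory():
        print(row)
```

Flash cookies are not delivered as Set-Cookie headers, so they do not appear in this inventory and have to be checked separately.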

Is there any alternative to using cookies on my website?

You can deactivate your cookies. If the website does not require users to log on, does not need to adapt content to visitors, does not need to keep tabs on a basket or has a limited need to analyse traffic, it is not certain that cookies will add anything of value. Some users choose not to accept cookies on their computers, and you can also reach these users by deactivating cookies.

On the other hand, if you want to have any of the above functions on your website, it may be expensive and/or complicated to find solutions that do not involve cookies, although it is possible to replace cookies with other technology. Some platforms offer alternative ways in which you can track your visitors. This involves the web server inserting an identity code as an extra parameter in all web addresses instead of storing the corresponding identity code in a cookie.

On a website with many different languages, can the information text be in English or does it have to be translated into all of the languages?

The information must be provided in a clear and simple way. It is reasonable to require the text to be understood by Swedes as the legislation covers Sweden. It can hardly be expected that all Swedes understand English.

Do we have to conclude contracts with our visitors?

No, but on the other hand visitors to a website must be informed about cookies being used and consent to their use; see above. There is no requirement regarding the form in which consent is to be given.

How does the Act function if we put out a website on a foreign server?

The party supplying the website is responsible for providing sufficient information about the use of cookies and for visitors to consent to this. The starting point is where the party responsible for the website operates from, not where the server is located. However, in certain cases this may involve delimitations that may be determined on a case by case basis.

Does the new Act regulate websites developed prior to the Act entering into force?

Yes, the time at which websites were created is irrelevant as the Act applies to each individual occasion on which cookies are used.

The party responsible must not save cookies in the user’s computer without the user’s knowledge, but may a page be saved in the user’s computer without providing information?

Yes, the technical function whereby parts of a website are saved in a cache is exempt from this provision. A ‘cache’ constitutes the storage required to transmit an electronic message via an electronic communications network.

Third-party suppliers

How does this provision affect a website that provides visitors with cookies from a third party (e.g. an advertising intermediary that administers advertisements on websites) or from statistics companies that conduct traffic measurements?

In order to comply with the applicable provision on the use of cookies, those with websites need to ensure that information is provided and consent given in respect of all cookies sent to or obtained from the users’ computers when they visit the website.

This also applies if certain cookies are sent from a third party, such as advertising intermediaries or statistics companies. It is up to each website owner to cooperate with such third parties to find solutions to comply with the requirements of the Act that work in respect of their individual website.

How does this provision affect companies that offer advertisers the opportunity to appear on banners on a large number of websites with which these companies cooperate?

See above.