What about cookies?
You probably know “cookie banners” popping up when you call up a website and want you to accept the cookies policy. In the meantime, there are vast numbers of layout options and formulations—which might be a result of the legal-related uncertainty in terms of cookies. But first, let us explain how a cookie works.
Nowadays, web pages are being transmitted via “hypertext transfer protocol” (HTTP). This protocol is a stateless one. In a stateless protocol, “HTTP requests” which a web browser sends to a server (i.e. to a computer on which the respective web page is stored) are always without reference to previous requests. The cookies should somehow overcome the “statelessness” of the given protocol.
Example: I want to buy shoe laces for my old pair of shoes in an online shop. To do so, I have to visit the website of the online shop. There I choose a pair of shoe laces and click on the button “Add to shopping basket”. The Internet browser needs to reload the website of the online shop. The website seems to be the same with a slight difference: next to the basket icon, there is a small “1” now. Afterwards, I take a look at other products, e.g. a shoe care kit and brushes, by clicking on several other web pages. On each of these, there is a small “1” at the shopping basket icon, too. As it seems, the web browser somehow “remembered” me adding shoe laces to the shopping basket. This is only possible because of cookies.
Cookies are small text files which the server stores within the web browser and represent it. When a web browser sends a request containing a cookie, the server identifies the web browser or the cookie again. As a result, the server “knows” that the shoe laces were already in the shopping basket and displays the given website with respective data.
Cookies are available in many forms:
- session cookies (stored by the end of the browser session)
- persistent cookies (stored for a specific period, sometimes lasting for several years)
- first-party cookies (set in the browser by the provider of the specific website)
- third-party cookies (originate from the advertising partners of the provider)
- tracking cookies (for analysing the user behaviour)
- simple cookies (to identify a user within a content management system).
Depending on the type of cookies, the server “learns” a lot about the user via the browser in short time.
What is the connection between the technical process described and the all-pervasive cookie banner?
In short, it is the uncertainty about the regulations on the data processing. Cookies are personal data which need a legal framework if they be processed. Well, there is the other side of the coin, too. According to the association of the federal supervisory authorities and of the Länder (“Datenschutzkonferenz”), one must clearly give one’s consent to allow analysing and tracking by using particular types of cookies. Companies using cookie banners want to be sure to be given your consent. However, they usually fail to do so because, for example, they do not inform you sufficiently, the cookies are already stored before you click on the “Accept” button, or, if you stay on the web page without any clear action confirming your decision.
Currently, the University is using these cookies:
Name | Purpose | Storage period |
ROUTEID | It stores the live server on which the user is currently located so that the user returns to this live server. | end of the web session (closing the web browser) |
EGOTEC
|
The content management system identifies a user. The cookie contains the information on a randomly generated session ID. |
end of the web session
|
PIWIK_SESSID
|
It contains a token so that visitors and their behaviour on the web pages of the University may be clearly identified. |
end of the web session
|
Piwik_ignore
|
If set, the user is not being tracked. | 2 years |
forward_url | Identification of users to be redirected to the correct website after login. | end of the web session |
rc_hint | One time display of the chat hint | end of the web session |
rc_token | Identification of chat participants | end of the web session |
As you can see, the website uses a persistent cookie for the purpose of analysis. In comparison to the association of the supervisory authorities (“Datenschutzkonferenz”), we are convinced that it is not necessary to be given consent as the data processing is justified by our interest in accordance with section 6 subsection 1(f) of GDPR, as described in “Why and how does the University process your data?”.
How do we justify our point of view?
The University hosts Matomo on its servers only so that users are identifiable only based on filtering log files. In addition, we give you the option to de-activate the tracking options.