Cookies Are One Piece of a Larger Puzzle
There has been an odd preoccupation with cookies for some time now—to the exclusion of other forms of browser tracking, some of which are much more flexible and more robust in their data collection capabilities than cookies. Despite this fact, these other, non-cookie tracking technologies are often not referenced in privacy policies and cookie policies, even though they are used to “store information” and / or “gain access to information stored in the terminal equipment” for purposes of the ePrivacy Directive and will presumably qualify as personal information under the CCPA as well.
LocalStorage and Cookies—The Similarities
Cookies are typically sent by a remote host (a server on the Internet) and stored in the user’s browser. They are transmitted by the end-user’s browser back to the remote host whenever an HTTP Request is subsequently made to that host. However, HTML5 localStorage is more flexible form of persistent data storage in browsers (i.e. for storing such things as tracking IDs, location, preferences, purchase history and the like). HTML5 localStorage is a part of the “Web Storage” specification created by the W3C standards body and, like cookies, stores data persistently in “name-value pairs” in the browser.
LocalStorage and Cookies—The Differences
The Potential Privacy Issues With LocalStorage
The potential privacy and security issues associated with persistent, flexible, high-density storage are not lost on the W3C in its standards document:
“A third-party advertiser (or any entity capable of getting content distributed to multiple sites) could use a unique identifier stored in its local storage area to track a user across multiple sessions, building a profile of the user’s interests to allow for highly targeted advertising. In conjunction with a site that is aware of the user’s real identity (for example an e-commerce site that requires authenticated credentials), this could allow oppressive groups to target individuals with greater accuracy than in a world with purely anonymous Web usage.” See https://www.w3.org/TR/webstorage/#privacy.
Often Excluded From Cookie Policies and Privacy Policies
What to Do
Author: Steven Roosa oversees NT Analyzer at Norton Rose Fulbright where he is a partner in the New York office. NT Analyzer is a comprehensive tool suite for companies to catalog and analyze their consumer-facing web and mobile data collection.