The cookie is alive and kicking, not dead, but thankfully in Europe Google, Facebook etc. are still subject to law protecting our fundamental rights.

A number of posts have reported on the death of the cookie, like this one in VentureBeat, but, as Mark Twain famously said, "the reports of my death have been greatly exaggerated".

SSO, like any log-on, uses cookies. They are usually first-party, but they are still HTTP cookies and part of a mechanism that collects PII. Data subjects may be more aware of their use because they have actively typed a username and password to log on, but that awareness only holds if the logged-in state lapses after a reasonable duration.

As Article 6 of the 1995 Data Protection Directive (95/46/EC) says, personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes", and "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed".

What the VentureBeat piece is actually referring to is third-party cookies, which have other issues, basically because they are used invisibly. In effect they are used to log people in without their knowledge, or to identify them when they go to other websites.

The relevant part of the Directive here is Article 10 because no information about "the identity of the controller and of his representative, if any" and "purposes of the processing for which the data are intended" is given to the data subject.

In line with this, Article 5(3) of the e-privacy Directive (2009/136/EC) requires informed prior consent for storage, including the use of first-party or third-party cookies, fingerprinting and similar techniques, unless they are strictly necessary to supply a service the user has explicitly requested.

People should not be logged in without their consent, and, even then, any authentication cookie used should expire no more than a few hours after the last transaction, unless a longer logged-on duration has been explained and agreed to.
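The expiry rule above, as an added example that is not part of the original post: a minimal server-side session record whose idle limit (a few hours after the last transaction) is enforced on the server, with a longer limit applied only when the user has explicitly opted in. The two limit values, the cookie name `sid` and the `Session` fields are assumptions of this example.

```python
import time
from dataclasses import dataclass

# Limits in seconds. The idle limit means the cookie stops working a few hours
# after the last transaction; the extended limit applies only when the user has
# explicitly agreed to stay logged in. Both values are assumptions of this example.
IDLE_LIMIT = 2 * 60 * 60            # 2 hours
EXTENDED_LIMIT = 30 * 24 * 60 * 60  # 30 days


@dataclass
class Session:
    user: str
    last_seen: float               # epoch seconds of the last authenticated request
    stay_logged_in: bool = False   # True only after an explained, explicit opt-in


def limit_for(session: Session) -> int:
    """Pick the lifetime that applies to this session."""
    return EXTENDED_LIMIT if session.stay_logged_in else IDLE_LIMIT


def set_cookie_header(session_id: str, session: Session) -> str:
    """Set-Cookie line whose Max-Age mirrors the server-side limit."""
    return (f"Set-Cookie: sid={session_id}; Max-Age={limit_for(session)}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def is_valid(session: Session, now: float) -> bool:
    """Server-side check: the browser's cookie lifetime is not trusted on its own."""
    return 0 <= now - session.last_seen <= limit_for(session)


def touch(session: Session, now: float) -> None:
    """Record a transaction so the idle window restarts from now."""
    session.last_seen = now


if __name__ == "__main__":
    now = time.time()
    s = Session("alice", now)                       # constructed sample session
    print(set_cookie_header("constructed-session-id", s))
    print("valid after 1h:", is_valid(s, now + 3600))
    print("valid after 3h:", is_valid(s, now + 3 * 3600))
```

Because Max-Age only tells the browser when to discard the cookie, `is_valid` is the check that actually ends the session; a replayed cookie older than the limit is rejected regardless of what the client sends.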
