Cookies, also known as HTTP Cookies, are text files which are stored on a user’s computer to enable website owners to identify the user’s computer or electronic device. They are generally used by website owners to track a user’s online behaviour or interaction with websites.
These text files typically store information such as the user’s username, language preference and browsing habits. For example, cookies are one way website owners serve targeted advertisements which match a user’s browsing preferences.
In Hong Kong, personal data covers information which relates to a living individual and can be used to ascertain that individual’s identity. It must also exist in a form in which access to or processing of it is practicable. When determining whether a piece of data is personal data, the totality of the circumstances should be taken into account (see Note 1 below).
In light of the above, whether cookies in a specific case are personal data depends on whether the cookies contain any data that can uniquely identify an individual. Website owners who deploy online tracking that involves the collection of personal data should consider the requirements under the Personal Data (Privacy) Ordinance, including the six Data Protection Principles.
- Inform website users about the kind of information being stored in the cookies, the purpose of collecting the information and how the information is collected;
If the website deploys third-party cookies, the website owner should also set out the type of information being collected and/or transferred and the purposes of collecting the information (Notes 2 & 3).
When cookies are used to collect behavioural information, it is recommended that website owners:
- Set up an appropriate expiry date for the cookies;
- Encrypt the contents of the cookies whenever appropriate; and
It is also important for website owners to offer website users an option to disable or reject the cookies.
Many countries have recently expanded their regulations to bring cookies within the scope of personal data for better protection of data privacy. For more information, website owners or website users should observe the Guidance on Online Behavioural Tracking issued by the Office of the Privacy Commissioner for Personal Data.