Cookies – Ever Your Choice?

Cookies are almost inevitable when you go online. While cookies have been around for many years, should we step up our regulation in Hong Kong?

Are cookies personal data?

A cookie is a small computer file stored in a website user’s device that allows website operators to track the user’s online activities. In Hong Kong, according to the Personal Data (Privacy) Ordinance, a piece of data only constitutes personal data when it relates to a living individual in an accessible and processable form, from which it is practicable to ascertain the individual’s identity directly or indirectly. To determine whether a piece of data is personal data, we take into account the totality of the circumstances.

There are several Administrative Appeals Board (AAB) cases regarding online identifiers. In AAB No.16/2007, the AAB took the view that an IP address was information about an inanimate computer, not an individual, and an IP address alone could not reveal the identity of the computer user, thus lacking the characteristic of personal data. In AAB No.25/2012, the email address of user name “huoyan_1989” registered with a free email service provider was not considered to be sufficient for ascertaining the user’s identity, and it was not considered personal data. Following the same logic, cookies could have been considered simply as browsing histories of anonymous computer users, and hence not personal data.

Nonetheless, with the proliferation and advancement in data mining, big data analytics and profiling in recent years, the then views of the AAB on online identifiers will have to be re-examined as and when relevant cases are brought before it. This is particularly true when it comes to cookies, which do not only relate to inanimate computers, but by tracking the Internet browsing habits of their users, they may potentially infer intimate or sensitive personal data about the users, such as political stance, health condition and sexual orientation.

Privacy Implications

Certain types of cookies are more privacy intrusive than others. For example, first-party cookies are placed by the website operator directly, often out of necessity to track the functionality and the performance of the website. They entail benefits to website users. Third-party cookies are often marketing cookies that can track users’ online activities in order to provide advertisers with details and profiles to conduct targeted advertising.

It is especially worrying when cross-site tracking cookies are involved, where the third-party marketing cookies do not simply track a user’s activities on a designated website, but rather a range of websites using the same advertiser’s services. Over time and with sufficient tracking of browsing activities, the advertiser who deploys the cookies would be able to observe or infer behavioural patterns and build profiles of website users, placing them into “segments” and eventually guessing in an informed manner their interests. This would enable advertisers to place targeted advertisements, be they commercial or political, toward specific browsers.

The use of third-party cookies raises several privacy issues, particularly the transparency of this practice, the validity of users’ consent (if any) on the tracking as well as on the subsequent use and sharing of the tracking data.

Regulatory approach in overseas jurisdictions

Many overseas jurisdictions have opted to expand to cover cookies in their scope of personal data under regulation for better protection of privacy, notably the General Data Protection Regulation (GDPR) of the European Union, which came into force in May 2018. According to recital 30 of the GDPR, online identifiers such as IP addresses, cookie identifiers, RFID tags associated with natural persons may be used to create profiles of those individuals and identify them. As long as the online identifiers can single out an individual, they qualify as personal data. The European Commission took the view that “Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR.”

In particular, data protection authorities of the UK, France, and Germany have published recently their respective guidance on technologies that store or access information on user’s device, including cookies. The authorities stressed the importance of specific, freely given and unambiguous consent from users before cookies are placed, and to provide sufficient information and options to users.

Further, the Court of Justice of the European Union (CJEU) in October 2019 ruled in the case C-673/17 that before website operators drop and access non-essential cookies such as marketing cookies, the user must have given specific consent by actively selecting to opt-in. A pre-checked checkbox for user to de-select or opt-out in order to refuse consent is no longer sufficient. This ruling tightens up the consent requirement for cookies under the GDPR and returns to users in the EU the control over their personal data.

Updating the law

Back in Hong Kong, while the principle-based Personal Data (Privacy) Ordinance does provide room for continued applicability against changes in time, the global data-driven economy has created challenges for privacy to be adequately protected against technologies such as cookies and other privacy intrusive online tracking tools. We are living in a world where our presence online is as prevalent, if not more, as the same offline. There are legitimate calls for updating our own law by expanding the definition of “personal data” to protect privacy online.


Barrister, Privacy Commissioner for Personal Data, Hong Kong