The Cookie Clearinghouse will publish block-lists and allow-lists based on objective, predictable criteria. Right now, we are in the process of developing those criteria. As a result, and with the input that we receive from this process, we may make changes to the ideas outlined below.
The Cookie Clearinghouse starts with four presumptions. A presumption means this is how we expect software (like a web browser or plugin) to treat cookies, in the absence of other information on a block-list or an allow-list. These presumptions are:
- If a user visits a website, set the cookies from that site.
- If a user does not visit a website, do not set the cookies from that site.
- If a site is trying to save a DAA opt out cookie, set the opt out cookie from that site.
- If a user consents to setting a cookie, set the cookie.
(Note: In the future, we might add a fifth presumption for websites honoring Do Not Track. We await a W3C DNT Recommendation, and will evaluate this idea once W3C completes work.)
The first two presumptions are how Apple’s Safari browser works today, as well as how Mozilla’s Firefox browser works in pre-release versions. The third presumption is based in part on how Google’s Chrome browser works today. The fourth presumption is in keeping with requirements under European laws.
These presumptions work well most of the time. There are some edge cases, however, where they do not make sense.
Examples of Edge Cases
Example 1: A first party might have multiple domains with only one the user visits, and the rest have cookies blocked.
If Stanford hosted all of their images on www.stanford-images.edu, but users only visit www.stanford.edu, then cookies would set from www.stanford.edu (presumption 1) but not from www.stanford-images.edu (presumption 2.) This does not make any logical sense, since both websites are part of Stanford.
We can address this issue by creating an allow-list and adding the related-but-unvisited sites to that allow-list.
Example 2: A user might visit a site in a first party context, then have it track the user all over the web as a third party.
Social widgets are one possible example. A user could visit www.stanford.edu, and cookies would be set (presumption 1.) Later, the user might visit several completely unrelated news sites that have a widgets from Stanford, perhaps to let Stanford students share a news story with their friends. Because the user already visited www.stanford.edu, the Stanford widget could continue to read and set cookies (presumption 1) even on an unrelated site. This does not make logical sense, since once on the news site, the Stanford widget is hosted by a third party, and really should be treated as if the user had not visited the site (that is, treated under presumption 2.) To complicate things further, if a user cleared cookies and then visited an unrelated news site with a Stanford widget, in that case Stanford would not be able to set and read cookies. In other words, the order a user visits a series of sites can determine which cookies set. This is confusing to users.
We can address this issue by creating a block-list and adding cookies that should be treated as third-party cookies to that list.
Block-lists and Accept-lists
The Cookie Clearinghouse will create, maintain, and publish two lists:
- A block-list is for cases where cookies ordinarily would be set based on the four presumptions, but now will not be set.
- An accept-list is for cases where cookies ordinarily would not be set based on the four presumptions, but now will be set.
Challenges and Counter-challenges
We expect site owners and users will be able to fill out an online form to describe why the normal presumption is the wrong classification for a particular site. The online form will contain a set of check boxes that describe possible reasons why the presumption is incorrect.
If a presumption would have blocked a site’s cookies, then a challenge will put the site on the allow-list, to ensure their cookies are set. Similarly, if a presumption would have set a site’s cookies, then a challenge will put the site on the block-list.
A counter-challenge will revert to the initial presumption and trigger a technical review. During the technical review, Cookie Clearinghouse staff will work through the two competing claims and make a factual evaluation. In some cases this will involve contacting the parties involved.