Cookie glossary


8 min read

Posted by Fergal McHugh on October 28, 2020

Cookie glossary

There is a lot of jargon in relation to cookies and cookie compliance. We want to make the terminology easy to understand so we created a glossary of the most common words we have seen recently.

BCR (Binding Corporate Rules). BCR are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member concerned of the group.1

Beacon. A web beacon is a transparent image file used to keep track of your activities on one or more websites. They are primarily used by websites that use third party traffic monitoring and tracking services. Beacons are often used in combination with cookies. Under DPC guidance regarding tracking technologies the use of beacons requires user consent. See Pixels.

Browser Fingerprinting. Browser fingerprinting is an accurate and effective method of identifying unique browsers and tracking online activity without recourse to cookies or beacons/pixels. Browser fingerprinting uses a range of non-identifying information supplied by a user’s browser and device (including the settings on those devices) to derive a statistically “unique” fingerprint which can be used for tracking and re-identification.

CCPA (The California Consumer Privacy Act of 2018). The CCPA gives consumers in the state of California more control over the personal information that businesses collect about them. This landmark law secures a range of new privacy rights for California consumers. The legislation has similarities to the EU GDPR.

CJEU (The Court of Justice of the European Union). The CJEU interprets EU law to make sure it is applied in the same way in all EU countries and settles legal disputes between national governments and EU institutions. It can also, in certain circumstances, be used by individuals, companies or organizations to take action against an EU institution, if they feel it has somehow infringed their rights.2

CNIL (Commission nationale de l'informatique et des libertés). English: National Commission on Informatics and Liberty. The CNIL is an independent administrative authority that exercises its functions in accordance with French Data Protection Act of the 6th of January 1978 ( amended the 6th of August 2004). It is tasked with ensuring that the collection, storage, and use of personal data in France is compliant with data and privacy legislation.

Cookie. Cookies are small text files written to a cache in the user/client browser. Cookies typically have three components: a name, a value and a set of attributes indicating expiry dates, and settings determining how the cookie can be used and accessed.

Data Controller. A data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.3

Data Processor. The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking. The duties of the processor towards the controller must be specified in a contract or another legal act.4

DPA (Data Protection Authority). DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the General Data Protection Regulation and the relevant national laws. There is one in each EU Member State.5

DPC (The Data Protection Commission). The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected. The DPC is the Irish supervisory authority for the General Data Protection Regulation (GDPR), and also has functions and powers related to other important regulatory frameworks including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive.6

EDPB (The European Data Protection Board). The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. The EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS). The supervisory authorities of the EFTA EEA States are also members with regard to the GDPR related matters and without the right to vote and being elected as chair or deputy chairs. The EDPB is established by the General Data Protection Regulation (GDPR), and is based in Brussels.7

GDPR (General Data Protection Regulation). The GDPR is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018.8

ICO (Information Commissioner’s Office of the United Kingdom). The Information Commissioner is the UK’s independent regulator for Data Protection and Freedom of Information, with key responsibilities under the Data Protection Act 2018 (DPA) and Freedom of Information Act 2000 (FOIA.9

Joint Controller. Your company/organization is a joint controller when together with one or more organizations it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.10

LDU (Limited Date Use). The Limited Data Use feature is designed to give businesses more control over how their data is used in Facebook systems and to support them in their California Consumer Privacy Act (CCPA) compliance efforts. The LDU feature enables business using Facebook to send Facebook a parameter to indicate that a person in California has opted out of the sale of data or that the business has opted to have Facebook process data as a service provider, as defined by the CCPA. The feature only applies to the State of California, U.SA.

LIBE (The European Parliament Committee on Civil Liberties, Justice and Home Affairs). The LIBE Committee is in charge of most of the legislation and democratic oversight for policies enabling the European Union to offer its citizens an area of freedom, security and justice (Article 3 TEU).11

Pixel (Tracking Pixel). A tracking pixel is a usually transparent image file used to track activity on one more websites. The Facebook Pixel is a commonly used tracking pixel. Under DPC guidance regarding tracking technologies the use of beacons requires user consent. See Beacon.

Privacy Sandbox. The Privacy Sandbox is a Google initiative. It is set of open standards designed to enhance privacy on the web. The goal of the Sandbox is to a provide a secure environment for personalization and targeted advertising that also protects user privacy. It will replace reliance on third-party cookies, cross-site tracking and other privacy invasive technologies. The Privacy Sandbox is currently in development.

Privacy Shield. The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. 12 See the entry for Schrems II for more information.

SCC (Standard Contractual Clauses). The Standard Contractual Clauses (SCCs) are standard sets of contractual terms and conditions which the sender and the receiver of personal data both sign up to, aimed at protecting personal data leaving the European Economic Area (EEA) through contractual obligations in compliance with the GDPR’s requirements in territories which are not considered to offer adequate protection to the rights and freedoms of data subjects.13 The European Commission can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally. It has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA.14

Schrems II. Schrems II is a ruling of the Court of Justice of the EU (CJEU). On July 16, 2020, the CJEU issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.15

U.S DOC (United States Department of Commerce). The United States Department of Commerce promotes job creation and economic growth by ensuring fair and reciprocal trade, providing the data necessary to support commerce and constitutional democracy, and fostering innovation by setting standards and conducting foundational research and development.16 It is responsible for the administration of Privacy Shield. See Privacy Shield for more information.

Have any suggestions for additional words we could add? Contact us and find out some reasons why you may not be compliant.

Register for our upcoming webinar on the 18th of November with OneTrust about getting compliant, staying compliant and the future of digital marketing.

1. Source: Official European Commission Website 2 Source: Official European Union Website 3. Source: Official European Commission Website 4. Source: Official European Commission Website 5. Source: Official European Commission Website 6. Source: Official DPC Website 7. Source: Official European Data Protection Board Website 8. Source: Official GDPR Website 9. Source: Official ICO Website 10. Source: Official European Commission Website 11. Source: Official LIBE Website 12. Source: Official Privacy Shield Website 13. Source: Law Business Research ( 14. Source: Official European Commission Website 15. Official Privacy Shield Website 16. Source: Official U.S DOC Website.

About the Author

Fergal McHugh
Fergal McHugh

Fergal McHugh is Head of Strategy at Arekibo. He is responsible for overseeing Arekibo’s innovation and growth strategies.