News and information useful to Cleveland State College of Law students, faculty and staff.

Archive for November 21st, 2022

Comment 8: It’s November. Remember to be Moderate with Your Cookies (and other stuff)

The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have developed this regular series to develop the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to


Cookies, to paraphrase from a now beat-to-death cultural reference, are like a box of chocolates: some of them are good, and others are filled with that weird nougat that tastes like how you think the elderberry wine must have tasted in Arsenic and Old Lace. That’s two references in one compound sentence!

It should, hopefully, come as no surprise that the cookies that I am discussing are not the kind that you eat. Today we are going to look at the cookies which are used by the web sites that we visit and the web apps that we use.


What is a cookie?

A cookie is a small text file that a website stores on your computer’s internet browser. Much like their physical counterparts, cookies on the web come in many flavors. [note: I’m likely not finished with this joke yet, so I will now refer to electronic cookies as cookies.] Each cookie serves a particular function and you can learn more about the types here but, basically, cookies are used for session management; personalization, and; tracking. More broadly, cookies are defined by the standards set out in the General Data Protection Regulation (GDPR): duration, provenance, and purpose.

What you need to know is that some cookies are necessary and some are optional.


What is a GDPR?

The GDPR is regulations adopted and April 2016 and made enforceable in May 2018 by the European Union. Data privacy and the protection of data held by professional or commercial organizations are cornerstones of the GDPR. Thus, the GDPR is meant to protect EU citizens by establishing a compliance framework of covered organization that operate in the EU.

“Wait just a minute,” you’re saying to yourself, “I’m not a citizen of the EU. This has nothing to do with me!”

“Au contraire, mon ami,” I reply. Though I suppose we aren’t friends, but you’re very easy to talk to.


Why me?!

There are actually two reasons why the GDPR affects you and your time on the internet:

First, following the adoption of the GDPR a lot of other law makers thought it made sense to make similar rules. Among those adopters are Turkey, Japan, Brazil, Kenya, the United Kingdom, and the state of California. The list of places adopting similar provisions continues to grow. “Wait just another minute,” you once again interject into the void, “I don’t live any of those other places either.”

This brings us to the second reason this affects you. Risk. Well, you could also call it ‘people trying to make their jobs easier,’ but ‘risk’ is just easier. For example, the California Consumer Protection Act (CCPA) based a lot of it data protection rules on the GDPR and created regulations that protect residents of California and establishes a compliance framework for professional and commercial organizations that operate in the state. Imagine you are one such organization. Let’s say that you sell [insert product] online for you base of operations in oh, I don’t know, let’s say Ohio. If you meet the criteria set forth in the CCPA then you need to make sure you are compliant with its regulations. There is an informative, easy-to-follow article available here.

So whether your organization is under the GDPR; CCPA; or whichever other similar regulatory framework, how do you make sure that you are properly protecting the EU; California; or wherever citizen. The risk is too great to just check it against every visit to your website or every transaction on your webstore. Compliance failures can be expensive. The solution that has become most common is to use regulations like GDPR as a baseline for all people.

Because of this approach taken by organizations, you’ve probably noticed a lot more pop-ups on website asking you about accepting cookies and what cookies you want to accept. What does this mean for you as a smart internet user who wants to protect that data and privacy?

Well, don’t fill up too much over the holiday. Next month we are going to take a practical look at this subject in a Part 2 post that I may, or may not, title “The Good, The Bad, and The Cookie”.