Cookies have lately attracted a lot of attention and concern, particularly in the wake of the EU’s General Data Protection Regulation (GDPR) going into effect.

What is a cookie?

A cookie is a small bit of textual information that is stored on a device’s hard drive by a web server and is then sent with each future request to that website.

In addition to the data it stores, a cookie is attached to a specific domain (e.g. www.dbswebsite.com or amazon.com) and probably has an expiration date. A cookie set by one domain cannot be transmitted, used, or directly accessed by any other domain.

Why cookies?

Cookies were first used by the Netscape browser in 1994, in the same timeframe that the creative folks at Netscape Communications were also inventing JavaScript and SSL. Technically, cookies are part of the HTTP protocol.

Why do we need them? There was a need to “preserve state” across page loads and browser sessions. The web is a “stateless medium” at its core. Each page load is 100% self-contained information. Once a page is sent from a web server, the web server forgets all about what it sent and to whom. On the next page load, we start all over. Cookies are used to improve this situation and provide continuity. For instance, the most common usage of cookies is to preserve the state of a login. Once you log in to a website, it is cookies that allow you to move from page to page without having to log in again on each page load. They are preserving that authentication state, sometimes known as a “login or authentication session”. So here “cookies are good”, and provide a direct and very useful benefit to the end user.

Let’s look at the three types of cookies: session, personalization and tracking.

Session Cookies

“Session cookies” have no expiration date. Instead, they last only for the length of a browser “session” and are automatically deleted when the browser is closed. These are short-term cookies that have no real privacy concerns and are not useful for tracking purposes. They typically contain transitory or incidental information.

The Verdict: Good Cookie

Personalization Cookies

Other helpful uses of cookies are for remembering and personalizing information. For instance, on an ecommerce site, the number of items in your cart typically appears at the top of the screen. And as you move around the site, that information goes with you. Cookies are responsible for that. If you leave an ecommerce site and come back days later, the items you had in your cart will likely still be there. Again, this could not work without cookies.

The Verdict: Good Cookie

Anonymous Tracking Cookies

But not all cookies have visible benefits to the end user. Some are used for tracking purposes, and their use is not immediately clear. The cookie data is often distributed and shared across multiple websites for the purpose of gathering information, and/or possibly to present customized content to you, such as advertisements. They are set not because of any direct action by the user, but simply because the user visited a website. The data in these cookies could be anonymous or not.

Anonymous tracking can have many useful benefits. It can allow website owners to monitor how their sites are being used, and then to adjust and make improvements to the website. Google Analytics is a prime example of anonymous tracking done via cookies that is beneficial to website owners, and indirectly to their consumers. While not as immediately visible, websites everywhere use anonymous data gathered via Google Analytics’ anonymous tracking cookies to improve site content and site speed.

The Verdict: Good Cookie

Third Party Cookies

Even though cookies can only be set by, and seen by, the domain from which they originated, third-party cookies often get around this. Sometimes website elements are presented using iframes, which essentially pull information from a separate website onto your website.

Cookies from third-parties can be included in iframes. The majority of third-party cookies come through advertisements. The service providing banner ads includes a cookie along with the advertisement. As this ad reappears across multiple sites, the provider collects more and more information from you.

These third party cookies are the most likely to not be anonymous.

This is a very common scenario for anyone doing marketing, especially ad-related content. The idea is “the more we know about you, the better we can target you with something you will be more likely to respond to, and then, of course, you will buy something”. They are collecting your data so they can serve you more relevant ads (that also end up being more profitable to the company).

The Verdict: It Depends

How many cookies are on the average website?

To illustrate, we’ll compare two websites.

First, our own website, www.dbswebsite.com. There are five cookies, all from our domain. Three of those are from Google Tag Manager and Google Analytics. These are anonymous, perfectly safe, useful cookies.

We also use two cookies: “contrast-selector” and “font-size” to maintain accessibility preferences (located in the Accessibility Panel) across your entire website session.  

A second website on the other extreme is a popular political news site, crooksandliars.com.  A first time visitor would have an astounding 769 cookies from a boatload of different domains, and mostly third party cookies, with many of them presumably being tracking cookies.

This website has 800 cookies

There’s no “right number of cookies,” but you can expect that websites with extremely large numbers of cookies are less likely to be proactive protectors of their site visitors’ data. You’re much more likely to be subject to invasive cookies on sites like this.
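
A count like the ones above can be reproduced for any site by classifying the Set-Cookie headers seen during one page load as session or persistent, and as first or third party. The following is an added example, not code from the original article; the domains, cookie values and function names are constructed for illustration, and the simple subdomain match stands in for the Public Suffix List lookup that real browsers perform.

```javascript
// Constructed sample: [host that sent the response, Set-Cookie header value].
const SAMPLE = [
  ["www.shop.example", "cart=3; Path=/; Max-Age=604800"],
  ["www.shop.example", "sid=abc123; Path=/; HttpOnly"],
  ["www.shop.example", "font-size=large; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
  ["ads.adnet.example", "uid=u-77; Domain=adnet.example; Max-Age=31536000; SameSite=None; Secure"],
  ["px.tracker.example", "v=1; Path=/"],
];

// Parse one Set-Cookie value into its name plus lower-cased attributes.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf("=")), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Assumption: "first party" means the visited site's domain or a subdomain of it.
function isFirstParty(cookieDomain, siteDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return d === siteDomain || d.endsWith("." + siteDomain);
}

// Tally cookies by lifetime (session vs persistent) and by origin.
function auditCookies(siteDomain, responses) {
  const report = { total: 0, session: 0, persistent: 0,
                   firstParty: 0, thirdParty: 0, thirdPartyDomains: [] };
  for (const [responseHost, header] of responses) {
    const c = parseSetCookie(header);
    // Without a Domain attribute the cookie belongs to the responding host only.
    const domain = c.attrs.domain || responseHost;
    // No Max-Age and no Expires means the cookie ends with the browser session.
    if ("max-age" in c.attrs || "expires" in c.attrs) report.persistent++;
    else report.session++;
    report.total++;
    if (isFirstParty(domain, siteDomain)) {
      report.firstParty++;
    } else {
      report.thirdParty++;
      if (!report.thirdPartyDomains.includes(domain)) report.thirdPartyDomains.push(domain);
    }
  }
  return report;
}

console.log(auditCookies("shop.example", SAMPLE));
```

A large thirdParty count spread over many thirdPartyDomains is the pattern described for the second site above.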

Protecting yourself

The only type of cookie that is potentially of concern to those protecting their privacy is the third party tracking cookie. Most cookies on popular websites are safe, although many are used to serve you relevant advertisements. If you are looking to block cookies and protect your privacy, consider the following options.

  • Modern browsers have settings to block cookies. You can block all cookies. This will break many websites.

  • A better approach is to block only third party cookies. Note that not all third party cookies fall in the “bad cookie” group. This setting will likely break some sites that use third party cookies, but not as tracking cookies. Some of these might not work correctly, or at all.

  • You can also selectively block and allow cookies on a site-by-site basis.
  • Modern web browsers also have an “incognito” mode.  An incognito browser session is started as a clean slate. There is no browsing history, and no cookies. Cookies are still accepted by the browser in incognito mode, so all sites will work normally. But those cookies are not stored permanently.  They essentially become session cookies. The downside is that without cookies, you will not have any saved logins. But this will defeat tracking via third party cookies.

  • There are third party extensions for Chrome that provide various other functionalities, such as deleting cookies after leaving a site.