Cookies have attracted a lot of attention and concern lately–particularly in the wake of the EU’s General Data Protection Regulation (GDPR) legislation going into effect–so we decided to re-examine the origin and nature of website cookies to remind users what cookies are, why they matter, and how they affect your data privacy.

What is a “cookie”?

A cookie is a small piece of text that a web server stores on a device’s hard drive and that the browser sends back with each future request to that website.

In addition to storing data, the cookie is attached to a specific domain (e.g. www.dbswebsite.com or amazon.com) and usually has an expiration date. A cookie set by one domain cannot be transmitted, used, or accessed directly by any other domain.

Why are cookies a thing?

Cookies were first used by the Netscape browser in 1994, during the same timeframe that the creative folks at Netscape Communications were also inventing JavaScript and SSL.  Technically, cookies are part of the HTTP protocol.

Why were cookies used, and why do we need them? There was a need to “preserve state” across page loads and browser sessions. The web is a “stateless medium” at its core, meaning each page load is 100% self-contained information. Once a page is sent, the web server forgets all about what it sent and to whom. On the next page load, we start all over. This becomes inefficient when browsing websites at scale, so cookies are used to reduce that inefficiency and provide more continuity.

For instance, the most common usage of cookies is to preserve the state of a login. Once you log in to a website, cookies allow you to move from page to page without having to log in again on each page load. They are preserving your authentication state, sometimes known as a “login or authentication session.” So here, cookies are “good” because they provide a direct and useful benefit to the end user.

What kinds of cookies are out there?

To understand cookies further, let’s examine four types of cookies: session, personalization, tracking, and third-party.

Session Cookies

“Session cookies” have no expiration date. Instead, they last only for the length of a browser “session” and are automatically deleted when the browser is closed. These are short-term cookies that have no real privacy concerns, and are not useful for tracking purposes. They typically contain transitory or incidental information.

The Verdict: Good Cookie

Personalization Cookies

Other helpful uses of cookies are for remembering and personalizing information. For instance, on an e-commerce site, the number of items in your cart typically appears at the top of the screen; as you move around the site, that information goes with you. Cookies are responsible for that. If you leave an e-commerce site and come back days later, the items you had in your cart will likely still be there. Again, this could not work without cookies (at least, not as the internet is designed and used today).

The Verdict: Good Cookie

Anonymous Tracking Cookies

Not all cookies have visible benefits to the end user. Some are used for tracking purposes, and their use is not immediately clear. The cookie data is often distributed and shared across multiple websites for the purpose of gathering information, and/or possibly to present customized content to you, such as advertisements. These cookies are not activated through any direct action by the user, but rather happen whenever the user visits a website. The data in these cookies could be anonymous, or not.

Anonymous tracking can have many useful benefits that happen out of sight. For example, it can allow website owners to monitor how their sites are being used, which helps them adjust and make improvements to website content and performance. Google Analytics is a prime example of anonymous tracking that is beneficial to website owners, and indirectly beneficial to their users, because the anonymized data gathered by Google Analytics via anonymous tracking cookies gives website owners more insights into user behavior and page flows so they can improve site content and site speed.

The Verdict: Good Cookie

Third-Party Cookies

Even though cookies can only be set by, and seen by, the domain from which they originated, third-party cookies often work around this restriction. How?

One way is iframes, which are sometimes used to present website elements by essentially pulling information from a separate website onto the website you’re viewing. Cookies from third-parties can be included in these iframes.

The majority of third-party cookies are delivered through advertisements. The service providing banner ads includes a cookie along with the advertisement. As this ad reappears across multiple sites, the provider collects more and more information from you.

These third-party cookies are the most likely to not be anonymous.

This is a very common scenario for anyone doing marketing, especially ad-related content. Their idea is “the more we know about you, the better we can target you with content you will be more likely to interact with, which hopefully will persuade you to buy something we are selling.”  They are collecting your data, so they can serve you more relevant ads (that also end up being more profitable to the company).

The Verdict: It Depends

How many cookies does the average website have?

The number of cookies you find on different websites can vary widely. To illustrate, we’ll compare two websites.

First, our own website, www.dbswebsite.com: There are five cookies, all from our domain. Three of those are from Google Tag Manager and Google Analytics. These are anonymous, perfectly safe, and informative cookies that help us keep our website relevant and useful to you:

[Image: The DBS website uses 5 cookies to anonymously track visitors during their site sessions]

We also use two cookies, “contrast-selector” and “font-size,” to maintain accessibility preferences (located in the Accessibility Panel) during your entire website session. This helps us serve website visitors with possible impairments, who may need to render our site differently so they can view and consume our content.

A second website, on the other extreme end of the cookie spectrum, is a popular political news site, crooksandliars.com.  A first-time visitor would have an astounding 769 cookies from a boatload of different domains, mostly third-party cookies, many of which are presumably tracking cookies:

[Image: This website has nearly 800 cookies tracking website visitors]

There’s no “right number of cookies,” but you can expect that websites like this with extremely large numbers of cookies are less likely to proactively protect data linked to their site visitors. Put simply: You’re much more likely to be subjected to invasive cookies on sites like this.
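The distinctions drawn above (session vs. persistent, first-party vs. third-party) and the per-site cookie tally can be reproduced from the Set-Cookie headers a page load produces. The following is an added example, not code from the original article; the hosts, cookie values and function names are constructed, and the "site" comparison uses a last-two-labels simplification instead of the Public Suffix List that browsers use.

```javascript
// Added example. Simplification: a "site" is the last two labels of a hostname;
// real browsers use the Public Suffix List (this mishandles e.g. "example.co.uk").
const site = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Parse one Set-Cookie header value received from requestHost.
function parseSetCookie(header, requestHost, now) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  let domain = requestHost.toLowerCase(), expiresAt = null, maxAge = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && value) domain = value.replace(/^\./, "").toLowerCase();
    if (key === "expires" && !Number.isNaN(Date.parse(value))) expiresAt = Date.parse(value);
    if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
  }
  // Max-Age wins over Expires; with neither, the cookie dies with the browser session.
  const end = maxAge !== null ? now + maxAge * 1000 : expiresAt;
  const lifetime = end === null ? "session" : end <= now ? "expired" : "persistent";
  return { name, domain, lifetime };
}

// Classify every cookie observed while loading a page served from pageHost.
function classify(pageHost, responses, now = Date.now()) {
  const report = [];
  for (const { host, setCookie } of responses) {
    const c = parseSetCookie(setCookie, host, now);
    const h = host.toLowerCase();
    // Browsers reject a cookie whose Domain does not cover the responding host.
    if (h !== c.domain && !h.endsWith("." + c.domain)) continue;
    report.push({ ...c, party: site(c.domain) === site(pageHost) ? "first" : "third" });
  }
  return report;
}

// Constructed sample traffic (hypothetical hosts and values).
const sample = [
  { host: "www.shop.example", setCookie: "sid=abc123; Path=/" },
  { host: "www.shop.example", setCookie: "cart=3; Domain=shop.example; Max-Age=604800" },
  { host: "www.shop.example", setCookie: "old=1; Max-Age=0" },
  { host: "ads.tracker.example", setCookie: "uid=u-42; Domain=.tracker.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
  { host: "ads.tracker.example", setCookie: "sid=other; Domain=shop.example" },
];
for (const row of classify("www.shop.example", sample)) {
  console.log(`${row.party}-party ${row.lifetime.padEnd(10)} ${row.name} (${row.domain})`);
}
```

The last sample header is dropped because a response from one domain cannot set a cookie for another, and the `Max-Age=0` header is how a server deletes a cookie instead of storing one.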

How do you protect data privacy on websites with cookies?

Third-party tracking cookies are the only type of cookie that should potentially concern website visitors who want to protect their privacy. Most cookies on popular websites are safe, though many are used to serve you relevant advertisements. If you want to block cookies and protect your privacy, consider the following options:

  • Modern browsers have settings to block cookies. You can block all cookies, but understand this will break features and functions of many websites.
  • A better approach is to block only third-party cookies. Note that not all third-party cookies fall in the “bad cookie” group. This setting will likely break some sites that are using third-party cookies, even if they are not tracking cookies. As a result, some of these sites might not work correctly, or at all.
  • You can also manually block and allow cookies on a site-by-site basis. This will take more work and monitoring, of course, but doing so provides more flexibility and control of your privacy and user experience on different websites you use.
  • Modern web browsers also offer an “incognito” mode.  An incognito browser session begins as a clean slate. There is no browsing history, and no cookies. Cookies are still accepted by the browser in incognito mode, so all sites will work normally. But those cookies are not stored permanently, essentially becoming session cookies. One downside is that without these cookies, you will not have any saved logins. Still, this option will defeat tracking attempts via third-party cookies.
  • There are third-party extensions for Chrome browsers that provide various cookie-related functionalities, such as deleting cookies after leaving a site.

What’s the final verdict on cookies?

As with most technologies, cookies are not inherently good or evil–their ethical nature ultimately depends on how each website deploys, tracks, and uses them. With this in mind, website users who are concerned that cookies pose a potential threat to their data privacy must decide whether to allow them on a case-by-case, site-by-site basis.