Cookies have attracted a lot of attention and concern lately – particularly in the wake of the EU’s General Data Protection Regulation (GDPR) legislation going into effect – so we decided to re-examine the origin and nature of website cookies to remind users what cookies are, why they matter, and how they affect your data privacy.
What is a “cookie”?
A cookie is a small piece of textual information that a web server stores on a device’s hard drive and that is sent again with each future request to that website.
In addition to storing data, the cookie is attached to a specific domain (e.g. cyber-cops.com or amazon.com) and usually has an expiration date. A cookie set by one domain cannot be transmitted, used, or accessed directly by any other domain.
Why are cookies a thing?
Why were cookies used, and why do we need them? There was a need to “preserve state” across page loads and browser sessions. The web is a “stateless medium” at its core, meaning each page load is 100% self-contained information. Once a page is sent, the web server forgets all about what it sent and to whom. On the next page load, we start all over. This becomes inefficient when browsing websites at scale, so cookies are used to reduce that inefficiency and provide more continuity.
For instance, the most common usage of cookies is to preserve the state of a login. Once you log in to a website, cookies allow you to move from page to page without having to log in again on each page load. They are preserving your authentication state, sometimes known as a “login or authentication session.” So here, cookies are “good” because they provide a direct and useful benefit to the end user.
What kinds of cookies are there?
To understand cookies further, let’s examine four types of cookies: session, personalization, tracking, and third-party.
“Session cookies” have no expiration date. Instead, they last only for the length of a browser “session” and are automatically deleted when the browser is closed. These are short-term cookies that have no real privacy concerns, and are not useful for tracking purposes. They typically contain transitory or incidental information.
The Verdict: Good Cookie
Other helpful uses of cookies are for remembering and personalizing information. For instance, on an e-commerce site, the number of items in your cart typically appears at the top of the screen; as you move around the site, that information goes with you. Cookies are responsible for that. If you leave an e-commerce site and come back days later, the items you had in your cart will likely still be there. Again, this could not work without cookies (at least, not as the internet is designed and used today).
The Verdict: Good Cookie
Anonymous Tracking Cookies:
Not all cookies have visible benefits to the end user. Some are used for tracking purposes, and their use is not immediately clear. The cookie data is often distributed and shared across multiple websites for the purpose of gathering information, and/or possibly to present customized content to you, such as advertisements. These cookies are not activated through any direct action by the user, but rather happen whenever the user visits a website. The data in these cookies could be anonymous, or not.
Anonymous tracking can have many useful benefits that happen out of sight. For example, it can allow website owners to monitor how their sites are being used, which helps them adjust and make improvements to website content and performance. Google Analytics is a prime example of anonymous tracking that is beneficial to website owners, and indirectly beneficial to their users, because the anonymized data gathered by Google Analytics via anonymous tracking cookies gives website owners more insights into user behavior and page flows so they can improve site content and site speed.
The Verdict: Good Cookie
Even though cookies can only be set by, and seen by, the domain from which they originated, third-party cookies often work around this restriction. How?
One way is iframes, which are sometimes used to present website elements by essentially pulling information from a separate website onto the website you’re viewing. Cookies from third-parties can be included in these iframes.
The majority of third-party cookies are delivered through advertisements. The service providing banner ads includes a cookie along with the advertisement. As this ad reappears across multiple sites, the provider collects more and more information from you.
These third-party cookies are the least likely to be anonymous.
This is a very common scenario for anyone doing marketing, especially ad-related content. Their idea is “the more we know about you, the better we can target you with content you will be more likely to interact with, which hopefully will persuade you to buy something we are selling.” They are collecting your data, so they can serve you more relevant ads (that also end up being more profitable to the company).
The Verdict: It Depends
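The distinctions described above (a session cookie has no expiration date, and a cookie belongs to the domain that set it rather than to the page you are viewing) can be checked directly from the Set-Cookie response headers a page load produces. The following is an added example, not code from the original article; the hosts and header values are constructed sample data, and siteOf() is a simplified stand-in for the Public Suffix List lookup that real browsers use.

```javascript
// Classify cookies by lifetime and by party from Set-Cookie header values.

// Assumption: the "site" is the last two DNS labels. Real browsers use the
// Public Suffix List, so hosts such as "example.co.uk" need more care.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into name, value and lowercase attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// pageHost: the site in the address bar; responseHost: the server that sent the header.
function classify(pageHost, responseHost, header) {
  const c = parseSetCookie(header);
  // No Expires and no Max-Age means the cookie ends with the browser session.
  const persistent = 'expires' in c.attrs || 'max-age' in c.attrs;
  // The cookie belongs to the responding host (or the Domain it names), not the page.
  const named = typeof c.attrs.domain === 'string' ? c.attrs.domain : responseHost;
  const cookieDomain = named.replace(/^\./, '');
  return {
    name: c.name,
    lifetime: persistent ? 'persistent' : 'session',
    party: siteOf(cookieDomain) === siteOf(pageHost) ? 'first-party' : 'third-party',
  };
}

// Constructed responses seen while loading one page on shop.example.
const observed = [
  ['shop.example', 'sid=abc123; Path=/; HttpOnly'],
  ['shop.example', 'cart=3; Max-Age=604800; Path=/'],
  ['ads.adnetwork.example', 'uid=7f3e; Domain=adnetwork.example; Expires=Wed, 01 Jan 2031 00:00:00 GMT'],
];

function report(pageHost, responses) {
  return responses.map(([host, header]) => classify(pageHost, host, header));
}

console.log(report('shop.example', observed));
```

In this sample the login cookie is a first-party session cookie, the cart cookie is first-party and persistent, and the ad network's identifier is third-party and persistent, which is the combination the article singles out as the one to review.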
How many cookies does the average website have?
The number of cookies you find on different websites can vary widely. There’s no “right number of cookies,” but you can expect that websites with extremely large numbers of cookies are less likely to proactively protect data linked to their site visitors. Put simply: You’re much more likely to be subjected to invasive cookies on such sites.
How can you protect data privacy on websites with cookies?
Third-party tracking cookies are the only type of cookie that should potentially concern website visitors who want to protect their privacy. Most cookies on popular websites are safe, though many are used to serve you relevant advertisements. If you want to block cookies and protect your privacy, consider the following options:
What’s the final verdict on cookies?
As with most technologies, cookies are not inherently good or evil – their ethical nature ultimately depends on how each website deploys, tracks, and uses them. With this in mind, website users who are concerned that cookies pose a potential threat to their data privacy may only allow them on a case-by-case, site-by-site basis.