Cookie Duration: How Long Cookies Last and Why It Matters

From tracking visits to remembering login details, cookies run the web in the background. How long they last, their duration, shapes site experience, analytics quality, and privacy compliance. This guide outlines what cookie duration is and best practices to set cookie durations in a way that protects privacy without breaking measurement or usability.

The cookie duration (sometimes called “cookie lifetime”) refers to how long a cookie file stays on a visitor’s device. When a server or script sets a cookie, it can include an expiry date using the Expires or Max‑Age attribute. If the cookie does not include either attribute, it becomes a session cookie and is removed when the browser session ends. Cookies can also be deleted manually by the user or automatically by the browser.

Knowing a cookie’s duration helps you understand when a cookie will be removed if the user does nothing, if an analytics cookie persists long enough to recognise returning visitors, or if you need to refresh consent because the cookie will expire soon.

Cookies do expire when their specified time passes or when the browser enforces a limit (as discussed later). Depending on their purpose, durations can range from minutes to several years.

Yes, all web cookies have an end point, even if that end point is triggered by the user closing their browser or clearing their cookies. Here’s how expiry works:

• Session cookies expire as soon as the user closes their browser window. They have no Expires or Max‑Age attribute. Session cookies are useful for temporarily storing items in a shopping cart or remembering form data during a single visit.
• Persistent cookies stay on the device until the expiry date is reached or the user deletes them. They always include an explicit expiration date and are often used for remembering log‑in preferences or tracking analytics across multiple sessions.

Even persistent cookies eventually expire. However, some websites refresh them by setting a new cookie with a later expiry, effectively extending the lifetime each time the user visits.

Session cookies last only for the duration of the browser session. When the user exits the browser, the session cookie is deleted. Because they contain no expiration date, they are stored in volatile memory (e.g. cache) rather than on the hard drive.

Typical uses include:

• Shopping carts: keeping track of items added to a cart during a single browsing session.
• Login status: maintaining a user’s authenticated state while navigating between pages without requiring them to log in on every page.
• Form data: preserving form inputs when navigating back and forth on a site.

Session cookies are generally considered less intrusive from a privacy standpoint because they disappear quickly and don’t persist across sessions.

Persistent cookies can last anywhere from minutes to years. When creating a cookie, the website sets an explicit expiry date or a Max‑Age value (the number of seconds until expiry). If a persistent cookie’s expiry isn’t refreshed by another visit, it is removed automatically at the end of its lifetime.

Many factors determine how long a cookie lasts:

Purpose and necessity

• Preferences and usability: cookies that remember language settings or login credentials often persist for weeks or months because users expect convenience each time they return. For instance, Google’s NID cookie remembers search preferences and expires six months after the last use.
• Analytics: to distinguish new and returning visitors, analytics platforms set cookies with longer durations. Google Analytics’ main identifier cookie _ga lasts two years, while its campaign cookie _gcl_au used for advertising conversion tracking persists for about three months.
• Advertising and profiling: marketing cookies often last months to years. For example, Facebook’s _fbp cookie for ad delivery expires after 90 days, and LinkedIn’s bcookie persists for two years.

Browser limits and tracking prevention

Browsers can override the expiry set by the website. Apple’s Safari uses Intelligent Tracking Prevention (ITP), which deletes first‑party analytics cookies after seven days and sometimes after 24 hours if the cookie is set via a URL with tracking parameters. Google Chrome has introduced a 400‑day maximum on the lifetime of first‑party cookies. These limits mean that even if you set a longer expiry, the browser may remove the cookie sooner.

Regulatory guidance

Data protection authorities emphasise proportionality. The UK’s Information Commissioner’s Office (ICO) says organisations must justify how long they keep personal data and ensure that cookies are not retained longer than necessary. French, Luxembourgish and Dutch regulators have suggested that cookie retention periods longer than 6, 12 or 13 months may be excessive. The ePrivacy Directive also requires that consent for cookies be renewed at least once a year.

Because these factors vary, there is no single “standard” expiry for persistent cookies. Site owners must decide based on necessity, user expectations and the legal environment.

To illustrate how varied cookie lifetimes can be, here are some real‑world examples drawn from cookie policies:

When a cookie reaches its expiry date, the browser automatically removes it. The next time a user visits the website, the cookie will no longer be sent. As a result:

• Analytics platforms will treat the user as new rather than returning, which may affect metrics like bounce rate and user retention.
• Users may need to log in again or reconfigure preferences if cookies storing their credentials or settings have expired.
• Advertising networks may lose the ability to recognise returning users for retargeting, leading to less personalised ads.

Because cookie expiry influences user experience and analytics, some websites refresh cookies on every visit. However, refreshing a cookie may require renewed consent under privacy regulations. For example, if you extend an advertising cookie beyond its original purpose, you may need to obtain fresh consent.

Yes. Browsers do limit cookie lifetimes. For example, Google Chrome caps cookies at 400 days, Safari’s Intelligent Tracking Prevention reduces many tracking cookies to just seven days, and Firefox currently allows longer durations but may align with the 400-day standard in the future.

Browsers set their own maximum expiration limits for cookies, which can override whatever expiry date a website sets. This means that even if your policy allows a cookie to last two years, it might still expire sooner because of browser rules.

Chrome introduced its 400-day maximum in version 104 (August 2022) to prevent excessively long-lived cookies while keeping a reasonable balance between convenience and privacy. Firefox still permits longer durations but is considering adopting the 400-day limit recommended in the draft HTTP cookie specification. Safari takes the strictest stance, using Intelligent Tracking Prevention (ITP) to cut many tracking cookies down to a week, especially for cross-site tracking.

Privacy laws don’t set a single global rule for cookie duration. Instead, they regulate how long cookie consent lasts by requiring renewal at regular intervals and limiting storage to what’s necessary for the stated purpose.

In the EU, the GDPR and ePrivacy Directive expect websites to follow renewal timelines set by national data protection authorities (DPAs) or use a period that’s appropriate for the purpose. Most guidance falls between every 6 and 12 months.

Key takeaways:

• No fixed global standard: The GDPR does not specify an exact validity period. Renewal schedules should follow national DPA guidelines.
  
• Common renewal periods: Many European DPAs recommend 6–12 months. For example, Ireland and France advise renewal every 6 months, while Luxembourg sets a 12-month maximum.

• Purpose-driven duration: Consent should expire or be refreshed once the purpose for which it was collected is no longer relevant.
  
• User rights: Websites must clearly inform users about how long consent lasts and allow them to withdraw or update it at any time.
  
• Jurisdiction differences: Some countries, such as the UK, use a “necessary for the purpose” standard, which can lead to varied practices.
  
• Outside the EU: The CCPA/CPRA (California) follows an opt-out model without set renewal periods, while India’s DPDPA requires explicit consent but doesn’t set a maximum duration.
  

Always check local laws and DPA guidance when setting a consent renewal schedule, and ensure users know how long their consent and cookies will be stored.

Yes, you can change or delete cookie duration times, both technically and legally as long as you follow privacy regulations that give users control over their consent and cookie preferences.

Technical control

• Developers can adjust a cookie’s duration by modifying its Expires or Max-Age attributes in the Set-Cookie HTTP header.
  
• To delete a cookie, set its expiration date in the past and browsers will remove it immediately.
  
• Changes can be applied when cookies are created or updated, and consent management platforms often allow site owners to configure these settings without editing code directly.
  

Legal requirements

• Laws like the GDPR require that users can withdraw or change their consent at any time, which includes updating or deleting cookies set for them.
  
• Websites must provide an accessible way (such as a cookie banner or privacy settings page) for users to manage their preferences easily.
  

Consent renewal and duration

• Many regulators recommend or require periodic consent renewal, typically every 6–12 months depending on jurisdiction.
  
• Consent and associated cookies can persist or be refreshed based on user actions, updated consent, or regulatory requirements.
  
• Consent management systems let site owners set validity periods and update consent records when durations change.
  

User empowerment

• Users can also delete or adjust cookies directly in their browser settings.
  
• Websites must ensure these changes are reflected in their consent records and privacy practices promptly.
  

You can adjust or delete cookie durations at any time, but you must do so transparently, make the process easy for users, and document it to stay compliant.

Persistent cookies are saved to the device’s file system, while session cookies reside in temporary memory. Their location depends on the operating system and browser:

• Windows: Chrome stores cookies under App Data\Local\Google\Chrome\User Data\Default, Firefox uses App Data\Roaming\Mozilla\Firefox\Profiles and Edge uses App Data\Local\Microsoft Edge\User Data\Default.
• macOS: Safari keeps cookies in the Library/Cookies/ directory.
• Linux: Chrome stores cookies in ~/.config/google‑chrome/Default/, while Firefox uses ~/.mozilla/firefox.

Users can delete cookies via browser settings. For example, Chrome’s settings at chrome://settings/cookies allow users to delete existing cookies, block new ones and set site‑specific preferences. Safari, Firefox and Edge provide similar options.

Cookie duration is more than a technical parameter, it has practical and legal implications:

• User experience: Persisting login sessions and preferences for too short a time forces users to re‑authenticate or reconfigure settings repeatedly. Conversely, excessively long durations can make users feel tracked and might conflict with privacy expectations.
• Analytics accuracy: Short durations reset unique identifiers too quickly, artificially inflating “new visitor” counts and breaking attribution funnels. Safari’s seven‑day limit on first‑party cookies has already forced marketers to rethink measurement strategies.
• Ad‑personalisation: Advertising networks rely on persistent identifiers to deliver relevant ads. As cookies expire sooner due to browser and regulatory changes, retargeting may become less precise.
• Compliance: Demonstrating that data is stored only as long as necessary is a core requirement under data‑protection laws. Organisations that set unnecessarily long cookie expiries risk enforcement actions and fines.

Given the complex interplay between usability, marketing and privacy, here are some practical guidelines:

Map cookie purposes

• Conduct a full audit of your site’s cookies.
• Document: name, provider, type (first-party/third-party), purpose, whether they process personal data, and their default expiration date.
• Categorise into functional, analytics, and marketing/tracking for easier consent management.

Apply the GDPR’s storage limitation principle

• Set durations only as long as strictly necessary for the declared purpose.
• For example:
  • Analytics cookies: up to 12 months for analysing trends or seasonality.
  • Ad-tracking cookies: much shorter, e.g. 3–6 months, unless you can clearly justify more.

Follow regulatory guidance

• In the EU, most Data Protection Authorities (DPAs) recommend 6–12 months for tracking cookies.
• Renew or shorten retention if not strictly needed for the business purpose.
• Maintain documented justifications in case of an audit.

Account for browser-imposed limits

• Safari’s 7-day Intelligent Tracking Prevention (ITP) limit applies to many cookies.
• Chrome’s 400-day limit for persistent cookies sets an upper bound.
• If you need longer tracking, consider server-side storage or privacy-compliant alternatives such as hashed identifiers, but ensure these still comply with consent rules.

Provide full transparency

• Clearly list each cookie in your cookie policy: name, purpose, provider, type, and expiry.

Example: test_cookie (15 minutes) – checks if the user’s browser supports cookies; _fbp (90 days) – used by Facebook for ad delivery and retargeting.

• Ensure users can find this information easily.

Seek renewed consent

• Renew user consent at least every 12 months or sooner if you:
• Introduce new cookies,
• Change cookie purposes,
• Extend cookie lifespans.
• Use granular choice panels so users can accept/reject by category.

Implement deletion & withdrawal mechanisms

• Your consent management platform (CMP) should:
• Block non-essential cookies until consent is given,
• Delete cookies immediately if the user opts out.
• CMP options include CookieYes, OneTrust, or TrustArc.

Test across regions

• EU: Strict opt-in plus specific durations.
• US (CCPA/CPRA): Opt-out model, focus on “Do Not Sell/Share” signals.
• Implement geolocation-based consent flows if needed.

Stay updated

• Privacy regulations and browser privacy policies change frequently.
• Subscribe to updates from national regulators (e.g. CNIL, ICO, FTC) and browser vendor blogs (Chrome, Safari, Firefox).
• Periodically re-audit durations to ensure compliance.