In the 1990s when websites were struggling to remember who their users were or what they did in previous website visits, Lou Montulli, a network engineer, invented the HTTP cookie or what is widely known as internet cookies or simply as cookies. Cookies have now become an inevitable part of the internet, helping businesses accomplish a wide variety of purposes.
These days, you may often come across cookie popups on websites as the arrival of stricter privacy laws changed how cookies are used on websites. Therefore, it is important to understand what cookies are, how they function and how they affect user privacy.
What are internet cookies?
An internet cookie (HTTP cookie or browser cookie or web cookie) is a small piece of data that a website stores on a user’s browser. A cookie consists of a small text file with a unique ID which is an anonymous number (randomly generated). There are two copies of it, one is stored on your device and one is stored on the website.
Cookies are set on the user’s device while the user is browsing a website and are stored for a range of purposes such as uniquely identifying users, managing their browsing sessions, facilitating personalized user experiences, ad targeting, and much more.
How do internet cookies work?
Here’s how cookies work:
- User visits a website.
- The site sets a small text file (a cookie) in your browser with a name–value pair and attributes (expiry, path, domain, secure).
- User browser stores it.
- On the next page load or visit, the browser automatically includes the cookie in the request.
- The site reads the cookie to keep the user signed in, remember preferences, or measure usage.
To download this infographics, click here
To find information on any cookie, check out CookieSearch, an open-source cookie database where you can find information on over 100,000+ cookies.
What are internet cookies used for?
Cookies are an important component that helps websites to function effectively. Cookies enable you to use basic features on the website and allow sites to personalize user experience, track how users browse the site and collect insights for improving the site, products and services.
Most often, websites use cookies to:
- Keep you logged in on the site
- Remember items in your shopping cart or wishlist
- Keep your payment information secure
- Personalize the content you see
- Save your preferred site settings and themes
- Track how users interact with a website
- Show users relevant, personalized ads
Types of internet cookies
Cookies are generally classified based on their characteristic attributes such as their mode of origin, the time period they remain on a user’s browser, and what purposes they serve. The most common types of cookies are described briefly below.
| Category | Type (synonyms) | What it does / definition | Examples |
|---|---|---|---|
| Source | First-party | Set by the website you’re on (same domain as the address bar). Remembers on-site activity and preferences across visits; powers on-site conveniences like “recently viewed”. | Recently viewed list; saved on-site prefs |
| Source | Third-party cookies (tracking) | Set by other domains via embedded services (ads, social, chat, maps). Often used to track activity across the internet for advertising/marketing; can be set even if you never visit the third party’s own site; raises privacy concerns. | Ad networks; social buttons; live chat; Google Maps |
| Duration | Session cookies (temporary, non-persistent) | Expires when the session ends (leaving the site or closing the browser). Keeps state and remembers actions during a visit as you move between pages, even if not logged in. | Cart contents during checkout |
| Duration | Persistent cookies (permanent) | Remains until its set expiry (from 1 second to several years) and is then auto-deleted. Recognises returning users; remembers information, settings, preferences, and sign-in across visits for faster experiences. | Saved sign-in; language/region |
| Purpose | Strictly necessary cookies (essential) | Required for the website to function: navigation, authentication/session, cart, checkout, payments. Per the original section: exempt from cookie consent. | Sign-in; add to cart; payments |
| Purpose | Performance (statistics) | Collects anonymous information (pages viewed, friction/errors) to evaluate performance, understand interests/motivations, and improve how the site and communications work. | Page views; error/friction metrics |
| Purpose | Functional cookies (preference) | Ensures the site works properly and enhances functionality. Remembers choices/credentials (e.g., auto-login, language, region). Not used to track on other websites; may be set by third-party providers used by the site. | Auto-login; language; region |
| Purpose | Advertising cookies (targeting/tracking) | Tracks browsing to build interest profiles and show relevant ads on other websites. Usually third-party and often persistent; doesn’t directly store personal info but can uniquely identify a browser/device/location and habits. | Google Ads; Amazon PS; Media.net |
Read more: full breakdown of types and examples → Types of Internet Cookies
Internet cookies and user privacy
When cookies began to be widely adopted by websites in the late 90s, concerns were raised about user privacy and those concerns have not died down ever since. As personal data collected from cookies are aggressively being used by ad networks to target ads, privacy concerns regarding cookies have been increasing in recent times. In this regard, data protection laws and directives such as the General Data Protection Regulation (GDPR), ePrivacy Directive (ePD), CCPA, and LGPD have included provisions that regulate the use of cookies.
If you are a website owner or you are a developer, marketer or freelancer involved in building websites, you should be concerned about how cookie law affects you.
The ePrivacy Directive, also known as the EU cookie law is a directive passed by the European Union that regulates the use of cookies, email marketing, and other forms of electronic communication. Regarding cookies, the Directive requires websites to get prior consent before placing cookies and trackers on a user’s device, except for strictly necessary cookies that are essential for the basic function of a website. The Directive was adopted in the UK as Privacy and Electronic Communications Regulations (PECR).
Data privacy laws around the world have added provisions to regulate cookie usage.
Cookie consent refers to the requirement that websites need to obtain prior consent from users before dropping cookies on their browsers. For consent to be valid as per the GDPR, it has to be freely given, specific, informed and unambiguous indication of the user’s wishes through clear affirmative action. Consent should also be revocable i.e. users should have the option to withdraw consent at any time. To demonstrate that websites have received valid consent, they should record user consent for proof of compliance.
You can implement cookie consent on your website with CookieYes, a cookie consent solution trusted by over 1.5+ million websites worldwide. With CookieYes you can fulfil the cookie consent checklist below for compliance with privacy laws like the GDPR, LGPD, CNIL and CCPA.
What happens when someone accepts all cookies?
- The consent banner/CMP records the visitor’s choice (“granted” per category) in a consent cookie or local storage and, where used, generates a TCF consent string readable by vendors.
- The site’s tag manager receives a “consent granted” signal and unblocks previously held scripts (analytics, ads, A/B testing, embeds).
- Those scripts execute: first- and third-party cookies/pixels are set and data requests are sent to their services, subject to the browser’s policies.
- The CMP logs an audit trail of the event (timestamp, choices, consent ID) for compliance.
- On subsequent visits, the stored consent state is read and the same categories load automatically until the visitor updates their preferences.
What happens when someone rejects all cookies?
- The CMP records a denied state per category (often storing a consent cookie/local storage entry and, if used, a TCF string with purposes set to “no”).
- The tag manager keeps non-essential scripts blocked; only strictly necessary functionality runs. Third-party embeds may show placeholders until the visitor opts in.
- No new non-essential cookies are set. If configured, previously set analytics/ads cookies are cleared or ignored on subsequent requests.
- The CMP writes an audit log of the refusal (timestamp, choices, consent ID).
- On return visits, the stored denial is honored and those categories remain blocked until the visitor changes preferences.
Cookie consent checklist
- Collect consent for using cookies on your website with a cookie banner or popup
- Give users full control to accept, decline or change cookie settings on the banner
- Customize the banner for desktop and mobile devices for accessibility
- Show cookie table (with name, type, purpose and duration) for full disclosure of cookies
- Show auto-translated banner to users as per their browser language
- Auto-block third-party cookies from loading till the user gives consent
- Record all user consents for proof of compliance
- Add a callback widget for the banner so users can withdraw consent at any time
- Generate a cookie policy with detailed disclosure of cookie use and link it to your cookie banner
- Scan your website for cookies to auto-update your cookie list and cookie policy
What are some other types of cookies?
Supercookies
Supercookies are not cookies per se because they are not downloaded and stored on browsers. They use something called Unique Identifier Headers or UIDH that inject information sent from a user’s device and the service it connects to. Unlike cookies that cannot be shared with another website, UIDH is available to any website that requests access. Supercookies have raised many privacy concerns because they are nearly impossible to remove. They cannot be cleared by deleting the browser cache or be blocked by ad blockers or privacy trackers.
Zombie cookies
Zombie cookies are named so because of their ability to come back from the dead! They are third-party cookies that are placed outside of the web browser’s designated cookie storage. They also don’t get cleared because they are hiding outside the regular cookie storage. Zombie cookies often bypass any restrictions or third-party cookie blocking enabled on browsers when they are re-created. These cookies are capable of tracking a user’s internet behaviour across all available browsers on their device. Ad networks use zombie cookies to gather personal profiles of website visitors.
Flash cookies
These are cookies stored and accessed by Adobe Flash, the browser plug-in used by sites such as YouTube. Flash cookies are Local Shared Objects (LSOs) that provide Flash applications with options to save data to the local system. Flash cookies are used to personalize user experience, but they also can store information about the websites you visit and can persist even after you block web cookies or opt out of ad tracking.
Secure cookies
Secure cookies or HttpOnly cookies have a secure attribute to ensure that cookies are only sent over a secure SSL connection. The secure attribute is always activated so that the cookies are transmitted with encrypted connections, without security issues. These cookies only work for HTTP and HTTPS, hence the name HTTPonly.
What are the alternatives to third-party cookies?
Cookies are here to stay, but third-party cookies are facing the heat in an increasingly privacy-conscious world. Websites, advertisers and even search engines are seeking alternatives to third-party cookies.
First-party data
First-party data is the information that a business collects directly from its users or customers such as data from users’ interactions on a website or app, demographics, data from web forms, in-site search queries, purchase history etc. First-party data can also include data collected offline through in-person events, point of sale, conferences, calls etc. First-party data stays in the hands of those who collect it, and that gives more control and transparency over what happens with that data. Businesses are actively looking at utilizing first-party data to create hyper-personalized experiences for users.
Unified ID
Unified ID or UID 2.0 is an open-source identity framework developed by The TradeDesk Unified ID that will enable cross-site targeting and will provide businesses with the ability to run targeted and personalized ads but with stricter privacy control for users. Unified ID 2.0 will have a single sign-in with the user’s email address when they visit a publisher’s page that supports UID 2.0. An encrypted identifier is created.
Contextual advertising
Contextual advertising or targeting refers to placing ads based on their relevance to the content on a web page. It involves advertisers making use of keywords and key phrases on a webpage. The content on a web page acts as a proxy for personal data. Advertisers use machine learning and cognitive technologies such as natural language processing (NLP) to predict which pages are best to target. Without collecting personal data from users, contextual advertising can help ad networks target users through the content they consume and not serve irrelevant ads.
Google FLoC
FLoC or Federated Learning of Cohorts is a privacy-focused alternative to third-party cookies, part of Google’s proposed Privacy Sandbox. Google FLoC anonymizes users by grouping users with similar interests and browsing habits together into “cohorts”. Each cohort corresponds to groups with similar browsing histories with a specific cohort number for identification. This means Google will target ads to cohorts based on the cohort’s interests rather than targeting it for specific individuals. FloC is designed to show relevant ads to users without collecting personal data through third-party cookies.
How to block Internet cookies
Google Chrome
In Chrome, click on the three dots in the top right corner, then select: Settings> Privacy and security > Cookies and other site data, then Disable Allow all cookies
Chrome (Android)
Open the Chrome browser, click on the three dots in the top right corner, then select: Settings > Site settings > Cookies and enable Block all cookies
Mozilla Firefox
By default, Firefox blocks third-party tracking cookies, social media trackers etc. To enable additional settings, open Firefox, click on the menu bar on the top-right corner, select: Settings > Privacy & Security, then choose the relevant option under Cookies and Site Data
Apple Safari
Safari blocks cookies used for cross-site tracking by default. To block all cookies on the browser, open Safari and select: Preferences > Privacy. Then enable Block all cookies
Safari (iOS)
From your home screen navigate to: Settings > Safari , then turn on Block All Cookies, and then tap on tap on the Block All
Microsoft Edge
To block all cookies on the browser, open Edge and select: Settings > Cookies and Site permissions > Manage and delete cookies and site data and then disable Allow sites to save and read cookie data
For a step-by-step guide to block or clear cookies, refer to How to block cookies on your browser
FAQ on Internet cookies
A cookie or internet cookie is a text file with a small piece of data that is stored on the web browser by websites we visit. Cookies are used for many different purposes, but the most important ones are for managing user sessions, personalization, and ad tracking.
Cookies are small text files stored on a user’s web browser on their device when they visit a website. These files contain data that can be accessed by the website to remember user’s login information, their shopping cart and other preferences. Cookies enable websites to provide a personalized user experience by storing information about the user’s interactions with the site.
Not every website uses cookies, but most websites utilize them for basic website performance, enhanced user experience, tracking analytics, and other purposes.
Generally, the use of cookies is prevalent, especially on websites that require user authentication and personalization. Websites that do not use cookies typically have less functionality and features.
Websites use cookies for various purposes such as:
-Authentication: Cookies allow websites to recognize users, authenticate them and allow them to log in when they return to the site later.
-Personalization: Cookies help websites remember user preferences, such as their language settings, items in their shopping cart etc.
-User analytics: Cookies can collect data for website analytics and to improve website performance.
-Advertising: Cookies are used to track user behaviour such as pages they visit, products they click on etc. for targeted advertising purposes.
The history of cookies can be traced back to Lou Montulli, a web browser programmer at Netscape Communications, one of the first internet browsers. In 1994, he came up with the idea of using text files to store information. The idea behind cookies was to help store items in a virtual shopping cart by storing the data in the user’s local computer.
The name “cookie” was coined by Lou Montulli himself and is derived from the term “magic cookie”, which is the package of data received and sent by a program.
Yes, some cookies can track you on the internet. These cookies are often called advertising cookies or tracking cookies and allow websites to collect information about your browsing habits, websites you visit, and your on-site behaviour such as scrolling speed and mouse clicks. They are most commonly used for targeted advertising that shows display ads across the sites you visit.
Usually yes. If a cookie (or its ID) can identify a person/device or is linked to an account, treat it as personal data.
Purely functional, non-identifying cookies may fall outside that definition, but many regions still require consent to set/read them.
HTTP cookies or internet cookies are small pieces of data sent from a website and stored on a user’s browser. These cookies are used for session management, personalization, remembering and tracking user information etc., and help websites to perform different tasks required. HTTP cookies are also referred to as web cookies and browser cookies.
It’s no surprise that you can find internet cookies on your smartphones too. These are stored in your mobile browser just like desktops. Different mobile browsers have different default settings for cookies. Here’s how you can clear cookies on your mobile:
Chrome (Android)
Open the Chrome browser, click on the three dots in the top right corner, then select: Settings > Site settings > Cookies and enable Block all cookies
Safari (iOS)
From your home screen navigate to Settings > Safari, then turn on Block All Cookies, and then tap on tap on the Block All
You may delete cookies if you no longer want the browser to have information saved such as account password, preferences and settings. If you use a shared computer or device, you may choose to delete cookies if you don’t want other users to see your browsing history.
If you perform sensitive tasks such as online transactions or investments or don’t want to be shown targeted ads, you may periodically delete cookies.
You may accept or reject website cookies depending on your privacy preferences. Typically, cookies are harmless and are used to provide basic functionalities and improve user experience on a website. However, other cookie categories such as analytics or advertising cookies are used to collect data for targeted advertising.
Most websites in the EEA & UK will display a cookie banner or popup that allows you to choose whether to accept cookies or not. Strictly necessary cookies or essential cookies will be set on your browser regardless of your preference as they are exempt under the GDPR and hence do not require your explicit consent.
If you are concerned about third parties collecting your data via websites, you can also disable third-party cookies on your browser’s settings. Internet browsers like Chrome, Safari, Firefox and others have settings to disable tracking.
No. Internet cookies are not illegal. Cookies are however subject to certain regulations on their use as per privacy laws such as the ePrivacy Directive, GDPR, CCPA and so on. This primarily requires websites to seek prior consent for setting cookies on users’ browsers and only using cookies that the user has consented to. Strictly necessary cookies are exempt from the requirement of consent as they are essential for a website to function properly. Other cookie categories like performance, analytics and advertising need explicit consent from the user.
Yes. Cookies can be enabled or disabled on your browser. All modern web browsers have privacy settings that allow users to restrict or block cookies.
Chrome:
In Chrome, click on the three dots in the top right corner, then select: Settings> Privacy and security > Cookies and other site data, then Disable Allow all cookies
Firefox:
By default, Firefox blocks third-party tracking cookies, social media trackers etc. To enable additional settings, open Firefox, click on the menu bar in the top-right corner, select: Settings > Privacy & Security, and then choose the relevant option under Cookies and Site Data
Safari:
Safari blocks cookies used for cross-site tracking by default. To block all cookies on the browser, open Safari and select: Preferences > Privacy Then enable Block all cookies
Online identifiers like cookies, IP addresses, advertising IDs, pixel tags, account handles, device fingerprints, and radio frequency identification (RFID) tags, can be used in combination and used to create profiles of individuals and identify them. Hence, cookies can be considered personal data and are subject to privacy laws like the GDPR, LGPD (Brazil), CCPA etc.
Kavya is a content designer who works across marketing, and product to create simple, user-first content. She brings expertise in long-form content, UX writing, and copywriting for B2C and B2B brands. In her downtime, she’s probably watching re-runs of mobster dramas and baking.
