What Are Cookies, and Why Do Websites Have Them?
Cookies simplify our online lives, but it's important to understand what they are before accepting them.
If you’re online all the time (and we’re willing to wager most people are), you’ve no doubt been bombarded with the “accept cookies” pop-ups that appear on every website. And aside from wondering how to make them go away, the question you probably ask every time you hit “accept” is, “What are cookies anyway?” Some cookies are safe—there to offer you a more personalized user experience—while others are more nefarious, allowing you to be tracked and spied on, possibly without your consent.
“The majority of people just click ‘accept cookies’ on those annoying website banners that pop up each time,” says Chris Pierson, PhD, a former privacy attorney who also served for more than a decade on the Department of Homeland Security’s Privacy Committee and Cybersecurity Subcommittee. “Most free websites, apps, and other services require the user to accept their terms of service to collect and use their data, and often this is done through the use of tracking cookies. If it’s free, you are the product.”
With all the tracking going on, it can be tempting to disappear completely from the Internet, but that’s an extreme solution. Understanding how web cookies work and what their purpose is will help you identify the times you shouldn’t accept cookies, why you might want to browse the Internet anonymously, how to prevent companies from buying and selling your information, and why you should clear cookies from your phone, tablet, and computer.
What are cookies?
A cookie is a small piece of data from a website stored in your browser to recognize you when you return.
“Cookies have been around since the early [to] mid-1990s and have become a ubiquitous part of the Internet,” says Alex Hamerstone, director of advisory solutions at cybersecurity company TrustedSec. “They are blocks of data [or] information that the Web browser puts on your computer, phone, or other devices.”
The cookie was created to make your online life more seamless. “The technology was originally developed to make Web surfing easier by enabling the Web server to remember your log-in information or catering information on the website to your interests,” explains David Finkelstein, cofounder and CEO of data exchange platform BDEX.
But it’s important to understand that not all cookies are created equal. There are authentication cookies that make it so you don’t have to log in every time you visit a website. And then there are tracking cookies, which store information about your browsing. (And no, private browsing won’t let you avoid tracking cookies.)
“A lot of the things that happen as you browse the Web that people attribute to their devices ‘listening to them’ are really from cookies following them around as they browse,” says Hamerstone. “When you search for an item on a website and then see ads for that item on different websites, that is usually cookies at work.”
How do cookies work?
Web browsers and websites talk to each other in a “stateless language.” Translation: “Every message is independent and isolated from every other message,” says Pieter Arntz, threat intelligence expert at Malwarebytes, which sells cybersecurity solutions. “It’s like having a conversation with somebody who instantly forgets who you are after every sentence.”
That’s where cookies come in.
“To tie the separate sentences together into a conversation,” Arntz says, “a website sends a Web browser a cookie with a unique ID the first time they communicate, and the Web browser repeats the unique ID back to the website every time it sends a message so that a website can remember who you are and tell that your messages are coming from the same individual.”
What information do cookies collect?
“There are many different types of cookies, and they collect varying types of information,” Hamerstone says. “This information can be as simple as your preferences as you visit a website or what pages of that website you have already visited, or cookies can collect and store extensive information about your browsing history over time.”
So, what exactly are cookies on a website collecting?
The cookies that give us a better user experience are the ones that collect stuff like our log-in information, our news preferences, and whether we’ve left items in an online retailer’s shopping cart. These first-party cookies are often referred to as “essential” or “necessary” cookies. “Cookies are generated by the host domain,” Arntz explains. “And they gather some basic information about your system and browser to optimize the communication regarding your behavior on the site, such as which pages you visited and how long you stayed there before moving on.”
OK, but what are cookies best known for? Privacy concerns. And third-party cookies are the ones that give cookies a bad reputation.
“They’re intended for cross-site tracking, which advertising companies use,” Arntz says. “And advertisers like Google and Facebook use them to track users as they travel around the Web from site to site, building up profiles of the kinds of sites they like to visit and showing them targeted advertising.”
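The ID round trip described under “How do cookies work?” and the cross-site tracking described above can be seen in a small simulation. This is an added example, not code from the article or from any company quoted in it; the host names, class names and page paths are made up, and “third party” is simplified to “a different host than the page being visited.”

```python
import secrets
from http.cookies import SimpleCookie


class Server:
    """A stateless site: it knows a visitor only by the ID the browser repeats."""
    def __init__(self, host):
        self.host, self.seen = host, {}   # seen: cookie ID -> list of request contexts

    def handle(self, cookie_header, context):
        jar = SimpleCookie(cookie_header or "")
        if "id" in jar:                   # returning visitor: ID came back in Cookie:
            uid, set_cookie = jar["id"].value, None
        else:                             # first contact: issue a unique ID
            uid = secrets.token_hex(8)
            out = SimpleCookie()
            out["id"] = uid
            set_cookie = out["id"].OutputString()   # value of a Set-Cookie header
        self.seen.setdefault(uid, []).append(context)
        return set_cookie


class Browser:
    def __init__(self, block_third_party=False):
        self.jar = {}                     # host -> cookie string to send back
        self.block_third_party = block_third_party

    def fetch(self, server, top_level_host, context):
        third_party = server.host != top_level_host   # simplified host comparison
        use_cookies = not (third_party and self.block_third_party)
        sent = self.jar.get(server.host) if use_cookies else None
        set_cookie = server.handle(sent, context)
        if set_cookie and use_cookies:
            self.jar[server.host] = set_cookie

    def visit(self, site, tracker, page):
        self.fetch(site, site.host, page)                   # the page itself
        self.fetch(tracker, site.host, site.host + page)    # embedded ad, sees the referrer


def simulate(block_third_party):
    news, shop, ads = Server("news.example"), Server("shop.example"), Server("ads.example")
    browser = Browser(block_third_party)
    browser.visit(news, ads, "/politics")
    browser.visit(news, ads, "/sports")
    browser.visit(shop, ads, "/running-shoes")
    return news, shop, ads


if __name__ == "__main__":
    for blocked in (False, True):
        print("third-party cookies blocked:", blocked)
        for uid, pages in simulate(blocked)[2].seen.items():
            print("  ads.example profile", uid, "->", pages)
```

With third-party cookies allowed, `ads.example` ends up with one ID tied to pages on both sites; with them blocked, it sees three unrelated visitors, while `news.example` still recognizes its own returning reader.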
Why do websites have cookies?
By now, we understand some of the basics about what cookies are and why they exist, which can be summed up in a word: tracking. First-party cookies make it easier for users—so they don’t have to constantly log in, for example—and third-party cookies make it easier for advertisers.
First-party cookies also help website owners understand which pages work, meaning (among other things) which pages people stay on longer and which ones need optimizing.
Third-party cookies use more advanced user analytics and are typically set up for commercial reasons. They’re a way for companies to advertise to you across the Internet—not just on a single site.
Why do they call it a cookie?
“In the Unix programming language, there is something called a magic cookie, which is a way for data to be sent within a program,” Hamerstone explains. “The ‘magic cookie’ name came from fortune cookies, which have a message in them, much like the ‘magic cookie’ carries data. When the idea of using cookies to save data came about in the early 1990s, the term was coined.”
Are cookies bad?
Cookies aren’t inherently good or bad. “Cookies are just files of text information about you, your device, your browsing history, and your behavior,” says Pierson, who’s currently the CEO of cybersecurity company BlackCloak. “However, if you do not specifically limit cookies or set up privacy settings, then they may infringe upon your privacy beliefs. The key lesson is to learn what they are, how they are used, and then determine what role you want them to play in your browsing life.”
So let’s start with the positive: What are cookies good for? “Cookies, by nature, are meant to be a convenience to all parties,” says Rob Holmes, a second-generation private investigator who has handled digital cases for 30 years. “Without cookies, you would have to provide your log-in info every time to return to Amazon, Netflix, or any other website you frequent.”
Yet online security is a valid concern. Most of us worry about the cookies we feel forced to accept, wondering if they can disclose something sensitive about us, something we wouldn’t want just anybody (or practically everybody) to know. The prevalence of phishing, spyware, and computer hacking makes us fear that cookies could lead to our identity being compromised or stolen.
But despite all the risks, there are some best practices for staying safe online—like avoiding sketchy sites—that make it unlikely cookies will pose cybersecurity threats. “Unless you spend a lot of time surfing websites operated by untrustworthy or unscrupulous people in the first place, you probably don’t need to worry about cookies leading to hacking,” says Mike Wills, a certified anti-money-laundering specialist and professor at Embry-Riddle Aeronautical University.
Should I accept cookies?
“It depends,” says Jason Glassberg, cofounder of cybersecurity firm Casaba Security. “Do you want a convenient Web experience? If so, then you need cookies.”
You can change your browser settings to block cookies, but websites will still be able to get personal information about you; they just won’t share it with your browser. “Therefore, your data will still be collected, but you won’t benefit from it by having a more convenient time using the Web,” Glassberg says. “The only real option to avoid data collection from websites is to abandon the Internet altogether.”
That’s all well and good when you’re simply browsing, but you’ll want to give it more thought when sensitive information is in play. “Consumers need to think long and hard about whether they want to be sharing sensitive information with cookies—like your passwords, payment card, and home address—as hackers can steal cookies,” Glassberg says.
Accepting cookies so that websites can save your login information is a convenience with little risk, but you might think twice when a website offers to save your payment information.
But what’s the alternative if you don’t want to accept cookies? While websites make it easy to accept, they often send users down a button-click rabbit hole to block cookies. But you’ll most likely have the option, since it’s required under European law.
“The [European Union’s] ePrivacy Directive requires that the user must be presented with adequate explanation as to the cookies that will be placed on their device and how they will track the individual,” explains Donata Stroink-Skillrud, a certified information privacy professional and chair of the American Bar Association’s ePrivacy Committee. “If the user doesn’t consent, then companies may not place cookies on their device. If a user does consent, the user must also be presented with a choice to revoke that consent at any time. Revoking consent must be as easy as providing it, meaning that the process to revoke consent must be quick and easy and not hidden from the user.”
Opting out is looking more and more appealing to users who are reckoning with the large amount of personal data found on the Web. Not convinced? Google your name. Thankfully, you can remove your personal info from Google search results, and you can opt out of cookies.
What happens if you don’t accept cookies?
“For some websites, not accepting cookies can break the content, and it will not display properly,” says Andy Rogers, senior assessor at Schellman, a global cybersecurity assessor. “And if you’ve clicked on ‘keep me logged in’ on websites and you clear your cookies, you’ll have to log in to them all over again.”
Glassberg puts it more bluntly: “You will have a little more privacy, but surfing the Web will be an aggravating experience.”
He points out that accepting cookies may keep us a bit safer, assuming everyone has replaced easy-to-guess passwords with good passwords and two-factor authentication. “Without cookies, you’d have to remember 12 to 20 unique passwords every day just to use basic Web services like Gmail, Amazon, Netflix, Facebook, Twitter, etc.,” he says. “So without cookies, people would have one password they used for everything, which would make them more vulnerable. Cookies make it easier to use good password hygiene, and they allow you to surf the Web without a million sign-ins.”
That said, a good password manager will hold your hard-to-guess passwords so you’re not tempted to use an easy phrase for every log-in. In that case, cookies simply save you the hassle of having to enter your password each time you land on a site.
How do I clear cookies?
“The process to clear cookies varies by device and browser,” Hamerstone says. “You’ll need to visit the settings section of your browser or device and look for the option to clear cookies. You will usually have options to remove selected cookies or all cookies. There will also be options to disallow cookies, and these options will usually allow a user to deny cookies by type. For example, a user can choose to deny only third-party cookies.”
To clear cookies in the Chrome browser, follow the steps below.
- In the top-right corner of your browser, click on the three vertical dots.
- Click “More Tools.”
- Click “Clear Browsing Data.”
- Adjust the time range to determine how many cookies are deleted. To get rid of them all, select “All time.”
- Make sure “Cookies and other site data” is checked.
- Click “Clear data.”
Not everyone uses Chrome, though, so if you’re stumped by how to clear cookies from your favorite browser, your best bet is to google it. We’ll get you started with keyboard shortcuts for the most commonly used browsers:
- Windows: Ctrl + Shift + Delete
- Apple: Command + Shift + Delete
Those commands will take you to the page where you’ll be given options to clear your browsing history, clear cookies and other site data, and/or clear cached images and files. There are more advanced options, where you can click a box if you want to clear passwords and other sign-in data or uncheck that box if you’d prefer to stay signed in. The advanced option also lets you know how many sites you’ve visited and how many have saved cookies and other site data.
You should also know how to clear cookies from your iPhone:
- In Settings, scroll down to Safari.
- Select “Clear History and Website Data.”
- Your history will be cleared from all devices signed in to your iCloud account.
Once you understand what cookies are and how they affect your digital privacy, it’s time to tackle other online security issues. Download the security apps cybersecurity experts use, learn how to protect yourself from doxxing, and be careful when using public Wi-Fi to ensure your private information stays just that: private.
Sources
- Chris Pierson, PhD, former privacy attorney and current CEO of BlackCloak
- Alex Hamerstone, director of advisory solutions at TrustedSec
- David Finkelstein, cofounder and CEO of BDEX
- Pieter Arntz, threat intelligence expert at Malwarebytes
- Rob Holmes, private eye and founder and CEO of MI:33
- Mike Wills, certified anti-money-laundering specialist and professor at Embry-Riddle Aeronautical University
- Jason Glassberg, cofounder of Casaba Security
- Donata Stroink-Skillrud, Esq., certified information privacy professional, chair of the American Bar Association’s ePrivacy Committee, and president of Termageddon
- Andy Rogers, senior assessor at Schellman