Everything you need to know about internet cookies

Cookies are indispensable in the digital world—they store user data, improve user experiences, and help companies analyze website activities. However, the technologies behind cookies are undergoing significant changes. But what are internet cookies actually? This article explores the different types of cookies, their functions, and the technical foundations of how they work. Additionally, we examine the future of cookies and how businesses can prepare for privacy-centric alternatives.

What are internet cookies?

Cookies are small data files stored by websites on a user’s device. They help websites remember user settings, improve user experience, and collect information about user behavior. Modern browsers store cookies in databases rather than simple text files, making them more flexible and secure, even though they are often mistakenly considered mere text files (Mozilla Developer Network, 2023).

Origins and development

Cookies were developed in 1994 by Lou Montulli, an employee at Netscape Communications. They were designed to solve the problem of websites being unable to retain information about their users (Montulli, 1994). The first implementation of cookies allowed websites to store simple data, such as login information or shopping cart contents.

With the emergence of e-commerce in the late 1990s, the importance of cookies grew rapidly. They were used not only for functional purposes but also for personalizing user experiences and tracking user activities (Richter & Meyer, 2021).

A significant milestone was the introduction of third-party cookies in the late 1990s. These cookies were developed to enable content and tracking functions from third-party providers, such as advertising networks or social media plugins, on a website. This allowed users to be tracked across multiple websites, forming the foundation for targeted advertising (Mozilla Developer Network, 2023). While third-party cookies opened new opportunities in digital marketing, they also faced growing criticism.

Over time, additional standards and regulations were implemented to address cookie usage. These included browser technology adaptations to mitigate security risks like cross-site scripting (XSS) or cookie hijacking (Mozilla Developer Network, 2023).

In 2022 and 2023, significant progress was made in reducing the reliance on third-party cookies. Google announced the Privacy Sandbox, a technology aimed at replacing user tracking with anonymous groups. These changes aim to make advertising more privacy-friendly while maintaining benefits for advertisers (Google, 2023). New browsers like Brave also enforce strict cookie-blocking mechanisms to enhance user privacy (Brave Browser, 2023).

How are internet cookies created?

Cookies are created whenever a website or an embedded tool retrieves data. For example, fonts, images, or embedded services like Google Maps generate cookies stored on the user’s device. Modern websites often set cookies via JavaScript integrated into the page. These cookies have a specific lifespan, defined as their validity period. A cookie is always tied to the domain that created it and is only sent back to that domain.

A modern approach to cookie creation is server-side cookie setting, where the server, instead of the browser, manages the cookies entirely. This is often used for security-critical applications.

Types of cookies by criteria

Cookies can be categorized in various ways to understand their usage and function. Here are the key criteria:

By origin

• First-Party Cookies: Created directly by the website being visited. They store essential information such as login data or language settings and are considered more secure as they are only used within the originating domain.
• Second-Party Cookies: Generated through a partnership between two organizations where the first-party data of one company is shared with another. These are particularly relevant for targeted marketing strategies.
• Third-Party Cookies: Generated by external services embedded in the visited website, such as advertising networks or social media plugins. These cookies can track users across multiple websites.

By storage duration

• Session Cookies: Only retained during the active browsing session and deleted once the browser is closed.
• Persistent Cookies: Remain active even after the browser is closed and have a defined expiration date, often storing login information for automatic access.
• Temporary Cookies: Configured for a specific action or a one-time visit and deleted immediately after use.

By necessity

• Technically Necessary Cookies: Essential for basic website functions, such as shopping cart storage.
• Non-Necessary Cookies: Used for analytics or marketing purposes but are not essential for website functionality.

By storage location

• HTTP Cookies: Stored in browser settings and automatically sent to the server with each page request.
• Secure Cookies: Transmitted only over HTTPS connections to protect sensitive data.
• Same-Site Cookies: Prevent cross-site request forgery (CSRF) and are only sent with requests within the same domain.

By target audience or purpose

• Personalization Cookies: Help tailor content and ads to individual user interests.
• Performance Cookies: Collect anonymous data to enhance website loading speeds and functionality.

By technology and data format

• Standard Cookies: Stored in key-value format, such as userID=12345.
• Secure Cookies: Designed for use with encrypted connections.
• Zombie Cookies: Can be automatically recreated even after being deleted, making them controversial.
• Multi-Token Cookies: Store multiple identifiers to synchronize sessions across different services.

By usage location in infrastructure

• Server-Side Cookies: Created and managed by the server, often used for authentication or session management.
• Client-Side Cookies: Created and managed by JavaScript or other client-side technologies on the user’s device.

Technical functionality

Cookies are technically set through HTTP headers or JavaScript. When a user visits a website, the web server sends an HTTP header containing the cookie, which is then stored on the user’s device. Developers can also use JavaScript to set and manipulate cookies client-side.

Upon revisiting the website, the cookie is sent back to the server with the stored information, enabling the website to recognize the user and load data such as their preferred language or login status (Richter & Meyer, 2021).

Legal framework

The use of cookies is heavily regulated. Under the General Data Protection Regulation (GDPR) and the ePrivacy Directive, websites must obtain explicit user consent before setting non-essential cookies (European Data Protection Board, 2021). This is typically achieved through cookie banners that provide information about the type and purpose of the cookies used.

Cookie Script (2023) outlines the legal requirements in detail:

• Transparency: Users must be clearly informed about the data being collected.
• Consent: Non-essential cookies cannot be set without explicit user approval.
• Data Minimization: Only data necessary for the specific purpose may be collected.

These regulations present challenges, particularly for websites reliant on third-party cookies. Many operators must develop alternative technologies and strategies to remain compliant (Richter & Meyer, 2021).

Use cases

Cookies are versatile and benefit both operators and users. For instance, in e-commerce platforms, cookies store shopping cart contents even if the user leaves the website. Upon return, the products remain in the cart, reducing drop-off rates and increasing revenue.

Streaming services like Netflix or Spotify use cookies to save playlists and recently viewed content, enhancing personalization and user satisfaction.

Travel portals rely on cookies to store recently viewed offers, flights, or hotels. This simplifies booking and reduces user effort. Persistent cookies often save preferences like preferred departure airports or destinations.

Performance cookies, on the other hand, measure load times and improve a website’s technical performance. Using analyzed data, companies can address weaknesses and optimize user experience.

The future of cookies

The future of cookies is shaped by legal developments and technological innovations. As third-party cookies are increasingly restricted, first-party data is gaining prominence. These are considered significantly safer and allow companies to better understand their users while respecting privacy (Piwik Pro, 2023).

Additionally, alternative technologies like server-side tracking and Google’s Privacy Sandbox enable privacy-friendly tracking and could potentially replace third-party cookies in the long term.