In the past few years, the web appears to have been overrun by cookies.
These little packets of data started out as a method to help websites keep you signed in or remember the contents of your shopping cart. Nowadays, privacy advocates argue that cookies are used to spy on your online activity and predict your behavior.
In this article, we answer your questions about cookies. For example: Do the privacy implications of cookies really matter? Is there anything you can do to avoid being tracked? And does every website really need to pester you about agreeing to cookies?
What are Cookies?
A cookie (also known as an "HTTP cookie," "browser cookie," or "web cookie") is a data file that is stored on your computer or device when you visit a website.
Cookies do several different jobs. One of the most basic jobs cookies do is to remember your activities on a website. For example:
- The contents of your shopping cart
- The text you have entered in a form
- Whether you're signed in to your account
Cookies can also be used for analytics. This is a way for a website operator to monitor how users interact with their site.
Cookies do some more complicated jobs, too, such as tracking you as you move around the internet. They can gather information about your habits and preferences, and this information can be used to deliver tailored advertising.
Why Do Websites Warn About Cookies?
Websites warn users about cookies because it's the law to do so.
And in some countries, there are also rules requiring website operators to ask permission before setting cookies on a users' device.
Due to these rules, many websites display a "cookie banner" or "cookie notice" when a user visits their site. Here's an example from The Palms Boutique Resort:
But why are cookies regulated by law in this way? The reason cookies are legally-regulated is because they can reveal information about you.
What Can Cookies Reveal About You?
Cookies can reveal a lot about you, including your web browsing history, the information you've entered into forms, your web search history, and even your location.
Cookies are not designed to "identify" you, as in your name or your "real-world" identity. They associate information with a unique ID: a random string of characters assigned to your web browser.
However, because of the volume of data you transfer over the internet, cookies can reveal some highly sensitive information. And the data sets stored by cookies could also quite easily reveal your "real-world" identity.
Are Cookies Personal Information?
Whether or not cookies count as "personal information" depends on what job a cookie is doing, and which legal jurisdiction the user is based in.
One of the first regions to recognize cookies as personal information was the European Union (EU). The EU's tough privacy laws are what has led to the abundance of "cookie banners" across the internet over the past few years.
The EU's definition of personal information (or "personal data") is found in an important law known as the General Data Protection Regulation (GDPR):
This definition includes any information relating to a person, either directly or indirectly.
So, a cookie that reveals your activity on a website might not be sufficient to identify you on its own. But it still reveals something about you, and could indirectly contribute to your identification.
It's not just the EU that considers cookies to be a type of personal information. There are other laws with similar definitions of personal information being enacted all over the world, including in the United States (specifically, California), Canada, and India.
Do Websites Need to Ask Permission For Cookies?
In the EU, website operators must ask for your consent (permission) before they set certain types of cookies. This is due to a law known as the ePrivacy Directive.
According to the ePrivacy Directive, websites have to ask consent before they set most types of cookies. There are two exceptions. Under the ePrivacy Directive, websites do not have to ask for users' consent before setting cookies that are either:
- Used for "carrying out the transmission of a communication"
- "Strictly necessary" for providing an online service that you have requested
So, under EU law, websites might not have to ask you for consent to set cookies that do the following jobs:
- Storing your items in a shopping cart as you move around the site
- Verifying your identity on secure websites (such as internet banking)
- Ensuring the website runs smoothly via "load balancing"
So what cookies do require consent in the EU? Well, any cookie that is not used for carrying out the transmission of a communication, or that is not strictly necessary for providing an online service.
This includes cookies used for:
- Analytics: Website operators use analytics to see how you navigate their website and to check how well it's working, fix bugs, and test their design. They can also use analytics to count how many people are visiting their website, and where they are visiting from.
Take a look at this cookie banner from the Information Commissioner's Office (ICO):
The ICO website sets two types of cookies. It doesn't give you an option about setting the first type of cookies because these are necessary. When it comes to analytics cookies, the website asks for your consent. This demonstrates the rule about cookies in the ePrivacy Directive.
Is it Safe to Agree to Cookies?
Technically, cookies can represent a security threat. For example, if you transmit sensitive personal information over an unsecured Wi-Fi network, the information could be collected by a session cookie. This information could, in theory, be targeted by hackers.
However, these situations are very rare. Most of the time, it's perfectly safe to agree to cookies.
Are Cookies Bad?
Cookies aren't really a security threat, so why would anyone care about cookies? Why do we even get the option to refuse them?
The reason some people object to cookies is to do with privacy rather than security. Tracking cookies allow businesses, such as Google and Facebook, to build up a "profile" about you by observing your online activities.
Given the vast amount of personal information you submit online every day, this act of profiling can give a reasonably accurate picture of who you are, where you live, and what things you might be likely to buy.
Why are Cookies a Privacy Risk?
Cookies that are used to store the information you enter into websites could certainly represent a privacy risk. However, this data is almost always encrypted. This means the only people capable of reading the information stored by these cookies are you and the intended recipient.
A greater privacy risk comes from third-party cookies. These cookies are set by companies that don't even own the website you're visiting. There could be several of these on any given website, all loading themselves onto your device so they can track you around the web.
So, for example, if you visit a website about baking that contains an advertisement from Google Ads, Google's tracking cookies will note that you're interested in baking. Some days later, you might see an ad for rolling pins when you visit a completely unrelated website.
Many people don't have a problem with this. But privacy advocates point out that the big tech companies are amassing huge quantities of data about us, often without our permission.
Can I Opt Out of Cookies?
If you live in the European Union or the United Kingdom, you shouldn't actually need to opt out of cookies because websites should be asking you whether you consent to them (opt in). However, in reality, many websites break the rules.
If you live in the United States, Australia, or many other countries outside of the European Union, there's actually no legal obligation on most companies to let you opt out of cookies.
In the US, where privacy law is very weak, there are a few laws relating to cookies. Several of these apply only to California residents.
The California Consumer Privacy Act (CCPA) requires certain big businesses and "data brokers" (companies whose main trade is in personal information) to allow California consumers to opt out of the "sale" of their personal information. This can apply to the use of certain cookies.
Even if websites don't have to let you opt out of cookies, there are several ways to avoid them. For example, you can use a privacy-focused browser like Mozilla Firefox or Brave Browser, or you can opt delete cookies using the method we describe below.
How to Delete Cookies
If you want to delete cookies from your browser, it's quite easy. Here are the steps for how to delete cookies from four popular browsers.
How to Delete Cookies from Google Chrome for Windows
- Click the three dots to open the main menu and click on Settings:
- On the left side menu, click Privacy and security. Then, click on the arrow next to the Clear browsing data; Clear history, cookies, cache, and more section:
Select whether you want to do a Basic or Advanced delete.
A Basic delete lets you quickly clear all browsing history, cookies and cached images and files:
An Advanced delete lets you delete more information including passwords, autofill form data and download history:
- Click on Clear data and you're done.
Note: You can use Incognito Mode (Ctrl + Shift + N) to automatically delete cookies and other session data when you close your browser window.
How to Delete Cookies in Firefox (Mozilla) for Windows
- From the main toolbar menu, click Options:
- In the left sidebar menu, click on Privacy & Security:
- Under Cookies and Site Data, click on Clear Data:
Visit the Mozilla support page if you need more guidance.
How to Delete Cookies on Opera for Windows
- In the Settings menu, click Advanced, then click Privacy & Security:
- Under Privacy and security, click the arrow next to Clear browsing data:
Select a time range and the types of data you wish to clear, and click Clear data. You can choose Basic or Advanced.
A Basic delete lets you quickly clear all browsing history, cookies and cached images and files:
An Advanced delete lets you clear more information:
Visit the Opera help page if you need more guidance.
How to Delete Cookies on Edge for Windows
- Open the menu and click Settings:
- Select Privacy and services:
- In the Clear browsing data section, click on the Choose what to clear button:
- Choose what you'd like to clear and click Clear now to finish: