
What are website cookies?

Shani Leead

Over the last few years, you might’ve noticed that every website asks if you want to accept cookies or not. And, if you’re like a lot of people, you asked yourself, “What are website cookies?” While these cookie pop-ups have spawned a million memes and Cookie Monster GIFs, they actually refer to a fascinating piece of technology.

  • Website cookies let consumers shop online, stay logged into sites, and enjoy personalized website content.
  • For website owners, cookies let you understand your users better and serve them personalized experiences online.
  • Cookies are also at the center of a larger debate surrounding privacy, personal data security and user tracking across the internet.

To build and manage your business’ website, it is important to learn the basics of cookies. Use this post to understand the nuances of cookie law, the power of cookie data and the personalization that’s possible with cookie customization.

What are website cookies: A comprehensive guide

  • What are website cookies?
  • How do cookies track my visitors?
  • What information can I learn from cookies?
  • Do I have to use cookies on my site?
  • Why do I need a consent pop-up or banner for cookies?
  • Best practices for using website cookies

Grab a glass of milk and let’s dig in.

What are website cookies?

Cookies, also called HTTP cookies, are text files that contain data that helps identify the user and the computer browsing a website. That piece of data might include a username, password or preferred site settings. It can also provide behavioral tracking information about that user.

Cookies are intended to make browsing the web more convenient.

Websites remember the user and can save login information and customization settings, so visitors don’t have to start from scratch every time they open a web page.

The downside is that cookies can be used maliciously to spy on users, and the cookies stored in a user’s computer can be accessed and used to get sensitive information.

The simplest way to think of cookies is as a conference badge. The first day you visit a conference, you get an ID, choose your dietary preferences, and set up your schedule for the weekend. You take it home at the end of the night. The next day you return to the conference, present your badge, and it tells the conference organizers who you are and what your preferences are, so you don’t have to set them up again every day.

Here are some common terms related to website cookies:

  • Cookie: A text file that contains information about the computer that is using a website.
  • Session: A period of time a visitor is using a website. A session can be defined as a specific period of time or the time a user spent on a website before closing their browser.
  • Cache: A browser cache is similar to cookies, but it serves a different purpose. A cache is where a browser stores long-term web content to help sites load faster. Cache data is stored on the browser, not on the server, while cookies are stored on both.
  • Browser: A web browser is a program on the visitor’s computer that is being used to access the web, such as Mozilla Firefox, Safari, Internet Explorer (RIP) or Google Chrome. The web browser is half of the system that handles cookies for a website.
  • Server: The server is where the content of your website is stored on the web. The web server communicates with the user’s browser to transfer cookies and load the website.

Types of cookies

All cookies aren't created equal. There are multiple types with different functions, lifespans, security concerns and privacy regulations.

The list of cookie types below isn’t exhaustive, but it does cover the most important categories. Keep in mind a given cookie could have multiple different attribute types. For instance, a given cookie could be a third-party and a tracking cookie. Another might be an authentication and a session cookie.

Types of cookies by lifespan

  • Session cookies: Cookies that are only saved for the duration of the user’s session (until they close their browser).
  • Persistent cookies: Cookies that stay on the user’s computer until they are erased or expire. All cookies have an expiration date, generally one year, and users can clear cookies manually when they want to.

Types of cookies by their essential impact

  • Strictly necessary cookies: Cookies that are essential to a site’s ability to function. These cookies are not optional and cannot be turned off. They might include the cookies that keep users logged in or keep track of products in their cart. Users cannot opt out of necessary cookies, and they are exempt from cookie laws.
  • Non-necessary cookies: Cookies that are non-essential to the basic functionality of a website. They might still improve the user experience, such as cookies that make a chat widget function. This includes analytical and advertising cookies. Users are often allowed to opt out of these cookies.

Types of cookies by source

  • First-party cookies: Cookies that come directly from the website the user is visiting.
  • Third-party cookies: Cookies from a third party on a website, such as an analytics system or advertiser. These are generally used to track user behavior across the web to deliver ads. Third-party cookies are usually what is being discussed in conversations about internet privacy, and they might disappear entirely in the future.

Types of cookies by function

  • Authentication cookies: These cookies verify whether a user is logged in and what their account authentication info is. Web servers use them to authenticate that a user is logged in. Without these cookies, users would have to log into every new page. It’s important that authentication cookies are secure and encrypted, so the login information on them is kept safe.
  • Tracking cookies: Usually third-party, these cookies gather long-term information about a user's browsing history. They help advertisers and website owners understand user behavior and serve them customized content. These are the cookies that are subject to the most scrutiny and regulation.


How do cookies track my visitors?

The web server creates a cookie with a unique identifier for each user when they visit your website. That cookie is then stored on the user's computer. The next time that user visits your website, the browser sends the cookie back to the web server, so the website knows what information to present to that specific user.
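The exchange described above, sketched as an added example (not code from the original article): the server issues a random identifier in a Set-Cookie header, the browser returns it in a Cookie header, and the server maps it back to its own session record. The cookie name `sid`, the in-memory `SESSIONS` store and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # assumed server-side store: identifier -> session data

def issue_session_cookie(username, max_age=None):
    """Server: create an unguessable identifier and return the Set-Cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username}   # user data stays on the server
    cookie = SimpleCookie()
    cookie["sid"] = sid
    morsel = cookie["sid"]
    morsel["path"] = "/"
    morsel["secure"] = True       # only sent over HTTPS
    morsel["httponly"] = True     # hidden from page JavaScript
    morsel["samesite"] = "Lax"    # withheld on most cross-site requests
    if max_age is not None:       # with Max-Age: persistent; without: session cookie
        morsel["max-age"] = max_age
    return morsel.OutputString()

def browser_cookie_header(set_cookie_value):
    """Browser: store the cookie, then send back only name=value next time."""
    stored = SimpleCookie()
    stored.load(set_cookie_value)
    return "; ".join(f"{name}={m.value}" for name, m in stored.items())

def lookup_user(cookie_header):
    """Server, later request: resolve the identifier to the session it created."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    sid = jar["sid"].value if "sid" in jar else None
    session = SESSIONS.get(sid)
    return session["user"] if session else None   # unknown identifiers get nothing

if __name__ == "__main__":
    header = issue_session_cookie("alice")
    print("Set-Cookie:", header)
    print("Cookie:", browser_cookie_header(header))
    print("Resolved user:", lookup_user(browser_cookie_header(header)))
```

The cookie carries only the identifier; the attributes on it decide whether the browser exposes it to scripts, sends it over plain HTTP, or keeps it after the browser closes.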

To monitor visitors with cookies, you can add a tracking code to the header or footer of your website. You can also use third-party plugins to add tracking cookies to your site. Those cookies will give you anonymized data about the overall behavior of the visitors to your website.


What information can I learn from cookies?

Cookies allow your website to customize the experience for each visitor in a personalized way based on their individual browsing history.

However, website owners can’t use them to identify and track individual visitors.

Programs like Google Analytics use cookies to help you analyze visitor behavior. The information you receive about users is aggregated and anonymized. You get big-picture data about your users from cookies without compromising their individual privacy.

Cookies will collect demographic information, such as a visitor’s geographic location and what device they are using to browse your site. They will also collect behavioral information, such as users’ browsing data, how often they return to your page, and which pages they visit.


Why should I use cookies on my site?

Cookies are a highly useful piece of internet technology both for you as a business website owner and for consumers. They help make the internet more personalized and more useful for your users. They also help you understand your users better, so you create tailored content that keeps people on your site.

Cookies personalize the website experience

Cookies store basic information that lets users log in, stay logged in and perform actions, like adding items to their shopping cart and keeping those items there. The website remembers what has been added to a user’s cart, so the consumer can take their time browsing.

Cookies can also personalize your website for a user based on their past interactions. You can recommend products to them based on what they’ve browsed and/or bought, deliver content on a blog that’s tailored to their interests, and show ads that are relevant to their needs.

Cookies adapt your site to user preferences

Cookies also track users’ site preferences — such as language, night mode/day mode and what region they are shopping from. Cookies help those selections continue through the different pages of your site that the visitor passes through and automatically remain when visitors return to your site.

Cookies create a seamless experience for your website visitors.

For example, if a user selects the French version of your site, it would be annoying for them to have to reselect French every time they open your website. Cookies identify that user when they return and automatically set your site’s language to French, creating a seamless experience for the user.

Cookies help you understand user behavior

Cookies collect information about how each user interacts with your website. That data is aggregated and used to improve website functions. These cookies are called “statistics cookies” or “performance cookies.”

These cookies can tell you how many times users visit your website, how long they spend looking at certain pages and what links they click on. Use this information to improve the user interface of your website, understand your audience and what kinds of content they are interested in, and ultimately optimize conversion rates.

Cookies reduce server costs

Cookies free up storage space on your server by storing user information on the visitor’s computer instead. They help you personalize the web browsing experience for your users without you having to spend extra money on server maintenance and storage.


Do I have to use cookies on my site?

In addition to asking, “What are website cookies?” you’re probably wondering if you need to use them on your website. The short answer: yes.

Modern websites rely on cookies for a lot of essential functions. User logins, shopping carts, content management systems, website analytics programs, third-party advertising and social media buttons all require the use of cookies to work.

The long answer: yes. You have to use the strictly necessary cookies for your site to function properly. You also probably want to use cookies for non-strictly necessary functions as well since they can improve the user experience and help you understand your users better.

Revisit the “Types of cookies” section above for more information on the distinction between necessary and non-necessary cookies.

Why do I need a consent pop-up or banner for cookies?

Consent banners and pop-ups are advised but not necessarily required (yet) by regulations in most of the world. It’s still best practice to include them both to ensure you’re meeting regulations wherever your site is being used and to keep your users’ confidence.

It is required by law in some places

Data privacy laws might require you to add a consent pop-up or banner to your website if you are using cookies. Legislation varies by country and state. Since the web is accessible in many places around the world, a lot of websites opt to include cookie consent and disclosure pop-ups to cover all their bases.

Europe currently has a number of data protection regulations, including the EU ePrivacy Directive, updated in 2009, that legislates how companies can track users across the web and how electronic communications must be kept private. Specifically, it requires disclosure of and consent to cookie use via a banner or pop-up when a visitor opens a site.

The General Data Protection Regulation (GDPR) that was enacted by the European Union in 2018 required much more stringent data privacy measures on the web. It mentions cookies briefly to say that they qualify as “personal data” under the GDPR. That means companies need to either ask for consent to save cookies or have “grounds of legitimate interest” to use them.

So if your website is accessible in the EU, you need to ask visitors’ consent to use cookies and provide them with clear, simple information about what the cookies are being used for.

You must record and keep that consent, give visitors the option to revoke consent, and let visitors use your site even if they opt out of cookies.

The California Consumer Privacy Act (CCPA) has been under enforcement since July 2020. It contains similar privacy regulations to the EU versions, including disclosure and consent requirements. It applies to for-profit businesses that have more than $25 million in revenue and/or access the personal information of at least 50,000 California residents per year. It’s likely that similar legislation will follow in other states around the country.

Transparency builds user trust

It’s best practice to be transparent with your users about what you are doing with their data and how you are tracking their activity. Pop-ups might annoy some, but users have come to expect them and are used to being able to opt in or out. Some users may feel strongly about being able to opt out, and you want to give them that option to build a lasting relationship with them.


Best practices for using website cookies

Using cookies makes you responsible for your users’ personal data and the security of that data.

For that reason, it’s important that you have clear policies on how your website handles cookies and the resulting information.

We recommend the following best practices:

Follow privacy regulations

  • Use a pop-up or banner to disclose to visitors what cookies your website is using.
  • Allow users to choose to consent or decline to consent to the use of cookies.
  • Allow visitors to use your website whether or not they consent to non-necessary cookies.

Be transparent with your users

  • Keep your opt-out policy clear and simple.
  • Provide additional details about your cookies and privacy policy for users who want this information.

Design a seamless user experience

  • Make your pop-up or banner easy to use, unobtrusive and consistent with your site experience.
  • Don’t make design an afterthought — your cookie banner or pop-up should feel like part of your brand and a seamless part of entering your site.
  • Put policies in place on how you store and retain user data.
  • Use session cookies where you can, and set reasonable expiration dates for persistent cookies.
  • Monitor your cookie use on a regular basis to make sure it's consistent with your privacy policies.

Ensure third-party cookies are secure

  • Be discerning about what types of third-party cookies you allow on your site.
  • Ensure the third-party cookies you allow on your site are consistent with your privacy policy.
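One way to carry out the monitoring and third-party review recommended in the lists above, as an added example (not from the original article): a small audit over the Set-Cookie headers seen on one page load. The hosts, cookie names, one-year ceiling and the suffix test for "third-party" are assumptions; only Max-Age is evaluated, and Expires dates are not parsed.

```python
ONE_YEAR = 365 * 24 * 3600        # assumed policy ceiling for persistent cookies
AUTH_NAMES = {"sid", "session"}   # assumed names of authentication cookies

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def audit_cookie(host, header, site_domain):
    """Return the findings for one cookie set by `host` while loading `site_domain`."""
    name, attrs = parse_set_cookie(header)
    findings = []
    # Simplification: a host outside the site's own domain counts as third-party.
    if host != site_domain and not host.endswith("." + site_domain):
        findings.append("third-party")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if name.lower() in AUTH_NAMES and "httponly" not in attrs:
        findings.append("auth cookie missing HttpOnly")
    if "samesite" not in attrs:
        findings.append("missing SameSite")
    max_age = attrs.get("max-age", "")
    if max_age.isdigit() and int(max_age) > ONE_YEAR:
        findings.append("lifetime over one year")
    return findings

# Constructed sample: (responding host, Set-Cookie value) pairs from one page load.
OBSERVED = [
    ("shop.example", "sid=a1b2; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "session=c3d4; Path=/; Max-Age=63072000"),
    ("shop.example", "lang=fr; Path=/; Secure; SameSite=Lax; Max-Age=2592000"),
    ("ads.tracker.example", "uid=e5f6; Secure; SameSite=None; Max-Age=31536000"),
]

def audit_all(observed=OBSERVED, site_domain="shop.example"):
    """Map 'host:name' to its findings, omitting cookies that have none."""
    report = {}
    for host, header in observed:
        found = audit_cookie(host, header, site_domain)
        if found:
            report[f"{host}:{parse_set_cookie(header)[0]}"] = found
    return report

if __name__ == "__main__":
    for cookie, found in audit_all().items():
        print(cookie, "->", ", ".join(found))
```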


Strengthen your business' website with cookies

Web development technologies are rapidly evolving, and we are all part of an ongoing conversation about privacy and personal information online. Regulations are being passed, and the companies that set the standards for the rest of the web, like Google and Apple, have been reconsidering how they use cookies for tracking and collecting data.

However, these regulations aren’t a reason to ignore cookies entirely, and they aren’t an indication that cookies are all harmful technology.

Cookies are an essential piece of the modern web experience.

They let you personalize your website to your visitors’ needs. They help you understand your customers and adapt to their needs. They help you build a website that is better tailored to grow your business and serve your audience.

While the topic might seem complex and ever-changing, the presence or absence of a cookie isn’t actually what makes the difference. The most important thing is for website owners to understand web security and compliance. If you are building a website that is secure, handling people’s personal information with care, and building a business that understands its users, cookies will easily fit into your web presence.