Pagoda Blog

Are Cookies a Privacy Threat? What are Web Cookies and How to Manage Them

May 5, 2022

When you first visit a website, it’s now commonplace for a popup to appear asking you to accept cookies. The language often goes something like this: 


“This website uses cookies to enhance user experience, provide basic website functionality, and analyze our traffic. To find out more, see our Privacy Policy.” 


After the notification there is either an “Ok” button to acknowledge that you understand and agree with this policy, or options to accept or deny cookies. There should always be a link to the website’s privacy or cookie policy, or a “learn more” link. These links direct you to another page where you can manage your cookie settings, granting or denying access to the different types of cookies used on that site.


So, what exactly is a web cookie and when (if ever) should you accept all cookies versus deny all or manage them? And do you need to include a cookie notification on your own site? Let’s start with defining a web cookie and the different types. Then we’ll break down how to respond to cookie policy notifications. 


What is a web cookie?   

 According to Kinsta, “a cookie (also referred to as a web cookie, tracking cookie, HTTP cookie, browser cookie) is a small piece of data stored by a user’s browser (Chrome, Firefox, etc.) when they visit a website. It contains information regarding browsing activity and is typically used to personalize the user’s experience or for authentication and verification purposes.”


Web cookies are often essential for a fully functional online experience. For ecommerce sites, cookies allow the website to save the items in your shopping cart as you continue shopping. Cookies are what allow your browser to autofill form fields, such as your name, address, and username, making it easy for you to log back into your favorite sites and make a purchase. 


A brief history of web cookies

The general uses of web cookies that we are familiar with today were first used in 1994 by web-browser programmer Lou Montulli. Montulli’s word choice came from the term magic cookie, which is a packet of data a program receives and sends back without changing it. Going even further back, the term magic cookie comes from the popular treat, fortune cookies. Why? Because, much like a packet of data, fortune cookies contain an embedded message inside.


While magic cookies have always been used by web programmers to allow websites to perform basic functions, Montulli developed web cookies so that Netscape could remember if users had previously visited the website and to remember their preferences, including what users added to their shopping cart. In 1996, privacy concerns arose around web cookies because they were stored on users’ computers without their consent. In 1998, the U.S. Department of Energy Computer Incident Advisory Capability released a statement that explained the role cookies played in website functionality and assured the public that cookies were not a privacy threat.


Today, however, web cookies are again a privacy concern — so much so that the European Union passed the GDPR (General Data Protection Regulation) to protect individual users from them. Let’s look a bit closer at how web cookies work to better understand this threat and why cookies exist in the first place. 


How do web cookies work? 

When you visit a website and take an action, such as logging into an account, clicking a link, or simply scrolling through the page’s content, the website sends little packets of data, or web cookies, to your device. Your device then stores them in a file within your web browser. There are different types of cookies, the three primary types being session cookies, tracking cookies, and authentication cookies.


Session cookies 

A session cookie only tracks and saves your activity while you're navigating a website. Session cookies are what ecommerce sites use to save items in your shopping cart as you visit different pages on the website. Without session cookies, every time you clicked a new item to view, your shopping cart would empty. Once you close your browser, session cookies are deleted. 


Persistent cookies 

Persistent cookies save your data for a set period of time. For example, persistent cookies allow an ecommerce site to save the items in your shopping cart for a certain amount of time, even after you close your browser. Advertisers also use a type of persistent cookie referred to as a tracking cookie to save information about your online behavior. This data helps them provide you with a personalized advertising experience with promotional content that reflects your interests, demographic, and online habits. Authentication cookies are another type of persistent cookie, which allows you to remain logged into a website for an extended period of time. By law, persistent cookies must be deleted after 12 months.


First and third-party cookies

There are two other types of cookies that are important to understand: first-party and third-party cookies. First-party cookies are those generated by the website itself. They are generally used to improve your user experience, from language settings to remembering your login credentials. They may also be used by the website to collect analytics data to better understand how people are using the site.


Third-party cookies come from an entity outside of the website you’re visiting and are most often used to track your online activity for advertising purposes. They include tracking cookies, typically aren’t necessary for an optimal user experience, and should generally be denied due to privacy concerns. Not all third-party cookies are tracking cookies, however, and in certain situations they may serve an important purpose for the overall functioning of a website.
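
The categories described above can be read from the Set-Cookie response header a site sends to your browser. The following is an added example, not code from the original article: it classifies cookies as session or persistent, as first-party or third-party, and flags lifetimes longer than 12 months. The host names and header values are constructed, and the first-party check is a simplification (real browsers compare registrable domains using the Public Suffix List).

```javascript
// Added example; header values and host names are constructed sample data.
const YEAR_SECONDS = 365 * 24 * 60 * 60;

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds, or null for a session cookie (no Max-Age and no Expires).
function lifetimeSeconds(cookie, now) {
  if ('max-age' in cookie.attrs) return Number(cookie.attrs['max-age']);
  if ('expires' in cookie.attrs) return Math.round((Date.parse(cookie.attrs.expires) - now) / 1000);
  return null;
}

// Simplified party check (assumption): the host that set the cookie is
// first-party when it equals the page host or is a subdomain of it.
function isFirstParty(setterHost, pageHost) {
  return setterHost === pageHost || setterHost.endsWith('.' + pageHost);
}

function classify(header, setterHost, pageHost, now = Date.now()) {
  const cookie = parseSetCookie(header);
  const life = lifetimeSeconds(cookie, now);
  return {
    name: cookie.name,
    kind: life === null ? 'session' : 'persistent',
    party: isFirstParty(setterHost, pageHost) ? 'first-party' : 'third-party',
    overTwelveMonths: life !== null && life > YEAR_SECONDS,
  };
}

// Constructed responses observed while loading a page on shop.example.
const samples = [
  ['cart=abc123; Path=/', 'shop.example'],
  ['login=tok; Max-Age=2592000; Path=/', 'shop.example'],
  ['uid=u-42; Max-Age=63072000; Path=/', 'ads.tracker.example'],
];
const report = samples.map(([h, host]) => classify(h, host, 'shop.example'));
console.log(report);
```

In the sample data, the cart cookie is a first-party session cookie, the login cookie is a first-party persistent cookie lasting 30 days, and the uid cookie is a third-party persistent cookie whose two-year lifetime exceeds the 12-month limit.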


Should I accept cookies when I visit a website? 

With the establishment of the GDPR, websites now have to ask your permission before they can use cookies. You have the option of accepting all cookies, denying permission for the website to use cookies entirely, or managing your cookies (granting the website permission to use some but not all cookies while you use their site). You can always choose to deny permission entirely, but some websites may not let you use their website at all in this case. Many websites require the use of at least some cookies for you to fully engage with their content. 


3 times you should NOT accept cookies: 

There are times when you should absolutely not accept web cookies. Make sure you’re aware of these scenarios to protect your privacy. 


  1. When the website is not HTTPS

If a website is not encrypted with HTTPS, you should not accept cookies and you should not enter any personal information. When you enter data into an unencrypted site, it can easily be intercepted by a third party. Learn more about the importance of encryption here.


  2. When the cookies are flagged

Your antivirus software may flag some cookies as malicious — never accept these cookies. If you do accept them, you should go into your browser as soon as possible and delete them. Malicious cookies include zombie cookies (cookies that recreate themselves after you delete them) and supercookies (cookies without a specific domain origin that can manipulate requests sent to a website, allowing the supercookie to change login information or use a fake login to gain access to an account).


  3. When entering PHI (personal health information)

If you’re entering PHI on a website, accepting cookies could put that sensitive data at risk of being intercepted by a third party and exposed.


How to manage cookies in your browser

Cookies are stored in your web browser, so you can manage what cookies you allow websites to use by adjusting the settings within your preferred browser. Cookie storage is often found under your browser’s Privacy settings. (It’s slightly different for each browser but this is a good place to start.) 




In your browser’s cookie storage, you may be able to delete all existing cookies and control what future cookies you allow to be collected and stored. Depending on your browser, you should be able to allow first-party cookies, keeping a website’s functionality intact, while blocking third-party cookies, protecting your privacy.   


Does your website need a cookie consent notification? 

If you conduct business in the EU or if a citizen based in the EU may use your website, then you must comply with the laws set forth in the GDPR, which includes getting users’ consent before using cookies. Learn more about adding a cookie consent notification to your website here.

