Browser Cookies: The Ultimate Guide


All internet users should understand at least the basics of what cookies are, and how they affect your browsing and privacy online.

If you run a website, it's crucial to familiarize yourself with laws and regulations regarding browser cookies, or you could face lawsuits and fines.

This guide serves as an introduction to browser cookies, along with the EU and UK cookie laws and links to more in-depth guides, tutorials, and resources.


A cookie is a small text file stored on your hard drive by web pages you visit. The file - and the information in it - is generated by the server-side application running the website. The server also has access to the cookie it gave you (but not to cookies created by other websites).

A cookie can be used to identify you to a website. It doesn't reveal personal information (because the data in the cookie came from the website's server in the first place) - just identifies you as the same browser that visited earlier.

This is helpful for session management (keeping you logged in over the course of a single user session), login persistence (the "Remember Me" or "Stay Logged In" feature you see in many apps and websites), and multi-tab browsing.

Because a cookie is a small text file, it looks like one on disk. It will usually be named something like [email protected]. If you were to open one of these files, it would just look like some random numbers:

HMP1 1 0 4058205869
384749284 403847430 3449083948 *

The strings of numbers are codes which are only meaningful to the software that generated them. Usually a cookie is little more than a unique identifying string, although sometimes cookies are used for data storage.

Either way, there is usually nothing meaningful to find when viewing a cookie file.

Why are cookies needed?

HTTP - the primary protocol used in web browsing to communicate with a web server - is inherently stateless: it has no built-in notion of a session.

That means that each page load, each request, is an independent event, unrelated to the events that come before or after it.

This is fine for viewing a few documents that someone put on their server, but anything more complicated - like logging in and getting user-specific content - requires some kind of persistence mechanism, something that will alert the server that the current request from you is related to the previous one, that they are both from the same person on the same computer.

Cookies accomplish this. The server generates one the first time you visit a site. It sends it to your browser, and your browser stores it. On subsequent page loads, the browser informs the server of the relevant cookies currently being stored. The server reads them and knows that this is the same browser as before.

Are there different sorts of cookies?

Yes. There are a few different types of cookies.

The most common are session cookies, which are temporary. They are used by nearly all commercial websites to manage a single browsing session. This allows things like shopping carts to work, even if you aren't logged in. They simply tell the server that all of your requests within a period of time came from the same computer and should be treated as a single session.

Session cookies are sometimes called transient cookies or temporary cookies. They are not stored on your hard drive, but are rather kept in active memory. They are deleted when your session ends (typically when you close the browser), or after a period of inactivity (usually 20 minutes or so).

Also common are permanent cookies, also called persistent cookies. These cookies are used to identify you over multiple independent sessions. These are the ones that handle the "Remember Me" or "Keep Me Logged In" functionality of many websites and apps.

They are also used to customize content to you, especially ads.

Besides affecting your browsing experience, persistent cookies are also used for analysis and performance data tracking. They can be used to tell how long you stay on a site, how you move through the site, and other behavioral patterns. They are also used to count the number of individual, unique visitors to a site, as well as how often returning visitors come back. Website owners use all of this information to guide their decision making regarding everything from site design to image choice to page length.
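The round trip described above (the server issues a cookie, the browser stores it and sends it back, and a cookie with no expiry dies with the browser while a "Remember Me" cookie survives) as an added, constructed Python example; it is not code from this guide. The Server and BrowserJar classes, the cookie names sid and remember, and the 30-day Max-Age are assumptions made for the illustration.

```python
import secrets

def parse_set_cookie(header):
    """Split one Set-Cookie header; no Max-Age/Expires means a session cookie."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in rest)}
    persistent = "max-age" in attrs or "expires" in attrs
    return {"name": name, "value": value, "attrs": attrs, "persistent": persistent}

def parse_cookie_header(header):
    """Turn 'a=1; b=2' (what the browser sends back) into a dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if p.strip())
    return {name: value for name, _, value in pairs}

class BrowserJar:
    """Minimal cookie store (assumed name); session cookies vanish on browser close."""
    def __init__(self):
        self.cookies = {}

    def receive(self, set_cookie_headers):
        for h in set_cookie_headers:
            c = parse_set_cookie(h)
            self.cookies[c["name"]] = c

    def cookie_header(self):
        return "; ".join(f"{c['name']}={c['value']}" for c in self.cookies.values())

    def close_browser(self):
        self.cookies = {n: c for n, c in self.cookies.items() if c["persistent"]}

class Server:
    """Recognises a returning browser only by the random ID it issued earlier."""
    def __init__(self):
        self.sessions = {}  # session id -> number of requests seen

    def handle(self, cookie_header, remember=False):
        """Return (visit count, Set-Cookie headers for the response)."""
        sent = parse_cookie_header(cookie_header)
        sid = sent.get("sid") or sent.get("remember")  # live session, else "Remember Me"
        if sid not in self.sessions:  # unknown or missing ID: start a fresh session
            sid = secrets.token_hex(16)
            self.sessions[sid] = 0
        self.sessions[sid] += 1
        # Session cookie: no Max-Age, so the browser keeps it in memory and drops it on close.
        headers = [f"sid={sid}; Path=/; HttpOnly; Secure"]
        if remember:  # persistent cookie: Max-Age (30 days, assumed) survives a restart
            headers.append(f"remember={sid}; Max-Age=2592000; Path=/; HttpOnly; Secure")
        return self.sessions[sid], headers
```

HttpOnly and Secure keep the identifier away from page scripts and off plain HTTP, which is why a server-issued session ID should carry both.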

Finally, there are Flash cookies. Flash cookies are generated and stored differently than "regular" (or "HTTP") cookies - they are created and stored in the Adobe Flash browser app.

The problem with Flash cookies is that they are not deleted when you clear your browser cookies. Some websites exploit this fact and use Flash cookies as a sort of "backup" for regular cookies (even sites that don't use Flash for any obvious interactive purposes).

Flash cookies have to be dealt with from within the Flash player settings panel.

Can I get a virus from cookies?

No. Cookies are a text-based data format that cannot contain executable code, so a cookie cannot carry a virus or run anything on your computer. On their own, they are not a security risk to your machine.

Can cookies be used to violate my privacy?

That depends on how you define "privacy," and what you consider a violation.

Cookies cannot be used to obtain personal information from your computer. The only data in a cookie is the data put into it by a website's server. The only site that has access to it is the site that put it there.

However, cookies are used as part of many large browser tracking schemes which create extremely detailed user profiles. Many websites use third-party ad networks - networks which span multiple sites. This allows central data aggregators to track user activity across many different domains. Cookies are not the only thing used to handle this tracking, but they do play a central role.

Some people consider this constant activity tracking to be a form of privacy invasion. Other people don't mind it at all. Mostly, the data generated this way is used only to serve relevant ads which you are likely to click on.

Who invented cookies?

Cookies were invented by Netscape in 1995 as a way to solve the persistence problem in HTTP sessions.

Why are they called cookies?

Because the developers were American. If they had been British, they would have been called "biscuits."

The European Union (EU) has laws specifically regulating the use of cookies on websites and web applications. These rules apply to any website originating in an EU member country, and may also apply to websites which specifically target users in the EU.

What does the law actually say?

The EU itself does not make the law. Rather, the EU creates a directive which the member nations must implement in their own laws.

While each EU member state has its own specific version of the cookie regulation, they are all remarkably similar in their effects.

The UK law was one of the first implementations of the EU privacy directive. It is found in the Privacy and Electronic Communications Regulations 2011. The relevant section is quoted here:

6. - (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

What does that actually mean?

What the law is saying is this:

A website (or app) cannot store information on a visitor's computer (or device), or retrieve information off of it, without the visitor's explicit consent.

This covers HTTP cookies ("regular cookies"), Flash cookies, HTML5 storage, DOM "data-" attributes, and pretty much anything else that replicates cookie-like functionality or aids session persistence and browser identity. (From here on out, we'll call all these things collectively "cookies" - even though this law covers a variety of related technologies.)

Not all cookies are affected - just most

Cookies which are required in order to fulfill the requests of the website visitor do not require explicit user consent. But any others - including those used for general use statistics - do require it.

The law states that user consent must be obtained before placing a cookie on their computer.

Consent is further defined by UK law as "any freely given specific and informed indication of [the user's] wishes".

The exact nature of this consent, and how it should be obtained, is the subject of much debate among both technologists and legal experts. There is no clear guidance to be found in the regulation, no explicit set of practices to be implemented on all websites.

Common Practice

The most common solution to the problem of consent is to place an informational box, banner, or popup on the web page, providing information about the site's use of cookies. This can either give the user the chance to opt-in, or it can inform the user that continuing to use the site constitutes consent. Some sites provide a cookie-free browsing option, but that is not as common.

Here are some example Cookie announcements.

Friendly default opt-in:

This website uses cookies to allow us to see how the site is used. The cookies do not identify you.

If you continue to use this site, we assume that you are okay with this.

If you want to use the sites without cookies, you may [click here].

Formal default opt-in:

This website uses cookies in order to understand user behavior. By continuing to use this website, you are consenting to the placement and retrieval of cookies on your computer by this website.

Penalty for non-compliance

The maximum fine, in the UK, for not complying with user consent regulations regarding cookies is £500,000 (between $750,000 and $800,000 USD).

Websites not originating in the EU

Websites not originating in the EU (for example, the US) probably do not need to comply with the cookie consent regulation. The possible exception is when serving content to users in the EU.

While it is by no means clear that it is a legal requirement, it is probably prudent for non-EU websites to use consent-gathering disclaimers on their websites when serving content to users in the EU.

Also see our in-depth guide to EU Cookie law, and our cookie consent tool for website owners.

If your site is based in the UK, you are legally required to comply with the UK's cookie law.

If your site is based anywhere else in the EU, you should comply with the general principles of the EU directives, which are well-represented in the UK law. (Not all EU countries have implemented the directives, but they all will eventually, as it is required.)

If you are not in the EU, but your site receives a lot of traffic from EU member nations, or specifically targets EU consumers, it is probably a good idea to comply. (If you are concerned that displaying cookie-related privacy warnings will be detrimental to your site's business, and want to minimize that impact, you could selectively show your cookie policy only to visitors located in the EU.)

How to comply

Compliance requires:

  • gaining consent before placing any cookies on the user's computer
  • informing users about what data you collect, why, and what you will do with it, and how they can delete and control cookies placed by you on their computer

Consent for placing cookies on a user's computer must be done before any cookies are placed. This means that it must be accomplished, somehow, on the first page of your site a user sees, regardless of which page that is.

The good news is that it only needs to be done one time. You do not have to repeat the notice and consent dialogue on every page.

There are two different design approaches to cookie consent:

  • an on-page design, usually at the top of the page, in some type of call-out box
  • a pop-over dialog box (called a "modal")

There are downsides to each.

A modal dialog box is separate from your page, so it is easier to "work in" as a design element. On the other hand, it might be more disruptive to the browsing experience.

An on-page banner or panel may disrupt the browsing experience less, but might interrupt your design and make your site unattractive.

You'll have to decide for your own site which option is preferable.

Either way, you need to clearly and succinctly state that your site uses cookies and what the purpose of those cookies is. You'll also need to gain consent for using cookies.

While the specific directives provided by the EU and UK seem to set up an "opt-in," the most common approach to compliance is a sort of "soft opt-in" - that is, clearly informing users that by using your site, they are opted in.

Typically, the language used for this type of opt-in looks like this:

This site uses cookies to collect data on usage. By continuing to use this site, you consent to this policy.

It is common practice to display a message using these or similar words until the user clicks an OK button or otherwise acknowledges the message.

Informing users of data use

Besides gaining consent to use cookies on a site, the rules also require that you inform users of what data you collect on them, how you use it, and how they can delete or control cookies you have placed on their computer.

The natural place to do this is in a privacy policy or Terms of Service document. This should - at a minimum - be linked to from the consent dialogue text. It is recommended that you link to it from every page of your site. It is easy to include a link in your footer or from your navigation menu.

The wording you use here should reflect your actual use of cookies (which you should understand). It might look something like this:

This site uses cookies to help us understand user behavior. This means that we put a small piece of text (the "cookie") in storage on your web browser. This cookie lets us know that all the different things you do on our site are done by the same person. We do not collect or harvest any personally identifiable information. The only information we have about your identity is the information you explicitly provide to us through submission forms on our website. We do not sell any personally identifiable information to any third parties. We do analyse user behavior in order to better serve you and other visitors. Tracking your activity through our site (what you click on, how long you stay) helps us make better decisions about content and design.

You also need to inform users how to delete cookies. Since every browser does this a little differently, the easiest way to handle this is to provide a link to a page that has instructions for deleting cookies. Feel free to copy and paste our code below to comply: