It's almost impossible to use the internet for long without coming across a website asking if you accept cookies. That's because of a range of laws designed to protect your data privacy.

In this guide we'll explain what cookies are, how they work, and how you can make informed decisions about them.

Let's jump in.


What are Cookies?

A cookie is a small text file that is created by a website and stored on your computer through your browser. The idea is that the website can access the cookie at a later time and retrieve information about you. The website then customizes pages based on this information.

Many uses of cookies are uncontroversial and help users. Examples include:

  • Storing your username (but not your password) to save you having to remember it or type it in when you return to a site
  • Keeping items in a virtual "shopping basket" for an online retailer website
  • A site such as a weather forecast service or movie theater listings 'remembering' your location and automatically displaying relevant details when you next visit

Some uses of cookies, such as tracking your online activity to deliver targeted advertising, can be more controversial.

Cookies fall into two main categories: session cookies only last until you leave the website in question, while persistent cookies will last until a set expiration date.

This is an example of the information covered by one cookie placed by the CNN website. It identifies the user's location, which could affect the order in which news stories appear on the page:

[Screenshot: Cookies in Use - Block or Remove screen: Cookie content]

This cookie is set to work on all pages on the CNN site, but will be deleted at the end of the browsing session (that is, when the user closes the browser):

[Screenshot: Cookies in Use - Block or Remove screen: Cookie expires highlighted]

There are a number of different types of cookies, and they each can serve a different purpose. Some stick around for a long time (years) while others, as seen above, are only there when you're on the related website.

What are Third-Party Cookies?

A third-party cookie is one that is placed on a browser by somebody other than the operator of the site you are visiting. Specifically it is placed by a different domain (website). That's in contrast to a first-party cookie, which is created and placed by the domain you are visiting.

The main technical difference is that a first-party cookie is only accessible to the domain that issued it. A third-party cookie can be accessible on multiple sites that include code from the third party.
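
As an added illustration (not part of the original guide), the JavaScript below sorts cookies by the two distinctions described above: session versus persistent, and first-party versus third-party. The hostnames and cookie values are constructed, and the domain match is simplified; real browsers also consult the Public Suffix List.

```javascript
// Added example. Hostnames and cookie values are constructed for illustration.
const PAGE_HOST = "www.news.example"; // the site shown in the address bar
const RESPONSES = [                    // responses received while loading that page
  { host: "www.news.example", setCookie: "geo=US; Path=/" },
  { host: "www.news.example",
    setCookie: "prefs=dark; Domain=news.example; Max-Age=31536000; Path=/" },
  { host: "ads.adnetwork.example",
    setCookie: "uid=abc123; Domain=adnetwork.example; " +
               "Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/; Secure; SameSite=None" },
];

// Split one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? "" : attr.slice(i + 1);
  }
  return cookie;
}

// Classify a cookie relative to the page the user is actually visiting.
function classify(pageHost, response) {
  const { name, attrs } = parseSetCookie(response.setCookie);
  // No Expires and no Max-Age: the browser discards it when the session ends.
  const lifetime = "expires" in attrs || "max-age" in attrs ? "persistent" : "session";
  // Without a Domain attribute the cookie is scoped to the host that set it.
  const domain = (attrs.domain || response.host).replace(/^\./, "").toLowerCase();
  // Simplified match: browsers also use the Public Suffix List to reject
  // overly broad Domain values; that check is omitted here.
  const host = pageHost.toLowerCase();
  const party = host === domain || host.endsWith("." + domain)
    ? "first-party" : "third-party";
  return { name, domain, lifetime, party };
}

function classifyAll() {
  return RESPONSES.map((r) => classify(PAGE_HOST, r));
}

console.table(classifyAll());
```

The `geo` cookie mirrors the session-only location cookie described earlier, while `uid` is the kind of long-lived advertising-network cookie the next paragraphs discuss.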

A common example of a third-party cookie would be where a website hosts advertising provided through an advertising network. Once the third-party cookie is on your browser, it could be accessed whenever you visit any website that shows ads from the advertising network.

This could help the network tell advertisers how many times an average user has seen the same ad. Alternatively, the cookie could be used to make sure you don't see the same ad repeatedly, or to make sure you see a series of ads from the same campaign in a particular order.

Some uses of third-party cookies are more controversial, particularly ones known as tracking cookies. For example, a cookie might be used to keep a record of the type of websites you visit and then deliver more targeted advertising.

Sometimes this can be very noticeable, for example if you visit a page about a product on a retailer's website and then start seeing ads for that product on other websites you visit.

By 2022, most major browsers will block third-party cookies by default. Depending on the browser, users may be able to change browser settings to accept them by default or deal with each third-party cookie individually.

Why Do Websites Warn About Cookies?

Several national and international data laws and regulations govern the way sites can use cookies. A common theme is that cookies are acceptable but only if users can make an informed decision about whether to allow them.

The European Union ePrivacy Directive

This is also known informally (if inaccurately) as the EU cookie law. It's a European Union directive, which means a set of principles that individual countries build into their own domestic law.

The key principle is that a website in an EU country can't put a cookie on your device without getting prior consent. The only exception is for a cookie that's needed for the website's basic functionality.

You will often see the ePrivacy Directive in action when a website displays a message on the page or in a pop-up window telling you that it uses cookies. It may contain links to details of how to block cookies or warn that if you don't consent to cookies you should stop using the site.

At some point this directive is likely to be replaced by a specific European Union regulation that updates the rules to take account of technological changes, but this hasn't happened yet.

The General Data Protection Regulation (GDPR)

The GDPR covers a wide range of data protection issues. Its scope covers cookies whenever they contain information about an identifiable individual. Unlike the ePrivacy Directive, the GDPR is an EU regulation, meaning it has direct legal effect in all member states.

The GDPR applies if either the website visitor, the website or the processing of personal data is in a European Union country.

Compared with the ePrivacy Directive, the GDPR requires explicit consent to collect personal data, including through cookies. While some sites have been slow to do this, legally they must be designed so that the user must actively consent, for example by clicking a button or closing a pop-up message.

The website for Gordon's confirms consent through the same process as getting an age declaration from the user. Although its wording says "by continuing to browse, you consent to such use," the user must click the Enter button to proceed, thus actively confirming consent:

[Screenshot: Gordons Gin cookie consent notice]

A court ruling in Germany set a precedent to strengthen this principle. Websites are no longer allowed to use pre-ticked checkboxes or toggles set to "on" by default when getting consent. That's because the responsibility is on the site to be absolutely clear users have intentionally given consent.

B&Q demonstrates this on its Cookie Preferences page with individual toggles for different types of cookies, both set to disabled by default:

[Screenshot: B and Q Cookie Preferences: Performance, analytics, marketing and advertising cookies settings]

United Kingdom

Although the United Kingdom is no longer a member of the European Union, the measures set out in both the ePrivacy Directive and the GDPR will remain in force in the UK until at least the end of 2020. After that the measures will remain in force through domestic law unless and until the law is changed.

Children's Online Privacy Protection Act (COPPA)

COPPA is a U.S. federal law governing websites that either are aimed at users under 13, or where the operators know for certain that people under 13 are using the site.

COPPA says that such websites cannot use "persistent identifiers" (such as persistent cookies) for users under 13 without getting and verifying the consent of a parent or guardian.

California Online Privacy Protection Act (CalOPPA)

CalOPPA is a state law that applies to any business (regardless of location) with a website serving Californian residents. CalOPPA doesn't actually force sites to get consent to issue cookies. Instead the law requires sites to display a clear Privacy Policy detailing how they collect and use personal data. This includes the use of cookies.

Canada

Two laws in Canada cover cookies among other personal data: Canada's Anti-Spam Legislation and the Personal Information Protection and Electronic Documents Act (PIPEDA).

In both cases cookies are something of a gray area. As a very simplified principle, sites can usually infer that a visitor consents to cookies unless they've actively signified otherwise. This could be by clicking an opt-out button (where available) or blocking cookies on their computer.

Are Cookies Personal Data?

By most definitions, a cookie isn't personal data in itself. However, it can be classed as personal data depending on the specific law or regulation in question.

One way a cookie can be personal data is if it literally contains personal information. For example, a cookie created by a greeting card website might include a user's date of birth and name.

Another scenario is that a cookie can become part of personal data. That might happen if a website operator combines a cookie with other sources of personal information about an identifiable individual.

Is it Safe to Agree to Cookies?

Agreeing to cookies isn't really a matter of safety. The cookie itself can't do anything to your computer, access any files, or intercept any data you send to or receive from a website.

It's more an issue of privacy. You may be put off by the idea of people tracking your activity or delivering very targeted advertising. (On the other hand, you may prefer to see ads that are relevant to your interests.)

Remember that normally a cookie shouldn't identify you as an individual. A tracking cookie can help build up a picture of the activity from your browser and affect the ads you see. However, it shouldn't allow anyone to know that "John Doe of 123 Main Street, Anytown likes looking at videos of goats playing hockey."

Can I Opt Out of Cookies?

Depending on what laws cover a website, you will often be given a choice to opt out of cookies. In some cases this could simply be a "take it or leave it" option where you are told not to use a site if you don't agree to cookies. In other cases, you'll get a choice of categories of cookies.

The most basic category is the functionally necessary cookies such as the shopping basket of an online store. Most data processing laws that address cookies say websites can insist on you accepting these, simply because the site won't work otherwise.

Other cookies may simply be lumped into one category of optional cookies, or perhaps into further categories such as "session cookies" and "persistent cookies," "analytics cookies," "marketing cookies" or "tracking cookies."

Again, your choices will depend on the prevailing legislation. For example, under the GDPR a website owner can't make accepting cookies (other than functionally necessary ones) a condition of accessing the site.

This example from the Information Commissioner's Office lets users decide whether or not to use analytics cookies, while explaining that necessary cookies are placed by default:

[Screenshot: ICO Use of Cookies toggle screen]

Consider Private Browsing

One simple way to avoid cookies on a website is to use your browser's private browsing mode. This mode has different names in different browsers, including:

  • Incognito Mode in Chrome
  • InPrivate browsing in Edge and Internet Explorer
  • Private Browsing in Firefox and Opera

When you use this mode, your browser won't accept any cookies (or will delete them as soon as you close the window). It also won't save any other website data to your browser or add to your locally stored browsing history. (Your internet provider will still have a record of the sites you visited.)

The problem is that blocking cookies in this way can significantly reduce the functionality and convenience of many websites.

How to Delete Cookies

We'll show you how to delete cookies from four of the most popular browsers: Google Chrome, Microsoft Edge, Mozilla Firefox and Opera.

Deleting Cookies from Google Chrome for Windows

  1. Open the main menu and select Settings:
     [Screenshot: Google Chrome menu with Settings highlighted]

  2. Click on Privacy and security in the left sidebar menu:
     [Screenshot: Google Chrome Settings menu with Privacy and security highlighted]

  3. Click to open the Clear browsing data menu:
     [Screenshot: Google Chrome Privacy and security menu with Clear browsing data highlighted]

  4. Choose to do a Basic or Advanced data removal. Make sure the Cookies box is checked, then click Clear data:
     [Screenshot: Google Chrome Clear browsing data window with Clear data button highlighted]

Deleting Cookies from Edge Browser for Windows

  1. From the main menu, select the Settings option:
     [Screenshot: Edge browser menu with Settings highlighted]

  2. From the Settings menu, select the Privacy and services option:
     [Screenshot: Edge browser Settings menu with Privacy and services highlighted]

  3. Click the Choose what to clear button:
     [Screenshot: Edge browser Clear browsing data: Choose what to clear button highlighted]

  4. Check the box next to Cookies and the other data that you want to clear. Click Clear now:
     [Screenshot: Edge browser Clear browsing data window with Clear now button highlighted]

Deleting Cookies from Firefox for Windows

  1. Open the main browser menu and click Options:
     [Screenshot: Firefox menu with Options highlighted]

  2. Go to the left sidebar menu and select Privacy & Security:
     [Screenshot: Firefox Options menu with Privacy and Security highlighted]

  3. In the Cookies and Site Data section, click the Clear Data button:
     [Screenshot: Firefox Cookies and Site Data with Clear Data button highlighted]

Deleting Cookies from Opera for Windows

  1. Under the Opera Tools menu, click on Settings:
     [Screenshot: Opera Tools menu with Settings highlighted]

  2. From the Settings menu, click on Advanced to open the sub-menu:
     [Screenshot: Opera Settings menu with Advanced menu highlighted]

  3. In the Advanced sub-menu, click Privacy & security:
     [Screenshot: Opera Advanced menu: Privacy and security highlighted]

  4. From the Privacy and security menu, click the arrow next to Clear browsing data:
     [Screenshot: Opera Privacy and security menu with Clear browsing data highlighted]

  5. Check the box next to Cookies and any other data you wish to clear, then click Clear data:
     [Screenshot: Opera Clear browsing data menu with Clear data button highlighted]

Summary

Let's recap what you need to know about cookies:

  • A cookie is a small text file created by a website and stored on your computer.
  • Cookies let websites remember details about you that help customize your experience on the site. Many uses of cookies are helpful for web users but some are more controversial.
  • First-party cookies only work with the site that issues them. Third-party cookies are put there by somebody other than the site you visit and can be used to track your web activity, often to target advertising.
  • Several national and international regulations require websites to tell you when they use cookies and usually to get some form of consent.
  • Cookies aren't necessarily personal data in themselves, but can be used as part of a wider profile of you.
  • Accepting cookies shouldn't normally pose any security risk. It's more of a privacy issue.
  • Private browsing/InPrivate/Incognito modes will block or delete cookies. This can limit a site's functionality.
  • Browsers let you delete existing cookies from your computer. Usually you can delete individual cookies, clear everything from a set time period, or delete all cookies.