What even are internet cookies?

A hand coming out of a laptop, holding a cookie.

It’s become a universal – and somewhat annoying – part of the web browsing experience: pop-up banners asking you to accept a website’s cookies (and not the edible kind). Some cookie prompts promise better user experiences while others won’t even let you use the website without them.

But what really goes on behind-the-scenes when we click ‘accept all’? Contact is on a mission to find out in the first instalment of our new series ‘What even is…?’ This series is here to break down the everyday topics you’ve always been curious about.  

We recruited UQ Lecturer in Cyber Security Dr Priyanka Singh to decode the mystery behind these chocolate chip-free data trackers.

Dr Priyanka Singh

The short story

What even are internet cookies?

If you’ve ever thought that the internet knows you a little too well, cookies are to thank.

In short, “cookies are small pieces of data that are stored on the user’s device when websites are visited,” said Dr Singh.

“These data chunks are moved around between the browser and the website's server to customise the individual’s experience.”

The long story 

Why do websites use cookies?

According to Dr Singh, “cookies help websites to give users more personalised experiences.”

Cookies do this by retaining information about you. They can know your login credentials, preferences, language choices and even the items you add to the shopping cart.

“For example, on a social media site, cookies can allow a user to stay logged in without having to re-enter the username and password during revisits,” said Dr Singh.

How do internet cookies even work?

Cookies work by adding small files to your device. For instance, let’s say that you’re online shopping.

When you visit your website of choice, that site “creates a cookie that stores a unique session ID,” said Dr Singh.

“Each time a user clicks a new product, the session ID cookie is sent back to the server. The server can check the cookie to remember what items you’ve purchased.”

If you’re logged onto the website, the site might create a persistent cookie. According to Dr Singh, these cookies keep you “logged in for the next few visits”. They “store an authentication token or the username.”

Finally, you add items to your cart.

“The cookie might track the items in the shopping cart and keep a record of the last visited page, so when the user goes to check out, they don’t need to re-enter their details,” said Dr Singh.

Website pop up with an image of a baked cookie that says "manage cookies".
Mouse clicking on a website pop up with an image of a baked cookie that says "manage cookies".
Hands holding cookies.

Why are cookie pop-ups suddenly everywhere?

There is a legal reason why every website now requests your cookies rather than just taking them.

Dr Singh explains that this is “due to stricter privacy regulations like the European Union's General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). These laws require websites to obtain explicit consent before storing or accessing information on users' devices, including cookies.

“While cookies offer conveniences, like remembering logins, they also raise privacy concerns. Websites now ask for your consent to use cookies in order to comply with these regulations and respect user privacy. By giving you control, they ensure transparency and allow you to make informed decisions about how your data is used.”

Dr Singh outlines some of the main privacy concerns associated with cookies:

  • Tracking: “Cookies can track online activity across multiple websites, creating detailed profiles of interests and browsing habits. This data can be used for targeted advertising, which can be intrusive or even manipulative."
  • Data breaches: “If a website's security is compromised, the cookie data could be accessed by malicious actors, potentially exposing sensitive information.”
  • Lack of transparency: “Many websites use complex cookie systems, making it difficult for users to understand exactly what data is being collected and how it's being used.”

Will there be a ‘cookieless’ future?

Kind of – but we can’t exactly toss away the cookie jar.

According to Dr Singh, “the ‘cookieless future’ refers to the gradual phasing out of third-party cookies, which track you across different websites. Unlike first-party cookies set by the website being visited, third-party cookies are placed by advertisers and other companies.

“These cookies enable extensive tracking of online behaviour, allowing for highly targeted ads but also raising significant privacy concerns.”

Dr Singh explained that the move away from third-party cookies is driven by a growing emphasis on user privacy and regulations like GDPR. This will make it harder for advertisers to create ads that target you.

“It will also likely lead to increased reliance on first-party data, such as customer information collected directly from users, and the development of new, privacy-preserving technologies for online advertising.

“Essentially, the ‘cookieless future’ aims to create a more privacy-conscious digital landscape while still enabling businesses to reach their target audiences,” said Dr Singh.

Should you clear website cookies?

Dr Singh said the best way to manage cookies is to take control.

“Clear your cookies regularly to maintain privacy and prevent websites from tracking your activity and building your individual profile. These profiles sometimes become potential targets for cyber criminals. Accumulation of too many cookies can even slow down the browser, causing frustration.”

It is important to be selective when accepting or rejecting cookies.

“Block third-party cookies to limit online tracking. Major browsers like Chrome, Firefox and Safari have already taken steps toward phasing out third-party cookies. [You can also] customise cookie settings by allowing only a handful of websites to set cookies and improve the overall privacy posture.”

What do you want to learn about next?