
Like it or not, tracking cookies are an essential part of the modern web. Whether you’re a web user, or a website owner, you’ll benefit from understanding what they are and how they work.

You’ll find everything you need to know about tracking cookies in this article.


What are Tracking Cookies?

Tracking cookies are a type of HTTP cookie (small text files placed on a user’s browser by websites or third-party services) used to ‘track’ the user’s internet browsing habits.

These cookies store information such as:

  • Content a user has browsed
  • What a user searched online
  • When a user clicked on an ad
  • When a user visited a certain site
  • The IP address of a user
  • The geographic location of a user
  • The specifications of a user’s device

How do Tracking Cookies work?

To explain how cookies work, it’s easiest to explain how one would apply to you if you were to visit a website with tracking cookies enabled.

When you visit a website for the first time, the site’s server creates an HTTP cookie containing a name and a value (a unique identifier) and sends it to your browser. From then on, your browser automatically sends this cookie back to the server whenever you visit any page on that site.

The server can then log each page visit along with the cookie ID, timestamp, and URL.

By analyzing these logs, it is possible to piece together:

  1. Which pages you looked at
  2. How long you spent on each page
  3. The order you viewed pages in
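
The log analysis described above, as an added example (not code from the original article). The log format and the cookie name `uid` are assumptions, and the log lines are constructed:

```javascript
// Constructed sample log: ISO timestamp, cookie ID, requested URL.
const SAMPLE_LOG = [
  "2024-05-01T10:00:00Z uid=a1b2 /home",
  "2024-05-01T10:00:40Z uid=a1b2 /pricing",
  "2024-05-01T10:00:10Z uid=c3d4 /blog/cookies",
  "2024-05-01T10:03:10Z uid=a1b2 /signup",
  "2024-05-01T10:02:10Z uid=c3d4 /home",
  "malformed line",
];

// Group page views by cookie ID, order them by time, and derive dwell times.
function reconstructVisits(lines) {
  const byId = new Map();
  for (const line of lines) {
    const m = /^(\S+) uid=(\S+) (\/\S*)$/.exec(line);
    if (!m) continue; // skip lines that do not match the assumed format
    const time = Date.parse(m[1]);
    if (Number.isNaN(time)) continue; // skip unparseable timestamps
    if (!byId.has(m[2])) byId.set(m[2], []);
    byId.get(m[2]).push({ time, url: m[3] });
  }
  const visits = {};
  for (const [id, views] of byId) {
    views.sort((a, b) => a.time - b.time); // the order pages were viewed in
    visits[id] = views.map((v, i) => ({
      url: v.url,
      // Dwell time is the gap to the next request; unknown for the last page.
      seconds: i + 1 < views.length ? (views[i + 1].time - v.time) / 1000 : null,
    }));
  }
  return visits;
}

console.log(JSON.stringify(reconstructVisits(SAMPLE_LOG), null, 2));
```

The cookie ID is what ties separate requests to one browser; without it, interleaved log lines from different visitors could not be separated this way.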

What are tracking cookies used for?

Tracking cookies are used to understand user behavior through two methods: cross-site tracking and data collection.

Cross-site tracking

Cross-site tracking involves using third-party cookies to monitor your activities across various websites. This data is then used to build detailed profiles about you and deliver personalized ads based on your browsing history. While this can enhance user experiences, it also raises concerns about privacy and the collection of personal data.

Data collection

Tracking cookies collect various types of data, including your browsing history, IP address, on-site behavior, and previous purchases. Businesses use this data for e-commerce personalization, targeted advertising, analytics, and integration with social media platforms.

Types of Cookies

There are four main types of cookies: Essential Cookies, Performance Cookies, Functionality Cookies and Advertising Cookies. Depending on how these cookies are implemented on a given site, they may collect a range of identifying and non-identifying information about you.

Essential cookies

Enable core website features like shopping carts and user accounts.

Performance cookies

Track usage trends and user behavior.

Functionality cookies

Typically used for customizing a user’s website experience.

Targeting/advertising cookies

Determine what promotional content to show the user.

First-party vs Third-party Tracking Cookies

The distinction between these cookies is determined by their origin, that is, the domain that creates them.

First-party Cookies

First-party cookies are set by the website being visited. They are responsible for remembering user preferences and activities on the site and enhance the user experience by providing personalized content and recommendations.

Third-party Cookies

Third-party cookies are created by external services or advertisers such as Google and Meta. They track user behavior across multiple websites and are primarily used for targeted advertising and cross-site analytics.

Session Cookies vs Persistent Cookies

Tracking cookies can also be categorized by when they expire.

Session Cookies

Session Cookies (AKA transient cookies, non-persistent cookies or in-memory cookies) expire once a user ends their session by closing their browser or exiting a site.

Persistent Cookies

Persistent Cookies (AKA permanent cookies) remain on a device even once a user ends a session with the goal of providing a consistent experience between visits.
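
Both distinctions (first-party vs third-party, session vs persistent) can be read from a `Set-Cookie` header and the host that sent it. This is an added example, not code from the original article; the hosts and cookie values are constructed, and the two-label `site()` comparison is a simplifying assumption:

```javascript
// Simplification (assumption): the "site" is the last two host labels.
// Real browsers consult the Public Suffix List (e.g. for example.co.uk).
function site(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a Set-Cookie header value into a name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("cookie has no name");
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), attrs };
}

// pageHost: the site in the address bar; responseHost: the host that sent Set-Cookie.
function classifyCookie(header, responseHost, pageHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  const rawAge = String(attrs["max-age"] ?? "");
  let lifetime = "session"; // no Expires and no Max-Age: gone when the browser closes
  if (/^-?\d+$/.test(rawAge)) {
    // Max-Age takes precedence over Expires; zero or negative deletes the cookie.
    lifetime = Number(rawAge) > 0 ? "persistent" : "expired";
  } else if (typeof attrs.expires === "string") {
    lifetime = Date.parse(attrs.expires) > now ? "persistent" : "expired";
  }
  const party = site(responseHost) === site(pageHost) ? "first-party" : "third-party";
  return { name, party, lifetime };
}

// Constructed responses seen while loading a page on shop.example.
const SAMPLES = [
  ["sid=9f2c; Path=/; HttpOnly", "shop.example", "shop.example"],
  ["lang=en; Max-Age=31536000", "cdn.shop.example", "shop.example"],
  ["trk=77aa; Expires=Wed, 01 Jan 2031 00:00:00 GMT; SameSite=None; Secure",
    "ads.tracker.test", "shop.example"],
];
for (const s of SAMPLES) console.log(classifyCookie(...s));
```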

Non-essential Cookies vs Essential Cookies

When it comes to compliance, the most important distinction between cookies that you need to understand is whether they are essential or not. This is because GDPR requires you to obtain ‘freely given, specific, informed and unambiguous’ consent before using any non-essential cookies.

Essential Cookies

An essential cookie is any cookie required for the site to function. Essential cookies tend to do things like keeping someone signed in during the session or retaining their language choices.

Ask yourself…

  1. Will the site break if this cookie is disabled?
  2. Will the user experience during that session be impinged if this cookie is disabled?

If the answer to either of the above is yes, the cookie is essential.

Non-essential Cookies

If essential cookies are any cookies required for a site to function, non-essential cookies are everything else.

Two rules of thumb to follow are:

  • If the cookie doesn’t expire at the end of the session, it’s likely not essential to the session. It’s a non-essential cookie and you’ll need consent to use it.
  • If the cookie is not responsible for enabling the user to use your site, it’s not essential to the user, it’s just important to you. It’s a non-essential cookie and you’ll need consent to use it.

Laws and regulations that govern Tracking cookies

The use of tracking cookies is now regulated in Europe, California, Brazil, South Africa, Canada, Australia, and many other countries and regions around the world. Some data regulations require explicit consent from end-users before activating cookies on your website (such as EU’s GDPR or Brazil’s LGPD), while others empower end-users with the right to opt-out of having their personal information collected via tracking cookies and then sold (such as CCPA / CPRA).

GDPR and Tracking Cookies

The GDPR applies to any website that collects data from users located in the European Union (EU), regardless of where in the world the website itself is located.

It’s your responsibility as the website owner/operator to ensure clear handling of website cookies and obtain explicit consent from users to collect their data.

Under the GDPR, cookie consent must be explicit or opt-in, with users having the option to withdraw consent easily.

CCPA and Tracking Cookies

The CCPA defines tracking cookies as personal information and requires websites to provide opt-out options for cookie usage.

Specific consent requirements exist for minors, and websites must include a link with the specific wording “do not share or sell my personal information” for California residents who want to opt-out of their data being sold or shared.

How to obtain ‘freely given, specific, informed and unambiguous’ consent to use Tracking Cookies

The GDPR requires websites using non-essential cookies to obtain ‘freely given, specific, informed and unambiguous’ consent before using tracking cookies. To understand how to obtain this very specific type of consent, you’ll need to break it down into several components: Freely given consent, specific consent, informed consent, and unambiguous consent.

What is freely given consent?

Freely given consent means that users have genuine choice and control over whether to accept tracking cookies.

This requires:

  • No pre-ticked boxes
  • No forcing users to accept cookies to access your website
  • Clear option to decline cookies without penalty
  • Equal prominence for ‘accept’ and ‘reject’ options

How to obtain freely given consent:

Create a cookie banner that:

  • Shows accept and reject buttons with equal visibility
  • Allows full website access regardless of cookie choice
  • Separates essential cookies from tracking cookies

What is informed consent?

For informed consent to be given, users must have all of the information about what they’re agreeing to.

How to obtain informed consent

In your cookie banner and policy, clearly state:

  1. Your organization’s identity
  2. What tracking cookies you use
  3. How you’ll use the collected data
  4. The purpose of tracking
  5. The right to withdraw consent at any time
  6. How to withdraw consent

What is specific consent?

For consent to be specific, each tracking purpose needs its own separate consent mechanism.

How to obtain specific consent:

  • Group cookies by purpose (essential, performance, personalization, security, tracking)
  • Allow users to accept or reject each category separately
  • Explain each purpose in plain language
  • Keep cookie purposes separate from other website terms

What is unambiguous consent?

For unambiguous consent to be given, users must take clear, affirmative action to give consent.

How to obtain unambiguous consent

Design your cookie banner / consent mechanism to:

  • Block tracking cookies until users click ‘accept’
  • Keep records of how and when consent was given
  • Make withdrawing consent as simple as giving it
  • Include clear ‘manage preferences’ option
  • Define a process for obtaining parental consent to use tracking cookies for users under 16.
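
One way to implement per-category, default-deny consent with a record of how and when each choice was made, as an added example (not code from the original article or from any consent product). The class, method names and tag shape are hypothetical; the category names follow the grouping listed under specific consent:

```javascript
// Assumed category names, taken from the grouping listed under specific consent.
const CATEGORIES = ["essential", "performance", "personalization", "security", "tracking"];

class ConsentManager {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.choices = { essential: true }; // every other category is off until chosen
    this.records = [];                  // audit trail: how and when consent changed
  }

  // Record an explicit user action for exactly one category.
  set(category, granted, method) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === "essential") return; // essential cookies are not consent-gated
    this.choices[category] = Boolean(granted);
    this.records.push({ category, granted: Boolean(granted), method, at: this.clock() });
  }

  // Withdrawing is a single call, the same effort as granting.
  withdraw(category) {
    this.set(category, false, "withdraw-button");
  }

  // Default deny: without a recorded accept, the category is blocked.
  allows(category) {
    return this.choices[category] === true;
  }

  // Run a tag's loader only if its category currently has consent.
  load(tag) {
    if (!this.allows(tag.category)) return false;
    tag.run();
    return true;
  }
}

// Constructed demo: one tracking tag, gated by the manager.
const cookiesSet = [];
const adTag = { category: "tracking", run: () => cookiesSet.push("trk=77aa") };
const consent = new ConsentManager();
console.log(consent.load(adTag)); // blocked: no choice has been made yet
consent.set("tracking", true, "banner-accept");
console.log(consent.load(adTag));
consent.withdraw("tracking");
console.log(consent.load(adTag), consent.records);
```

Gating the loader rather than deleting cookies afterwards is what keeps the tracking cookie from being set before the user has clicked ‘accept’.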

Do I need a cookie policy for my website?

While current cookie laws in the EU and US may not apply to your business’ location, it’s considered good practice to disclose any cookies your website or app may use. As people become more concerned about protecting their privacy, the more transparency you can offer, the better.

Generally, it’s a safer bet to include cookie-related information in your privacy policy to reduce the likelihood of legal non-compliance.

Need a tool to handle cookie compliance for you?

GetTerms is a tool built by legal experts to help busy people like you meet the regulatory requirements of global privacy laws. With GetTerms, you’ll get an integrated cookie banner generator, automatic cookie blocking, support for Google Consent Mode v2, a cookie consent management platform, a website cookie scanner, a cookie policy generator, and all of our awesome policy generators.
