"This Website Uses Cookies": What It Means and Why
Learn what "this website uses cookies" really means, why sites display cookie notices, and what happens when you accept or reject them.
"This website uses cookies" is a message that appears on nearly every website you visit. It shows up in banners, pop-ups, and notification bars, asking you to accept, reject, or customize your cookie preferences. But what does it actually mean when a site uses cookies, and why are websites required to tell you about it?
This guide explains what cookies are, why websites use them, what the different types do, and what your choices actually mean when you see that familiar banner. This is educational content and not legal advice. For guidance on your specific obligations or rights, consult a qualified attorney.
What Are Cookies and Why Does This Website Use Them
A cookie is a small text file that a website places on your device (computer, phone, or tablet) through your web browser. When you visit a website, the server sends a cookie to your browser, which stores it locally. The next time you visit that same site, your browser sends the cookie back, allowing the website to recognize you and remember information from your previous visit.
Cookies were invented in 1994 by Netscape engineer Lou Montulli to solve a basic problem: the web is stateless. Without cookies, every single page load would be a fresh encounter. The website would have no way to know you are the same person who logged in 30 seconds ago or added an item to your shopping cart on the previous page.
When a site uses cookies, those files serve a range of purposes:
- Keeping you logged in so you do not have to enter your password on every page
- Remembering your shopping cart contents as you browse a store
- Storing your preferences such as language, currency, or dark mode settings
- Measuring traffic through analytics tools like Google Analytics
- Delivering targeted advertising based on your browsing behavior across the web
- Preventing fraud and verifying that form submissions come from real users
The reason websites now explicitly tell you "this site uses cookies" is because data protection laws, particularly in the European Union, require them to disclose this information and obtain your consent before placing most types of cookies.
The Different Types of Cookies Websites Use
Not all cookies serve the same purpose, and the legal treatment of cookies depends heavily on their function. Understanding the categories helps you make informed choices when a cookie banner appears.
Strictly necessary cookies
These cookies are essential for the website to function. Without them, basic features like logging in, adding items to a cart, or submitting a secure form would break. Examples include session identifiers, authentication tokens, CSRF protection tokens, and load-balancing cookies.
Strictly necessary cookies are the only type that do not require your consent under the ePrivacy Directive (Article 5(3)). They are exempt because the website literally cannot deliver the service you requested without them.
Analytics and performance cookies
Analytics cookies measure how visitors use a website: which pages are popular, how long people stay, where they click, and where they leave. Google Analytics is the most common example, but tools like Matomo, Hotjar, and Mixpanel also fall into this category.
These cookies collect data about your behavior, including your IP address, browser type, pages visited, and time spent. Under the GDPR and ePrivacy Directive, they require your consent before they load. A website that fires Google Analytics before you click "accept" on the cookie banner is violating the law.
Advertising and tracking cookies
Advertising cookies track your activity across multiple websites to build a profile of your interests. Ad networks like Google Ads, Meta (Facebook), and programmatic advertising platforms use these cookies to show you targeted advertisements based on your browsing history.
These are the most privacy-invasive type of cookie. A single advertising cookie can follow you across hundreds of websites, recording every page you visit, product you view, and article you read. These cookies always require explicit consent.
Functionality cookies
Functionality cookies remember choices you make beyond the strictly necessary scope. Examples include remembering your preferred language when the site defaults to another, your chosen display density, or that you dismissed a promotional banner.
While less invasive than tracking cookies, these still require consent under the ePrivacy Directive because they are not strictly necessary for the service you requested.
Third-party cookies
A third-party cookie is set by a domain other than the website you are visiting. If you visit example.com and it loads a Facebook Like button, Facebook places a cookie on your device from facebook.com. You did not visit Facebook, but now Facebook knows you were on example.com.
Third-party cookies are being phased out by major browsers. Safari and Firefox already block them by default. Google Chrome has implemented tracking protections that limit their function. This shift is pushing the advertising industry toward alternative tracking methods, but the legal consent requirements remain the same.
Why Websites Are Required to Display Cookie Notices
The "this website uses cookies" banner exists because of specific laws that regulate how websites can store data on visitors' devices.
The ePrivacy Directive (EU)
Article 5(3) of the ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) is the primary cookie law. It states that storing information on a user's terminal equipment, or accessing information already stored, requires prior informed consent. This applies to all websites accessible to EU residents, regardless of where the website operator is based.
The only exception is for cookies that are "strictly necessary" to provide a service the user explicitly requested. Everything else, from analytics to advertising to preference cookies, requires opt-in consent before the cookie is placed.
The GDPR
The GDPR (Regulation 2016/679) does not specifically mention cookies, but it defines the rules for valid consent that apply to cookie consent. Under GDPR Article 4(11), consent must be freely given, specific, informed, and unambiguous. Article 7 adds that consent must be as easy to withdraw as to give.
Together, the ePrivacy Directive and the GDPR mean that when a site uses cookies beyond the strictly necessary category, the website must:
- Tell you what cookies it uses and why (informed)
- Get your active agreement before placing them (prior consent)
- Let you refuse without losing access to the website (freely given)
- Allow you to change your mind later (withdrawable)
Violations carry penalties up to 20 million EUR or 4% of annual global turnover under the GDPR. The French data protection authority CNIL fined Google 150 million EUR in 2022 specifically for cookie consent failures.
Laws outside the EU
Cookie notice requirements are not limited to Europe:
- Brazil's LGPD requires consent for non-essential data processing, which includes cookies
- South Africa's POPIA similarly requires consent for processing personal information
- US state laws such as the CCPA (California), VCDPA (Virginia), and CPA (Colorado) require disclosures about tracking technologies, though the specific consent mechanisms differ from the EU approach
- Canada's PIPEDA requires meaningful consent for the collection and use of personal information, including through cookies
What Happens When You Accept or Reject Cookies
When you interact with a cookie banner, your choice has real consequences for what the website can and cannot do during your visit.
When you accept all cookies
The website loads every cookie and tracking script it uses. Analytics tools begin recording your visit. Advertising networks start building or updating your profile. Functionality cookies store your preferences. The website can personalize your experience, show you targeted ads, and measure the effectiveness of its marketing.
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate NowYour browsing data may be shared with dozens of third parties. A study by the University of Cambridge found that the average website loads trackers from 10 or more external companies.
When you reject non-essential cookies
The website should load only strictly necessary cookies. Analytics tools should not fire. Advertising scripts should not run. Your visit is anonymous from a tracking perspective.
The core website functionality should remain intact. You can still browse pages, make purchases, and use interactive features. What changes is that the website cannot personalize your experience, and advertisers cannot track you through that site.
Under GDPR requirements, rejecting cookies must be as easy as accepting them. A website that makes you click through five pages to reject cookies while offering a single "accept all" button is violating the law. The European Data Protection Board (EDPB) has specifically addressed this in its Guidelines 03/2022 on dark patterns.
When you customize your preferences
Most compliant cookie banners offer a way to select which categories you consent to. You might choose to allow analytics cookies (so the website can improve its content) but reject advertising cookies (so your browsing is not tracked for ad targeting).
This granular control is what the GDPR envisions. Article 7 states that consent should be specific to each purpose of processing. A blanket "accept all" without the option to choose by category does not meet this standard.
How Websites Should Handle Cookie Consent
For website owners, displaying a "this site uses cookies" message involves more than placing a banner on the page. Proper cookie consent implementation has specific technical and legal requirements.
Technical requirements
A compliant cookie consent mechanism must:
- Block non-essential cookies by default until consent is given
- Load cookies only after consent for the specific category is recorded
- Store the consent choice so the banner does not reappear on every page
- Allow withdrawal by providing a way to change preferences at any time
- Record proof of consent including when it was given, what was consented to, and what information was presented
What the banner must communicate
The cookie notice must clearly state:
- That the website uses cookies
- What categories of cookies are used (analytics, advertising, functionality)
- What each category does in plain language
- How to accept, reject, or customize cookie preferences
- A link to the full cookie policy with detailed information about each cookie
Common compliance failures
Many websites implement cookie consent incorrectly:
- Pre-checked boxes: Consent must require an affirmative action. Pre-selected consent checkboxes are invalid under the GDPR, as confirmed by the Court of Justice of the European Union in the Planet49 case (C-673/17).
- Cookie walls: Blocking access to the website unless cookies are accepted does not constitute freely given consent, according to EDPB Guidelines 05/2020.
- Ignoring the choice: Some websites display a banner but load all cookies regardless of the visitor's selection. This is a direct violation.
- No reject option: The banner must offer a way to reject non-essential cookies that is equally prominent as the accept option.
Cookies, Privacy, and Your Rights as a Visitor
When you encounter a "this website uses cookies" notice, you have specific rights depending on where you are located.
Under the GDPR (EU/EEA residents)
- Right to be informed about what data is collected and how it is used (Article 13)
- Right to withdraw consent at any time, and it must be as easy to withdraw as it was to give (Article 7(3))
- Right to access the personal data that has been collected about you (Article 15)
- Right to erasure of your personal data, including data collected via cookies (Article 17)
- Right to lodge a complaint with your national data protection authority (Article 77)
Under the CCPA (California residents)
- Right to know what personal information is collected and how it is used (Section 1798.100)
- Right to delete personal information collected about you (Section 1798.105)
- Right to opt out of the sale or sharing of your personal information (Section 1798.120)
- Right to non-discrimination for exercising your privacy rights (Section 1798.125)
Practical steps you can take
Beyond responding to cookie banners, you can manage cookies through your browser:
- Clear cookies regularly through your browser's settings or history menu
- Block third-party cookies in your browser preferences (already the default in Safari and Firefox)
- Use private/incognito browsing to prevent cookies from persisting between sessions
- Install browser extensions like uBlock Origin that block tracking scripts before they load
- Check a website's cookie policy to understand exactly what data is collected
The Future of "This Website Uses Cookies" Notices
The cookie consent landscape is changing. Browser-level tracking protections, the decline of third-party cookies, and evolving regulations are reshaping how websites track visitors.
The EU's proposed ePrivacy Regulation, intended to replace the ePrivacy Directive, may shift some consent mechanisms to the browser level rather than requiring each website to present its own banner. However, this regulation has been in development for years and its final form remains uncertain.
Meanwhile, website owners need to implement proper cookie consent today. Tools like TermsBox provide a consent management platform (CMP) that handles the technical and legal requirements of cookie consent, including blocking scripts before consent, recording consent proof, and providing a compliant banner interface.
Whether you are a website visitor trying to understand your choices or a website owner building a compliant cookie consent system, the key takeaway is straightforward: cookies are a standard web technology, but their use must be transparent and, in most jurisdictions, subject to your informed choice.
Frequently Asked Questions
What does it mean when a website says it uses cookies?
It means the website stores small text files on your device to remember information about your visit. These files can track your login status, shopping cart contents, language preferences, and browsing behavior. The notice appears because data protection laws like the GDPR and ePrivacy Directive require websites to inform visitors about cookie usage and, in most cases, obtain consent before placing non-essential cookies.
Are cookies dangerous or harmful to my computer?
No. Cookies are plain text files, not executable programs, so they cannot contain viruses, malware, or run code on your device. However, tracking cookies can monitor your browsing activity across multiple websites, building detailed profiles of your interests and behavior. The privacy concern is about surveillance and profiling, not device security. You can delete cookies at any time through your browser settings without any risk.
What happens if I reject cookies on a website?
If you reject non-essential cookies, the website should still function for its core purpose, but some features may be limited. Analytics will not track your visit, personalized content will not appear, and advertising will not be targeted to your interests. Strictly necessary cookies, such as those for login sessions and shopping carts, will still work because they do not require consent. The website cannot deny you access solely because you rejected optional cookies.
Do all websites have to show a cookie notice?
Not universally, but most do. Under the EU ePrivacy Directive (Article 5(3)) and the GDPR, any website accessible to EU visitors must inform users about cookies and obtain consent for non-essential ones. Similar requirements exist under Brazil's LGPD, South Africa's POPIA, and various US state laws. A website that uses only strictly necessary cookies and has no EU visitors may not need a notice, but this is rare in practice since most sites use analytics or advertising tools that set non-essential cookies.