What Are Cookies? How Browser Cookies Work in 2026
Learn what cookies are on a website, how browser cookies work, and why they matter for privacy. Covers tracking cookies, consent, and compliance.
Cookies are one of the most fundamental technologies on the web, yet most website owners have only a vague understanding of what they actually are and what legal obligations come with using them. If you have ever wondered what are cookies on a website and why regulators care so much about them, this guide breaks it down from both a technical and legal perspective.
This article is educational content and does not constitute legal advice. For questions specific to your business, consult a qualified attorney.
What Are Cookies? A Clear Definition
Cookies are small text files that a website instructs your browser to store on your device. Each cookie contains a short piece of data, typically a name-value pair like session_id=abc123, along with metadata that tells the browser when the cookie expires and which domain it belongs to.
When you visit a website, the server includes a Set-Cookie header in its HTTP response. Your browser reads this header, saves the cookie locally, and attaches it to every subsequent request to that same domain. This mechanism allows websites to remember information about you between page loads and across multiple visits.
Cookies were invented in 1994 by Lou Montulli at Netscape to solve a basic problem: HTTP, the protocol that powers the web, is stateless. Every request a browser sends to a server is independent. Without cookies, a website could not tell whether two requests came from the same person, making features like shopping carts and user accounts impossible.
How Browser Cookies Work Step by Step
Understanding what browser cookies are requires following their lifecycle from creation to deletion.
- You visit a website. Your browser sends an HTTP GET request to the server.
- The server responds with content and cookies. The response headers include one or more
Set-Cookieheaders, each defining a cookie with a name, value, and attributes. - Your browser stores the cookies. Each cookie is saved locally and associated with the domain that set it.
- You navigate to another page on the same site. Your browser automatically includes the stored cookies in the request's
Cookieheader. - The server reads the cookies. It uses the cookie data to identify your session, load your preferences, or track your activity.
- The cookie expires or you delete it. Cookies with an expiry date are removed automatically when that date passes. Session cookies are deleted when you close your browser. You can also manually clear cookies at any time.
Cookie attributes that control behavior
Every cookie can include several attributes that determine its scope and security:
- Expires / Max-Age: Defines how long the cookie persists. Without this attribute, the cookie is a session cookie that disappears when the browser closes.
- Domain: Specifies which domain can read the cookie. A cookie set for
.example.comis accessible toshop.example.comandblog.example.com. - Path: Restricts the cookie to a specific URL path on the domain.
- Secure: Ensures the cookie is only sent over HTTPS connections, preventing interception on unencrypted networks.
- HttpOnly: Prevents JavaScript from accessing the cookie, which protects against cross-site scripting (XSS) attacks.
- SameSite: Controls whether the cookie is sent with cross-site requests. Options are
Strict,Lax, orNone. Most modern browsers default toLax.
Types of Cookies and What They Do
Not all cookies serve the same purpose. Regulators and privacy laws typically classify cookies into categories based on their function.
Strictly necessary cookies
These cookies are essential for the website to function and cannot be turned off. Examples include:
- Session cookies that keep you logged in as you navigate between pages
- Shopping cart cookies that remember items you added
- Security cookies that detect authentication abuse
- Load balancer cookies that route your requests to the correct server
Because these cookies are required for basic functionality, most privacy laws exempt them from consent requirements.
Performance and analytics cookies
These cookies collect information about how visitors use a website, such as which pages receive the most traffic, how long people stay, and where they arrive from. Google Analytics, for example, sets cookies like _ga and _gid to distinguish individual users and track session behavior.
Analytics cookies provide valuable data for improving your site, but they qualify as non-essential under the GDPR and ePrivacy Directive, meaning you must obtain consent before setting them for users in the EU.
Functionality cookies
Functionality cookies remember choices you make to personalize your experience. Common examples include:
- Language preference cookies
- Region or currency selection cookies
- Font size or display preferences
- Cookies that remember whether you dismissed a notification banner
These improve the user experience but are generally classified as non-essential, requiring consent in jurisdictions that follow the GDPR model.
Targeting and advertising cookies
Tracking cookies are the category that attracts the most regulatory attention. These cookies, almost always set by third parties, build profiles of your browsing behavior across multiple websites to serve targeted advertisements.
When you visit a news site that includes a Facebook pixel, Facebook sets a cookie on your device. When you later visit an online store that also has the Facebook pixel, the same cookie is sent, allowing Facebook to connect your browsing on both sites. This cross-site tracking is the core mechanism behind behavioral advertising.
Common tracking cookie providers include Google Ads, Meta (Facebook), Amazon Advertising, and numerous ad exchanges. A single web page can set dozens of third-party tracking cookies without the site owner's full awareness, which is why auditing your cookies matters.
What Are Tracking Cookies and Why Do They Matter?
Tracking cookies deserve special attention because they sit at the center of most cookie consent regulations. A tracking cookie is any cookie whose primary purpose is to follow a user's activity across websites for profiling or advertising.
How tracking cookies build profiles
The process works through three steps:
- Placement: An advertising network's script, embedded on thousands of websites, sets a unique identifier cookie in your browser.
- Collection: Every time you visit a site that runs the same network's script, the cookie sends your identifier along with the page URL, time of visit, and other metadata.
- Profiling: The ad network aggregates this data to build a behavioral profile: your interests, shopping habits, content preferences, and demographic indicators.
This profile is then used to serve you targeted ads in real time through programmatic ad auctions that happen in the milliseconds before a page loads.
The decline of third-party cookies
Major browsers have been restricting or eliminating third-party cookies. Safari and Firefox block them by default. Google Chrome has introduced the Privacy Sandbox initiative as an alternative to cross-site tracking, moving toward Topics API and other mechanisms that aim to support advertising without individual-level tracking.
For website owners, this shift means that reliance on third-party cookies for analytics and advertising is becoming less viable. First-party data strategies and server-side tracking are replacing traditional cookie-based approaches.
Cookie Laws: What Website Owners Must Know
Multiple privacy laws regulate the use of cookies, and the requirements vary by jurisdiction. Here is what applies in the major markets.
GDPR and the ePrivacy Directive (EU/EEA)
The GDPR, combined with the ePrivacy Directive (often called the "Cookie Law"), establishes the strictest cookie rules. Key requirements under Article 5(3) of the ePrivacy Directive include:
- Prior consent is mandatory for all cookies except strictly necessary ones. Users must actively opt in before non-essential cookies are set.
- Consent must be informed: Users must know what cookies you set, what they do, and who receives the data.
- Consent must be freely given: Rejecting cookies must be as easy as accepting them. Cookie walls that block content unless you accept all cookies are generally not compliant.
- Consent must be recorded: You need to store proof of when and how each user consented.
- Users must be able to withdraw consent at any time, and withdrawal must be as straightforward as giving consent.
Violations of cookie consent rules carry GDPR penalties of up to 20 million EUR or 4% of annual global turnover. France's CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for making cookie rejection more difficult than acceptance.
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate NowCCPA/CPRA (California)
California's privacy laws take a different approach. The CCPA does not require prior consent for cookies, but it does require:
- Disclosure of tracking technologies in your privacy policy
- A "Do Not Sell or Share My Personal Information" link if cookies are used for cross-context behavioral advertising
- Honoring Global Privacy Control (GPC) signals sent by browsers
Violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation.
UK GDPR and PECR
After Brexit, the UK adopted its own version of the GDPR alongside the Privacy and Electronic Communications Regulations (PECR). The cookie consent requirements mirror the EU model: prior informed consent for non-essential cookies.
Other jurisdictions
Brazil's LGPD, Canada's PIPEDA, and South Africa's POPIA all include provisions that affect cookie usage, generally requiring transparency and, in many cases, consent. The global trend is toward stricter regulation, not less.
How to Audit and Manage Cookies on Your Website
If you run a website, you need to know exactly what cookies it sets. Many site owners are surprised to discover cookies they never intentionally placed, often from third-party scripts, embedded content, or tag managers.
Manual cookie inspection
You can check cookies using your browser's developer tools:
- Open the website in Chrome, Firefox, or Edge.
- Press F12 to open developer tools.
- Navigate to the Application tab (Chrome) or Storage tab (Firefox).
- Click on Cookies in the left sidebar to see all cookies grouped by domain.
This gives you a snapshot, but manual inspection has limitations. It only captures cookies set on the specific pages you visit, and it may miss cookies that appear only after certain user interactions or on specific pages.
Automated scanning
A website compliance scanner crawls your entire site, loading every page and recording every cookie that gets set. This catches cookies from embedded videos, social media widgets, chat tools, and analytics scripts across all pages. Automated scans also detect changes over time, alerting you when a new script starts setting cookies you have not disclosed.
What to do with the results
Once you have a complete cookie inventory:
- Classify each cookie into one of the standard categories (necessary, analytics, functionality, advertising).
- Document each cookie with its name, provider, purpose, duration, and type (first-party or third-party).
- Remove unnecessary cookies by eliminating scripts and embeds you no longer need.
- Update your cookie policy with accurate disclosures. A cookie policy generator can help you create a compliant document based on your actual cookie inventory.
- Implement a consent mechanism that blocks non-essential cookies until the user opts in.
Cookie Consent Banners: Getting Them Right
A cookie consent banner is the visible interface where users make their cookie choices. Getting it right is both a legal requirement and a user experience challenge.
Requirements for a compliant consent banner
Under the GDPR and ePrivacy Directive, your banner must:
- Present a clear choice between accepting and rejecting non-essential cookies, with both options equally prominent
- Offer granular controls so users can accept some cookie categories and reject others
- Not use pre-checked boxes or assume consent from continued browsing
- Include a link to your full cookie policy with details about each cookie
- Remember the user's choice so they are not asked repeatedly
- Allow users to change their preferences at any time
Common mistakes to avoid
Many cookie banners fail compliance standards. Watch for these issues:
- Dark patterns: Making the "Accept All" button visually prominent while hiding the reject option behind multiple clicks
- Implied consent: Treating continued scrolling or browsing as consent, which does not meet GDPR standards
- Pre-loaded scripts: Setting analytics or advertising cookies before the user has made a choice
- No granular options: Offering only "Accept All" or "Reject All" without category-level controls
- Missing withdrawal mechanism: Not providing a way for users to change their cookie preferences after the initial choice
TermsBox provides a cookie consent banner that handles these requirements automatically, blocking non-essential scripts until the user consents and recording consent proof for compliance audits.
Frequently Asked Questions
What are cookies on a website in simple terms?
Cookies are small text files that websites save on your device through your browser. They store information like your login status, language preference, and shopping cart contents so the website can remember you between page visits and return visits. Cookies cannot run code or install software on your device.
Are browser cookies dangerous?
Cookies themselves are not dangerous. They are plain text files that cannot execute code, carry viruses, or access other files on your device. The privacy concern comes from third-party tracking cookies, which can follow your activity across multiple websites to build detailed advertising profiles. Laws like the GDPR and ePrivacy Directive require consent before these tracking cookies are set.
What is the difference between first-party and third-party cookies?
First-party cookies are set by the website you are currently visiting and typically handle functions like keeping you logged in or remembering your preferences. Third-party cookies are set by external domains embedded in the page, usually advertising networks or analytics services, and can track your browsing activity across every website that includes their code.
Do I need a cookie consent banner on my website?
If your website serves users in the EU or UK, the GDPR and ePrivacy Directive require you to obtain informed consent before setting non-essential cookies such as analytics or advertising cookies. Strictly necessary cookies like session cookies for login are exempt. The CCPA does not require prior consent for cookies but does require disclosure and an opt-out mechanism for sale of personal information.
How do I know what cookies my website sets?
You can inspect cookies manually using your browser's developer tools under the Application or Storage tab. For a thorough audit, a website compliance scanner will crawl your site automatically and catalog every cookie set by your pages, including third-party cookies from embedded scripts you may not be aware of.