What Do Cookies Do on Websites? A Complete Guide
Learn what cookies do on websites, why sites use them, the different types, and what the law requires. Practical guide for website owners.
If you have ever wondered what cookies do on websites, you are not alone. Website cookies are one of the most common and least understood technologies on the internet, yet they play a role in nearly every interaction you have online.
A cookie is a small text file that a website stores on your browser. When you revisit that site, your browser sends the cookie back, allowing the site to remember who you are, what you were doing, and how you prefer to use the service. This article explains what cookies are for on websites, the different types that exist, the legal rules governing them, and what website owners need to know. This is educational content and not legal advice. For questions about your specific obligations, consult a qualified attorney.
What Are Cookies on Websites?
Website cookies are small data files, typically just a few kilobytes, that a web server sends to your browser during a page visit. Your browser stores the cookie locally and sends it back to the server with every subsequent request to that domain. This mechanism was invented in 1994 by Lou Montulli at Netscape to solve a fundamental problem: HTTP, the protocol that powers the web, is stateless, meaning the server has no built-in way to connect one request to the next.
Each cookie contains several pieces of information:
- Name and value: The actual data being stored, such as a session identifier or a language preference
- Domain and path: Which website and URL paths the cookie applies to
- Expiration date: When the browser should delete the cookie (or "session" to delete when the browser closes)
- Secure flag: Whether the cookie should only be sent over HTTPS connections
- HttpOnly flag: Whether JavaScript on the page can access the cookie
- SameSite attribute: Whether the cookie is sent with cross-site requests
When people ask "what is cookies on websites," they are usually asking about this entire mechanism: the storing, sending, and reading of these small data files that make modern web experiences possible.
What Do Cookies Do on Websites? Core Functions
What cookies do on websites falls into several distinct categories. Understanding these categories is essential for both users who want to protect their privacy and website owners who need to comply with data protection laws.
Authentication and session management
The most fundamental use of cookies is keeping you logged in. When you enter your username and password, the server creates a session and sends your browser a session cookie. On every subsequent page load, your browser sends that cookie back so the server knows you are the same authenticated user. Without this cookie, you would need to log in again on every single page.
Shopping carts and form data
E-commerce sites use cookies to track what you have added to your cart as you browse different product pages. Similarly, multi-step forms use cookies to remember your progress. If you close the browser tab and return later, cookies allow the site to restore your cart or form data.
Personalization and preferences
Cookies store your preferences such as language selection, dark mode settings, currency choice, accessibility options, and regional content preferences. These are often called "functionality cookies" because they enhance how the site works for you without being strictly necessary for the service.
Analytics and performance
Website owners use analytics cookies to understand how visitors interact with their site. Tools like Google Analytics place cookies that track page views, session duration, bounce rates, and navigation paths. This data helps site owners improve their content and fix usability problems.
Advertising and tracking
Advertising cookies are what most people think of when they hear the word "cookies" in a privacy context. These cookies track your browsing activity across multiple websites to build a profile of your interests, which is then used to serve targeted advertisements. Third-party advertising cookies are the primary reason for cookie consent regulations.
Types of Cookies on Websites
Understanding the different types of cookies helps clarify what cookies are for on websites and why privacy laws treat them differently.
First-party vs. third-party cookies
First-party cookies are set by the website you are visiting directly. If you visit example.com, any cookies set by example.com are first-party. These typically handle authentication, preferences, and basic analytics.
Third-party cookies are set by a domain other than the one you are visiting. If example.com loads an advertising script from adnetwork.com, and that script sets a cookie, it is a third-party cookie. These cookies can track you across every website that uses the same advertising network.
Major browsers are increasingly blocking third-party cookies by default. Safari and Firefox already do, and Chrome has implemented significant restrictions through its Privacy Sandbox initiative.
Session vs. persistent cookies
Session cookies exist only for the duration of your browser session. When you close your browser, these cookies are deleted. They are commonly used for authentication and shopping cart functionality.
Persistent cookies have a specific expiration date and remain on your device until that date arrives or you manually delete them. A "remember me" login cookie might persist for 30 days. An advertising cookie might persist for a year or longer.
Strictly necessary vs. non-essential cookies
This distinction matters most for legal compliance:
- Strictly necessary cookies are required for the website to function. Session cookies, authentication tokens, CSRF protection cookies, and load balancer cookies fall into this category. These do not require consent under the ePrivacy Directive.
- Non-essential cookies include everything else: analytics, advertising, personalization, and social media cookies. Under the GDPR and ePrivacy Directive, these require informed consent before being placed on a user's device.
How Cookies Work: A Technical Overview
When your browser sends an HTTP request to a website, the server can include a Set-Cookie header in its response. This header instructs your browser to store the cookie. On every subsequent request to that domain, your browser automatically includes the cookie in a Cookie header.
Here is a simplified flow:
- You visit a website for the first time. No cookies are sent because none exist yet.
- The server responds with the page content and one or more
Set-Cookieheaders. - Your browser stores the cookies according to their attributes (domain, path, expiration).
- On your next request to the same domain, your browser sends the stored cookies in the request headers.
- The server reads the cookies and uses them to personalize your experience, maintain your session, or track your behavior.
JavaScript running on the page can also create and read cookies through the document.cookie API, unless the cookie has the HttpOnly flag set. This is how many analytics and advertising scripts work: they run in the browser and create cookies directly rather than receiving them from the server.
Modern websites often set dozens of cookies. A typical news site might set five to 10 first-party cookies and 20 to 50 third-party cookies from advertising networks, analytics providers, and social media widgets. Tools like a cookie policy generator can help website owners document and disclose these cookies properly.
Legal Requirements for Cookies on Websites
The legal landscape around website cookies has changed dramatically over the past decade. Understanding what the law requires is now a core responsibility for any website owner.
The ePrivacy Directive (EU Cookie Law)
Article 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) is the primary law governing cookies in Europe. It requires prior consent before any non-essential cookie is placed on a user's device. This law applies to all websites accessible to EU visitors, regardless of where the website operator is based.
The directive establishes a simple rule: if a cookie is not strictly necessary for the service the user explicitly requested, you need consent before setting it.
The GDPR and cookies
The General Data Protection Regulation (Regulation 2016/679) does not specifically mention cookies, but it defines what valid consent means. Under Article 4(11), consent must be freely given, specific, informed, and unambiguous. Article 7 adds requirements for demonstrating consent and allowing easy withdrawal.
Together, the ePrivacy Directive and GDPR require that cookie consent:
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate Now- Is obtained before non-essential cookies are placed
- Uses clear, plain language to explain what each cookie category does
- Provides a genuine choice with equal prominence for accept and reject options
- Does not use pre-ticked checkboxes or implied consent through continued browsing
- Can be withdrawn as easily as it was given
Violations can result in fines up to 20 million EUR or 4% of annual global turnover under the GDPR.
CCPA and cookies
The California Consumer Privacy Act takes a different approach. Rather than requiring opt-in consent for cookies, the CCPA gives California residents the right to opt out of the "sale" or "sharing" of their personal information. Since many advertising cookies share data with third parties, websites serving California users must provide a "Do Not Sell or Share My Personal Information" link. Violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation.
Other cookie laws
Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act, and numerous other national laws impose varying requirements on cookie usage. The common thread across all of them is transparency: website owners must tell users what cookies they set and why.
What Website Owners Need to Know About Cookies
If you operate a website, understanding what cookies do on your site is not optional. You are legally responsible for every cookie your site sets, including those placed by third-party scripts you have embedded.
Audit your cookies
The first step is knowing exactly what cookies your website sets. Many site owners are surprised to discover that third-party scripts they embedded months ago are placing dozens of tracking cookies. A compliance scanner can identify every cookie, categorize it, and flag potential legal issues.
Implement a consent management platform
A cookie consent banner, properly implemented, collects and records user consent before non-essential cookies are activated. The banner must block analytics, advertising, and personalization scripts until the user makes a choice. Simply displaying a notice that says "this site uses cookies" without blocking them is not sufficient under EU law.
Create a cookie policy
Your cookie policy generator output should list every cookie your site uses, its purpose, its lifespan, and whether it is first-party or third-party. This document must be easily accessible from your cookie consent banner and your main website navigation.
Review third-party scripts regularly
Every time you add a new marketing tool, analytics service, or social widget, it may introduce new cookies. Regular audits, ideally automated through a compliance tool like TermsBox, ensure you stay on top of changes and keep your cookie policy accurate.
Common Cookies You Will Find on Most Websites
Most websites share a common set of cookies across several categories. Here are the ones you will encounter most frequently:
Authentication cookies:
- Session ID cookies (e.g.,
PHPSESSID,connect.sid) - Remember-me tokens
- CSRF protection tokens
Analytics cookies:
_ga,_gid,_gat(Google Analytics)_hjid,_hjSessionUser(Hotjar)_fbp(Facebook Pixel)
Advertising cookies:
IDE,DSID(Google DoubleClick)fr(Facebook)_uetsid(Microsoft Advertising)
Functionality cookies:
- Language preference (e.g.,
locale,lang) - Theme preference (e.g.,
dark_mode) - Currency selection
Consent cookies:
- Cookie consent status (e.g.,
cookieconsent_status) - Consent timestamp and version records
A comprehensive cookie database helps identify these cookies quickly. TermsBox maintains a database of over 1,000 known cookies to automatically categorize cookies found during website scans.
How to Manage Cookies as a User
Understanding what cookies do on websites gives you more control over your online privacy. Here are practical steps:
- Review your browser's cookie settings. Every major browser lets you block third-party cookies, clear cookies on exit, or manage cookies on a per-site basis.
- Use cookie consent banners properly. When a site presents a consent banner, take the time to review the categories and decline what you do not want. Clicking "accept all" without reading grants permission for extensive tracking.
- Clear cookies periodically. Deleting cookies removes accumulated tracking data. Most browsers offer options to clear cookies for specific time periods or specific sites.
- Consider browser extensions. Tools like uBlock Origin, Privacy Badger, or Cookie AutoDelete give you granular control over which cookies are accepted and how long they persist.
- Use private browsing for sensitive activities. Private or incognito mode starts each session with a clean slate and deletes all cookies when the window is closed.
Cookies and the Future of Web Tracking
The cookie landscape is shifting. Third-party cookies, the backbone of online advertising for two decades, are being phased out across all major browsers. This change is pushing the industry toward alternative tracking methods:
- Server-side tracking: Moving analytics processing from the browser to the server, reducing reliance on client-side cookies
- First-party data strategies: Businesses collecting data directly from their users through registrations, subscriptions, and surveys
- Privacy Sandbox APIs: Google's Topics API and Attribution Reporting API aim to enable advertising without individual tracking
- Fingerprinting: A controversial technique that identifies users based on browser and device characteristics without cookies. Most privacy laws treat this the same as cookies.
For website owners, the practical takeaway is that cookie compliance is not a one-time task. The technology, the regulations, and the enforcement landscape all continue to evolve. Maintaining a current privacy policy and cookie policy is an ongoing responsibility.
Frequently Asked Questions
What do cookies do on websites?
Cookies are small text files that websites store on your browser to remember information about your visit. They serve purposes ranging from keeping you logged in and remembering your shopping cart, to tracking your browsing behavior for analytics and advertising. Each cookie contains a name, a value, and an expiration date, and is sent back to the server with every subsequent request.
Are website cookies dangerous?
Cookies themselves are not dangerous because they are plain text files and cannot execute code or carry viruses. However, third-party tracking cookies can follow your activity across multiple websites to build detailed profiles of your browsing habits. This is why privacy laws like the GDPR and CCPA regulate how websites use cookies and require transparency about data collection.
Can I block all cookies on websites?
You can block all cookies through your browser settings, but doing so will break many website features. You will be logged out of every site on each visit, shopping carts will not persist, and language or accessibility preferences will reset every time. A better approach is to block third-party cookies while allowing first-party cookies, which preserves core functionality while limiting cross-site tracking.
Do all websites use cookies?
Nearly all modern websites use at least some cookies. Even simple static sites often use cookies if they include analytics tools, embedded content, or advertising. A website can technically function without cookies, but any site with login functionality, personalization, or third-party integrations will rely on them. The ePrivacy Directive requires sites to disclose cookie usage and obtain consent for non-essential cookies.