I know many of my customers keep asking me “What are cookies?” So, I am going to create this blog post to answer that and to help you understand.

What are cookies?

Cookies are small files with a few characters that website can create. Each individual cookie has a name and a website identification. Each individual cookie also has an expiration date that can be whatever the website wants it to be. Cookies can be set to expire as soon as you leave the website. After the cookie expires, the web browser automatically deletes it. A cookie can only be created if your web browser accesses a website. For instance, facebook.com cannot create a cookie on your computer unless you go to facebook.com or unless the page you are viewing gets data from facebook.com.

1st party cookies are those created by the website you actually visit. 3rd party cookies are those created by websites which are accessed by the website you are on. Many, but not all, 3rd party cookies are created by advertisers.

It is important to remember that websites cannot access cookies for different websites.  For instance, the website facebook.com cannot view the cookies that google.com created.

Why are they called cookies?

I don’t know.

What is the purpose of a cookie?

Like all tools, there can be a good and a bad use. A pocket knife, for example, is a useful tool. But it can be used to harm people. The same is true of cookies. It has good and bad use.

Cookies can contain information that makes it useful for you to browse a website. For example, if you go youtube.com, there will be a cookie that will tell Google that you have already signed in to the website. Now, you do not have sign in every time you go to youtube.com to get access to your preferences. And when you go to another part of youtube.com, you again will not need to sign back in. The cookie keeps track of you account details while you are visiting the website until the cookie expires. Banking websites will set their cookie to expire as soon as you leave the website, forcing you to sign in again for extra security. Cookies can make websites much more convenient. Websites that require extra security will create a cookie that tells the website to trust you, allowing you to bypass the extra security steps.

Take the website centurylink.net. When you visit centurylink.net, it attempts to access the websites cloudquote.net, doubleclick.net (Google), googletagmanager.com, syn-api.com, syn-cdn.com, synacor.com, taboola.com, and technoratimedia.com. Believe it or not, that is not that many. Some websites will talk to over 20 different other websites, and this can really slow down even the fastest computer. Almost all of those websites will set a cookie. Some are by the same company — syn-api.com, syn-cdn.com, and synacor.com — so only one of those will create a cookie.

In the list above, the websites doubleclick.net and taboola.com are advertisers. When these websites are first seen by your browser, they will generate a really long list of random letters and numbers to create a unique ID. To help you understand this concept, pretend the advertiser website created the unique ID abc123. Because of how the internet works, the website will also know you went to centurylink.net. Each page of centurylink.net will also have some hidden information that will also be sent to the advertisers. Pretend you clicked on a story about cats on centurylink.net, and then later you click on another story about dogs. Google, which own doubleclick.net, will see that abc123 clicked on two stories about animals. It will start to think abc123 is interested in pets. Then you will start to get ads about pet food. The more pages you visit, the more the advertiser learns about you. However, quite often what happens is you will get ads for things you just bought. Advertisers try to put a nice spin on their creepiness by calling it “relevant advertising”.

There is a way to stop most advertiser tracking: delete the cookies of the advertisers. For example, if I delete all the cookies doubleclick.net put on my computer, Google will have to generate a new random unique ID and start the process all over. And the same is true for the other advertisers. Other people take different options. Some buy a very portable computer called Raspberry Pi and install a program on it called Pi-Hole to block advertisers. Some install software that secretly clicks on random websites and thus gives very inaccurate information to the advertiser. That is called poisoning the well. The easiest option is to install software that deletes any cookie not on a whitelist. This is because there are hundreds of creepy advertisers which makes it impractical to delete only advertiser cookies. It is just easier to tell a program what cookies to keep.

Because of the creepy ad tracking, web browsers are starting to limit 3rd party cookies. Mozilla Firefox and Apple Safari are leading the charge for this. The European Union also stepped in and required websites to provide an opt-out for creepy ad tracking. The directive was the GDPR.

Can you just block all cookies? Yes. But, unfortunately, most websites today will not work unless cookies are allowed. One thing you can do is to tell your web browser to delete all cookies when you close your browser.

As an aside, advertisers do not need cookies to track you. Facebook knows who you are because you gave them your personal information. The Facebook smartphone app doesn’t use a cookie but it can be used to track you. If you delete the facebook.com cookie, as soon as you sign back in to Facebook, the tracking can start where it left off. That is because the tracking is based on your personal information that you gave, not on a unique ID. Other unethical advertisers use other tricks to track you without cookies.