Cookies: Tracking your Internet experience

Internet cookies are an inherent part of Internet use. Many sites cannot function without them. Cookies are confusing, particularly because many myths surround their use. While cookies are not the source of viruses or spam, they do present potential privacy issues in their ability to track a user’s internet activity. Some of this tracking is benign, allowing for an easier, more personalized browsing experience. However, other uses of cookies are far more questionable.

How do cookies work?

When an Internet user attempts to view a website, either by clicking on a hyperlink or typing its URL, the user’s web browser sends a request to the server hosting the files of the website for the information. The web server then sends the required information back. Often this information contains a text file–the cookie–which is placed on the user’s hard drive.

A cookie is a simple text file containing name-value pairs. For example, the name might be “User ID” and the value “ABC123”, the string of characters representing the unique ID assigned to the user when they first visited the website. Cookies also usually include an expiration date set to some time in the future. Cookie preferences can be controlled through the user’s web browser, and cookies can be viewed and deleted by the user at will. A user can prevent cookies from being placed on their machine; however, many websites now require the use of cookies in order to view the site.

The use of cookies should be mentioned in a website’s privacy policy, which states how information about a user is collected as well as how it is used.

Types of Cookies

Persistent Cookies– These are set by the web server to expire some time in the future (days, weeks, months, years) and will remain on the user’s computer even after they have navigated away from the website. They are the most common type of cookie used by websites.

Session Cookies– These are used most often with ecommerce websites that allow the purchasing of products. Session cookies are stored on the user’s computer only while they are connected to the specific web server. They allow the server to store information regarding cart contents. They are also used by other types of sites to manage online chat sessions and allow for interactive opinion surveys.

How are cookies used?

Cookies serve a variety of functions which can improve the browsing experience of users and help web servers track visitors.


Many international or multilingual websites use cookies to set language and location preferences, so the user does not need to specify their preference every time they visit the site. Sites like My Yahoo! also use cookies to store information such as the widgets, articles, and elements a user wishes to view when they visit their personalized Yahoo homepage. A cookie may also store the viewing preferences of the user such as the appearance of a website or how many search results to return to the page.

Session Management

Most websites that sell products use cookies to keep track of a user’s activity during each shopping session. Each session is usually given a cookie with a unique session ID. This allows websites such as Amazon to display to the user information such as recently visited products as well as how many items are in the current cart and their subtotal, while the user continues to shop.

Cookies are also used frequently for websites that require the user to log in with a username and password before accessing all features of the site. A cookie placed on the user’s computer will allow the website to customize content and sometimes automatically input the user’s log in information when the user next returns to the site.


Cookies are often used to track an Internet user’s activity. Every time a user visits a website, the site’s server checks their machine to see if a cookie exists. If none exists, one is created and they are counted as a first-time visitor. If one does exist, they are counted as a repeat visitor. This allows websites to keep an accurate count of their traffic.

How do cookies affect privacy?

There are common misconceptions about what cookies can and cannot do. However, just because they may not be capable of the more malicious things they are accused of doesn’t mean that they are harmless.

Cookies cannot:

  • Install viruses on a computer
  • Increase the amount of pop-ups a computer experiences
  • Increase the amount of spam received
  • Erase or read files from the user’s computer

Cookies can perform actions that are questionable invasions of privacy.

When visiting a website, usually if the site makes use of web-advertising, a third-party cookie may be placed on the user’s computer. The web advertiser that created that cookie can then track the user’s activity as they visit other websites on which the advertiser places content, creating a unique profile of the user’s browsing preferences. This allows advertisers to display ad content based on the user’s profile. Many web users are concerned that their internet activity may be tracked and recorded by third parties without their even being aware of such activity. Furthermore, personal information may be stored in a cookie if the user first inputs such information into a web form on a site. With the use of third-party cookies, personal information may be shared with other parties, all without the user’s consent or knowledge.

A new type of cookie called a Flash Cookie may not be deleted when a user deletes their cookie files. These cookies make use of the capabilities in the Adobe Flash plug-in installed on most web browsers and are not stored with other cookie files. Flash Cookies may even replace the cookie files that have been deleted with new ones. Most websites do not even mention the use of such technology in their privacy policies or provide users with a way to opt out of the service, violating the Fair Information Practice Principles.

Web users should also be aware of the potential for cookie tampering. Session cookies may often include sensitive information that has been input by the user into a web form. Such cookies are necessary for carrying out particular types of transactions. However, while login cookies may make use of encryption technology, many session cookies do not, leaving personally identifiable information vulnerable to hijacking.

Managing Cookies as a Web User

A web user concerned about their privacy has a few options.

Manage your Browser Preferences– All web browsers offer several different options for the management of cookies. These include options to automatically accept or reject all cookies, an option to reject cookies from specific websites, and an option to reject third-party cookies. Be aware that many sites require the use of cookies to function properly.

Opt-out of third-party cookies– Many advertisers offer an opt-out option by allowing users to download an opt-out cookie. However, there are several major advertisers for which cookies may have to be downloaded to prevent tracking activities. If a user makes use of multiple browsers, the process must be completed for each one.

Managing Cookies and Privacy Preferences as a Website Owner

As a website owner that makes use of cookies, there are several things to do in order to maintain client trust and follow the fair information practice principles.

State use of cookies in the privacy policy– Privacy policies deal with the Fair Information Practice Principle of Notice, which requires that data subjects be informed what, how, and why information is collected about them, and how it might be shared. Any sharing of information with third-parties and the use of third-party cookies should be disclosed in the privacy policy.

Allow users to opt-out of third-party cookies– The Fair Information Practice Principle of Consent deals with a user’s right to decide how and where their information is used. Providing an opt-out option complies with this principle.

Encryption–Use encryption technology for all cookies, which includes session cookies. This prevents a user’s sensitive information from unauthorized access by hijackers. As the collector and maintainer of an individual’s personal data, an entity is responsible for the protection of their information.
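An added example (not from the original post) of how a website owner could audit the cookies their pages set: it parses Set-Cookie headers and reports each cookie as session or persistent, first- or third-party, and whether it carries the Secure attribute, which restricts the cookie to encrypted HTTPS connections. The host names, cookie values and function names are constructed for illustration, and the party check is a simplified host-suffix comparison.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header, page_host, response_host, now):
    """Classify a cookie by lifetime, by party, and by the Secure attribute."""
    name, _, attrs = parse_set_cookie(header)
    persistent = False                      # no expiry: session cookie
    if "max-age" in attrs:                  # Max-Age takes precedence over Expires
        persistent = int(attrs["max-age"]) > 0
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        persistent = expires > now
    # Simplification: compare host names by suffix; browsers use the
    # registrable domain (public suffix list) instead.
    domain = (attrs.get("domain") or response_host).lstrip(".").lower()
    page = page_host.lower()
    first_party = page == domain or page.endswith("." + domain)
    return {
        "name": name,
        "lifetime": "persistent" if persistent else "session",
        "party": "first" if first_party else "third",
        "secure": "secure" in attrs,        # sent over HTTPS only
    }

# Constructed sample responses seen while loading a page on www.shop.example.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLES = [
    ("www.shop.example", "cart=ABC123; Path=/; Secure; HttpOnly"),
    ("www.shop.example", "lang=en; Domain=shop.example; Max-Age=31536000"),
    ("ads.tracker.example", "uid=9f3c; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
]

def audit_samples():
    return [audit_cookie(h, "www.shop.example", host, NOW) for host, h in SAMPLES]

if __name__ == "__main__":
    for row in audit_samples():
        print(row)
```

Cookies reported as third-party are the ones to disclose in the privacy policy, and any cookie reported with `secure` false can travel over an unencrypted connection.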

In Conclusion

Cookies have become an essential part of web browsing. While the reasons behind the use of the cookie (user preferences, session management, maintaining accurate web traffic records) are not inherently problematic in terms of privacy, the ability of a cookie to track user activity can be considered invasive. Making sure users are aware of the use of first and third party cookies as well as providing options for managing and opting out of such cookies puts some of the control back in the consumer’s hands. Web users should be continually aware of how and where their information is being used and take preventive measures to avoid any unnecessary disclosures.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

  • Online Privacy:  “Online identification Mechanisms” (Foundations: III.B.g.i)
