Updated: Nov 18th 2020

When a user visits a website, a small packet of information is sent from the website to be stored on their computer. These packets of information are known as cookies and can be used to help business owners keep track of the user’s behavior on the site. For example, if a user places an item in their shopping cart, cookies enable the item to stay in the cart even if the user clicks off the page. Cookies can also be used to keep a record of a user’s most recent visit or to record login information, so users don’t need to re-enter their password every time they visit the site. While “cookies” is used as a catch-all term, there are different types of cookies that perform different tasks and pose varying levels of security risk.

Session Cookies

Session cookies are used to track a user’s behavior only when they actively navigate the website. Once they leave the site, the session cookie disappears. As a result, these cookies pose a lower security risk than more long-term cookies. Typically, session cookies are used to power e-commerce shopping carts and to control webpage elements during a user’s multi-page visit.

Persistent Cookies

Persistent cookies are longer-lived cookies that are tagged with an expiration date. These cookies remain stored in a user’s browser even after they exit the site and are reused whenever the user returns to the site. These cookies can also be used to track users’ online behavior beyond the site that issued the cookie, as long as the other site embeds a resource served by the original site. For example, clicking on an ad will enable the original cookie to track the user when they visit the ad’s site. This is the method that Google and Facebook use to create comprehensive logs of user behavior. Another example of a persistent cookie is the “remember me” option on most sites. The cookie enables the website to remember the user’s login information every time they visit the site.

First-Party vs. Third-Party Cookies

First-party cookies are those created by the site the user visits. This includes session and persistent cookies, such as those remembering user login information. In contrast, third-party cookies are those added by a domain from outside the site, such as an ad. The most common use of third-party cookies is tracking users who click on advertisements and associating them with the referring website. While third-party cookies are an omnipresent part of the modern internet and necessary to a degree, they also pose the highest security risk.
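To make the session/persistent/third-party distinctions above concrete, here is an added example (not code from the original article) that builds the two first-party cookie types with the standard library and classifies arbitrary Set-Cookie headers, including a constructed third-party tracking cookie. Cookie names, values and the ad-network header are invented for illustration.

```python
# Added example (not part of the original article): building and classifying the
# cookie types the text describes. Names and values below are constructed.
from http.cookies import SimpleCookie


def build_set_cookie(name, value, persist_days=None, cross_site=False):
    """Return a Set-Cookie header value.

    persist_days=None -> session cookie: no Expires/Max-Age, so the browser discards it
    persist_days=N    -> persistent cookie the browser keeps for N days
    cross_site=True   -> SameSite=None, which a cookie needs in order to be sent from a
                         third-party context (an embedded ad or pixel); otherwise Lax
    """
    jar = SimpleCookie()
    jar[name] = value
    m = jar[name]
    m["path"] = "/"
    m["secure"] = True        # only ever sent over HTTPS
    m["httponly"] = True      # not readable by page scripts
    m["samesite"] = "None" if cross_site else "Lax"
    if persist_days is not None:
        m["max-age"] = persist_days * 86400
    return m.OutputString()


def classify_set_cookie(header):
    """Parse a Set-Cookie header and report its lifetime and cross-site capability."""
    jar = SimpleCookie()
    jar.load(header)
    name, m = next(iter(jar.items()))
    persistent = bool(m["expires"]) or bool(m["max-age"])
    return {
        "name": name,
        "kind": "persistent" if persistent else "session",
        "third_party_capable": str(m["samesite"]).lower() == "none",
        "secure": bool(m["secure"]),
        "httponly": bool(m["httponly"]),
    }


# Constructed headers: a shop's cart cookie, its "remember me" cookie,
# and a tracking cookie an embedded ad network would set.
SAMPLE_HEADERS = [
    build_set_cookie("cart", "c0ffee"),                         # session, first-party
    build_set_cookie("remember_me", "tok_1", persist_days=30),  # persistent, first-party
    "uid=ad42; Path=/; Expires=Sun, 01 Jan 2034 00:00:00 GMT; Secure; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_set_cookie(h))
```

Running it shows the cart cookie as a session cookie, the remember-me cookie as persistent but confined to first-party requests by SameSite=Lax, and the ad-network cookie as persistent and eligible to ride along in third-party contexts.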

Cookie Consent Platform

Because cookies can contain personal information, some users are uncomfortable with their behavior being tracked online. As a result, rules and regulations have been established over the past few years to require more transparency about the use of cookies. The largest of these regulations is the General Data Protection Regulation (GDPR), a regulation in EU law that addresses the transfer of personal data outside EU areas. There are also Federal Trade Commission (FTC) requirements for third-party cookies and privacy policy requirements in several countries, including the United States, the UK, Australia, and the EU. Basically, to stay in compliance you must abide by the following guidelines:

  • If you are targeting EU consumers, you must notify them that your site uses cookies.
  • If you allow paid advertisements or affiliate links on your site, you must disclose this information.
  • If you track user activity or collect user data, you must provide a comprehensive privacy policy explaining how the data is gathered and used.

There are a few tools available to set up cookie consent platforms, such as Cookiefirst and Osano, which is open source. Tools like these ensure that you stay on the right side of the law regarding your cookie usage inside and outside the US. You can also use services such as Rocket Lawyer to create free customized privacy policies for your site.