What Are Cookies?
Cookies are small text files that websites store in your browser. When you visit a website, the server can send a cookie along with the page content. Your browser saves this cookie and sends it back to the server with every subsequent request. This simple mechanism — store a value, send it back — is the foundation of almost every personalized web experience.
Understanding what cookies are, how they work, and what they are used for is the essential first step toward cookie compliance. You cannot regulate what you do not understand.
How Cookies Work Technically
At their core, cookies are key-value pairs. A cookie has a name, a value, and a set of attributes that control its behavior. When a web server wants to set a cookie, it includes a Set-Cookie header in its HTTP response:
Set-Cookie: session_id=abc123; Path=/; Expires=Tue, 16 Mar 2027 00:00:00 GMT; Secure; HttpOnly
This tells the browser: "Store a cookie named session_id with the value abc123. Send it with every request to any path on this domain. Keep it until March 2027. Only send it over HTTPS. And don't let JavaScript access it."
On every subsequent request to that domain, the browser automatically includes the cookie in the Cookie header:
Cookie: session_id=abc123
The server reads this value and knows who the request is coming from. That is the entire mechanism. Cookies are not programs. They cannot execute code, access your file system, or install anything. They are passive data — text strings that travel back and forth between browser and server.
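As an added example (not code from the original article), the following Python parses Set-Cookie values like the one above and reports what an audit would check: missing Secure or HttpOnly, how long the cookie persists, and whether it was set by a host other than the page being visited. The hosts, the second header and the 395-day threshold are constructed assumptions.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and lower-cased attributes.
    Flag attributes such as Secure and HttpOnly map to an empty string."""
    pair, *rest = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest if p)}
    return name.strip(), value.strip(), attrs

def lifetime_days(attrs, now):
    """Days until expiry, or None for a session cookie. Max-Age overrides Expires."""
    try:
        return int(attrs["max-age"]) / 86400
    except (KeyError, ValueError):
        pass  # absent or malformed Max-Age: fall back to Expires
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return None  # no usable Expires: the cookie ends with the browser session
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return (expires - now).total_seconds() / 86400

def audit(header, setter_host, page_host, now, max_days=395):
    """Return (name, findings) for a cookie set by setter_host while page_host is open."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable from JavaScript")
    days = lifetime_days(attrs, now)
    if days is not None and days > max_days:
        findings.append(f"persistent for {days:.0f} days")
    # Simplification: a real scanner compares registrable domains (Public Suffix List).
    if setter_host != page_host and not setter_host.endswith("." + page_host):
        findings.append("third-party: set by " + setter_host)
    return name, findings

# Constructed sample data; hosts and the 395-day threshold are assumptions.
NOW = datetime(2026, 3, 16, tzinfo=timezone.utc)
SAMPLES = [  # (Set-Cookie value, host that set it, host of the page being visited)
    ("session_id=abc123; Path=/; Expires=Tue, 16 Mar 2027 00:00:00 GMT; Secure; HttpOnly",
     "shop.example", "shop.example"),
    ("uid=7f3a; Max-Age=63072000; Path=/", "ads.example", "shop.example"),
]
```

Calling `audit(*SAMPLES[1], NOW)` reports four findings for the constructed `uid` cookie, while the `session_id` cookie modelled on the header above produces none.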
What Cookies Are Used For
Cookies serve four broad purposes on the modern web:
Authentication and Session Management
When you log into a website, the server creates a session and stores a unique session identifier in a cookie. Without this cookie, the server would have no way to know that your next page request comes from the same logged-in user. Every page load would feel like a first visit. Shopping carts, user accounts, admin dashboards — none of them work without session cookies.
User Preferences
Cookies remember your choices. Language preferences, theme settings (dark mode vs. light mode), currency selection, cookie consent choices themselves — these are all typically stored in cookies. When you return to a site and it already knows you prefer German, that knowledge lives in a cookie.
Analytics and Performance
Services like Google Analytics, Matomo, and Plausible use cookies to distinguish between unique visitors and returning visitors, to track which pages are viewed in a single session, and to measure how visitors navigate through a site. The analytics cookie does not usually contain personal information directly — it contains an anonymous identifier like _ga=GA1.2.123456789.1710000000.
Advertising and Tracking
This is where cookies become a privacy concern. Advertising networks use cookies to track users across multiple websites, building profiles of browsing behavior that enable targeted advertising. When you visit a news site and later see ads for a product you viewed on a different site, cross-site tracking cookies made that possible. These third-party cookies are the primary target of modern privacy regulation.
A Brief History of Cookies
Cookies were invented in 1994 by Lou Montulli, a programmer at Netscape Communications. The original purpose was humble: Netscape needed a way to implement a shopping cart for an e-commerce client without storing every user's cart contents on the server. Montulli adapted the concept of "magic cookies" from Unix computing — small tokens passed between programs to maintain state.
The first cookies were a practical engineering solution. But their potential for tracking was recognized quickly. By 1996, the Financial Times published the first mainstream article raising privacy concerns about cookies. By 2002, the EU had passed the ePrivacy Directive specifically addressing them.
Over the following two decades, cookies evolved from a simple session management tool into the backbone of the digital advertising industry — and the primary target of privacy legislation worldwide.
Why Cookies Are a Privacy Concern
The privacy issue with cookies is not about the technology itself. A cookie that remembers your language preference is harmless. The concern arises from three specific uses:
- Cross-site tracking. Third-party cookies allow advertising networks to follow users across the web, building detailed profiles of browsing behavior. A user who visits a medical information site, a political organization's site, and a dating site has revealed sensitive information — and all of it can be connected via cookies.
- Lack of transparency. Most users have no idea how many cookies are set when they visit a typical website. A single news site might set 50-100 cookies from dozens of different domains. The user sees one website; behind the scenes, dozens of companies are observing their visit.
- Persistence. Cookies can last for years. A tracking cookie set in 2024 can still be identifying the same user in 2026. This long-term tracking capability, combined with cross-site reach, creates a surveillance infrastructure that operates without most users' knowledge or meaningful consent.
These concerns are why the ePrivacy Directive (Article 5(3)) requires informed consent before placing non-essential cookies, and why the GDPR (Articles 4(11) and 7) sets strict conditions on what valid consent looks like.
Beyond Cookies: Other Tracking Technologies
Modern privacy regulation does not only cover cookies. The ePrivacy Directive refers to "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." This language deliberately covers any client-side storage mechanism, including:
- localStorage and sessionStorage — Web Storage APIs that let websites store larger amounts of data in the browser. Unlike cookies, this data is not automatically sent to the server, but it can still be used for tracking and requires consent under the same rules.
- IndexedDB — A more powerful client-side database. Same consent rules apply.
- Browser fingerprinting — Collecting device characteristics (screen resolution, installed fonts, browser plugins, timezone) to create a unique identifier without storing anything on the device. While fingerprinting does not use cookies, it is increasingly recognized as a tracking technology that requires consent. The French CNIL and several other DPAs have issued guidance confirming this.
- Tracking pixels — Tiny invisible images loaded from a third-party server. The request itself reveals the user's IP address, browser, and the page they are on. Tracking pixels often work in conjunction with cookies but can function independently.
- ETags and cache-based tracking — Techniques that exploit browser caching to store and retrieve identifiers. These are less common but demonstrate why regulation focuses on the outcome (tracking) rather than the specific technology.
The practical takeaway: if your website stores or accesses information on a user's device for non-essential purposes, or if it employs techniques to track users across sessions, consent is almost certainly required — regardless of whether the mechanism is technically a "cookie."
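As an added example (not code from the original article or from any scanner product), this Python audit reads a page's HTML and flags three of the non-cookie mechanisms listed above: third-party tracking pixels, third-party scripts, and use of localStorage, sessionStorage or IndexedDB in inline scripts. The sample page and its hosts are constructed, and third-party detection is simplified to an exact host comparison.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

STORAGE_API = re.compile(r"\b(localStorage|sessionStorage|indexedDB)\b")

class TrackerAudit(HTMLParser):
    """Flags third-party pixels and scripts, and storage API use in inline scripts."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings, self._inline = page_host, [], False

    def _third_party(self, url):
        host = urlparse(url or "").hostname  # None for relative URLs
        # Simplification: exact host match instead of registrable-domain comparison.
        return host if host and host != self.page_host else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = self._third_party(a.get("src"))
        if tag == "img" and host:
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.findings.append(("pixel", host))
        elif tag == "script":
            self._inline = not a.get("src")
            if host:
                self.findings.append(("third-party script", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline:  # only script bodies, never visible page text
            for api in sorted(set(STORAGE_API.findall(data))):
                self.findings.append(("storage", api))

def audit_html(html, page_host):
    parser = TrackerAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<img src="/img/logo.png" width="120" height="40">
<img src="https://t.ads.example/p.gif?page=home" width="1" height="1">
<script src="https://cdn.metrics.example/m.js"></script>
<script>localStorage.setItem("vid", crypto.randomUUID());</script>"""
```

A static pass like this cannot see what an external script does once it loads, and it does not detect fingerprinting or ETag-based tracking, which require observing the browser at run time.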
Passiro's cookie scanner detects all cookies and tracking technologies on your website, including localStorage usage, third-party scripts, and tracking pixels — giving you a complete picture of what your site collects.
Key Takeaways
- Cookies are small text files stored by the browser and sent back to the server with every request.
- They serve legitimate purposes (authentication, preferences) and privacy-sensitive purposes (analytics, advertising).
- Third-party tracking cookies are the primary concern of privacy regulation.
- Other technologies (localStorage, fingerprinting, pixels) are subject to the same consent requirements.
- Understanding what cookies your website uses is the first step toward compliance.
Next, let's look at the different types of cookies in detail — because the type determines the consent requirements.