Every cookie dropped on a user's device comes with a built-in expiration date. This single timestamp dictates whether a user stays logged in, how long an abandoned shopping cart survives, and when a privacy-conscious browser steps in to delete the tracking data.
Understanding cookie duration requires balancing technical capability with legal compliance. Privacy regulations across Europe and beyond strictly limit how long you can hold onto user data. At the same time, major web browsers are actively rewriting the rules by overriding your chosen lifespans. Website owners who ignore these limits face inaccurate analytics data, broken user experiences, and substantial regulatory fines.
The technical lifespan of a tracker depends on whether it is a session cookie or a persistent cookie. Identifying the difference is the first step in auditing your site's data collection behaviour.
Session vs. Persistent Cookies
Session cookies exist only in temporary memory while the user navigates your website. Web browsers automatically delete them the moment the user closes the window or quits the application. These trackers never contain an explicit expiration date in their underlying code. They handle immediate, essential tasks like keeping a user authenticated as they move between pages or remembering the items added to an e-commerce basket.
Because they disappear so quickly, regulators generally view session cookies as low-risk for user privacy.
Persistent cookies operate entirely differently. They remain on disk until they reach a specific expiration date coded by the developer, or until the user manually clears their browser data.
A persistent cookie might remember a language preference for your next visit, or it might track your browsing behaviour across multiple websites for targeted advertising. You can spot them by looking at the Set-Cookie HTTP response header, which will contain a Max-Age or Expires attribute. Without these limits, a persistent cookie could theoretically track a user forever. This exact privacy threat prompted lawmakers to intervene with strict duration caps.
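As an added example (not code from the original article or from Kukie.io), the Node.js script below parses Set-Cookie headers, separates session cookies from persistent ones, and works out the lifetime a browser would apply, honouring the rule that Max-Age takes precedence over Expires when both appear. The sample headers, the `_tracker` cookie name and the fixed clock used to make the Expires arithmetic reproducible are all constructed for the demo.

```javascript
const SECONDS_PER_DAY = 86400;

// Parse one Set-Cookie header value into its name, value and attribute map.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const value = eq === -1 ? '' : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const raw of attrs) {
    if (!raw.trim()) continue;
    const [key, ...rest] = raw.split('=');
    attributes[key.trim().toLowerCase()] = rest.length ? rest.join('=').trim() : true;
  }
  return { name, value, attributes };
}

// Work out the lifetime in seconds. Max-Age takes precedence over Expires
// when both are present (RFC 6265 section 5.3); neither attribute means the
// browser treats it as a session cookie. `now` is injectable so the Expires
// arithmetic is reproducible.
function cookieLifetime(header, now = new Date()) {
  const { name, attributes } = parseSetCookie(header);
  let lifetimeSeconds = null;
  const maxAge = attributes['max-age'];
  if (typeof maxAge === 'string' && /^-?\d+$/.test(maxAge)) {
    lifetimeSeconds = Number(maxAge);
  } else if (typeof attributes.expires === 'string') {
    const expires = new Date(attributes.expires);
    if (!Number.isNaN(expires.getTime())) {
      lifetimeSeconds = Math.round((expires.getTime() - now.getTime()) / 1000);
    }
  }
  return {
    name,
    kind: lifetimeSeconds === null ? 'session' : 'persistent',
    lifetimeSeconds,
    lifetimeDays: lifetimeSeconds === null ? null : lifetimeSeconds / SECONDS_PER_DAY,
  };
}

// Constructed sample headers for the demo (not captured from any real site).
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'lang=en-GB; Max-Age=15552000; Path=/',
  '_tracker=xyz; Expires=Thu, 01 Jan 2099 00:00:00 GMT; Path=/; SameSite=None; Secure',
  'ab=1; Max-Age=60; Expires=Thu, 01 Jan 2099 00:00:00 GMT',
];

// Classify a batch of headers, as an audit script would for each response.
function classifyHeaders(headers, now = new Date()) {
  return headers.map((h) => cookieLifetime(h, now));
}

for (const c of classifyHeaders(SAMPLE_HEADERS)) {
  const span = c.lifetimeDays === null ? '' : ` (${c.lifetimeDays.toFixed(1)} days)`;
  console.log(`${c.name}: ${c.kind}${span}`);
}
```

Pointing `classifyHeaders` at the `set-cookie` values from a real response (for example the array returned by `response.headers.raw()['set-cookie']` in a fetch-style client) gives you the per-cookie lifetime table that the audit in the later sections of this article asks for.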
What Privacy Laws Say About Cookie Duration
The cookie categories on your site dictate how long you can legally store them. The ePrivacy Directive, the General Data Protection Regulation (GDPR), and the CCPA work together to enforce the principle of data minimisation.
Article 5 of the GDPR states that personal data must be kept for no longer than is strictly necessary for the purposes of processing. This means you cannot set a Google Analytics cookie to expire in 2099 just to capture returning visitor data indefinitely. Most European Data Protection Authorities (DPAs) interpret this storage limitation strictly. They require website owners to set proportionate lifespans based on the specific function of each tracker.
Setting an excessive duration invalidates the original user consent.
The French regulator, CNIL, provides some of the clearest guidance on acceptable lifespans. They explicitly recommend limiting cookie duration to a maximum of 13 months.
According to the CNIL guidelines, you must ask users to renew their consent at least every 13 months. The regulator actively enforces these rules. In recent years, the CNIL has issued hundreds of corrective measures and millions in fines to companies like Doctissimo and Criteo for failing to respect consent requirements and data retention limits. This storage limitation principle is mirrored in global frameworks, including Brazil's LGPD.
If a user rejects tracking, you must respect that choice. The CNIL explicitly recommends remembering a user's refusal for at least six months.
How Browsers Are Forcing Shorter Cookie Lifespans
Even if privacy laws permit a 13-month lifespan, web browsers are aggressively overriding these settings. Apple and Google now enforce hard technical limits on how long trackers can survive on a user device.
Apple's Safari browser uses Intelligent Tracking Prevention (ITP) to block cross-site tracking. Since 2019, ITP caps the lifespan of all first-party cookies created via JavaScript's document.cookie to a maximum of 7 days. If Safari detects tracking parameters in the URL - a technique known as link decoration - it slashes that duration to just 24 hours. This severely impacts affiliate marketers and analytics platforms that rely on long-term browser memory to attribute conversions.
Safari will even delete server-side cookies after 7 days if the IP address of the tracking server does not perfectly match the main website.
Google Chrome takes a broader but slightly more generous approach. Since version 104, Chrome caps the maximum lifespan of all cookies at 400 days.
If a developer tries to set an expiration date further in the future, Chrome simply rewrites it to 400 days from the moment it was set. Firefox is also considering adopting this 400-day limit to align with draft HTTP specifications. Microsoft Edge offers Tracking Prevention features that also limit the effectiveness of long-lasting third-party trackers. These browser-level interventions prove that relying solely on client-side storage for long-term user identification is no longer a viable technical strategy.
| Browser | Cookie Duration Limit | Enforcement Mechanism |
|---|---|---|
| Apple Safari | 7 days (or 24 hours) | Intelligent Tracking Prevention (ITP) caps JavaScript and some server cookies. |
| Google Chrome | 400 days | Hard cap on all cookies since Chrome version 104. |
| Mozilla Firefox | Varies (likely 400 days soon) | Currently reviewing draft HTTP specifications for maximum limits. |
Balancing Analytics and User Privacy
Shortened lifespans cause major headaches for marketers relying on Google Analytics 4 or similar platforms. When a Safari user returns to your site after eight days, they appear as a completely new visitor.
This artificial fragmentation inflates your unique user counts and destroys your ability to track multi-touch attribution over long sales cycles. Some developers attempt to bypass these limits by using complex server-side tracking setups or storing identifiers in localStorage. Browser engines quickly close these loopholes. Safari's ITP deletes all non-cookie data from a website after 7 days if the referring domain is classified as a cross-site tracker.
The only sustainable solution is to respect the user's privacy choices and adapt your reporting to shorter attribution windows.
You must ensure your consent management platform clearly communicates these retention periods to your visitors. Transparency builds trust and keeps you out of the crosshairs of data protection authorities.
Best Practices for Setting Expiry Dates
Auditing your data retention settings requires a systematic approach. You should review every tracker currently active on your domain and justify its lifespan. If a tracker processes personal data, tie its duration directly to the business purpose you declared when collecting consent. Pay special attention to third-party marketing tags, as these frequently attempt to set excessively long retention periods by default.
Functional cookies that remember language preferences or regional settings can generally last for several months, as users expect this convenience. Marketing trackers should have much shorter lifespans, typically between 3 and 6 months.
Reviewing your technical configuration is just as critical. Check your cookie definitions for Max-Age attributes and ensure they match your publicly stated privacy policy. Run regular compliance checks to catch third-party scripts that inject trackers with infinite lifespans. If you operate in Europe, configure your systems to automatically clear user data and prompt for consent renewal after 12 or 13 months.
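The check above (Max-Age attributes must match the published policy) and the Chrome rewrite described earlier can both be enforced in code. The Node.js module below is an added example, not the article's or any vendor's code: it takes every Max-Age from a declared retention table so a server cannot emit a header that diverges from the privacy policy, refuses to load a policy entry longer than the 13-month CNIL ceiling, withholds non-essential cookies until consent is given, remembers a refusal for six months, and models the 400-day clamp Chrome applies. The category names, the 30-day month approximation and the durations in the table are assumptions chosen for the demo.

```javascript
const DAY = 86400;
const MONTH = 30 * DAY;                // calendar approximation for policy arithmetic (assumption)
const CNIL_MAX_LIFETIME = 13 * MONTH;  // consent renewal ceiling from the CNIL guidance
const CHROME_MAX_LIFETIME = 400 * DAY; // Chrome 104+ rewrites anything longer than this

// Declared retention policy, one entry per cookie category. maxAge null means
// a session cookie (no Max-Age attribute). Category names and durations are
// illustrative assumptions for this example, not legal advice.
const RETENTION_POLICY = {
  essential:       { maxAge: null,      requiresConsent: false, httpOnly: true },
  functional:      { maxAge: 6 * MONTH, requiresConsent: true,  httpOnly: false },
  marketing:       { maxAge: 3 * MONTH, requiresConsent: true,  httpOnly: false },
  consent_refusal: { maxAge: 6 * MONTH, requiresConsent: false, httpOnly: false },
};

// Fail fast on a policy entry that exceeds the 13-month ceiling instead of
// discovering it during a regulator's audit. Returns a list of problems.
function validatePolicy(policy) {
  const problems = [];
  for (const [category, rule] of Object.entries(policy)) {
    if (rule.maxAge !== null && rule.maxAge > CNIL_MAX_LIFETIME) {
      problems.push(`${category}: ${rule.maxAge / DAY} days exceeds the 13-month limit`);
    }
  }
  return problems;
}

// Build a Set-Cookie header whose Max-Age comes from the policy, never from
// the caller. Categories that need consent are skipped (null) until it is given.
function buildSetCookie(name, value, category, { consented = false, policy = RETENTION_POLICY } = {}) {
  const rule = policy[category];
  if (!rule) throw new Error(`unknown cookie category: ${category}`);
  if (rule.requiresConsent && !consented) return null;
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure', 'SameSite=Lax'];
  if (rule.httpOnly) parts.push('HttpOnly');
  if (rule.maxAge !== null) parts.push(`Max-Age=${rule.maxAge}`);
  return parts.join('; ');
}

// What a 400-day-capping browser actually stores for a requested Max-Age.
function chromeEffectiveMaxAge(requestedSeconds) {
  return Math.min(requestedSeconds, CHROME_MAX_LIFETIME);
}

// Demo: the policy passes validation, a refusal is remembered for six months,
// and a two-year Max-Age would be clamped by Chrome regardless of what we send.
console.log(validatePolicy(RETENTION_POLICY));                    // []
console.log(buildSetCookie('sid', 'abc123', 'essential'));        // session cookie, no Max-Age
console.log(buildSetCookie('lang', 'en-GB', 'functional'));       // null until consent
console.log(buildSetCookie('consent', 'denied', 'consent_refusal'));
console.log(chromeEffectiveMaxAge(2 * 365 * DAY) / DAY);          // 400
```

Running `validatePolicy` at application start-up turns the retention table into a deployment gate: a marketing tag configured for two years fails before any user sees it, and the only place a duration can be changed is the same table the cookie policy page is generated from.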
Frequently Asked Questions
How long does a session cookie last?
A session cookie lasts only until the user closes their web browser or quits the application. It is stored in temporary memory and does not contain a specific expiration date.
What is the maximum cookie duration under GDPR?
The GDPR does not state a specific maximum duration, but requires data to be kept no longer than necessary. European regulators, like the French CNIL, recommend a maximum lifespan of 13 months before requiring consent renewal.
Why do Safari cookies expire after 7 days?
Apple Safari uses Intelligent Tracking Prevention (ITP) to limit cross-site tracking. ITP automatically caps the lifespan of first-party cookies set via JavaScript to 7 days, or 24 hours if tracking parameters are present.
Does a consent banner need to state cookie lifespans?
Yes. Privacy regulations require you to inform users about how long their data will be stored. Your cookie policy should list the exact duration for every tracker used on your website.
Can I set a cookie to never expire?
No. Browsers will override cookies without expiration limits. Chrome enforces a hard 400-day limit, and privacy laws prohibit retaining user data indefinitely.
Take Control of Your Cookie Compliance
If you are struggling to map the lifespans of third-party trackers on your site, start a technical audit on our free plan. Kukie.io detects, categorises, and helps you document the exact duration of every script so you remain compliant with global privacy laws.