Every website you visit quietly exchanges tiny text files with your browser. These are cookies - small packets of data that a server sends along with a web page. Your browser stores them and sends them back on subsequent requests. The whole exchange is invisible to you, but it powers most of the features you take for granted: staying logged in, keeping items in a shopping cart, loading the right language.
HTTP, the protocol that delivers web pages, is stateless. Each request your browser makes is independent - the server has no built-in way to know whether you visited five seconds ago or five months ago. Cookies solve that problem by giving the server a way to leave a note on your device and read it back later.
What Happens When a Cookie Is Set
The process starts the moment your browser requests a page. The server responds with the page content and, tucked into the HTTP response headers, one or more Set-Cookie instructions. Each instruction contains a name-value pair - something like session_id=abc123 - along with rules about when and where the browser should send it back.
Your browser reads those instructions, saves the cookie, and attaches it to every future request that matches the cookie's domain and path rules. The server then reads the Cookie request header and knows who it is dealing with. A login session, a preferred currency, a half-filled cart - all of it rides on this mechanism.
Cookies can also be created by JavaScript running on the page, which is how many analytics cookies and advertising tags work. A script from a third-party service loads alongside the page, writes its own cookies, and reads them back the next time the script runs.
Session Cookies vs Persistent Cookies
Not every cookie behaves the same way. The two broadest categories are session cookies and persistent cookies, and the difference comes down to lifespan.
Session cookies exist only while your browser is open. Close the tab or quit the browser, and they vanish. They handle things that only matter during a single visit - keeping you authenticated as you move between pages, for instance, or remembering which items you just added to a basket. A typical session cookie has no explicit expiry date; the browser treats its absence as an instruction to delete the cookie when the session ends.
Persistent cookies stick around after you close the browser. They carry an expiry date or a maximum age, and the browser keeps the cookie until that point passes. A language preference cookie might last a year. A "remember me" login token might last 30 days. Browsers cap persistent cookie lifetimes at 400 days regardless of what the server requests.
| Feature | Session Cookie | Persistent Cookie |
|---|---|---|
| Lifespan | Deleted when browser closes | Survives browser restarts |
| Typical use | Login state, cart contents | Language, "remember me" |
| Expiry attribute | No Expires or Max-Age | Includes Expires or Max-Age |
| Maximum duration | Until session ends | Up to 400 days (browser limit) |
First-Party and Third-Party Cookies
The other important distinction is who sets the cookie. A first-party cookie comes from the domain you are actually visiting. If you are on example.com, a cookie set by example.com is first-party. These typically handle authentication, preferences, and basic site analytics.
A third-party cookie comes from a different domain - usually loaded through an embedded script, pixel, or iframe. When you visit a news site that loads an advertising script from adnetwork.com, that script can set a cookie under adnetwork.com. Because adnetwork.com appears on thousands of sites, it can track your browsing activity across all of them.
This distinction matters because browsers are increasingly restricting third-party cookies. Safari and Firefox already block them by default. Chrome has moved to a user-choice model where people can opt in or out through privacy settings, rather than blocking them outright. The practical result: roughly half of all web traffic already operates without third-party cookies.
Cookie Categories Website Owners Should Know
Privacy regulations and cookie banners group cookies into categories based on purpose. The exact naming varies between platforms, but the standard grouping looks like this:
Strictly necessary cookies are the only category exempt from consent requirements under most laws. They cover session management, authentication, load balancing, and security functions like CSRF protection. Without them, core site features break. Examples include PHPSESSID, __stripe_mid, and shopping cart identifiers.
Functional cookies remember choices a visitor has made - language, region, font size, whether they dismissed a notification. They improve the user experience but are not strictly required for the site to work. Under the ePrivacy Directive, most functional cookies still need consent: the visitor asked for a web page, not for a service that remembers preferences, so the strictly-necessary exemption does not apply.
Analytics cookies measure how visitors use a site: which pages get traffic, how long people stay, where they drop off. Google Analytics sets _ga and _ga_* cookies that persist for up to two years. Under GDPR, analytics cookies require prior consent in the EU because they process personal data.
Marketing cookies track visitors across websites to build interest profiles and serve targeted advertisements. The Meta Pixel (_fbp), Google Ads (_gcl_au), and LinkedIn Insight Tag all fall into this bucket. These almost always require explicit consent.
What the Law Says About Cookies
The legal framework for cookies rests on two main pillars in Europe: Article 5(3) of the ePrivacy Directive and the GDPR. The ePrivacy Directive requires informed consent before storing or accessing information on a user's device, unless the cookie is strictly necessary to provide a service the user explicitly requested. The GDPR defines what valid consent looks like: freely given, specific, informed, and unambiguous.
Pre-ticked boxes do not count. Scrolling past a banner does not count. Cookie walls that force acceptance before showing content are problematic because consent given under that condition is not freely given. The reject option must be as easy to reach as the accept option.
Enforcement has sharpened. France's CNIL fined SHEIN EUR 150 million in September 2025 for setting cookies before obtaining consent and using banners with inadequate explanations. The same month, CNIL fined Google EUR 325 million for displaying promotional ads in Gmail without prior consent. In the UK, the ICO reviewed the top 1,000 websites and reported that over 95% now meet its cookie compliance standards after a sustained enforcement push throughout 2025.
Outside Europe, the picture varies. The CCPA/CPRA in California follows an opt-out model - cookies can be set by default, but visitors must be able to opt out of the sale or sharing of their personal information. Brazil's LGPD requires opt-in consent in most cases. Canada's PIPEDA requires meaningful consent, and India's DPDPA will require registered Consent Managers by November 2026.
How Browsers Handle Cookies in 2026
Browser vendors have taken different approaches to cookie privacy, and the landscape looks fragmented.
Safari blocks all third-party cookies by default through Intelligent Tracking Prevention (ITP). It also caps first-party cookie expiry at seven days when the cookie is set via JavaScript rather than a server response. Firefox blocks third-party tracking cookies by default through Enhanced Tracking Protection. Both browsers have maintained these restrictions since 2020.
Chrome took a different path. After years of planning to deprecate third-party cookies entirely, Google reversed course in 2024 and adopted a user-choice model. Chrome now offers privacy settings where users can allow or block third-party cookies. In April 2025, Google confirmed it would not introduce a standalone prompt for this choice. The cookies remain active unless the user changes their settings.
For website owners, this means you cannot assume third-party cookies will reach every visitor. A significant share of your audience already operates without them.
A Quick Cookie Audit for Your Website
Most website owners have no idea how many cookies their site sets. A quick audit reveals surprises - analytics tools, chat widgets, embedded videos, social media plugins, and payment processors all drop their own cookies.
Open Chrome DevTools (F12), click the Application tab, and expand Cookies in the left sidebar. You will see every cookie grouped by domain. Note the name, expiry, and whether it is flagged as HttpOnly or Secure. Anything from a domain that is not yours is a third-party cookie.
For a more thorough scan, use a cookie scanner that crawls multiple pages and categorises each cookie automatically. This catches cookies that only appear on specific pages, such as checkout flows or forms with embedded widgets.
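The audit described above, together with the session-versus-persistent and first-versus-third-party distinctions from the earlier sections, as an added Python example that is not part of the original article and not Kukie.io's code. It parses a handful of constructed Set-Cookie headers the way a browser would (Max-Age wins over Expires, no expiry means a session cookie), applies the 400-day cap, decides first- or third-party relative to the page host, and flags the Secure, HttpOnly and SameSite attributes a practitioner checks while reading the DevTools cookie list. The SameSite checks go slightly beyond the text. The registrable-domain helper is an assumption for this example: it keeps the last two labels, whereas real browsers consult the Public Suffix List.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Browsers cap persistent cookie lifetimes at 400 days, as the article notes.
MAX_COOKIE_LIFETIME = timedelta(days=400)


@dataclass
class CookieReport:
    name: str
    value: str
    domain: str                  # host(s) the browser will send the cookie to
    persistent: bool             # True when Expires or Max-Age is present
    expires: Optional[datetime]  # None for a session cookie
    third_party: bool            # set for a different site than the page visited
    secure: bool
    http_only: bool
    same_site: str               # 'Lax', 'Strict', 'None' or '' when absent
    warnings: list[str] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels (assumption:
    real browsers use the Public Suffix List, needed for example.co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, page_host: str, now: datetime) -> CookieReport:
    """Parse one Set-Cookie header value as seen from a page on page_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # A Domain attribute widens the scope; without it the cookie is host-only.
    domain = attrs.get("domain", page_host).lstrip(".").lower()

    # Lifespan: Max-Age takes precedence over Expires; neither means session.
    expires: Optional[datetime] = None
    warnings: list[str] = []
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
    persistent = expires is not None
    if persistent and expires > now + MAX_COOKIE_LIFETIME:
        expires = now + MAX_COOKIE_LIFETIME
        warnings.append("lifetime exceeds 400 days; browsers will cap it")

    secure = "secure" in attrs
    http_only = "httponly" in attrs
    same_site = attrs.get("samesite", "").capitalize()
    if not secure:
        warnings.append("missing Secure; cookie can be sent over plain HTTP")
    if not same_site:
        warnings.append("no SameSite attribute; Chrome treats it as Lax by default")
    if same_site == "None" and not secure:
        warnings.append("SameSite=None without Secure; browsers reject this cookie")

    third_party = registrable_domain(domain) != registrable_domain(page_host)
    return CookieReport(name, value, domain, persistent, expires, third_party,
                        secure, http_only, same_site, warnings)


def audit(headers: list[str], page_host: str, now: Optional[datetime] = None) -> list[CookieReport]:
    """Classify every Set-Cookie header captured while loading page_host."""
    now = now or datetime.now(timezone.utc)
    return [parse_set_cookie(h, page_host, now) for h in headers]


# Constructed sample: headers a page on www.example.com might receive.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "lang=en; Max-Age=31536000; Path=/",
    "remember_me=tok; Expires=Fri, 01 Jan 2100 00:00:00 GMT; Secure; HttpOnly",
    "_ga=GA1.2.111; Domain=.example.com; Max-Age=63072000",
    "_fbp=fb.1.2; Domain=.adnetwork.com; Max-Age=7776000; SameSite=None",
]
PAGE_HOST = "www.example.com"
AUDIT_TIME = datetime(2026, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS, PAGE_HOST, AUDIT_TIME):
        kind = "persistent" if r.persistent else "session"
        party = "third-party" if r.third_party else "first-party"
        exp = r.expires.date().isoformat() if r.expires else "end of session"
        print(f"{r.name:12} {party:12} {kind:10} expires={exp} "
              f"secure={r.secure} httponly={r.http_only} samesite={r.same_site or '-'}")
        for w in r.warnings:
            print(f"{'':12} ! {w}")
```

Run it as a script to see the table; to audit a real site, replace `SAMPLE_HEADERS` with the Set-Cookie values copied from the Network tab in DevTools and `PAGE_HOST` with the host you loaded. Note that `_ga` with `Domain=.example.com` reports as first-party even though Google Analytics set it: the party is decided by the cookie's domain, not by who wrote the script, which is why the categorisation step in the text still has to look at purpose.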
What to Do With What You Find
Once you know which cookies your site sets, the next step is to make sure visitors can give or withhold consent before non-essential cookies fire. A consent management platform handles this by blocking scripts until the visitor makes a choice, recording that choice, and passing consent signals to tools like Google Consent Mode v2.
Document every cookie in a cookie policy that lists the cookie name, provider, purpose, category, and expiry. Keep it updated - any time you add a new tool or plugin, check what cookies it introduces.
Frequently Asked Questions
Do all cookies require consent?
No. Strictly necessary cookies - those essential for basic site functions like authentication and security - are exempt from consent requirements under the ePrivacy Directive. All other categories, including analytics and marketing cookies, require informed, prior consent in the EU and most other jurisdictions with opt-in rules.
Can cookies store personal data?
Yes. Cookies often contain identifiers like session IDs, user IDs, or device fingerprints that qualify as personal data under GDPR. Even a randomly generated string counts as personal data if it can be linked back to an individual, which is why analytics cookies fall under GDPR scope.
What happens if a visitor blocks all cookies?
The site will still load, but features that depend on cookies will break. The visitor will not stay logged in between pages, shopping carts will not persist, and preferences like language or currency will reset on every page load. Strictly necessary cookies generally cannot be blocked without making the site unusable.
How many cookies does a typical website set?
It depends on the site's complexity. A simple brochure site might set two or three cookies. A typical e-commerce site with analytics, advertising pixels, chat widgets, and social embeds often sets 20 to 50 cookies or more. Running a cookie scan is the only reliable way to find out.
Are first-party cookies safe and third-party cookies dangerous?
Not exactly. First-party cookies are generally lower risk because they only work within the site that set them. Third-party cookies can track visitors across multiple sites, which raises privacy concerns. But both types can contain personal data, and both are subject to privacy regulations depending on their purpose.
Keep Your Cookie Setup Compliant
If you are unsure what cookies your site sets, start with a scan. Kukie.io detects and categorises every cookie on your site, blocks non-essential scripts until consent is given, and keeps a consent log that regulators can inspect.