For a simple definition: Website cookies or HTTP cookies are small pieces of information that are stored on a user’s computer while they’re surfing the Web.
The simplest comparison is a cloakroom number tag. By itself, it has almost no value, but by presenting it, you can get your coat back. So, it obtains value only at the moment when you turn it in: The number helps the cloakroom attendant “recognize” you as the owner of a particular item.
Following the analogy, a cookie is a piece of data that a web server supplies to a browser in response to a request for a resource; the browser stores it temporarily and returns it to the server on subsequent visits.
How cookies work
The principle of operation is quite simple. When you visit a site, the server sends you not only the page’s data but also HTTP response headers. Those headers contain cookie information, which is saved as files on your computer, usually in the working files of the browser itself. As you browse the site, the file is supplemented with information about your visit. If you revisit the site, your browser sends the cookie to the server via HTTP request headers so that the site “recognizes” you. Well, not always you, but rather your browsing preferences, such as the language and the light or dark mode of the site you prefer to see.
Cookie Types by Expiration
All cookies can be divided into several main groups:
Session cookies. Stored for one session and automatically deleted after the browser is closed.
Permanent cookies. They remain on your computer even after you restart your browser. They can be removed manually through the settings.
Zombie cookies. These are hard-to-delete files that may be stored in other storage locations associated with the browser. For example, cookies can be hidden in HTTP ETag, IndexedDB, Microsoft Silverlight, or Java APIs. The best way to protect your computer against such files is to only use an HTTPS connection. These files are considered forbidden, and many search engines block sites that try to download zombie cookies to your computer.
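The header exchange from "How cookies work" and the session/permanent split above, as an added example that is not part of the original article: a minimal cookie jar that parses `Set-Cookie` response headers, classifies each cookie by lifetime, and builds the `Cookie` request header for the next visit. The sample headers and all function names are constructed for illustration.

```javascript
// Constructed sample Set-Cookie response headers (not captured from a real site).
const SAMPLE_SET_COOKIE = [
  "lang=en; Path=/",
  "theme=dark; Path=/; Max-Age=2592000",
  "visitor_id=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
  "old_promo=1; Path=/; Max-Age=0",
];

// Split one Set-Cookie value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? "" : a.slice(i + 1);
  }
  return cookie;
}

// Return "session", "permanent" or "expired". Max-Age wins over Expires (RFC 6265).
function lifetime(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge))
    return Number(maxAge) > 0 ? "permanent" : "expired";
  const when = expires === undefined ? NaN : Date.parse(expires);
  if (Number.isNaN(when)) return "session"; // no usable expiry: lives until browser closes
  return when > now ? "permanent" : "expired";
}

// Minimal cookie jar: apply response headers, dropping cookies the server expired.
function storeCookies(jar, headers, now) {
  for (const h of headers) {
    const c = parseSetCookie(h), kind = lifetime(c, now);
    if (kind === "expired") jar.delete(c.name);
    else jar.set(c.name, { value: c.value, kind });
  }
  return jar;
}

// Closing the browser discards session cookies; permanent ones survive.
function closeBrowser(jar) {
  return new Map([...jar].filter(([, c]) => c.kind === "permanent"));
}

// Build the Cookie request header sent back on the next visit.
function cookieHeader(jar) {
  return [...jar].map(([name, c]) => `${name}=${c.value}`).join("; ");
}
```

A cookie sent with `Max-Age=0` or a past `Expires` date is how a server deletes a cookie it set earlier, which is why the jar removes it instead of storing it.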
Cookie Types by Function
There are four main types of cookies:
Strictly necessary. Without them, the site will not display correctly in the browser. These cookies include files that are used to remember information from data entry forms and items in the shopping cart. This also includes technical data storage files for audio and video files and information about the selected language and font. Additionally, they may include authentication cookies. For example, WordPress authenticates users using cookies; if you remove such cookies, you will be logged out and kicked out of the WP admin dashboard.
Preference cookies. These files allow a site to remember information that changes its appearance, such as the user’s language or region.
Statistical cookies. These files help the owners of websites to understand how visitors interact with the website. They allow them to collect aggregated depersonalized information for all users.
Marketing cookies. These files are used to track visitors’ itineraries. With their help, the advertiser can learn about the user’s preferences and show him or her the most relevant ads.
Anonymous vs non-anonymous
In the case of respectable websites, the majority of data stored in cookies is anonymous information, that is, information that can’t be traced back to an individual. In some cases, a website needs to record your preferences, and then the cookies record non-anonymous information. And in other cases, anonymous cookies may be identifying cookies: the cookie’s value is in the form of an ID, so the next time you visit the site, it will understand that you are the same person, yet you will remain anonymous to that site. But if the site can trace you back to your email via cookies, the cookie is not anonymous.
First vs Third-Party Cookies
There are two main ways to set cookies, first-party and third-party. The former means cookies set by the site you’re visiting. The latter means cookies set by another domain, not the one you’re currently visiting. Third-party cookies belong to third-party domains. For example, if the site has an advertising banner with a different domain, then the browser, in addition to the main cookies, will also send files from a third-party site. They may help evaluate the effectiveness of advertising. Third-party cookies are very often tracking cookies because they monitor your behavior to show you more relevant ads.
Say you search up a particular smartwatch on Amazon. Then, you go to another site and see an Amazon advertisement for the same exact product. If you aren’t on an Amazon-owned site, it’s very possible that this advertisement was triggered by third-party cookie data.
You may safely block third-party cookies if you don’t care for targeted ads.
Cookie laws (US, EU)
It is impossible to completely prohibit sites from using cookies since they allow site owners or managers to identify users. But how the information these files collect is handled can be regulated at the legislative level in order to eliminate the risk of data leakage.
In Europe, there’s a ban on pre-filled checkboxes for all categories of cookies except those strictly necessary. The company must obtain the user’s consent to process each individual type of cookie. In the EU, site visitors can also opt out of using cookies altogether, and the user must have access to the consent and refusal buttons.
In the United States, there is no single law that regulates the processing of personal data in all states. There is such a law in California, Virginia, and Colorado. However, it is only in California that cookies are explicitly identified in the text. The document says that cookies are a “unique identifier” along with web beacons, pixels, and other similar technologies.
Also, the United States has passed a federal law that protects the privacy of children on the Internet. It applies to children under the age of 13. According to the document, personal data includes persistent identifiers that can be used to recognize a user over time on different websites. A cookie file is an example of such an identifier.
Do not track
When you check the “Do Not Track” box in your browser settings, your browser adds an HTTP header to all your web traffic. This lets websites know that you don’t want them to track you: you don’t want to be tracked via cookies, be it for analytics or advertising, and you don’t want your browsing information to be shared with social networks.
Ideally, this would mean that you won’t receive browser cookies that allow ad retargeting or bulk data collection about your browsing habits. Unfortunately, as you may have guessed, this HTTP header could theoretically be ignored by the website. Nothing prevents an organization from tracking you, even after you ask not to.
Only a handful of websites, such as Medium, Twitter, Reddit, and Pinterest, respect “Do Not Track” these days. Many will ignore the request, and some will even show you privacy-related ads assuming they match your interests.
As a result, the tech world’s faith in “Do Not Track” is slowly waning.
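What honoring this header looks like on the server side, combined with the per-category consent rule from the cookie laws section, as an added example that is not part of the original article. The header is sent as `DNT: 1`; the cookie names, the consent object shape, and the policy that `DNT: 1` overrides consent for statistical and marketing cookies are assumptions made for illustration.

```javascript
// Hypothetical cookie inventory, tagged with the four functional categories.
const COOKIE_INVENTORY = [
  { name: "session_id", category: "necessary" },
  { name: "ui_lang", category: "preference" },
  { name: "stats_visitor", category: "statistical" },
  { name: "ad_profile", category: "marketing" },
];

// Read a request header case-insensitively from a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// Decide which cookie categories may be set for this request.
// consent: { preference, statistical, marketing } booleans; a missing key means "not granted".
function allowedCategories(headers, consent = {}) {
  const allowed = new Set(["necessary"]); // strictly necessary cookies need no consent
  const doNotTrack = getHeader(headers, "DNT") === "1";
  for (const cat of ["preference", "statistical", "marketing"]) {
    if (consent[cat] !== true) continue; // opt-in only, nothing pre-ticked
    if (doNotTrack && cat !== "preference") continue; // assumed policy: DNT vetoes tracking
    allowed.add(cat);
  }
  return allowed;
}

// Names of the cookies the server is allowed to send with this response.
function cookiesToSet(headers, consent) {
  const allowed = allowedCategories(headers, consent);
  return COOKIE_INVENTORY.filter((c) => allowed.has(c.category)).map((c) => c.name);
}
```

Nothing in HTTP enforces this check: a site that omits it sets every cookie regardless of the header, which is the weakness described above.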
Cookie banners began to appear after the ePrivacy directive, adopted by the European Union in 2009, came into force. The emergence of the GDPR and large fines for non-compliance exacerbated the situation: banners appeared on all sites operating in the European market.
But there’s an interesting nuance: According to the ePrivacy Directive and the GDPR, banners are completely optional.
The text of the GDPR specifically says nothing about banners. According to the law, the site is obliged to notify the user about collected cookies if they can be used to determine the identity of a person. You do not need to obtain the user’s consent if cookies are needed only to save session data, play video and audio content, balance load on the site, or operate third-party plugins allowing visitors to share content on social networks.
The ePrivacy Directive also obliges site owners to notify users about the cookies’ processing only if they are related to analytics and marketing campaigns. Notice, however, that there’s nothing about the form of these notifications.
If you use third-party services on your websites, such as Google Analytics or Google AdSense, they may also set up cookies on your site.
Per Chrome’s instructions, you can see all cookies of any website in your browser settings.
How to add cookies to a WP website
There are 2 ways to add cookies to your website. You could either:
- Use WordPress plugins. Plugins are an efficient alternative to lengthy JS code and essentially do the same job. Complianz is an all-in-one cookie creator, meaning it also offers banner customization. The top features to look for in cookie-creating plugins (all of them present in Complianz as well) are legal help (generating all required legal documents), consent management, and support for a wide range of regions.
Alternative plugins include CookieYes, iubenda (which includes an auto-configured scan to match your site’s specific cookie-related needs), and GDPR Cookie Compliance.
How to add a cookie banner
WordPress presents a good range of plugins for creating and customizing a cookie banner. As with cookie creator plugins, there is a leader among cookie banner plugins too: Cookie Notice has all the standard features of a cookie banner (customization, consent bar, etc.).
Other options include (in order) CookieYes, Complianz, Termly, and WP Cookie Notice for GDPR, CCPA & ePrivacy Consent.
Complianz has, as its top feature, a setup wizard for configuring the optimal compliance features for your site.