What are Cookies?

For a simple definition: Website cookies or HTTP cookies are small pieces of information that are stored on a user’s computer while they’re surfing the Web.

Web servers and browsers typically use cookies to capture information for subsequent communications, which provides continuity and state across HTTP connections.

The simplest comparison is a cloakroom number tag. By itself, it has almost no value, but by presenting it, you can get your coat back. So, it obtains value only at the moment when you turn it in: The number helps the cloakroom attendant “recognize” you as the owner of a particular item. 

So, following the analogy, we can say cookies serve as a piece of data supplied by a web server to a browser, in response to a call for resource, for the browser to then store impermanently and return to the server on following visits.

How cookies work 

The principle of operation is quite simple. When you visit a site, the server sends you not only the page’s data, but also an HTTP response header. Those HTTP response headers contain cookie information, which is saved as files on your computer, usually in the working files of the browser itself. As you browse the site, the file is supplemented with information about your visit. If you revisit this site, your browser will send a cookie to the server via HTTP request headers so that the site “recognizes” you – Well, not always you, but rather your browsing preferences, the language, and the light or dark mode of the site you prefer to see. 

Cookie types by expiration 

All cookies can be divided into several main groups:

  • Session cookies. Stored for one session and automatically deleted after the browser is closed.
  • Permanent cookies. They remain on your computer even after you restart your browser. They can be removed manually through the settings.
  • Zombie cookies. These are hard-to-delete files that may be stored in other storages associated with the browser. For example, cookies can be hidden in HTTP ETag, IndexedDB, Microsoft Silverlight, or Java APIs. The best way to protect your computer against such files is to only use an HTTPS connection. These files are considered forbidden, many search engines block sites that try to download zombie cookies to your computer.

Cookie types by function 

  • There are four main types of cookies:

    Strictly necessary. Without them, the site will not display correctly in the browser. These cookies include files that are used to remember information from data entry forms and items in the shopping cart. This also includes technical data storage files for audio and video files and information about the selected language and font. Additionally, they may include authentication cookies, e.g. WordPress authenticates users using cookies, if you remove such cookies, you will be logged out and kicked out of the WP admin dashboard.
  • Preference cookies. These files allow a site to remember information that changes its appearance, such as the user’s language or region.
  • Statistical cookies. These files help the owners of websites to understand how visitors interact with the website. They allow them to collect aggregated depersonalized information for all users.
  • Marketing cookies. These files are used to track visitors’ itineraries. With their help, the advertiser can learn about the user’s preferences and show him or her the most relevant ads.

Anonymous vs non-anonymous 

In the case of respectable websites, the majority of data stored in the cookies record anonymous information, that is info that can’t trace back to an individual. In some cases, a website needs to record your preferences when the cookies record non-anonymous cookies. And in other cases, anonymous cookies may be identifying cookies. A cookie’s value is in the form of an ID. So the next time you visit the site, it would be understood that you are the same person, however, you will be anonymous to that site. But if they trace you back to your email via cookies, it indicates that it is not anonymous.

First vs third-party cookies

There are two main ways to set cookies, first-party and third-party. The former means cookies set by the site you’re visiting. The latter means cookies set by another domain, not the one you’re currently visiting. Third-party cookies belong to third-party domains. For example, if the site has an advertising banner with a different domain, then the browser, in addition to the main cookies, will also send files from a third-party site. They may help evaluate the effectiveness of advertising. Third-party cookies are very often tracking cookies because they monitor your behavior to show you more relevant ads. 

Say you search up a particular smartwatch on Amazon. Then, you go to another site and see an Amazon advertisement for the same exact product. If you aren’t on an Amazon-owned site, it’s very possible that this advertisement was triggered by third-party cookie data.

You may safely block third-party cookies, if you don’t care for targeted ads. 

Cookie laws (US, EU) 

It is impossible to completely prohibit sites from using cookies since they allow site owners or managers to identify users. But how exactly these files dispose of the information received can be regulated at the legislative level in order to eliminate the risk of data leakage.

European Union. The EU has the most developed legislation on the use of cookies, as well as the strictest requirements for the collected information. The EU’s General Data Protection Regulation (GDPR) states that an individual can be linked to online identifiers, such as cookies. Thus, cookies are considered personal data.

In Europe, there’s a ban on pre-filled checkboxes for all categories of cookies except those strictly necessary. The company must obtain the user’s consent to process each individual type of cookie. In the EU, site visitors can also opt-out of using cookies altogether, and the user must have access to the consent and refusal buttons.

The United States. In the United States, there is no single law that regulates the processing of personal data in all states. There is such a law in California, Virginia, and Colorado. However, it is only in California that cookies are explicitly identified in the text. The document says that cookies are a “unique identifier” along with web beacons, pixels, and other similar technologies.

Also, the United States has passed a federal law that protects the privacy of children on the Internet. It applies to children under the age of 13. According to the document, personal data includes persistent identifiers that can be used to recognize a user over time on different websites. A cookie file is an example of such an identifier.

Do not track 

When you check the “Do Not Track” box in your browser settings, your browser adds an HTTP header to all your web traffic. This lets websites know that you don’t want them to track you; You don’t want to be tracked via cookies be it for analytics or advertising and don’t want your browsing information to be shared with social networks.

Ideally, this would mean that you won’t receive browser cookies that allow ad retargeting or bulk data collection about your browsing habits. Unfortunately, as you may have guessed, this HTTP header could theoretically be ignored by the website. Nothing prevents an organization from tracking you, even after you ask not to.

Only a handful of websites, such as Medium, Twitter, Reddit, and Pinterest, respect “Do Not Track” these days. Many will ignore the request, and some will even show you privacy-related ads assuming they match your interests.

As a result, the tech world’s faith in “Do Not Track” is slowly waning.

Cookie banner 

Cookie banners began to appear after the ePrivacy directive, adopted by the European Union in 2009, came into force. The emergence of the GDPR and large fines for non-compliance exacerbated the situation: banners appeared on all sites operating in the European market.

But there’s an interesting nuance: According to the ePrivacy Directive and the GDPR, banners are completely optional.

The text of the GDPR specifically says nothing about banners. According to the law, the site is obliged to notify the user about collected cookies, if they can be used to determine the identity of a person. You may not obtain the user’s consent if cookies are needed only to save session data, play video and audio content, load balancing on the site, and operate third-party plugins allowing visitors to share content on social networks.

The ePrivacy Directive (PDF), also obliges site owners to notify users about the cookies’ processing only if they are related to analytics and marketing campaigns. Notice however that there’s nothing about the form of these notifications.

Why WordPress core uses cookies 

By default, WordPress uses cookies to manage login sessions and authentication. The CMS also uses cookies to remember the username and email address when a comment form is filled out.

Note that many WordPress plugins installed on your site can also set their own cookies. For example, the OptinMonster plugin allows a user to display different email forms for new users and returning visitors, and this is done through the use of cookies.

If you use third-party services on your websites, such as Google Analytics or Google AdSense, they may also set up cookies on your site.

As an instruction from Chrome, you can see all cookies of any website in your browser settings.

How to add cookies to a WordPress website?

There are 2 ways to add cookies to your website. You could either:

  • Custom coding them. With JavaScript codes on either the header or footer of your website. Your JS codes should include Cookie Name and Cookie value. Including an expiration date, as in the period of time after which the cookie expires, Path, Domain type, and Security measures are optional.
  • Using WordPress Plugins. An efficient alternative to lengthy JS codes are plugins that essentially do the same job. Complianz is all-in-one cookie creator, meaning it also offers banner customization. Top features you should look for in cookie creating plugins (these features are present in Complianz as well) are legal help ( generating all required legal documents), consent management, and support of a wide range of regions.

Alternative plugins include:CookieYes, iubenda (includes auto-configured scan to thus match your site’s specific cookie related needs) , and GDPR Cookie Compliance.

How to add a cookie banner?

WordPress presents a good range of plugins for creating and customizing a cookie banner. Not unlike the cookie creator plugin, there is a leader in the cookie banner plugins also. Cookie Notice has all the standard features of a cookie banner (customization, consent bar, etc…)

Other options include (in order) CookieYes, Complianz, Termly, and  WP Cookie Notice for GDPR, CCPA & ePrivacy Consent. 

As the runner-up, CookieYes offers the additional focus on the cookie policy generation page and the option to manually add cookies to the list.

Compliantz, has the top feature of a setup wizard for configuring the optimal compliance features made for your site.