Cookies have been around for a very long time on the web. In a nutshell, the idea is that a site can set a cookie on a user’s browser via the Set-Cookie response header once a resource has been requested. This cookie can contain whatever data strings the site owners wish, and is generally used to provide state to websites.
For example, a cookie allows websites to retrieve information such as whether the user previously logged in, what they added to their shopping cart, their theme preferences and other personalization settings, saved game state, etc.
Note: Cookies used to be the primary method of storing client-side site data, although now more useful technologies exist for that purpose such as Web Storage and IndexedDB.
The above use cases can all be achieved with cookies set for documents existing on the same domain as the URL loaded in the browser. These are referred to as first party cookies.
Problems can arise when cookies are set for components that exist on different domains than the embedding document, such as images, or other documents embedded via <iframe>s. These cross-site cookies are commonly referred to as third-party cookies—but the behavior and potential issues are the same whether you own all the involved sites or not.
Third-party components can store information in their cookies from any and all documents they are embedded in. The originating third-party domain can then get access to all those third-party cookies, aggregating information from each one. This may sound harmless at first, and there are many legitimate uses of third-party cookies — for example a company might want to share user login state and profile information across multiple sites that it owns that are on different domains, or record analytics across its different properties to investigate user journeys and build more usable experiences. An ad tech company might want to infer user interests from the sites they visit to serve them more relevant ads.
However, in the worst cases, third-party cookies are used to track users around the web, building up a detailed profile of them that could include not only interests but also deeply personal information such as gender, sexuality, religion, political affiliation, etc. This information can be used to build creepy, invasive online experiences and is also sold to other third parties. In such cases, they are referred to as tracking cookies.
Legislation such as the General Data Privacy Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) have helped by making it a legal requirement for companies to be transparent about the cookies they set and the information they collect, for example by asking customers to opt in to such data collection, allowing them to see what data a company hold on them, and allowing them to delete it if they wish. However, it is still not always crystal clear to customers how their data is being used.
