Not to be confused with the popular baked good, a web cookie is a small piece of data given to a web browser by a web server. The browser stores the data in a text file so it can be sent back to the server each time the browser requests a page from the server.
The name “cookie” was derived from UNIX objects called magic cookies. These are tokens that are attached to a user or program and change depending on the areas the user or program enters.
Cookies are also sometimes called Internet cookies, browser cookies, or HTTP cookies. They can be erased when a browser is closed, as in the case of session cookies, or they may be stored until a specified time, as in the case of persistent cookies.
Are cookies good or bad?
While the information contained in a cookie is not inherently good or bad, the potential for how that information is used is important for internet security. A cookie could store personally identifying information a user provides like name, home address, and phone number, or stateful information like preferred language, login credentials, and abandoned shopping cart items.
The benefit of accepting cookies comes in the form of an improved user experience; not only do cookies help web pages load more quickly, they can also tailor advertisements, create an effortless authentication process, and maintain site preferences for repeated visits. Sometimes this can create more work for users who want every experience visiting a site to be as if they were accessing it for the first time, but cookies are often unsung heroes of web browsing efficiency and personalization.
As with most internet security concerns, a major downside of the convenience that cookies offer is the vulnerability for cookie data to be tracked and used for malicious intentions. When the connection between a browser and server is targeted by an attacker, the cookies that are intercepted can be sold to third parties or “hijacked” and used to impersonate the user in other places of the Internet.
Cookies and GDPR
In addition to the security risks mentioned above, cookie use presents a number of concerns for internet privacy a somewhat related issue that was put under the spotlight in 2016 when the European Union (EU) passed the General Data Protection Regulation (GDPR).
This legislation addresses the policies and practices of data controllers and mandates that an individual’s data may only be collected under six circumstances: unambiguous consent from the individual, vital interest of the individual, legitimate interest of the controller, contractual necessity, public interest, or legal requirement. To that end, the GDPR also stipulates how much data can be collected, how the collected data can be stored, and how an individual can go about having their data erased.
What does this mean for cookies? Because cookies are some of the smallest, most ubiquitous pieces of personal data on the internet, GDPR compliance has major implications for a website’s cookie processing. The enforcement of GDPR standards has led most websites regardless of where their servers are based to institute overt, explicit cookie opt-in/opt-out practices as well as options for individuals to revoke cookie consent at any point. This means visitors to a website can dictate whether cookies are collected before they engage with a site’s content and have greater control over their data privacy.