The IT Law Wiki


A cookie is

[a] small data file that is stored on a user's local computer for record-keeping purposes that contains information about the user that is pertinent to a Web site, such as a user preference.[1]
a small text file that a website's server places on a computer's web browser.[2]


"Cookies were created by programmers working for Netscape in 1994, and the name is a reference to 'magic cookies' — a term used to describe a piece of data that a program receives and then retransmits unchanged."[3]

"Since the inception of the Internet, cookies have been the primary tools by which companies transmit information about Internet users. Best conceptualized as an identity card for a particular machine that accesses the Internet, cookies are small text files placed on an Internet user's computer hard drive or browser that store information about a user's interactions with a particular website. When an Internet user visits a website, the user's browser sends a request to the website's server to load the page in question. In addition to the request for the page, the user's browser is programmed to send along information from any cookies placed by the website's server. If there are no such cookies — either because the user has never visited the website before or because she has deleted the cookies on her hard drive — the website's server may assign a new cookie for use in the current session and potentially on subsequent visits. The most basic function a cookie serves is to identify a device. With a cookie, websites can know how many unique machines — and, by extension, roughly how many unique visitors — come to their site. By allowing a website to identify individual visitors, cookies can help websites provide useful services to visitors. For example, many anti-fraud provisions are cookie-based, and most online "shopping cart" functions need a cookie to confirm that the user who added one item to their cart is the same user who has navigated to a different part of the website."[4]

The cookie transmits information back to the website's server about the browsing activities of the computer user on the site. This includes information such as pages and content viewed, the time and duration of visits, search queries entered into search engines, and whether a computer user clicked on an advertisement.

Cookies also can be used to maintain data related to a particular individual, including passwords or items in an online shopping cart. In some contexts, such as where a number of separate websites participate in a network, cookies can be used to track a computer user across different sites.

The cookie was developed to enable a website owner to keep track of a particular user's activity within the site.[5] Cookie technology allows the website’s server to place information about a user's visits to the site on the user's computer in a text file that only that website's server can read.

Typically, a cookie comprises:

  • a name for the cookie (chosen by the website you are visiting); 

  • a value (unique number for the cookie) (determined by and stored by the website for future recognition and action); 

  • an expiration date; 

  • a valid path (details about the Web page(s) that the visitor was on when the cookie was sent); 

  • a valid domain (the name of the website that created and can retrieve the cookie); 
  • a secure connection requirement (if the cookie is marked "secure," it will only be transmitted if the visitor is connected to a secure website.

Using cookies, a website assigns each user a unique identifier (not the actual identity of the user), so that the user may be recognized in subsequent visits to that site. On each return visit, the site can call up user-specific information, which could include the user's preferences or interests, as indicated by specific web pages or documents the user accessed in prior visits or items the user clicked on while visiting the site. Cookies can store information that facilitates the interaction between the user and the website.

Cookies may be placed on an individual's computer when an individual visits a website affiliated with the online advertisement supplier; however, the exact moment of cookie placement may be different when the relevant advertising partnership is between a user’s Internet service provider (ISP) and an online advertising provider. A 2010 survey indicated that almost 80% of online service providers interviewed are collecting data from cookies.[6]

An expiration date feature allows cookies to be set to remain on a user's computer either permanently (a persistent cookie) or for a specified length of time, such as for a single Web session (session cookie).

As an example of how a permanent or persistent cookie functions, consider the online version of a newspaper. If a subscriber whose native language is Spanish informs the website that he prefers to download the Spanish edition of the newspaper, the newspaper can store that information in a cookie file on the user’s hard drive. When the subscriber next visits the newspaper's website, the site retrieves the language preference information from the cookie and automatically sends the Spanish-language edition to the user. Temporary cookies can be created during online shopping expeditions. The cookies can tag the shopper's intended purchases to facilitate the ordering process and then expire after a purchase is made.

Consumers can also delete the cookie files stored on their computers. Deletion will not erase any information stored on the advertiser's server, but it will prevent future Web activity from being associated with past activity through the identification number of the deleted cookie.

Benefits of cookies[]

The ability to place cookies is highly valuable to ad networks. In fact, advertisers are willing to pay a premium of between 60 and 200 percent for targeted advertisements based on cookies.[7]

Cookies can provide significant benefits to online users. For example, websites often ask for user names and passwords when purchases are made or before certain kinds of content are provided. Cookies can store these names and passwords so that consumers do not need to sign in each time they visit the site. In addition, many sites allow consumers to set items aside in an electronic shopping cart while they decide whether or not to purchase them; cookies allow a website to remember what is in a consumer’s shopping cart from prior visits. Cookies also can be used by websites to offer personalized home pages or other customized content with local news and weather, favorite stock quotes, and other material of interest to individual consumers. Individual online merchants can use cookies to track consumers' purchases in order to offer recommendations about new products or sales that may be of interest to their established customers. Finally, by enabling businesses to monitor traffic on their websites, cookies allow businesses to constantly revise the design and layout of their sites to make them more interesting and efficient.

Network advertisers' use of cookies and other technologies to create targeted marketing programs also benefits both consumers and businesses. Targeted advertising allows customers to receive offers and information about goods and services in which they are actually interested. Targeted advertising can also improve a consumer's Web experience simply by ensuring that she is not repeatedly bombarded by the same ads. Businesses benefit from the ability to target advertising because they avoid wasting advertising dollars marketing themselves to consumers who have no interest in their products. Additionally, targeted advertising helps to subsidize free content on the Internet.

Privacy issues[]

Once the cookie is in place, it gathers certain information related to that user’s online activity on a continuous basis and relays that information to the online advertising provider. Because the website owner determines what information is placed in a cookie, the cookie may contain personally identifiable information about the user, including bank account or credit card numbers.

The advertising provider assembles that data into an individual profile that is then used to target advertising to that user's interests. This information is often shared with third parties that are unknown to the user. This process is ongoing, but, in general, the user may opt out of continued monitoring at any point, assuming they are aware that it is occurring.

Cookies can in theory be used to infer damaging personal information about particular users, such as the fact that a user has a certain medical condition. Even less immediately controversial inferences, like the age of a user, can enable criminals to target the very young or elderly with fraudulent advertisements.[8]

In most types of behaviorally targeted advertising technology, the advertising firm gathers information about user activities on websites that are affiliated with the advertising firm. The online behavioral advertiser DoubleClick, for instance, operates on this model. Information on individual users is transmitted to DoubleClick by DoubleClick's clients.

In a newly emerging behavioral advertising model, the advertising provider is attempting to partner with the users' ISP. This partnership will presumably grant the advertising provider access to all web activity in which an ISP's subscribers engage. Both of these types of potential partnerships raise a number of questions regarding potential violations of existing privacy protections in federal law.

"Information resellers can use the information in cookies to supplement information from their databases—matching information by individuals' name and e-mail addresses — to augment profiles on individual consumers. Third parties also can synchronize their cookie files with resellers' cookie files to obtain additional information to enhance consumer profiles. Some advertisers use so-called third-party cookies — placed on a visitor's computer by a domain other than the site being visited — to track visits to the various websites on which they advertise. Although not required by law, some web browsers, such as Apple's Safari and Mozilla's Firefox, have privacy settings that allow users to block third-party cookies or turn on do-not-track features. However, honoring the do-not-track setting is voluntary on the part of website operators."[9]

Security issues[]

Cookies vary in the amount of security they provide for the information they contain. Cookies often store data in plaintext, which could allow an unauthorized party that accesses a cookie to use or alter the data stored in it. Some websites create encrypted cookies, which protect the data from unauthorized access.

Most Web browsers can be configured to prompt users to accept or reject each cookie, or to accept or reject session cookies automatically but prompt users to accept each persistent cookie or reject persistent cookies automatically. Most Web browsers also can be configured to allow cookies to be set only for the website the user visited (known as first-party cookies), not for the websites of advertisers and other parties (known as third-party cookies). Permitting first-party cookies and blocking third-party cookies can be very helpful in reducing the number of tracking cookies placed onto a system.

The browsers' default setting, however, is to permit placement of cookies without any notification. Because many website require users to accept cookies in order to view their content, or make multiple attempts to place cookies before displaying content, the notification process may unacceptably frustrate consumers' ability to surf the Web efficiently.

Regulation of cookies[]

"Cookies are not regulated in the United States. However, in 2009 the European Union modified its e-Privacy directive to regulate cookies. In particular, the Directive told EU Member States to pass laws requiring users to 'opt in' or provide consent before placing a cookie on their computer."[10]

Use of cookies on federal websites[]

Pursuant to a 2000 memorandum from the Office of Management and Budget,[11] there is a presumption that cookies will not be used on federal websites. Under this policy, cookies are not to be used on federal websites, or by contractors when operating websites on behalf of federal government agencies, unless, in addition to clear and conspicuous notice, the following conditions are met:

In addition, it is federal policy that all federal websites and contractors when operating on behalf of federal agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 with respect to the collection of personal information online at websites directed to children.


  1. Privacy Technology Focus Group Final Report, App. B, at 52.
  2. Self-Regulatory Principles For Online Behavioral Advertising, at 2 n.3.
  3. Big Data and Differential Pricing, at 9.
  4. Online Advertising and Hidden Hazards to Consumer Security and Data Privacy, at 10.
  5. In 1995, the Internet Engineering Task Force (IETF) initiated a standardisation process for cookies. In 2000, IETF published the RFC 29653: "HTTP State Management Mechanism," which specified a way to create a stateful session with HTTP requests and responses.
  6. ENISA, Survey of accountability, trust, consent, tracking, security and privacy mechanisms in online environments (2010) (full-text).
  7. Cookies: Leaving a Trail on the Web, at 13.
  8. Online Advertising and Hidden Hazards to Consumer Security and Data Privacy, at 13.
  9. Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, at 22-23.
  10. Big Data and Differential Pricing, at 9.
  11. OMB Memorandum M-00-13.


  • Privacy Law and Online Advertising: Legal Analysis of Data Gathering By Online Advertisers Such As Double Click and NebuAd.

External resources[]

  • Pam Dixon, "Consumer Tips: How to Opt-out of Cookies that Track You (World Privacy Forum 2009) (full-text).
  • David Kristol, "HTTP Cookies: Standards, Privacy, and Politics," 1 ACM Transactions on Internet Technology 151 (2001) (full-text).
  • Seth Schoen, "New Cookie Technologies: Harder to See and Remove, Widely Used to Track You" (Sept. 2009) (full-text).
  • Ashkan Soltani, Shannon Canty, Quentin Mayo, Lauren Thomas & Chris Jay Hoofnagle, "Flash Cookies and Privacy" (Technical report, Univ. of Cal. Berkeley 2009) (full-text).
  • U.S. Department of Energy Computer Incident Advisory Capability (CIAC), "I-034: Internet Cookies" (Mar. 12, 1998) (full-text).

See also[]