
Cookies

What are website Cookies?

The term "cookies" refers to small text files stored on a user's device or browser when they visit a website. While they may be generated for a variety of purposes, their most common function is to store and remember user-specific data, such as login credentials and browsing preferences, in order to optimize the user's overall experience.

Cookies are a convenient way for a website to personalize user interactions, but they also have the potential to make a user's personal data vulnerable to unauthorized access or misuse. 

For these reasons, regulations in many jurisdictions require websites to disclose the use of cookies. Depending on the jurisdiction, regulations may require websites to obtain consent before setting non-essential cookies and/or provide opt-out mechanisms for the processing of personal data with them.

Major frameworks include the GDPR and ePrivacy Directive in Europe, the CCPA and other state-level privacy laws in the United States, the UK's PECR, Brazil's LGPD, and similar regulations across Asia-Pacific, among others. 

In the U.S., state privacy regulations do not require consent prior to processing personal data with cookies, but most do require that the use of cookies to process personal data is clear and conspicuous to the consumer and that consumers can opt out as desired. Typically this opt-out is offered through a link in the website footer, a link in the privacy policy, and/or a consent notice banner that appears on page load.

For most regulations, this now includes honoring universal opt-out mechanisms (UOOMs) such as Global Privacy Control (GPC) signals.

How are Cookies used?

Cookies work by identifying users through their specific devices. When a user visits a website for the first time, a small text file is created based on the user's activity and labeled with an ID unique to the device. When the user returns, the ID is recognized, enabling the website to present information specific to the user's account or preferences.

Some cookies are stored in the browser's memory and deleted automatically when the browsing session ends (session cookies), while others are written to the device's storage with a defined expiration date and persist between sessions for authentication and tracking purposes (persistent cookies).

Cookies allow websites to communicate with users in efficient and familiar ways: remembering usernames, saving the contents of shopping carts, and storing individual preferences. In this way, cookies provide benefits to both users and web developers and have become a nearly indispensable component of the modern internet.

Are cookies dangerous?

Cookies are simple text files and do not themselves contain viruses or malware. However, they can become problematic if the data they contain is compromised or accessed by a malicious third party. In the worst cases, attackers can exploit cookies to gain access to a user's browsing history or session credentials.

This is one of the primary reasons cookie regulations require websites to inform users about what cookies are being set and for what purposes. The specific obligations vary by jurisdiction. Some frameworks, such as the GDPR and ePrivacy Directive, require organizations to obtain prior opt-in consent before setting non-essential cookies. That consent must be freely given, specific, informed, and unambiguous, and must involve a clear affirmative action such as clicking a button or ticking a box. Pre-ticked boxes, continued browsing, or inactivity do not constitute valid consent under these frameworks. Other laws, such as the CCPA and most U.S. state privacy laws, follow an opt-out model: businesses must disclose the categories of personal information they collect and honor opt-out requests when cookies are used to sell or share personal information for targeted advertising, typically through a "Do Not Sell or Share My Personal Information" link.

Cookie Consent

One important distinction: not all cookies are treated the same under privacy law. Under opt-in frameworks like the GDPR and ePrivacy Directive, cookies that are strictly necessary for a service the user has requested, such as those that enable a shopping cart or maintain a login session, are exempt from the consent requirement, while all other cookies require prior consent. Under opt-out frameworks like the CCPA, the question is not whether a cookie is "necessary" but whether the personal information collected through it is being sold or shared; if so, the business must provide notice and honor user opt-out requests.

Regardless of where a website operates, users should have enough information to make informed decisions about which cookies to allow, reject, or manage. As a general rule, users should pay particular attention to third-party cookies, which originate from domains other than the website being visited and are commonly used for cross-site tracking and targeted advertising.
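The session/persistent split and the first-party/third-party distinction described above can both be read off the `Set-Cookie` headers a page load produces. The following is an added example, not part of the original page: the host names and sample headers are constructed, the function names are hypothetical, and domain matching is a plain suffix comparison rather than a public-suffix-list lookup (an assumption).

```javascript
// Added example; hosts and headers in SAMPLE are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: ignore the header
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Session cookies carry neither Max-Age nor Expires; Max-Age wins if both exist.
function lifetime(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  let expiry = null;
  if (typeof maxAge === "string" && /^-?\d+$/.test(maxAge)) {
    expiry = now + Number(maxAge) * 1000;
  } else if (typeof expires === "string" && !Number.isNaN(Date.parse(expires))) {
    expiry = Date.parse(expires);
  }
  if (expiry === null) return { kind: "session", days: 0 };
  if (expiry <= now) return { kind: "deleted", days: 0 };
  return { kind: "persistent", days: Math.round((expiry - now) / 86400000) };
}
// Assumption: plain suffix match; a real audit compares registrable domains.
function party(cookie, responseHost, pageHost) {
  const d = cookie.attrs.domain;
  const scope = (typeof d === "string" ? d : responseHost).replace(/^\./, "").toLowerCase();
  const page = pageHost.toLowerCase();
  const same = page === scope || page.endsWith("." + scope) || scope.endsWith("." + page);
  return same ? "first-party" : "third-party";
}
function auditCookies(pageHost, responses, now = Date.now()) {
  return responses.flatMap(({ host, setCookie }) =>
    setCookie.map(parseSetCookie).filter(Boolean).map((c) => ({
      name: c.name, party: party(c, host, pageHost), ...lifetime(c, now),
    })));
}

const NOW = Date.parse("2025-01-01T00:00:00Z");
const SAMPLE = [
  { host: "shop.example", setCookie: ["cart=abc123; Path=/",
      "prefs=lang%3Den; Domain=shop.example; Max-Age=2592000"] },
  { host: "ads.tracker.example", setCookie: [
      "uid=9f2c; Domain=tracker.example; Expires=Thu, 01 Jan 2026 00:00:00 GMT"] },
];
console.table(auditCookies("shop.example", SAMPLE, NOW));
```

Long-lived third-party rows in the output are the cookies to review first against a site's consent or opt-out handling.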
