Cleaning up some cookie crumbs.
Generally speaking, they are, yes.
Cookies have gotten a bad rap, and some well-intentioned but horrific legislation has made it worse.
Become a Patron of Ask Leo! and go ad-free!
Accepting cookies
Accepting "Legitimate Interest" cookies is generally okay since they're part of how websites implement features and functionalities. The European GDPR legislation requires sites to ask for consent, leading to frequent, typically ignored consent dialogs. Cookies are used for various purposes and are not designed to leak personal data.
What's a cookie?
A cookie is just a small bit of data that's left on your computer when you visit a website. For example, if you visit askleo.com, one of the cookies the site will place on your computer might look like this:
- Name: _ga1
- Content: GA1.1.2055007366.1707163485
The next time you visit askleo.com, your browser will send:
- Please fetch the page askleo.com
- Here's a cookie you left before: _ga:GA1.1.2055007366.1707163485
As you can see, the cookie name and contents are pretty meaningless to you and me. What matters is the server-side software that's using them.
Cookies are domain-specific. This means that askleo.com will only be sent the cookies left by askleo.com.
If displaying the page also includes displaying something from another domain -- say bigadvertisingnetwork.com -- that website will not see the cookies saved by askleo.com, but it can set its own cookies if it wants. These are so-called third-party cookies: you're the first party, askleo.com is the second party (the page you asked for), and any other website involved in displaying the page (such as an ad) is a third party.
Why cookies concern some
Consider bigadvertisingnetwork.com. When you visit a site, say site A, that uses ads from bigadvertisingnetwork.com, bigadvertisingnetwork.com can leave its own cookies.
When you visit site B, which also uses advertisements from bigadvertisingnetwork.com, bigadvertisingnetwork.com will be given the cookies it left from your prior visit to site A. The cookies were left for bigadvertisingnetwork.com, and thus bigadvertisingnetwork.com can see them.
Bigadvertisingnetwork.com can now see that you've visited both sites A and B. It's this "tracking" that concerns people.
It doesn't concern me. They're not interested in me as an individual. What they care about is the aggregate: the number of people in general who visit site A and then site B. The relationship between those two sites allows them to display more targeted/relevant ads. I don't care.
Different types of cookies
Besides the simple "tracking" example above, cookies can be used for a variety of things.
- Keeping you signed in from page to page.
- Remembering other information from page to page to make the site work, such as what might be in a shopping cart.
- Performance and behavior analysis to see exactly how the site is being used with an eye to future improvements.
- Various degrees of advertising personalization.
There's probably more. Cookies are a very simple concept with a wide variety of applications.
That silly law
Almost every site on the internet uses cookies. I'd be hard-pressed to think of one that doesn't use at least one. To me, this is obvious and necessary for websites to offer the features and functionality they do.
And yet, the European GDPR (General Data Protection Regulation) legislation requires websites to ask you if it's OK. While some websites choose to embrace the ramifications only in the EU, many websites simply follow the GDPR requirements everywhere.
The result is that the first time you visit a website, up pops a cookie-permission dialogue (or, ironically, the first time you visit again after clearing cookies).
Most people ignore them because they're so annoying. Even if they are an attempt to offer granularity, average folks just aren't prepared to understand it and shouldn't have to.2
And it's particularly annoying for me because the answer is always "Well, yeah, of course! All sites use cookies, you don't have to remind me!"
The law has probably done more to desensitize us as we blindly hit Accept over and over and over than anything else.
Do this
To be clear, I always hit Accept All and recommend you do so as well.
Cookies aren't evil. They're not scary, and they're not leaking your personal data. They're just a part of how the web works -- something that lawmakers fail to grasp.
If you remain concerned, I recommend you use a privacy-focused browser extension such as Privacy Badger from the EFF or an adblocker of some sort.
Want more about cookies, internet security, computers, and Windows? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Read the agreement box carefully. Make sure it says accept cookies and not something else. They might throw up a link that you just blindly click. And even worse, I haven’t heard of this happening but someone can throw in a pop-up that says accept cookies which is actually a link to another site.
One difference between humans and animals is that animals would never choose the dumbest of their species to lead them.
“The result is that the first time you visit a website, up pops a cookie-permission dialogue (or, ironically, the first time you visit again after clearing cookies).” Not always. I’ve been to sites where I get the cookie warning every time. Apparently, those web designers don’t know how to properly use cookies to avoid that from happening.
There are free browser extensions that agree to cookies in the background so you don’t have to see them.
Ok, so cookies are not harmful, but can they be? Suppose a website has xxx innocent cookies, but some disgruntled or just plain naughty employee has inserted a guilty cookie in amongst them to collect personal information not relevant to the site. I know most of us are just not important enough, but the question remains… can this be done? I would think yes, which leaves room for ulterior motives. Personally I accept cookies for trusted sites and deny them for others I am not familiar with, or seem shady.
A cookie is just a few bytes of information a website saves on your browser. All the website can do is retrieve that string of data and read it. The cookie doean’t give them access to anything else on your computer.
“can this be done?” If it were possible, hackers would be exploiting this all over the place.
From Mark J: “A cookie is just a few bytes of information a website saves on your browser”. But that’s not the point. It doesn’t matter if a cookie is a few bytes or a few megabytes, or if it’s text or some other format. In conjunction with Leo’s other article “Why do ads follow me around the internet”, the issue is the effect of cookies on what you see and experience online. Here is a quick experiment to see how cookies affect you online experience: (1) Use Firefox browser and clear out all your cookies and history. Then go to Google News and note what articles are presented to you. (2) Now use Edge or Chrome and log into one or more of your online accounts, such as Google, Microsoft, and Yahoo. First, go to different websites and just browse around and do some random searches. Then go to Google News and see what articles are presented to you. You’ll see a difference. The difference is Google, in it’s infinite wisdom, has now decided on what you need to see as “news”.
All this may not be harmful or it may be exactly what you want, but it’s not just about some file stored on your computer. It’s about the control of what you experience.
P.S. The reason that I distinguished between using Firefox, Chrome and Edge is because on the latter two browsers you can never be sure that all your online activity is actually deleted.
Obviously, cookies have an effect on your experience. My comment never denied that.
The question I was answering is asking if cookies can be dangerous. I answered it accurately. It’s just a number a site saves to your browser and can only be retrieved by the site that saved it.
If you consider tailored ads harmful, browse in a private tab or use the DuckDuckGo browser.
Leo/Mark: I have my browser(s) set to block 3rd party cookies such as bigadvertisingnetwork.com. Yet I still see targeted ads on different sites. Either 3rd party cookies aren’t being blocked or targeted ads are using another mechanism.
I personally don’t care if I get targeted ads. I’m just curious if the block 3rd party cookies setting is working.
Cookies aren’t the only way sites track you. Websites have other ways of identifying your computer such as IP address, browser fingerprinting (identifying a browser by it’s unique charicteristics), and websites can store data
Supercookies and Evercookies and No Cookies at All: Resistance Is Futile
What is a Digital Fingerprint?
How else can websites get my information?
This Firefox article seems to contradict your advice about cookies. Can you please comment on that?
https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/?entrypoint=mozilla.org-whatsnew131