What the title says. I remember, let’s say 10/15 years ago cookies were definitely a thing, but not every website used them. Nowadays you can rarely find a website that doesn’t give you a huge pop-up at visit to tell you you need to accept cookies, and most of these pop-ups cleverly hide the option to reject them/straight up make you deselect every cookie tracker. How come? Why do websites seemingly rely on you accepting their cookies?
Cookies are the easy way to let the website know who you are and store information like preferences. It’s like using an ID to show who you are instead of filling out paperwork all the time.
Websites make them hard to reject because they can’t store information without them. Even the fact that you rejected the cookie can’t be stored, so you will get asked again.
Any web site that saves any kind of user settings (e.g. language etc.) or lets you log in will use cookies.
Additionally, any web site that wants to count visitors, and distinguish between the same person visiting the web site 5 times and 5 different people visiting the web site, or more advanced “analytics” (how do people use the site), uses cookies.
On web sites that don’t have ads, these will usually be the two answers. Additionally, third party content embedded into the site (e.g. youtube videos, tweets, …) may set cookies.
The main answer, however, is ads. That’s why “they and their 1300 partners value your privacy” (spoiler: they don’t). They want to be able to re-identify you, track you across multiple web pages, and be able to serve you personalized ads – because if they show you an ad that’s actually relevant to you, you’re more likely to click it, and thus they’ll, on average, make something like 10x as much money from a visitor that “accepts cookies” vs. one that “rejects cookies”.
It’s about a *lot* more than cookies. They’re also asking for consent to collect/analyze your data. Usually pseudonymized, but not always (e.g. if you have an account there, and look at power drills, they may tell Facebook “person with email X is interested in power drills, please haunt them with our ads wherever they go for the next two weeks”).
Every time you visit a web site, they share what you looked at with some of their hundreds (300 is low, most sites are somewhere between 200 and 800) “partners”, who may share it with others. Then, in the milliseconds between your initial request and the ads loading, ad companies start bidding on who is willing to pay the most to shove an ad in your face, based on the data they collected. If one of them knows you’re an easy mark for scams, for example, they might pay extra to serve you a scam ad. I think they aren’t *supposed* to store the data if they don’t win the auction, but the ad industry is a swamp of shady companies.
The reason you notice is that GDPR (an EU privacy regulation) requires them to ask for your consent before they do certain things.
# Use an ad blocker (specifically, uBlock Origin)
uBlock Origin is open source, clean, and works well. For technical users, it’s *the* ad blocker (the only browser-extension-based one worth considering, there are legit ones for other use cases like network-based blocking). If you use anything else, there’s a 50% chance you’ll end up with something scammy or dangerous. Ad blockers don’t block everything, but 95% of the crap that would collect your data doesn’t even load if you have an ad blocker.
Oh, did you see how I put “reject” cookies into quotes? Because that means fewer cookies and less abuse of your data, not none. Some claim they are allowed to process data without your consent under “legitimate interest”, some let you opt out of that, some don’t at all, some make you uncheck 20 boxes. But *regardless of that*, most have a lot of “necessary” categories, many of them related to ads, that they will hit you with regardless of your “choice”. Much of what they do is likely illegal, but enforcement is lacking and happens slower than the swamp spawns new shitty companies. So…
# Use an ad blocker.
The World Wide Web basically has no memory of your actions. Each click or action sends a message to the server that grabs info at that moment and sends it to you. None of the transaction details are getting stored.
So this is a big problem when you are making transactions on the web. The state of the transaction has to be stored somewhere. That’s what cookies are for. They store those transaction details on your computer instead of on the server you are communicating to.
When you end the transaction, then it reads the cookies and finishes the transaction and that gets stored in server software.
Sadly we can also use cookies to store details about the user that have nothing to do with the transaction and other software can then scrape those cookies for that data.
Maybe better would be to require that all cookies be deleted upon end of transaction but that has lots of problems, too.
A cookie is simply a way to hold session information while you browse the web. Most websites are “stateless” which means you might bounce between multiple web servers while you are browsing. If one server gets overloaded you will be moved to another and all that happens without you knowing.
But this means the server can’t really hold your session information (there are ways to do it, and for secure sites there is a copy of your session in a shared area on the servers).
But your browser needs certain information it can send back to the server.
Then there are tracking cookies that give you a unique identifier that gets sent to a tracking site (like Google analytics) which lets them monitor your overall behavior.
The GDPR in Europe said you can’t just track users without telling them which is why you see the prompts now. They need to give you the option to opt out of the tracking cookies while still allowing the session cookies.
Most sites can’t really work without keeping at least some information local so a lot of sites, especially ones you log into can’t really work without at least having a session cookie to prove you are the browser that logged in.
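A toy model of the two kinds of cookie described above, added here as an illustration and not part of any answer in the thread: a first-party session cookie and a third-party tracking cookie, with and without third-party cookies rejected. The domains `news.example`, `shop.example` and `tracker.example` and all class and function names are made up for the example.

```python
import secrets

class Browser:
    """Toy cookie jar: cookies are stored under the domain that set them and
    sent back only to that domain (constructed model, not a real browser)."""
    def __init__(self, block_third_party=False):
        self.jar = {}                       # domain -> {name: value}
        self.block_third_party = block_third_party

    def request(self, server, top_site):
        # A request is third-party when it goes to a domain other than the
        # site shown in the address bar (e.g. an embedded ad script).
        blocked = self.block_third_party and server.domain != top_site
        sent = {} if blocked else dict(self.jar.get(server.domain, {}))
        set_cookies = server.handle(sent, top_site)
        if not blocked:                     # blocked: nothing sent, nothing stored
            self.jar.setdefault(server.domain, {}).update(set_cookies)

class Site:
    """First-party site that recognises a returning browser by session cookie."""
    def __init__(self, domain):
        self.domain, self.sessions = domain, set()

    def handle(self, cookies, top_site):
        if cookies.get("session") in self.sessions:
            return {}                       # same browser as before
        sid = secrets.token_hex(8)
        self.sessions.add(sid)
        return {"session": sid}

class Tracker:
    """Third-party server embedded on many sites; logs (visitor id, site)."""
    def __init__(self, domain):
        self.domain, self.log = domain, []

    def handle(self, cookies, top_site):
        uid = cookies.get("uid") or secrets.token_hex(8)
        self.log.append((uid, top_site))    # the cross-site browsing profile
        return {"uid": uid}

def browse(block_third_party):
    """Visit news, shop, news; return (sessions on news, ids seen by tracker)."""
    news, shop = Site("news.example"), Site("shop.example")
    tracker = Tracker("tracker.example")
    browser = Browser(block_third_party)
    for site in (news, shop, news):
        browser.request(site, site.domain)      # the page itself
        browser.request(tracker, site.domain)   # embedded ad/analytics script
    return len(news.sessions), len({uid for uid, _ in tracker.log})
```

With third-party cookies allowed, `browse(False)` returns `(1, 1)`: one session on the news site and one tracker id tying all three visits together. With them rejected, `browse(True)` returns `(1, 3)`: the session still works, but each embedded request looks like a new visitor to the tracker.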
Cookies have been a thing for longer than that.
They first came up in the late 90s.
They are used so web servers can remember who you are and so they can remember settings etc. from page to page.
Without them most of the modern web would not work.
However, this remembering who you are also has privacy implications.
You might be okay with the news website you are visiting remembering that you like to read articles in dark mode and in English and even suggesting articles based on where it thinks you are and what you like. You might be less okay with the advertisements on the page remembering who you are and recognizing you across many different sites to build up a profile about you.
All this information is very lucrative to collect so the people who own websites and their advertisers would like to collect as much of it as possible.
In many places around the world the local governments didn’t care much about their people’s privacy being attacked like this or if they cared they didn’t have the power to do anything about it.
Certainly the US government wouldn’t side with consumers against big business like that.
However, the way the European Union and their parliament and other institutions work means that there are a lot of people in positions of power who do care about that, they are not as beholden to big business and they do represent a large enough market that large corporations can’t just ignore or bully them.
So the EU made a number of laws about protecting people’s rights online.
Those were only applicable to sites that do business in the EU and other countries covered by those laws, but most sites complied and ended up putting up the same sort of protection for everyone just to be safe.
They have to ask before they put cookies on your computer now.
Of course most of them make it as hard as possible to say no to that and they hide what their privacy invading data collection cookies are for behind confusing language, so that most people just click “yes” out of annoyance and habit just to make the popup go away.
These popups are when you started noticing cookies. You were using them long before, but not noticing it and you only became aware thanks to becoming collateral damage in the war between the EU and big tech.
As a web developer, cookies can literally be anything useful that you need to store to use later (so your browser doesn’t need to reload everything when you change pages, such as your login)
Nowadays because of data privacy laws this must be disclosed, regardless of how large or small. As others have said, this was pretty much always done (otherwise a login would be pretty pointless or you’d have to do everything on a single page and be pretty restricted), it has just become more transparent thanks to data privacy laws.
In the past I simply had cookies disallowed in my browser (Netscape) settings and as far as I can remember every site worked just fine.
Then some politicians who were clueless about ICT thought it was a good idea to introduce this ‘cookie law’ because they thought it would ‘protect’ us. That gave web sites the excuse to force cookies on people because they were ‘necessary’, but not really. Now I cannot simply block cookies in the browser anymore. Thanks politicians. Great job. /s
Actually I kind of have the opposite question. If the purpose of cookies is nefarious (so they can make money selling your data) then why do they give you an option to opt out at all?
If the answer to the above question is that they’re legally required to let you opt out, then why do some websites streamline it by giving you a “reject all” button when they could make it a pain in the ass?