Here's What Really Happens When You Accept Cookies

If all the cookies you've accepted online were real, you'd probably be on a weight loss program by now. Almost all the websites you visit welcome you by asking you to accept cookies. If you're like the average internet user, you do so without thinking twice, just so you can get to what you came for.

In compliance with a GDPR transparency mandate, these sites would typically display a consent banner that contains a link to their cookie policy (which no one ever reads), and they may tell you the cookies are there to enhance your experience. But as we've learned from real life, it's probably best to only accept desserts from people you know and trust. Also, these "cookies" aren't merely nuggets of virtual hospitality — they have real implications on your online (and subsequently, real life) security and privacy, so it's important to be sure just what you're accepting.

So, to help you do that, we'll unpack what website cookies are and what really happens when you accept them.

What are website cookies?

Website cookies (or HTTP cookies) are small text files sent by the website you're visiting to the device you're using. When (or if) you accept them, these cookies are stored on the web browser of your device and can subsequently track and gather data from your browser and send that data back to the website owner (via GDPR). This data is labeled with a session ID unique to you and your computer. Subsequently, the website server reads the ID and uses the saved data to determine what information to specifically serve you.

They're like unique little stickers that websites tag on each user who visits so that the next time you stop by, the server identifies you as a returning visitor and saves you the hassle of re-introducing yourself. This identification allows websites to "remember" your preferences and provide you with a more personalized experience — for example, if you chose dark mode when you first visited a website, the feature will be automatically enabled on your next visit if you accept cookies on that website. Similarly, cookies help websites remember when you're logged in, so you don't have to enter your credentials every time you visit.

Why are they called cookies?

So, why are these things called cookies to begin with? The original idea came from Lou Montulli, a Netscape employee, back in 1994. He wanted to come up with a file that websites could use to remember prior visitors. These files would contain things like user preferences, login details, and even how many times a user has visited the website. Reportedly, this reminded Montulli of both a fortune cookie and a magic cookie, so he called his idea a cookie.

A magic cookie, for reference, is a piece of information that is passed between two software programs. You usually see magic cookies on Unix systems, and unlike internet cookies, users do not interact with magic cookies. One program comes up with a snippet of data and passes that data to another program, which eventually passes it back to the first program. This is similar to how internet cookies work, where websites pass data to users that users eventually pass back to the website. However, regular, everyday folks will rarely see or interact with a magic cookie.

There are also several types of cookies, including session cookies, user-input cookies, authentication cookies, and load-balancing cookies. Each type performs a different function depending on what the website is trying to accomplish. For example, when you log into Facebook, it will give you an authentication cookie. Later, when you come back to Facebook, it'll see that authentication cookie and take you straight to your news feed without logging in again.

How website cookies work

Cookies are a fundamental part of browsing online — without them, you'd have to rebuild your shopping cart every time you log in to an e-commerce site or start sessions afresh every time you open your browsers. Also, some websites simply won't grant you access to their domain unless you accept cookies.

Still, not all cookies are necessary. According to the GDPR, there are two broad kinds of cookies, especially as it pertains to what kind of information they collect about you and to whom that is sent:

  • First-party cookies: These are also called session cookies and are directly placed by the website you're using. They collect data about a user's session on a website, including language or appearance settings, analytics data, cart activity, or other functions that contribute to a good user experience. And they only use this data within the single, original domain you're visiting. As long as you can verify the authenticity of a website (an easy way is to check for a lock symbol in the address bar), first-party cookies are mostly harmless.
  • Third-party cookies: Also known as persistent cookies, these are created by someone other than the website owner and collect/send data to that third party. In today's online landscape, this "third party" is usually an advertiser — the cookies track your activity across different websites, then collect and send information that the advertiser can use to tailor ads to your needs or interests. Because third-party cookies aren't only tied to one website, you can continue to see super-specific ad popups even after you leave the original site you visited. And that's how ads "follow" you around the internet.

What happens when you accept cookies?

When you accept cookies online, you consent to your information being collected and stored by the website owner or advertising company (if they're third-party cookies). The data a cookie might collect about you will vary depending on the website, but here are some of the most common inclusions, according to AllAboutCookies:

  • Website name and unique session ID
  • Browsing history
  • Preferences and permissions
  • Number of visits
  • Session duration
  • Links clicked
  • Login credentials, including your username and password
  • Geo-tags, like location and IP address
  • Personal data, like phone number and zip code
  • Shopping cart activity

Website owners (or ad companies) can then use this information to provide a streamlined experience for you. Most people don't mind cookies — it'd be a hassle to start over every time you revisit a website on which you've had previous sessions. Even third-party cookies have their upsides — it can be helpful to find an ad for a website that sells something you've been searching for.

When you shouldn't accept cookies

Cookies help sites identify you, and they can be used to track your internet usage. For the most part, websites play nice with their cookies, and you can always delete them later in your browser settings. An example of this is when you log into Facebook, you'll have a cookie that tells Facebook who you are and that you're logged in, so you don't have to log in again. This is an example of a positive use of cookies. However, there are instances where you probably don't want to accept cookies.

The first and most obvious example of a time when accepting cookies is a bad idea is when dealing with sketchy websites. This can include unencrypted websites, which you can tell by looking at the URL. If it says "HTTP" instead of "HTTPS," that means the site is not encrypted. This usually means it's a low-quality website that may be doing something untoward, and you don't want to accept cookies from such websites. This is the one you're most likely to run into, so keep an eye out for that.

Two other good examples include third-party cookies as well as websites where you enter private information. Third-party cookies aren't intrinsically bad, but a lot of bad actors use them to track you from website to website to sell your browsing habits or steal your personal information. Thus, it's just a good idea to avoid it. For websites where you enter private information, it's much the same deal. Only enter private information on websites you trust implicitly, like your bank.

How to clear cookies

But, of course, personal data has become a hot commodity online, and cookies present a significant risk of being hacked online. So, if you're looking to be more intentional about what info you share, you can restrict websites from sharing cookies or choose to block all third-party cookies. Since they're stored on your computer, you could also manually remove cookies you've previously accepted.

We have clear guides to clearing cookies on Firefox, how to remove cookies on Google Chrome, and how to remove cookies on Safari. In most of the other browsers, it's as simple as opening Settings > Privacy section (or sometimes Tools, Internet Options, or Advanced) and then following the prompts to manage or remove cookies. You should know that this action will not only wipe all the cookies from your phone or computer but also log you out of most websites and make some web pages look a little different than they usually do.

Should you stop allowing cookies?

For the most part, cookies are fine, but it's great to know that you can refuse them if you want to. As the demand for user privacy online increases, most platforms and browsers are already phasing out the most easily compromised kind of cookies: third-party cookies. Google announced the phaseout from Chrome in 2020 and is working on removing them from the browser by the end of 2024, according to Cookiebot. Firefox is taking a similar approach by implementing what they call "total cookie control," a measure that will minimize cookie tracking on other sites.

Also, Apple added a feature to iOS that requires that app developers ask for your consent before tracking your activities across applications or websites. You've probably seen the pop-up as you use apps, asking if you want to allow the app to track your activity. If you decline, the app you're using will not be able to access your device's advertising identifier, effectively preventing you from targeted ads, although there's talk about Chinese ad tech bypassing Apple's tracking control.

When all is said and done, online cookies and real-life cookies should have one thing in common: You should know exactly what's in them before you bite, and you should definitely be able to say no to them.