This feature first appeared in the Winter 2022 issue of Certification Magazine.
Over the holiday season, I indulged in a lot of treats. My favorite? A chocolate chip cookie — well, let’s be honest, I love all cookies. What does this have to do with a technology article? Have you ever noticed how the internet seems to follow you around, looking over your shoulder and taking notes about everywhere that you go, and everything that you click?
The tracking tool that marketers, for years, have used to observe and record your interactions — the better to push content and advertising tailored to your interests — is called a cookie. Anyone who does just about anything online should expect to be up to their ears in cookies, and it’s been that way for decades. Cookies are not new.
So how come, over the past handful of years, we are suddenly and constantly seeing notifications about cookies? And what would it mean if the internet’s favorite snack suddenly wasn’t on the menu? It may happen sooner than you think: Google’s popular Chrome browser will be updated later this year, and some cookies could vanish entirely as 2022 rolls over into 2023.
What are cookies?
Cookies were invented by internet pioneer Lou Montulli in 1994, when he was working for Netscape. The leading web browser at the time, Netscape was just entering into a fierce competition against Microsoft’s then-new Internet Explorer. Netscape was trying to help web sites become viable money-making enterprises, in particular by enabling sales and commerce.
Early web sites were not very good at customer relations. For one thing, the shopkeeper can’t be on the premises at all times to see what everyone is picking up and inspecting, and provide helpful assistance, like in the physical world. Site owners needed a way to track where people were going and what they were doing.
Website cookies can be divided into two major types, each with many subsets:
Session cookies stay in a browser and retain your information until the browser is closed. When a new browser window is opened, the same user is treated as a new visitor and must input their login credentials within that browser.
Persistent cookies have a designated lifespan and remain in a browser until that period (set by the cookie developer) elapses, or until the cookie is manually deleted. Websites that use persistent cookies will remember users even after they close a browser.
Persistent cookies enable features such as persistent shopping carts, which retain products added to a cart between sessions. When a user lands on an e-commerce website, or any website, for the first time, the webpage makes a record of the activity on its remote execution server and it places a cookie in the user's browser files.
How do cookies work?
It’s important to keep in mind that websites now can, and most often do, run in a serverless environment and work by executing code to make the web site function. This makes it difficult to see where cookies even come from anymore.
A cookie is only a short line of text. It contains no information about the user or the user's machine. Instead, it typically contains the URL of the website that placed the cookie, a unique generated number, and an expiration date for the cookie that’s “baked in,” you might say.
As the user browses the website, each new page the user visits queries the user’s browser, looking for the cookie. If the cookie's URL matches the website's URL, then the website retrieves the user information from its server by utilizing the unique generated number. In this way, the website adjusts the user's experience to reflect her or his browsing history.
It uses that unique number to “remember” who you are: where you left off on your last visit, or that you browsed the “cats” section the last time that you were around. If the user searches the site for cats, then the next time the user comes to the site, the website will retrieve the user's record and serve up ads featuring cat toys, kitty litter, or what have you.
Perhaps the single most important job of a cookie, however, is to keep a user logged in as they browse from page to page. A user's browsing history becomes part of a database which the website then uses to improve the customer experience.
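The lookup described above, sketched as an added example that is not from the original article: the cookie carries only a random ID, and the browsing record it points to stays on the server. The cookie name `vid`, the domain `shop.example` and the in-memory `RECORDS` store are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side store: opaque visitor ID -> browsing record (constructed, in-memory).
RECORDS = {}

def issue_cookie(domain, max_age=None):
    """Build a Set-Cookie header value that carries only a random ID.

    max_age=None yields a session cookie (dropped when the browser closes);
    a number of seconds yields a persistent cookie.
    """
    visitor_id = secrets.token_hex(16)      # the "unique generated number"
    RECORDS[visitor_id] = {"sections": []}  # user data stays on the server
    c = SimpleCookie()
    c["vid"] = visitor_id                   # "vid" is a hypothetical cookie name
    c["vid"]["domain"] = domain
    c["vid"]["path"] = "/"
    if max_age is not None:
        c["vid"]["max-age"] = max_age
    return c["vid"].OutputString()

def classify(set_cookie_value):
    """Return 'persistent' if the cookie states a lifetime, else 'session'."""
    morsel = next(iter(SimpleCookie(set_cookie_value).values()))
    return "persistent" if morsel["max-age"] or morsel["expires"] else "session"

def handle_request(cookie_header, section):
    """Find the visitor by the ID in the Cookie header and log this visit.

    Returns the sections seen on earlier requests, or None when the cookie
    is missing or its ID is unknown to the server.
    """
    jar = SimpleCookie(cookie_header)
    if "vid" not in jar or jar["vid"].value not in RECORDS:
        return None
    record = RECORDS[jar["vid"].value]
    earlier = list(record["sections"])
    record["sections"].append(section)
    return earlier
```

Because the ID alone selects the record, whoever presents that cookie value is treated as that visitor, which is why the ID comes from a cryptographic random source rather than a counter.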
Cookies = controversy
This type of database and its contents are at the center of the cookie debate when it comes to privacy. E-commerce sites use a combination of session cookies and persistent cookies to create a seamless shopping cart experience. As the user adds items to her cart, session cookies keep track of the items.
If the user abandons the cart, persistent cookies will retrieve her or his selections from the database the next time she or he visits, or allow the e-tailer to create personalized retargeting campaigns that encourage shoppers to revisit their carts. This is a huge help in encouraging so-called “conversions,” where a browser becomes a buyer.
Cookies are an essential part of the Internet. Without them, web pages would be a great deal more cumbersome. E-commerce would be next to impossible. They give websites the ability to adapt and improve your overall user experience.
Without cookies, websites would have no mechanism for collecting such information — every visitor to a site would show up and depart the same way, as an anonymous stranger. So it should hardly come as a big shock that cookies are widely used across the internet. They are simply a part of the way the internet works.
You may have recently noticed that cookies are “in the news” a lot. This is a result of their very function. They are designed to track and report on you. They allow a company that owns a web site you visit to know how you behave and what, in a limited sense, your interests are. Companies can look at other cookies and know you went to other sites, and what you looked at over there.
All of this tracking and tailoring, of course, raises concerns about privacy. Recent laws, like the GDPR passed by the European Union, or California’s OPPA, really crack down on this personal data collection. Whenever web companies can connect behavioral data gleaned from cookies with your actual real-world identity, that combo is pure marketing gold.
In the past, users of websites were often not aware that such data was being collected, or what such data is used for, or with whom it is shared. Now new laws mandate that whenever data, particularly from cookies, is being actively harvested, website users must be notified. Other U.S. states are likely to follow the example set by California.
The uncertain future of cookies
The real issue lies with the fact that the data about website users is stored and maintained. Such data can be used for targeted advertising, with advertisers providing users with more “relevant” advertisements based on past behavior. This improves the success of an ad campaign, or a certain product.
In keeping with new privacy protection laws, however, any website needs to get a user’s informed consent before they collect any behavioral or tracking data. Hence, the recent and ongoing flood of pop-ups informing you about cookies.
And hence also a degree of danger: When data breaches occur, much of what gets stolen can be sold or used by the thieves to target individuals. Your personal data gradually leaks out into the world, along with data about your preferences and habits. It’s a potentially deadly combo when a bad actor is aiming to destroy your reputation, say, or take your money.
Some of the laws now being passed, as discussed above, place restrictions on what websites can do. Visitors to websites, however, are also newly empowered. You can request to know what data is being held about you, and request that it not be sold, or even that it be deleted altogether. All of this kerfuffle is happening because of a tiny text string and a unique numerical ID.
Google steps in
Internet search titan Google is reimagining cookies with a thing they call a “privacy sandbox.” In terms of ad targeting, Google is “exploring how to deliver ads to large groups of similar people without letting individually identifying data ever leave [the] browser.”
The plan, then, is to remove so-called “third-party cookies” — non-native cookies placed on a website by scripts or tags — while still acquiring browser data and (naturally) selling it to the highest bidder. In other words, Google is not saying it won’t track you anymore. Such tracking will just be fully transparent — and no vendor is going to receive your data for free.
Critics will accuse Google of trying to assert more control over digital advertising. For its new approach to work, however, Google will need to build consensus among a broad community of publishers, advertisers, technology companies, and even browser competitors like Apple and Mozilla (creator of the Firefox web browser).
So far as the common user will know, their browsing experience will not change much. You may notice some tools that give you the ability to control to what extent you are willing to allow third-party sites to track your activity. This won’t stop your browser from tracking your activity, but it will stop third parties from helping themselves to that data.
Never forget that, on the modern internet, you are a prized commodity. Your data is the gold, and the digital economy is in the throes of a rapacious gold rush. No matter what Google does to alter the online landscape, cookies and privacy will be both a focus and a hotly contested battleground for a long time to come.