What Are Tracking Cookies and How to Detect Them

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: October 25, 2024

Website owners must understand what tracking cookies are and how to detect them to ensure they’re being used in a legally compliant manner.

Privacy laws give users the right to opt out of having their data shared with third parties and to say no to targeted advertising, and websites often deploy tracking cookies for these purposes.

In this guide, I explain what tracking cookies are, how they work, and your legal responsibilities when using these cookies on your website.

Table of Contents
  1. What Are Tracking Cookies?
  2. How To Detect If Your Website Uses Tracking Cookies
  3. How Do Tracking Cookies Work?
  4. Are Tracking Cookies Bad or Dangerous?
  5. What Data Do Tracking Cookies Store?
  6. Examples of How Tracking Cookies Are Used
  7. How Data Privacy Laws Regulate Tracking Cookies
  8. Weren't Tracking Cookies Going Away?
  9. Summary

What Are Tracking Cookies?

Technically, internet cookies are small text files that get saved onto a user’s browser.

They perform various tasks, like helping a website function properly, remembering user preferences, and enhancing their online experience.

Tracking cookies are a type of internet cookie primarily used for analytics and advertising.

They collect the following data, some of which is considered personal information:

  • User devices
  • Name or age
  • Website preferences
  • IP addresses
  • Email address
  • Passwords
  • Time spent on webpages
  • Browsing history and webpage clicks

As a user surfs the web, tracking cookies follow them, collecting information about their habits, past website visits, and purchases.

With this data, you can send targeted advertisements to the user to show them the products and services they’re most likely interested in.

What Are Third-Party Tracking Cookies?

Unlike first-party tracking cookies, which are placed on browsers by the website operator to track user activity, third-party tracking cookies are put on browsers by external services, like Facebook or Google AdSense.

Most tracking cookies are third-party tracking cookies.

Third-party tracking cookies are a standard tool used for advertising, which can help enhance your users’ online experience.

However, data privacy laws regulate these tracking tactics, and you must balance the benefits of tracking cookies with your users’ concerns about data privacy.

How To Detect If Your Website Uses Tracking Cookies

To detect if your website uses tracking cookies, manually perform a comprehensive cookie audit or use an automatic cookie scanning tool.

To manually identify any cookies on your website, follow these steps:

  • Right-click on your web page and choose ‘Inspect’
  • Select ‘Application,’ then choose ‘Cookies’ under the ‘Storage’ section
  • Analyze the purpose of the cookies
  • Identify what user information the cookies collect

Or you can enter your website URL into our free cookie scanning tool to automatically detect tracking cookies on your website.

It scans for tracking cookies and gives you a list of all cookies your site uses, classifying them into the following six categories:

  1. Essential
  2. Performance and functionality
  3. Analytics and customization
  4. Advertising
  5. Social networking
  6. Unclassified

You can then control what cookies your website uses and block any you don’t want or need.
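The manual audit described above can be partly scripted. The following is an added example, not Termly's scanner or code from the original article: it parses `Set-Cookie` headers, separates first-party from third-party cookies, and flags the ones whose purpose needs review. The hosts, cookie names, the `shop.example` site domain, and the review rule are all constructed assumptions.

```javascript
// Constructed sample: Set-Cookie headers seen while loading https://www.shop.example/,
// paired with the host that sent each one (as listed in the DevTools Network tab).
const SITE_DOMAIN = "shop.example"; // assumption: the audited site's registrable domain
const NOW = Date.parse("2024-10-25T00:00:00Z"); // fixed clock so results are repeatable
const observed = [
  { host: "www.shop.example", header: "sid=a1b2; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.shop.example", header: "prefs=lang-en; Max-Age=31536000; Path=/" },
  { host: "ads.tracker.example",
    header: "uid=77f0; Domain=.tracker.example; Expires=Sat, 25 Oct 2025 00:00:00 GMT; Secure; SameSite=None" },
  { host: "cdn.widgets.example", header: "w=1; Path=/" },
];

// Split one Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Lifetime in days; Max-Age wins over Expires, and neither means a session cookie (0).
function lifetimeDays(attrs) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires !== undefined) return (Date.parse(attrs.expires) - NOW) / 86400000;
  return 0;
}

// Classify each cookie and flag the ones whose purpose needs a human decision.
function auditCookies(rows, siteDomain) {
  return rows.map(({ host, header }) => {
    const c = parseSetCookie(header);
    const scope = String(c.attrs.domain || host).replace(/^\./, "").toLowerCase();
    const firstParty = scope === siteDomain || scope.endsWith("." + siteDomain);
    const days = lifetimeDays(c.attrs);
    return {
      name: c.name, scope, days,
      party: firstParty ? "first" : "third",
      crossSite: String(c.attrs.samesite || "").toLowerCase() === "none",
      // Assumed review rule: anything third-party, or any cookie that outlives the session.
      needsReview: !firstParty || days > 0,
    };
  });
}

console.table(auditCookies(observed, SITE_DOMAIN));
```

A production audit would resolve registrable domains with the Public Suffix List instead of a hard-coded site domain, and would also inspect cookies set from JavaScript, which never appear as `Set-Cookie` headers.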

How to Block Tracking Cookies and Manage User Consent Using Termly

Because data privacy laws dictate how your site uses tracking cookies, there are two main things you must know how to do to ensure compliance:

  • How to block tracking cookies
  • How to approach user consent

You can easily configure Termly’s Cookie Consent Manager directly in your dashboard based on user location.

For EU users, you can automatically block first and third-party cookies from your website to meet the guidelines of laws like the GDPR and the EU Cookie Law.

You can also change the settings for your California users to meet the opt-out rights described by the CCPA.

Our consent solution also provides a customized cookie banner, a compliant cookie policy, and a consent preference center so you can use cookies on your website while appropriately logging users’ consent choices.

How Do Tracking Cookies Work?

Now that you know what tracking cookies are, let’s discuss how they work.

When a user visits your website, you can place a third-party tracking cookie on their device that follows them as they surf the web, collecting personal information about them.

Examples of some of the data tracking cookies can store include:

  • Which websites the user visited
  • The web pages they viewed on those websites
  • Any products purchased
  • Advertisements the user clicked on

You can then use this information to tailor marketing campaigns to the specific user.

Are Tracking Cookies Bad or Dangerous?

When used in a legally compliant way, tracking cookies are not bad or dangerous.

They generally don’t cause harm to users’ devices and actually enhance the online experience.

However, many people have grown uncomfortable with the idea that website operators are following them and storing their data.

You don’t have to stop using cookies on your website.

Instead, you should be aware of your consumers’ concerns and provide them with transparency and the appropriate controls regarding tracking cookies as required by applicable laws.

Are Tracking Cookies Illegal?

Tracking cookies are not illegal as long as you use them in a way that complies with all data privacy laws that impact your website.

Most of these laws require you to:

  • Inform the user that you’re using tracking cookies
  • Provide them with a way to opt out of the use of these cookies
  • Give them a way to change their minds easily and at any time

However, under the GDPR, you must obtain active opt-in consent from users before placing any tracking cookies on their browsers.

Are Tracking Cookies Dangerous to Your Visitors?

Tracking cookies are not dangerous to your users and will not damage your website or the devices your users operate.

They only pose a risk if your site falls victim to a cyberattack and they’re laced with a virus or some other malware or spyware.

Websites that use cookies possess a lot of control over a user’s online activities, and it can be dangerous if that information isn’t handled securely.

You must protect user information and prevent their data from getting into the wrong hands, which is why many governments have implemented laws controlling the use of tracking cookies.

What Data Do Tracking Cookies Store?

Tracking cookies can store various bits of personal information from your users, including the following:

  • Type of device the user used (e.g., computer, tablet, mobile phone)
  • Name and age
  • Website preferences, themes, and settings (language, notifications, time zone)
  • IP address
  • Email address and passwords
  • History and prior purchases
  • Time spent on webpages
  • Browsing history
  • Websites visited
  • Advertisement interactions and clicks
  • Search engine inputs

Examples of How Tracking Cookies Are Used

Here are three common examples of how you can use tracking cookies to improve your website operations:

  • Example 1: A user visits a rock band’s website and social media page. The next day, they see an advertisement to buy tickets to the band’s concert in their city.
  • Example 2: A user searches for slippers on Amazon. The next day, on their email homepage, they see an advertisement for slippers from Amazon.
  • Example 3: A user searches for plane tickets to Prague for a summer vacation. The next day, they see advertisements for hotels in Prague.

In all cases, tracking cookies followed the users and learned details about them, like their location via their IP address, their browsing history, and their interests.

How Data Privacy Laws Regulate Tracking Cookies

The following data privacy laws may apply to your website and regulate how you use and implement targeting cookies:

  • ePrivacy Directive (EU Cookie Law)
  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • Lei Geral de Proteção de Dados Pessoais (LGPD)
  • Protection of Personal Information Act (POPIA)
  • Personal Information Protection Law (PIPL)
  • Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Children’s Online Privacy Protection Act (COPPA)
  • Other U.S. state privacy laws

Let’s look at some of these pieces of legislation to explore how they regulate how websites use tracking cookies so you can follow all applicable laws and avoid penalties and fines.

ePrivacy Directive

The ePrivacy Directive (EU Cookie law) was passed in 2009 by the European Union (EU) to regulate how websites use cookies and process the personal information of EU visitors.

You’re subject to this law if your users are from:

  • the European Union
  • Iceland
  • Norway
  • Liechtenstein

The ePrivacy Directive requires you to obtain user consent before placing cookie trackers on users’ browsers to collect their personal data.

For consent to be valid, the ePrivacy Directive requires you to provide the user with clear and comprehensive information about the purposes of the processing.

Your website must also give visitors a choice to opt into the use of cookies, and you cannot use tracking cookies if they don’t provide it.

GDPR

The General Data Protection Regulation (GDPR) entered into force in May 2018 and created a uniform data privacy law for the region, providing ways for residents of the EU to protect their personal data.

Under the GDPR, you must get user consent to process a user’s personal data, which includes personal data collected from tracking cookies. 

Article 17 of the GDPR also grants users the right to have their data deleted, known as “the right to be forgotten,” subject to certain exceptions.

If you violate the GDPR by improperly using tracking cookies, you could face a GDPR fine of up to €20 million or 4% of your annual revenue, whichever is higher.

CCPA

The California Consumer Privacy Act (CCPA) was amended in 2023 and protects the personal data of residents of California.

While the CCPA does not have an opt-in consent requirement like the GDPR, you still need to explain to your users what personal information you collect and why, including data from tracking cookies.

You must also provide users with multiple opt-out mechanisms regarding collecting their personal information for specific purposes, including using tracking cookies for targeted ads.

If your targeting cookies share data with third parties, you must also present users with a “Do Not Sell or Share My Personal Information” link.

Other US State Data Privacy Laws

There are now several U.S. state privacy laws in effect besides the CCPA, which include the:

  • Colorado Privacy Act (CPA)
  • Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
  • Virginia Consumer Data Protection Act (VCDPA)

Several other states passed privacy laws in 2023 that are scheduled to take effect over the next few years.

Under most U.S. state laws, you must allow users to opt out of targeted advertising, impacting your use of tracking cookies. 

If your website falls under the jurisdiction of any of the new U.S. state laws, provide a way for your protected consumers to opt out of tracking cookies used for targeted advertising purposes.

LGPD

The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil’s data privacy law enacted in August 2020 and applies to websites that use tracking cookies and collect and process data from users in Brazil.

Under the LGPD, you can only process personal data, including data collected through tracking cookies, with the user’s consent.

Consent must be given in writing or “by other means able to demonstrate the manifestation of the will of the data subject.”

The LGPD separates personal data from sensitive personal data, but the collection of either requires user consent before that data can be used for tracking and processing.

POPIA

The Protection of Personal Information Act (POPIA) is a data protection law enacted by the South African government in June 2021.

It requires user consent to process the personal information of South African residents, including the use of tracking cookies.

The POPIA defines consent as “any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.”

As under the GDPR, opt-in consent is required from users if you want to place tracking cookies on their browsers.

PIPL

The Personal Information Protection Law (PIPL) was enacted in China in November 2021 as China’s equivalent of Europe’s GDPR.

If you collect the personal information of the inhabitants of China, it applies to your website no matter where you’re located.

Under the PIPL, you must obtain a user’s consent before you process their data or put tracking cookies on their browsers.

The PIPL defines consent as permission given “under the precondition of full knowledge, and in a voluntary and explicit statement.”

Therefore, users must voluntarily give consent in an explicit statement after being given the knowledge about how you will use their personal information.

Users can withdraw their consent at any time, and you must provide an easy-to-understand method for them to follow through.

The PIPL protects a user’s personal information only from the private sector, not the Chinese government.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the data privacy law of Canada, and it entered into force in 2001.

PIPEDA applies to businesses in the private sector in Canada that collect, use, or share personal info when performing a commercial activity.

Under PIPEDA, you must obtain valid consent to collect, use, and share the personal data of your users.

While the regulation doesn’t mention cookies explicitly, it requires you to inform users about what data you collect and obtain their consent for commercial activities, including using tracking cookies for targeted advertising.

COPPA

If your website targets children under 13 in the U.S., you must follow the Children’s Online Privacy Protection Act (COPPA).

COPPA prohibits behavioral advertising, including using tracking cookies for targeted ads, for most websites and apps directed at children. 

In fact, COPPA requires you to obtain parental consent before collecting and processing any data about a child.

Weren’t Tracking Cookies Going Away?

The doomsday for tracking cookies was approaching as Google had announced it would be phasing out third-party cookies for good starting early 2025.

They called the initiative the Privacy Sandbox, and it sought to replace third-party tracking cookies and block covert tracking methods.

But in July 2024, Google said they were officially terminating these plans. 

Instead, they say they will continue to develop Privacy Sandbox alternatives.

Summary

Websites use tracking cookies to collect vital information about user online behaviors to improve marketing strategies and enhance the online experience.

But the ability to track a user across the digital world is a big responsibility, and as the website owner, you must do so respectfully.

With the help of compliance solutions like Termly, you can get the information you need while keeping user data safe and remaining in line with applicable data privacy laws.

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016.
