Can you imagine online shopping without saving items in your cart or YouTube without video recommendations based on your viewing history?
Cookies make those user experiences possible.
As a website owner, you should know the function of cookies and how to implement them so your site operates efficiently and competitively — like using tracking cookies to recommend products your users are most interested in.
But you must do it legally.
Our tracking cookies guide will give you the information you need about tracking cookies, how they work, and your legal responsibilities when using cookies on your website.
- What Are Tracking Cookies?
- How To Detect If Your Website Uses Tracking Cookies
- How Do Tracking Cookies Work?
- Are Tracking Cookies Bad or Dangerous?
- What Data Do Tracking Cookies Store?
- Examples of How Tracking Cookies Are Used
- How Data Privacy Laws Regulate Tracking Cookies
- What Will Replace Tracking Cookies?
- Summary
What Are Tracking Cookies?
Technically, internet cookies are small text files that get saved onto a user’s browser.
They perform various tasks, like helping a website function properly, remembering user preferences, and enhancing their online experience.
Tracking cookies are a type of internet cookie primarily used for analytics and advertising.
As a user surfs the web, tracking cookies follow them, collecting information about their habits, past website visits, and purchases.
With this data, you can send targeted advertisements to the user to show them the products and services they’re most likely interested in.
What Are Third-Party Tracking Cookies?
Unlike first-party tracking cookies, which are placed on browsers by the website operator to track user activity, third-party tracking cookies are put on browsers by external services — like Facebook or Google Adsense.
Most tracking cookies are third-party tracking cookies.
Third-party tracking cookies are a standard tool used for advertising, which can help enhance your users’ online experience.
However, data privacy laws regulate these tracking tactics, and you must balance the benefits of tracking cookies with your users’ concerns about data privacy.
How To Detect If Your Website Uses Tracking Cookies
To detect if your website uses tracking cookies, manually perform a comprehensive cookie audit or use an automatic cookie scanning tool.
To manually identify any cookies on your website, follow these steps:
- Right-click on your web page and choose ‘Inspect’
- Select ‘Application,’ then choose ‘Cookies’ under the ‘Storage’ section
- Analyze the purpose of the cookies
- Inform you of the user information collected by the cookies
Or you can enter your website URL into our free cookie scanning tool to automatically detect tracking cookies on your website.
It scans for tracking cookies and gives you a list of all cookies your site uses, classifying them into the following six categories:
- Essential
- Performance and functionality
- Analytics and customization
- Advertising
- Social networking
- Unclassified
You can then control what cookies your website uses and block any you don’t want or need.
How to Block Tracking Cookies and Manage User Consent Using Termly
Because data privacy laws dictate how your site uses tracking cookies, there are two main things you must know how to do to ensure compliance:
- How to block tracking cookies
- How to approach user consent
You can easily configure Termly’s Cookie Consent Manager directly in your dashboard based on user location.
For EU users, you can automatically block first and third-party cookies from your website to meet the guidelines of laws like the GDPR and the EU Cookie Law.
You can also change the settings for your California users to meet the opt-out rights described by the CCPA.
Our consent solution also provides a customized cookie banner, a compliant cookie policy, and a consent preference center so you can use cookies on your website while appropriately logging users’ consent choices.
How Do Tracking Cookies Work?
Now that you know what tracking cookies are, let’s discuss how they work.
When a user visits your website, you can place a third-party tracking cookie on their device that follows them as they surf the web, collecting personal information about them.
Examples of some of the data tracking cookies can store include:
- Which websites the user visited
- The web pages they viewed on those websites
- Any products purchased
- Advertisements the user clicked on
You can then use this information to tailor marketing campaigns to the specific user.
Are Tracking Cookies Bad or Dangerous?
When used in a legally compliant way, tracking cookies are not bad or dangerous.
They generally don’t cause harm to users’ devices and actually enhance the online experience.
However, many people have grown uncomfortable with the idea that website operators are following them and storing their data.
You don’t have to stop using cookies on your website.
Instead, you should be aware of your consumers’ concerns and provide them with transparency and the appropriate controls regarding tracking cookies as required by applicable laws.
Are Tracking Cookies Illegal?
Tracking cookies are not illegal as long as you use them in a way that complies with all data privacy laws that impact your website.
Most of these laws require you to:
- Inform the user that you’re using tracking cookies
- Provide them with a way to opt out of the use of these cookies
- Give them a way to change their minds easily and at any time
However, under the GDPR, you must obtain active opt-in consent from users before placing any tracking cookies on their browsers.
The doomsday for tracking cookies is approaching as Google has announced it will be phasing out third-party cookies for good starting early 2025. Therefore, applying a coordinated approach to address these changes is more important than ever.
Are Tracking Cookies Dangerous to Your Visitors?
Tracking cookies are not dangerous to your users and will not damage your website or the devices your users operate.
They only pose a risk if your site falls victim to a cyberattack and they’re laced with a virus or some other malware or spyware.
Websites that use cookies possess a lot of control over a user’s online activities, and it can be dangerous if that information isn’t handled securely.
You must protect user information and prevent their data from getting into the wrong hands, which is why many governments have implemented laws controlling the use of tracking cookies.
What Data Do Tracking Cookies Store?
Tracking cookies can store various bits of personal information from your users, including the following:
- Type of device the user used (e.g., computer, tablet, mobile phone)
- Name and age
- Website preferences, themes, and settings (language, notifications, time zone)
- IP address
- Email address and passwords
- History and prior purchases
- Time spent on webpages
- Browsing history
- Websites visited
- Advertisement interactions and clicks
- Search engine inputs
Examples of How Tracking Cookies Are Used
Here are three common examples of how you can use tracking cookies to improve your website operations:
- Example 1: A user visits a rock band’s website and social media page. The next day, they see an advertisement to buy tickets to the band’s concert in their city.
- Example 2: A user searches for slippers on Amazon. The next day, on their email homepage, they see an advertisement for slippers from Amazon.
- Example 3: A user searches for plane tickets to Prague for a summer vacation. The next day, they see advertisements for hotels in Prague.
In all cases, tracking cookies followed the users and learned details about them, like their location via their IP address, their browsing history, and their interests.
How Data Privacy Laws Regulate Tracking Cookies
Let’s look at some data privacy legislation that regulates how websites use tracking cookies so you can ensure you’re following all laws that apply to your site and avoid penalties and fines.
How the ePrivacy Directive Regulates Tracking Cookies
The ePrivacy Directive (EU Cookie law) was passed in 2009 by the European Union (EU) to regulate how websites use cookies and process the personal information of EU visitors.
You’re subject to this law if your users are from:
- the European Union
- Iceland
- Norway
- Liechtenstein
The ePrivacy Directive requires you to obtain user consent before placing cookie trackers on users’ browsers to collect their personal data.
For consent to be valid, the ePrivacy Directive requires you to provide the user with clear and comprehensive information about the purposes of the processing.
Your website must also give visitors a choice to opt into the use of cookies, and you cannot use tracking cookies if they don’t provide it.
How the GDPR Regulates Tracking Cookies
The General Data Protection Regulation (GDPR) entered into force in May 2018 and created a uniform data privacy law for the region, providing ways for residents of the EU to protect their personal data.
Under the GDPR, you must get user consent to process a user’s personal data, which includes personal data collected from tracking cookies.
The GDPR also grants users the right to delete their data in Article 17 of the GDPR, which explains “the right to be forgotten,” subject to certain exceptions.
If you violate the GDPR by improperly using tracking cookies, you could face a GDPR fine of up to €20 million or 4% of your annual revenue, whichever is higher.
How the CCPA Regulates Tracking Cookies
The California Consumer Privacy Act (CCPA) was amended in 2023 and protects the personal data of residents of California.
While the CCPA does not have an opt-in consent requirement like the GDPR, you still need to explain to your users what personal information you collect and why, including data from tracking cookies.
You must also provide users with multiple opt-out mechanisms regarding collecting their personal information for specific purposes, including using tracking cookies for targeted ads.
If your targeting cookies share data with third parties, you must also present users with a “Do Not Sell or Share My Personal Information” link.
How Other US State Data Privacy Laws Regulate Tracking Cookies
There are now several U.S. state privacy laws in effect besides the CCPA, which include the:
- Colorado Privacy Act (CPA)
- Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
- Virginia Consumer Data Protection Act (VCDPA)
Several other states passed privacy laws in 2023 that are scheduled to enter into action over the next few years.
Under most U.S. state laws, you must allow users to opt out of targeted advertising, impacting your use of tracking cookies.
If your website falls under any of the jurisdiction of the new U.S. state laws, provide a way for your protected consumers to opt out of tracking cookies used for targeted advertising purposes.
How the LGPD Regulates Tracking Cookies
The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil’s data privacy law enacted in August 2020 and applies to websites that use tracking cookies and collect and process data from users in Brazil.
Under the LGPD, you can only process personal data with the user’s consent, including tracking cookies.
Consent must be given in writing or “by other means able to demonstrate the manifestation of the will of the data subject.”
The LGPD separates personal data from sensitive personal data, but the collection of either requires user consent before that data can be used for tracking and processing.
How the POPIA Regulates Tracking Cookies
The Protection of Personal Information Act (POPIA) is a data protection law enacted by the South African government in June 2021.
It requires user consent to process the personal information of South African residents, including the use of tracking cookies.
The POPIA defines consent as “any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information.”
Like the GDPR, opt-in consent is required from users if you want to place tracking cookies on their browsers.
How the PIPL Regulates Tracking Cookies
The Personal Information Protection Law (PIPL) was enacted in China in November 2021 as China’s equivalent of Europe’s GDPR.
If you collect the personal information of the inhabitants of China, it applies to your website no matter where you’re located.
Under the PIPL, you must obtain a user’s consent before you process their data or put tracking cookies on their browsers.
The PIPL defines consent as permission given “under the precondition of full knowledge, and in a voluntary and explicit statement.”
Therefore, users must voluntarily give consent in an explicit statement after being given the knowledge about how you will use their personal information.
Users can withdraw their consent at any time, and you must provide an easy-to-understand method for them to follow through.
The PIPL protects a user’s personal information only from the private sector, not the Chinese government.
How PIPEDA Regulates Tracking Cookies
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the data privacy law of Canada, and it entered into action in 2001.
PIPEDA applies to businesses in the private sector in Canada that collect, use, or share personal info when performing a commercial activity.
Under PIPEDA, you must obtain valid consent to collect, use, and share the personal data of your users.
While the regulation doesn’t mention cookies explicitly, it requires you to inform users about what data you collect and obtain their consent for commercial activities, including using tracking cookies for targeted advertising.
How COPPA Regulates Tracking Cookies
If your website targets children under 13 in the U.S., you must follow the Children’s Online Privacy Protection Act (COPPA).
COPPA prohibits behavioral advertising, including using tracking cookies for targeted ads, for most websites and apps directed at children.
In fact, COPPA requires you to obtain parental consent before collecting and processing any data about a child.
What Will Replace Tracking Cookies?
A multi-year initiative led by Google called the Privacy Sandbox seeks to replace third-party tracking cookies and aims to phase out tracking cookies and block covert tracking methods midway through 2024.
Google’s initiative recognizes the necessity of websites to utilize ads to keep their online content free and is developing alternatives, but says the new technology will better protect users and their privacy.
To prepare, Google recommends performing an audit to look for third-party cookies and taking specific actions to ready your site.
For more information about what some online have called the Cookiepocalypse, read our thoughts on what a cookieless future might entail.
Summary
Websites use tracking cookies to collect vital information about user behavior, online activity, and demographics to improve marketing strategies and enhance the online experience.
But, the ability to track a user across the digital world is a big responsibility, and you must do so respectfully as the website owner.
With the help of compliance solutions like Termly, you can get the information you need while keeping user data safe and remaining in line with applicable data privacy laws.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
