What Are Tracking Cookies and How to Detect Them

Cookies make the internet go round. Without them, the modern age of the internet would look a lot different.

Can you imagine online shopping without saving items in your cart or YouTube without video recommendations based on your viewing history?

Cookies are what makes that possible.

As a website owner, you need to know the function of cookies and be able to implement them for your website to operate efficiently and competitively.

But you must do it legally.

Our tracking cookies guide will give you the information you need about tracking cookies, how they work, and your responsibilities when using cookies on your website.

Table of Contents

What Are Tracking Cookies?
How Do Tracking Cookies Work?
Are Tracking Cookies Bad or Dangerous?
What Data Do Tracking Cookies Store?
Examples of Tracking Cookies Usage
How Data Privacy Laws Regulate Tracking Cookies
What Will Replace Tracking Cookies?
How to Detect If Your Website Uses Tracking Cookies
Summary

What Are Tracking Cookies?

Internet cookies are small bits of data that get saved onto a user’s computer. They are made up of collected data about the user and their browsing activity, and you can use them to remember your users’ preferences to enhance their online experience.

Tracking cookies are a type of internet cookie used primarily for advertising purposes.

As a user surfs the web, the cookies follow them, keeping track of information about the user’s preferences, habits, past website visits, and purchases.

With this information, you can send advertisements to the user and show them the products and services they’re most likely interested in — among other actions.

What Are Third-Party Tracking Cookies?

Most tracking cookies are third-party tracking cookies. Unlike first-party tracking cookies, which are placed on a website by the website operator to track a user’s activity, third-party tracking cookies are put on a website by other services — such as Facebook — to track visitor activity.

Third-party tracking cookies are a handy and standard tool used for advertising. By collecting information about a user, you can enhance their online experience.

These tracking tactics, however, can be a double-edged sword, and you will have to balance the benefits of tracking cookies with your users’ concerns about data privacy.

How Do Tracking Cookies Work?

Now that you know what tracking cookies are, how do they work?

When a user visits your website, you can place a third-party tracking cookie on their device. This cookie will follow the user as they surf from website to website and collect any personal information about them.

The tracking cookie can store:

Which websites the user visited
The web pages on those websites
Any products purchased
Any other advertisements the user clicked on, and more.

You can then use this information to tailor marketing campaigns to the specific user.

Are Tracking Cookies Bad or Dangerous?

Generally, tracking cookies do not harm a user’s device, nor do they detract from their online experience.

Despite this, tracking cookies have become a concern with users and governments.

Many people have grown uncomfortable with the idea that website operators are following them and storing their data. It is one thing for a website to save passwords or recommend past purchases on the next login, but keeping location and tracking habits across websites has begun to feel more invasive than helpful for some users.

This change in user perception does not mean you have to stop using cookies on your website, but being aware of your web users’ concerns can help you to better connect with them and find ways to be more transparent.

Are Tracking Cookies Illegal?

Using tracking cookies is not illegal, but using them out of compliance with data privacy laws and without user consent can be. Additionally, compliance with the data privacy regulations will give your website users more faith in your business and trust in your brand.

Are Tracking Cookies Dangerous to Your Visitors?

Unless they have been laced with a virus or some malware or spyware, tracking cookies are not harmful or dangerous to visitors. They will not damage your website, nor will they damage the device your user is operating.

However, websites that use cookies possess a lot of control over a user’s online activities, which can be dangerous if that information isn’t handled securely.

Some of the control that cookies have can be helpful to brands and users alike. For example, a past purchase list on a website helps a user save time by not having to search for the same product again.

But some website users view the collection of search inquiries and locations as an invasion of privacy. So to protect user information and prevent this data from getting into the wrong hands, many governments have implemented their own laws controlling the use of tracking cookies.

Generally speaking, these laws allow tracking cookies on your website as long as your users consent to their use.

What Data Do Tracking Cookies Store?

Cookies can store various bits of personal information from your users. Most of this information gets used to improve advertisement targets.

Common pieces of personal information collected include:

Type of device the user used (e.g., computer, tablet, mobile phone)
Name and age
Website preferences, themes, and settings (language, notifications, time zone)
IP address
Email address and passwords
History and prior purchases
Time spent on webpages
Browsing history
Websites visited
Advertisement interactions and clicks
Search engine inputs

Examples of Tracking Cookies Usage

When operating your website, you must know what to use tracking cookies for to improve your website operations.

Here are three common examples of tracking cookies usage:

Example 1: A user visits a rock band’s website and then goes to their social media page. The next day the user sees an advertisement to buy tickets to the band’s concert in their city. Tracking cookies followed the user and learned the user’s location via IP address and their interest in the band.
Example 2: A user searches for slippers on Amazon. The next day, on the corner of the user’s email homepage, there are slipper advertisements from Amazon.
Example 3: A user searches for plane tickets to Prague for a summer vacation. The next day the user sees advertisements for hotels in Prague.

How Data Privacy Laws Regulate Tracking Cookies

As a website owner, you must be aware of the data privacy laws you may be subject to because penalties for violating these laws tend to be steep.

These are a few of the most common data privacy laws your business will likely need to comply with:

How the ePrivacy Directive Regulates Tracking Cookies

The ePrivacy Directive was passed in 2009 by the European Union to regulate how you use cookies on your website and how you process the personal information of your visitors who live in the EU.

It’s also often called the “EU Cookie law.”

You are subject to this law if any of your users are residents of a country that is a member of the European Union, Island, Norway, Liechtenstein or Switzerland.

One of the main focal points of the legislation is that it requires you to obtain user consent before you use cookie trackers on your website to collect their personal data.

The ePrivacy Directive states that users must give you consent before you can use cookies to collect and store their information.

For consent to be valid, you must provide the user with “clear and comprehensive information…about the purposes of the processing.”

For you to be compliant with this regulation, your website must give your website visitors a choice to opt into the use of cookies. If they do not give you their consent, you cannot use tracking cookies on them.

How the GDPR Regulates Tracking Cookies

The General Data Protection Regulation (GDPR) is one of the major data privacy laws you need to comply with, and it is also one of the strictest.

Passed by the European Union in May 2018, the GDPR was enacted to create a uniform data privacy law for the European Union and to provide a way for residents of the EU to protect their personal data.

Under the GDPR, you must get user consent to process a user’s personal data, which includes personal data collected from tracking cookies.

Personal information can be:

Name
Identification number
IP address
Person’s physical, physiological, genetic, mental, economic, cultural, or social identity

The GDPR also provides users a way to have their personal information erased. Article 17 of the GDPR states that users have “the right to be forgotten.” Subject to certain exceptions, users have the right to have you delete their personal information.

If you are found to have violated the GDPR, you will face a GDPR fine of up to €20 million or 4% of your annual revenue, whichever is higher.

How the CCPA Regulates Tracking Cookies

The California Consumer Privacy Act (CCPA) is another major data privacy law. It was passed by the legislature of California in June 2018, and its purpose is to protect the personal data of the residents of California.

While the CCPA does not have a consent requirement, you must explain to your users — if they’re California residents — what personal information you will collect and why you will collect it.

Under the CCPA, personal information includes:

Direct identifying information like name, email address, social security number
IP address
Internet browsing history and past purchases
Fingerprints

To comply with CCPA, you must provide users with the reason you collect the information and an opt-out mechanism before collecting their personal information or using any tracking cookies.

Additionally, if you are using cookies to sell data, you need to give users an easy way to opt out of the sale of their personal information via a “Do Not Sell My Personal Information” link.

How the LGPD Regulates Tracking Cookies

The Lei Geral de Proteção de Dados Pessoais (LGPD) is Brazil’s data privacy law that was enacted in August 2020. You must abide by this regulation if you use tracking cookies and collect and process data from users in Brazil.

Under the LGPD, you can only process personal data with the user’s consent. Consent must be given in writing or “by other means able to demonstrate the manifestation of the will of the data subject.”

This law separates personal data from sensitive personal data, but the collection of either requires user consent before that data can be used for tracking and processing.

Personal data includes information relating to an identified person or an identifiable person and sensitive data includes:

Data concerning race or ethnic origin
Religion
Political opinion
Trade union
Organizational membership
Data on health status or sex life
Data on genetics or biometrics

How the POPIA Regulates Tracking Cookies

The Protection of Personal Information Act (POPIA) is a data protection law enacted by the South African government in June 2021. It mandates user consent for you to be permitted to process the personal information of its residents.

The POPIA defines consent as “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.”

Personal information is defined as:

Demographic information (race, gender, sexual orientation, ethnicity, national origin, social origin, or age
Physical and mental health
Disability status
Culture, religion, and language
Education status
Financial status
Employment history
Criminal record
Identifying number or other information (physical address, email, IP address)
Biometric information
Private correspondence
Personal opinions, views, or preferences

How the PIPL Regulates Tracking Cookies

The Personal Information Protection law (PIPL) was enacted in China in November 2021 as China’s equivalent of Europe’s GDPR.

The PIPL applies to your website no matter where you are located, as long as you collect the personal information of the inhabitants of China.

This regulation protects a user’s personal information only from the private sector, not from the Chinese government.

Under PIPL, sensitive personal information is defined as:

Information on biometrics
Specifically designated status
Religious beliefs
Mental health
Financial status
Location tracking
Any information regarding a minor under 14 years old

PIPL confers the following rights:

Right to know what businesses will do with their personal data
Right to decide on, prohibit, or restrict the use of their personal data
Right to access and copy their personal information
Right to correct and supplement their personal information
Right to data portability
Right to have their personal information deleted

Under the PIPL, you must obtain a user’s consent before you process their data.

The PIPL defines consent as permission given “under the precondition of full knowledge, and in a voluntary and explicit statement.” Therefore, users must voluntarily give consent in an explicit statement after being given the knowledge about how you will use their personal information.

This consent can be rescinded at any time and you must provide an easy-to-understand method for your users to withdraw their consent.

Other reasons you may process the personal data of your users include the following:

To fulfill contractual obligations
Human resource management
Comply with statutory duties or obligations
Public interest
Individuals already disclosed their personal information

How PIPEDA Regulates Tracking Cookies

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the data privacy law of Canada, passed in 2001. PIPEDA applies to businesses in the private sector in Canada that collect, use, or share personal info when performing a commercial activity.

Under PIPEDA, you must obtain implicit or explicit meaningful consent to collect, use and share the personal data of your users.

PIPEDA defines personal information as “information about an identifiable individual,” and can include:

Name, age, ad identification numbers
Ethnic origin
Blood type
Financial and social status
Evaluations, opinions, and comments
Disciplinary actions
Employment records
Health information
Credit and loan records

How COPPA Regulates Tracking Cookies

While the United States does not have a federal data privacy law, it does have a law that protects the data and online privacy of children. The Children’s Online Privacy Protection Act (COPPA) is a regulation that establishes strict rules for you to abide by if the user is a child under the age of 13 years old.

The purpose of COPPA is to protect the personal data and security of children. No matter where you’re located, COPPA applies to your business if you collect the personal information of children in the United States who are under 13 years old.

The regulation prohibits you from collecting personal information about a child if you are a business directed to children or if you knew that you were collecting information from a child.

Collection of data refers to:

Requesting or encouraging the child to submit personal information
Enabling children to make personal information publicly available
Using cookies to track a child online

You must ensure that you provide notice about the information you collect and how you use it. You must also obtain parental consent before collecting and processing any data about a child.

Personal information includes:

Name
Home address
Online contact info
Screen name
Phone number
Social security number
Identifier, IP address, device serial number, customer number in a cookie
Photo, video, or audio of a child
Geolocation

What Will Replace Tracking Cookies?

A new initiative led by Google called the Privacy Sandbox seeks to replace tracking cookies. It aims to protect users’ personal information by phasing out tracking cookies and blocking covert tracking methods.

However, the initiative also recognizes the necessity of websites to utilize ads to keep their online content free and is in the process of developing alternatives.

The replacement for tracking cookies is still in development, but it will be a technology that is more protective of users’ privacy.

Google has postponed this phase-out of tracking cookies until 2023 to allow for more progress for alternative, privacy-friendly technologies to be further developed.

How to Detect If Your Website Uses Tracking Cookies

You will need to perform a comprehensive cookie audit to ensure compliance with data privacy laws and to improve your website. Performing a cookie audit has a few simple steps, such as:

Identify any cookies on your website
Analyze the purpose of the cookies
Inform you of the user information collected by the cookies

You can use our free cookie scanning tool to detect tracking cookies on your website. It will scan for tracking cookies and give you a list of your website’s cookies. Your cookies will then be classified into one of the following six categories:

Essential
Performance and functionality
Analytics and customization
Advertising
Social networking
Unclassified

With this, you will be able to control what cookies your website uses, and you will be able to block any cookies you do not want or need.

How to Block Tracking Cookies and Manage User Consent Using Termly

There are a lot of rules and regulations to be wary of when using tracking cookies to operate your website. The two main things you need to know how to do to ensure your website is compliant with data privacy are:

How to block tracking cookies
How to approach user consent

Termly’s Cookie Consent Manager will automatically block first-party and third-party cookies from your website and stay compliant with data privacy laws like the GDPR, the EU cookie law, and CCPA.

Our consent solution will also create and implement a customized cookie banner and a compliant cookie policy for your website so that you can use the cookies you need with your users’ consent.

Summary

Tracking cookies are everyday tools you will use to operate your website. They collect vital information about your user’s behavior, online activity, and demographics to improve marketing strategies and enhance the online experience.

The ability to track a user across the digital world confers power and responsibility on you as a website owner. But with the help of data security and compliance solutions like Termly, you can get the information you need while keeping users safe and maintaining compliance with data collection and storage regulations.

More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes... More about the author

Indiana Consumer Data Protection Act: First Look & Summary

Texas Data Privacy and Security Act: First Look & Summary

9 Data Privacy Issues to Avoid: Examples and Solutions

Cookie Text Simplified: What It Is and How To Use It on Websites

6 Reasons Why Data Privacy Is Important For Businesses

GDPR for Dummies

Tennessee Information Protection Act: First Look & Summary

GDPR in the US: Compliance Simplified for Businesses

What Is GDPR? Summary of the General Data Protection Regulation