Tracking Cookie

What is a cookie?

An HTTP cookie is a small piece of text data that is stored on a personal computer or a mobile device by the web browser. This small piece of data is there to help the browser remember information about the user.

The easiest way to understand what a cookie does is by thinking about online shopping. For instance, a user can add various items to their shopping cart, then close the tab or hop to another online store to compare prices or to look at other products. When or if they go back to the page that they were on, the shopping cart items should still be there. How does the cart remember all those items? The cookies help the browser maintain that information. Thus, in a sense, cookies are essential for online marketing, and they are integral parts of any website. Some web pages cannot even function properly without cookies.

There are several types of cookies. Authentication cookies allow websites to authenticate users. For instance, if a user logs in to some website and their browser saves an authentication cookie, then the next time the user opens the website, they will be already logged in (unless they have other security settings turned on).

Then there are session cookies that function like certain browser bookmarks. The example with the online shopping cart is a staple use of a session cookie. The important thing about session cookies is that they get deleted once a browsing session ends. In other words, the moment user closes their browser, the session cookies disappear.

And finally, we have tracking (or preference) cookies. Tracking cookies are used to collect and store information on a user’s web browsing habits and history. They can be used as a marketing tool by commercial websites to optimize user’s experience and offer them goods and services that users might be more inclined to choose.

What does a tracking cookie do?

As mentioned, tracking cookies collects information on browsing history. Tracking cookies can be used by several websites, especially when they are third-party tracking cookies. They can track IP addresses, browsing activity, purchases and preferences (in the case of online stores), user’s geographic location, and so on. All of that is usually done in order to achieve the following:

• Personalize a website experience for an individual user.
• Remember passwords, addresses, and invoice details for future shopping.
• Suggest similar content for the next session.
• Optimize a page for the owner in terms of targeted marketing.
• Custom optimization for pay-per-click third-party advertisements (if applicable).

Therefore, in a sense, tracking cookies are there to provide a seamless custom experience and to optimize a website for its owner. It is safe to assume that almost any website has its own tracking cookies, and it is also common to employ third-party tracking cookies.

The difference between third-party and first-party tracking cookies is that they “look” at different websites for references. A first-party tracking cookie will look for references only within its main domain and its subdomains. A third-party tracking cookie will look for references across multiple domains, wherever it is used. So, for example, if the same third-party cookie is used across multiple domains, anyone who reads this cookie could find out what the user has searched for on a third-party (affiliated) website even if this said user has never visited their main site directly.

First-Party vs. Third-Party Cookies – Source: searchengineland.com

There are countless tracking cookies in the wild, and it would be counterproductive to list them all in this description, but some of the examples include as follow:

• TrackingCookie.Adform
• TrackingCookie.Adtech
• TrackingCookie.Advertising
• TrackingCookie.Clickbank
• TrackingCookie.Doubleclick
• TrackingCookie.Emediate
• TrackingCookie.Mediaplex
• TrackingCookie.Specificclick
• TrackingCookie.Statcounter
• TrackingCookie.Tradedoubler
• TrackingCookie.Webtrends
• TrackingCookie.Yieldmanager

Why are tracking cookies a security risk?

Tracking cookies by themselves are dangerous or malicious. As mentioned, they are an integral part of many websites out there. They can also optimize web pages for seamless user experience, but third-party tracking cookies may present certain security risks depending on how they are used.

The main security concern associated with tracking cookies is privacy. If shared information about a user’s browsing habits is shared among several parties, users could eventually be exposed to potentially harmful websites and unreliable content. It is especially relevant when users accidentally install browser hijackers, adware, and potentially unwanted programs. These types of potentially risky software go hand in hand with third-party tracking cookies.

Due to such risks, it is common to ask for informed user’s consent via “cookie banners” before cookies are launched on a website. In the European Union, the General Data Protection Regulation (GDPR), which was enacted in 2018, requires consent for cookies, and users must be informed about anything that could collect their information and web browsing history.

In the United States, there is no all-encompassing federal regulation that would require consent for cookies. Nevertheless, there are strong privacy laws in California, where the California Consumer Privacy Act (CCPA), signed into law in 2018, provides California residents with the right to know what data is collected about them, among other things. The state statute, however, does not require explicit consent for cookies.

Therefore, it is often up to users to educate themselves about tracking cookies. Luckily, it is rather easy to delete cookies and the data they have collected from individual browsers. The “delete cookies” option can be found in the settings menu across different browsers. Also, if users do not wish to regularly delete cookies manually, they can rely on an anti-malware tool that can clear cookies for them automatically.