10 min read
Tracking cookies are an important part of the digital experience used to track user behaviour with analytics servers, remember preferences, and run targeted ads. While these cookies can be useful for enhancing the user experience, they also raise privacy concerns due to profiling.
As users are becoming more privacy-conscious and regulations like GDPR and CCPA are evolving, organizations must adopt more transparent data collection practices and obtain valid consent.
So, in this article, we’ll cover what tracking cookies are, how they work, and how website owners should ensure cookie compliance with applicable privacy laws.
Ensure cookie law compliance on your Shopify website
Try TinyCookie freeWhat are tracking cookies?
Tracking cookies are text files with small pieces of data that websites deploy on a user’s browser. They help sites track user behavior, activities, and visited websites. Additionally, tracking cookies also remember user preferences, such as language settings or login sessions.
There are two types of tracking cookies – first-party and third-party cookies.
First-party tracking cookies are used by the website you’re visiting to track your behavior during the session. They help enhance the user experience by remembering your specific preferences. For example, they eliminate the need to re-login each session.
One of the most common examples is Google Analytics tracking cookies. For instance, the tool uses the __utma cookie to distinguish users or sessions and __utmz to check how the user found the website.
Third-party tracking cookies can be used for advertising or analytics purposes and can be added by the websites that you haven’t visited. They can also be called cross-site cookies because they track your activities and share data across websites.
Third-party tracking cookies track anything from the buttons you click and your location to your search history, and more.
Some of the most widely used cookie examples include major ad networks such as Facebook Pixels, Google Ads, Hotjar, Amazon, and more.
How do tracking cookies work?
Tracking cookies are primarily used for targeted advertising and marketing purposes. They track user behavior and activities to understand how they can make specific users buy a product or service.
For example, let’s say you’re looking for the new iPhone 16 on a website but you decide not to proceed with the purchase. As you continue browsing, you notice iPhone ads on other websites or social media. Here’s how it happened:
- The website you visited looking for an iPhone 16 uses an advertising tool that you cannot see. It places a tracking cookie on your browser.
- As you browse through websites, the advertising tool accesses the tracking cookie on your browser. It starts collecting information about your browsing activities and behavior. This means that it examines your interest in smartphone devices.
- The advertising tool starts showing you targeted ads for the iPhone. It may start showing ads for other smartphones you may be interested in as well.
Such cookies assign an identifier to each user so they can differentiate between users and track data more accurately. You can see a visualization of how first and third-party tracking cookies work below.
While tracking cookies are used for targeted advertising, they can also be used for improving the user’s experience on the website they’re visiting. For example, first-party tracking cookies can help sites remember language preferences, save login information, recommend relevant products on the website, remember shopping cart items, and more.
How are tracking cookies created?
First-party tracking cookies are created by the website the user is visiting. Meanwhile, third-party tracking cookies are created by external websites. It's done by asking for scripts from third-party services.
Let’s say you visit a website that uses a third-party analytics tool. Your website requests scripts so that the tool can be activated. The tool sends a JavaScript file back to the website you visited to store it on your browser.
What data do tracking cookies collect?
Since the main purpose of tracking cookies is to deliver users targeted ads, here’s what information they may collect:
- Websites you visit
- Pages you visit on a website and the time spent on them
- Link or button clicks, such as the product you’ve clicked on
- Purchases you made
- Browser type
- Google searches
- IP address
- Location
Not every tracking cookie collects the same kind of data. Gathered information depends on the type of cookies the user has consented to.
What are browser tracking cookies used for?
Websites use tracking cookies to improve the user experience or shopping journey. Here are a few examples of tracking cookie use cases:
- Analytics. Websites may use widely-known tracking cookies of analytics platforms. One of the most known examples is Google Analytics. It provides merchants with useful data on how to improve sales or engagement.
- Social media. Tracking cookies help create seamless social media sharing.
- Targeted advertising. Tracking cookies gather information about what you browse, creating a profile based on your interests. Based on this information, you then start seeing relevant ads on other websites.
- User experience. First-party tracking cookies track your browsing activities on the website you visited. It helps improve your shopping journey by showing you relevant product suggestions. These cookies are also the reason why you don't need to re-log into the website on each page.
Privacy regulations and tracking cookies
Many places around the world have privacy regulations in place to protect their citizens. Which privacy laws merchants need to follow depends on who visits the website. You can check some of the regulations around the globe and who they protect below.
| Regulation | Who is protected |
| GDPR | European Union citizens |
| CCPA | Californians |
| PIPEDA | Canadians |
| LGPD | Brazilians |
| APPI | Japanese citizens |
All of these privacy laws have similar compliance requirements when it comes to tracking cookies. Here are the main similarities and some differences:
- User consent. According to most privacy laws, you need to get active user consent for using cookies. Regulations like CCPA only require informing about cookie usage. In such cases, users give consent by default when they enter the site (except for minors).
- Consent withdrawal. Privacy regulations require websites to provide a consent withdrawal option. It has to be as simple to deny cookie usage as it was to consent.
- Consent storing. Website owners have to document and store user consent in a secure place. This allows users to exercise their right to know, access, rectify, delete, and other rights.
- Website access. Under GDPR, website owners cannot prohibit access to their website in case cookie usage isn’t consented to. CCPA, LGPD, APPI, and PIPEDA don’t explicitly state this requirement.
- Information on cookies. Privacy laws require sites to provide users with cookie usage information. This includes allowing users to manage used cookies and writing a cookie policy.
- Data protection. Tracking cookies collect personal data which has to be protected from data breaches and unauthorized access. Violations can result in large penalties. For instance, GDPR fines can go up to €20 million or 4% of the firm’s global annual revenue.
- User rights. When websites use tracking cookies, users have the right to access, rectify, or, in some cases, delete the personal data gathered.
How to know if a website uses tracking cookies
You can quickly check if a website uses cookies by leveraging the Inspect Element function on your browser. The process is similar to most browsers. Here’s how to do it on the most popular ones:
- Click Ctrl + Shift + I or right-click the page and press Inspect Element to open the developer console.
- Locate the Application tab and open it. If there’s no Application tab, locate the Storage section.
- Find the “Cookies” section and click the dropdown arrow to get a list of cookies used.
- Identify the tracking cookies.
To understand if you’re looking at a tracking cookie, check the domain first. Third-party cookies are the ones that use a different domain rather than the one you’re visiting.
Then, also check the expiry date of cookies – if it doesn’t expire the same day you close the session, it’s a tracking cookie.
Some examples of tracking cookies include ones that were set by advertising platforms. This can be Google Ads, Facebook pixels, LinkedIn tracking cookies, Hotjar, and more.
How to block tracking cookies?
Browsers like Firefox and Safari block third-party tracking cookies by default. However, you can still check if they’re blocked or block them again if you’ve enabled them in the past.
Here’s a detailed guide on how to block tracking cookies on the most popular browsers:
Chrome
To block tracking cookies on Chrome, go to Settings > Privacy and Security > Third-party cookies. Select “Block third-party cookies” and that’s it.
You may also scroll down and toggle on “Send a "Do Not Track" request with your browsing traffic” under the Advanced section. However, please remember that sites use their discretion, so they may not always satisfy your request. That’s why it’s important to not blindly accept cookies on every site.
Firefox
Firefox blocks tracking cookies by default. However, you also block all other cookies or cross-site tracking cookies in particular. Open Firefox and head to Settings > Privacy & Security. Under the “Enhanced Tracking Protection” section, check mark Cookies. Then, click the dropdown arrow. Select “Cross-site tracking cookies, and isolate other cross-site cookies.”
Safari
Safari blocks tracking cookies and all other cross-site cookies by default. If you wish to delete cookies in general, you can do that by clicking the Safari option and going to Settings. Head to Privacy > Manage Website Data > Remove all.
Edge
To block tracking cookies on Microsoft Edge, open the browser and head to Settings. Click Cookie and site permissions > Manage and delete cookies and site data. Turn on the Block third-party cookies option.
Are tracking cookies dangerous?
Tracking cookies are not inherently dangerous. In general, they don’t carry adware or any other type of malware that could harm the user’s device. However, they do cause a privacy concern since advertisers collect data about users and their browsing activities outside of the visited website.
If websites and advertising services use tracking cookies without malicious intent, they can enhance the user experience and shopping journey. For example, recommending products or services relevant to the user can help them find what they’re looking for more easily or even locate better deals.
Yet, irresponsible tracking cookie data collection can lead to unauthorized access when security measures are not applied. Additionally, with countless websites using tracking cookies and creating user profiles, privacy and data abuse concerns arise.
For such reasons, website owners must ensure privacy regulation compliance to use tracking cookies, starting from adopting a cookie consent banner. Shopify website owners can benefit from an easy-to-use banner called TinyCookie. It’s also crucial to write a cookie policy and adopt security measures for data protection.
Are tracking cookies going extinct?
While first-party tracking cookies used to enhance your user experience will stay, third-party tracking cookies have an unclear future.
Multiple web browser market giants are already blocking third-party cookies by default, including Apple’s Safari and Mozilla Firefox.
Only Google Chrome informed in 2024 that third-party cookies are here to stay, but users will receive a new experience called Privacy Sandbox. It aims to protect user privacy but still gives companies tools for creating a thriving business.
You can already find some of the cookie alternatives by going to Chrome’s Settings > Privacy and Security > Ad Privacy. You can find such privacy options as:
- Ad topics – creates topics based on your browsing history to show you personalized ads while keeping you private.
- Site-suggested ads – websites can determine your interests and show relevant ads on other websites.
- Ad measurement – you can allow/disallow websites to share your personal data with other websites to measure their ad performance.
You can learn more about this initiative in the Privacy Sandbox blog post.
Interested to learn more? Check out these articles:
Frequently asked questions
Tracking cookies are not illegal unless they’re used in a way that doesn’t comply with applicable data privacy laws. Most legislations require websites to disclose the use of tracking cookies and provide users with an option to opt out of tracking cookie usage.
Tracking cookies are not malware or spyware and they were not created to steal user passwords. That being said, if you accept cookies from unsecured websites, it could lead to Hackers intercepting data and stealing sensitive data.
The expiry date of tracking cookies varies on each website. The average lifetime of a cookie is around 30 days but some of them could even be set for years to come. If there’s no expiry date set, such cookies will be deleted once you close the browser.
