No, this isn’t about chocolate chip or oatmeal raisin.  We all know the answer to that is a resounding NO.  But what about all of the cookies in our web browsers?

Most people fall into one of two categories – 1) they don’t even notice cookies and breeze through security and privacy notices without giving them a second thought, or 2) they actively do everything they can to avoid cookies – like a person on a strict diet avoids Girl Scouts.

What are cookies

At their most basic level, cookies are essentially little data files dropped in a special repository in your browser or on your operating system’s filesystem. These data files contain information used by the servers of the websites you visit to manage your experience on those sites.

Some are about convenience for you as an internet user.  These would include things like session cookies that keep you logged in on sites.  I mean, could you imagine having to log back into your favorite sites each time you navigated to a new page?  That would probably be pretty annoying.  If you have ever inadvertently set your security too high on your browser, or had an update reset the default level, maybe you have experienced this.

Others store data about you, ranging from innocuous data like session ID numbers or shopping cart IDs that have no personal reference, to much more personal data such as encrypted login data and browsing behavior.

What is in a cookie

Websites read the data in the cookie and use that data to manage your experience on the website.  But just what is that data?  It usually falls into one or more of the following:

  1. Usually a randomly generated, unique identifier that identifies your browser (not just your computer: if you use multiple browsers, each browser likely has its own ID). This makes it possible for the website to recognize a returning visitor.
  2. The domain name of the cookie source – though a single site visit may drop cookies from a number of other sites if the page pulls resources from multiple sites.
  3. User settings / preferences – if you set preferences on a site, such as language, this information is stored in a cookie so you don’t have to set it again on a return visit.
  4. Timestamps – when the cookie was dropped and updated – often used for statistical purposes.
  5. Web form data and search data.
  6. Page visit history.
  7. Metadata such as the expiration date of the cookie, security settings, etc.

While cookies are saved on the visitor’s machine, the server can read back its own cookies on every request the browser makes to it (first-party cookies).  Third-party cookies are cookies left not by the hosting server but by other parties whose resources the page loads (hence the name).  Often these are cookies used for stats, behavioral targeting of ads, and other aspects of ad management.  They get planted from many different sites, and their use is tracked across all of those sites.

Recently, laws have been put in place in Europe and other countries that begin to regulate what information is collected, how a user must be informed of the information being collected, and explicit vs. implicit acceptance.  Some countries, and now states such as California, have also started to wade into regulation of what data is stored and the rights of individuals to have this data removed/forgotten by websites.

So – back to the original question – Are All Cookies Bad?

Cookies are very much a double-edged sword.  I think most people would agree that single-session cookies that keep you logged in for the duration of a session and hold on to data are good for the user experience.  But where does that leave persistent cookies that hold on to login/session data across multiple visits?  This can be nice and easy – especially for sites you visit frequently.  But do they pose a security risk?  Absolutely – if somebody gets access to your device, they would now have access, as you, to any of those sites and accounts and the data stored there.  So this becomes a question of risk aversion – just how much risk are you comfortable with?

Third-party cookies are another matter entirely.  They collect a lot of data, and you might not even always know who is collecting it or how it is being used.  There is also an odd mix of first- and third-party cookies, such as services that can obtain your location and drop it in a cookie that allows the website to display things such as the closest retail store to you.  But, at the same time, location data can be very personal information.  So once again, individual levels of risk aversion come into play.
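To make the list of cookie contents and the session-versus-persistent and first- versus third-party distinctions above concrete, here is an added example (not code from the original post) that parses constructed Set-Cookie headers and reports, for each cookie, whether it is a session or persistent cookie, whether it is third-party relative to the page being visited, and which protective attributes (Secure, HttpOnly, SameSite) it lacks. The host names, cookie values and fixed clock are made up, and the third-party check is a simplified host comparison with no public-suffix list.

```python
# Added example, not from the original post; host names, cookie values and the clock are constructed.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

def parse_set_cookie(header: str, now: datetime = NOW) -> dict:
    """Parse one Set-Cookie header into a dict of its name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = {"name": name.strip(), "value": value.strip(), "domain": None,
         "expires": None, "secure": False, "httponly": False, "samesite": None}
    # Max-Age is sorted last so it overrides Expires when both are present (RFC 6265 precedence)
    for attr in sorted(parts[1:], key=lambda a: a.lower().startswith("max-age")):
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            c["expires"] = parsedate_to_datetime(val)
        elif key == "max-age":
            c["expires"] = now + timedelta(seconds=int(val))
        elif key == "domain":
            c["domain"] = val.lstrip(".").lower()
        elif key in ("secure", "httponly"):
            c[key] = True
        elif key == "samesite":
            c["samesite"] = val.capitalize()
    return c

def is_third_party(set_by_host: str, page_host: str) -> bool:
    """True when the host that set the cookie is unrelated to the page host (no public-suffix list)."""
    return not (set_by_host == page_host or page_host.endswith("." + set_by_host)
                or set_by_host.endswith("." + page_host))

def audit(c: dict, set_by_host: str, page_host: str, now: datetime = NOW) -> list:
    """Findings a visitor or site owner would want to know about one cookie."""
    out = []
    if c["expires"] is None:
        out.append("session: cleared when the browser closes")
    elif c["expires"] <= now:
        out.append("expired: the browser deletes it")
    else:
        out.append(f"persistent until {c['expires']:%Y-%m-%d}: stays on the device")
    if is_third_party(set_by_host, page_host):
        out.append(f"third-party: set by {set_by_host} while on {page_host}")
    for key, label, risk in (("secure", "Secure", "may travel over plain HTTP"),
                             ("httponly", "HttpOnly", "readable by page scripts"),
                             ("samesite", "SameSite", "sent on cross-site requests")):
        if not c[key]:
            out.append(f"no {label}: {risk}")
    return out
```

Feeding it the Set-Cookie headers a browser's developer tools show for a page lists, per cookie, exactly the trade-offs discussed above.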

The long and short of it is that cookies aren’t inherently good OR bad.  Some help create an easier and more streamlined user experience for visitors.  It’s really a question of what the visitor is comfortable with.

A Website Visitor Perspective on Cookies

As a developer of websites, that user experience is very important to both us and our clients.  The advice we would give to the public is to always figure out what you are comfortable with the internet knowing about you.  If you don’t care that the internet can see that you visited a specific page, then allow those cookies.  If you want your online presence locked down as if you were in witness protection, then use the security tools, special browsers, and security settings that allow you to create a very protected browsing experience.  Just know the user experience may not be as seamless or as easy as you would otherwise see.

A Website Owner Perspective on Cookies

When discussing this topic with website owners and businesses, the general advice we give is that the user experience matters, but it is important to know your audience.  Some audiences value security, or even the perception of security, over an easy user experience.  It may be great to have all sorts of bells and whistles, but if the cost of those bells and whistles is a perception of more risk and your audience is risk averse, then adding the feature could actually result in a less engaged audience.  It may be neat to be able to offer zip-code-based geolocation for nearby stores.  But if the visitors are unwilling to grant access to their device’s location data, it’s meaningless.

Know the audience’s tolerance for risk and know what aspects of the user experience are really mission critical.  Finding the balance point for these is important.