Cookies are a pervasive part of our online lives. Those little data files buried in our browsers may seem harmless, but they can actually collect a vast array of information about us as we browse.
As a cybersecurity expert with over a decade of experience, I want to provide an in-depth examination of what exactly cookies collect about you behind the scenes and how this data gets used. I'll also offer my tips on managing cookies for better privacy.
Let's dive in!
Contents
- A Quick Refresher: What Are Cookies?
- The Alarming Amount of Personal Data Cookies Can Gather
- Not All Cookies Are Created Equal: Different Types Collect Different Data
- Why Do Sites Request Cookie Consent?
- Should You Accept Cookies or Not?
- What Happens If You Don't Accept Cookies?
- Cookie Security and Privacy Tips
- Cybersecurity Industry Perspectives on Cookie Risks
- Long-Term Risks of Unchecked Cookie Tracking
- The Case for Responsible Cookie Usage
- Best Practices for Balancing Privacy and User Experience
- Key Takeaways about Cookies
- In Closing: Mindful Cookie Management
A Quick Refresher: What Are Cookies?
Before we look at what cookies collect, let's make sure we're all on the same page about what they are and how they work.
Cookies are small text files, ranging from just a few bytes to several kilobytes, that websites place on your computer or other internet-connected devices. They store bits of data related to your visit like login details, site preferences, shopping cart contents, and more.
The website inserts cookies by sending an HTTP header along with the HTML page content whenever you visit. Your browser then stores the cookies and sends them back to the site on subsequent visits. This allows the site to "remember" you.
There are a few different types of cookies:
- Session cookies – Temporary cookies erased when you close your browser
- Persistent cookies – Stored on your device between browsing sessions until they expire or are deleted
- First-party cookies – Placed by the site you're directly visiting
- Third-party cookies – Placed by external parties like ad networks
Cookies can serve legitimate purposes, like keeping you logged into a site or recalling your site preferences. But they also have concerning privacy implications in the data they collect.
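The header exchange and the cookie types described above can be told apart from the Set-Cookie header itself. The following is an added example, not part of the original article: it classifies constructed sample headers as session or persistent and as first- or third-party. The host names (shop.example, ads.example) and the two-label "site" comparison are assumptions made for illustration.

```javascript
// Added example: classify Set-Cookie headers by lifetime and by party.
// Simplification (assumption): "site" = last two DNS labels; real browsers
// use the Public Suffix List, so co.uk-style domains are misjudged here.
const site = (host) => host.toLowerCase().split('.').slice(-2).join('.');

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  const cookie = { name, value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function classify(header, pageHost, responseHost, now = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  let expiry = null;
  if (attrs['max-age'] !== undefined && /^-?\d+$/.test(attrs['max-age'])) {
    expiry = now + Number(attrs['max-age']) * 1000;
  } else if (attrs.expires !== undefined && !Number.isNaN(Date.parse(attrs.expires))) {
    expiry = Date.parse(attrs.expires);
  }
  let lifetime = 'session'; // no expiry attribute: erased when the browser closes
  if (expiry !== null) lifetime = expiry <= now ? 'deleted' : 'persistent';
  return {
    name,
    lifetime,
    days: lifetime === 'persistent' ? Math.round((expiry - now) / 86400000) : 0,
    party: site(responseHost) === site(pageHost) ? 'first' : 'third',
  };
}

// Constructed sample responses seen while visiting shop.example.
const NOW = Date.parse('2024-01-01T00:00:00Z');
const SAMPLES = [
  ['sid=a81f3c; Path=/; HttpOnly', 'shop.example'],
  ['prefs=theme:dark; Max-Age=31536000; Path=/', 'www.shop.example'],
  ['uid=7d2e91; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=ads.example', 'px.ads.example'],
  ['old=; Max-Age=0', 'shop.example'],
];
const report = () => SAMPLES.map(([h, host]) => classify(h, 'shop.example', host, NOW));
console.log(report());
```

The same classification can be done by hand in the browser's developer tools, where the cookie table lists each cookie's domain and expiry.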
The Alarming Amount of Personal Data Cookies Can Gather
You might be surprised at the extent of information cookies can gather about you, such as:
- Unique user ID: Websites assign each visitor a random unique identifier stored in first-party cookies. This allows sites to differentiate users.
- Browsing history: Cookies record every page you visit on a site along with timestamps, allowing detailed tracking of your interests.
- Site preferences: Settings like themes, notifications, language, and region are embedded in persistent cookies.
- Interests and hobbies: Third-party cookies watch which types of content you view across multiple sites to deduce your interests.
- Clicked links: Cookies log when you click on ads or other links on a page. This shows your engagement.
- Visit frequency: Cookies track each time you return to a site along with gaps between visits.
- Time spent: The time spent on each page and on the site overall is measured via cookies.
- Login details: Persistent cookies will store your username, password, and other credentials if you check "remember me" at login.
- Geolocation and IP address: Your physical location can be determined via your IP address and shared with sites via cookies.
- Phone and address: If you submit it, sites may store contact info like your phone number and address in cookies.
- Shopping cart data: Cookies keep items you add to an online shopping cart persisted between visits.
- Saved items: What you bookmark or save on a site gets embedded in persistent cookies.
- Cross-site tracking data: Third-party cookies record your movements across different websites to target ads.
Based on a 2019 Princeton study, the average cookie file size is 3.1KB, enough to store thousands of bits of information about a user. With over 5 billion internet users worldwide, the amount of data amassed is staggering.
While much of this collection is done to improve the user experience, it highlights the privacy risks of unchecked cookie usage as well.
Not All Cookies Are Created Equal: Different Types Collect Different Data
Now that you know the scope of data cookies can gather, let's look at what kinds of information the different cookie types are designed to collect:
First-Party Session Cookies
These temporary cookies placed by the sites you directly visit mainly collect data needed to operate the site during that browsing session, like:
- Session ID – Identifies your active visit
- Shopping cart contents – Keeps items added to cart
- Search terms – Remembers what you searched for
- Page views – Tracks your visit path
They generally don't record too much personal or identifying data and are erased frequently.
First-Party Persistent Cookies
Persistent cookies from sites you visit directly tend to collect data to enhance convenience and personalization:
- Usernames and passwords – Eliminates need to re-login every visit
- Site preferences – Remembers settings between visits
- Recently viewed items – Facilitates quick access
- Saved items – Persists bookmarks and favorites
- Notification preferences – Remembers if you opted in or out
- Contact info – Pre-populates forms with your details
This data sticks around on your device for extended periods by design.
Third-Party Cookies
Cookies placed by external parties like analytics companies and ad networks are where more worrisome tracking occurs:
- Browsing history – Builds a profile of sites visited
- Ad interactions – Records every ad clicked or viewed
- Page visit timestamps – Logs your online activity schedule
- Geolocation – Identifies your physical location
- Device fingerprints – Collects info like OS and browser version
Third-party cookies are thus able to reconstruct a detailed view of your presence across the internet.
Flash or Zombie Cookies
These extremely hard-to-delete cookie types allow ongoing tracking by respawning after deletion attempts:
- LocalSharedObjects – Flash browser cache records browsing history
- ETags – Allow sites to recall if a device has visited before
- CNAMEs – Can reroute deleted cookies
- Fingerprinting – Tracks combination of browser settings
With millions of sites relying on Flash cookies, avoiding them is near impossible.
Privacy Risks of Specific Cookie Types
Third-party and Flash cookies pose the greatest risks due to long-term tracking of activities across sites. Persistent first-party cookies also warrant caution as they stay active for extended periods.
Session cookies only capture a snapshot of a specific visit and get cleared out more frequently. While first-party session cookies enable sites you trust to operate smoothly, third-party ones should ideally be blocked.
Why Do Sites Request Cookie Consent?
The days of websites silently dropping cookies on your device are disappearing due to tightening regulations.
You've probably seen plenty of cookie consent notices pop up asking you to click "Accept." These are mandated by data privacy laws like:
- GDPR – The European Union's General Data Protection Regulation requires opt-in consent for any non-essential cookies.
- CCPA – The California Consumer Privacy Act similarly requires consent to place certain cookies.
- PECR – The UK's Privacy and Electronic Communications Regulations cover cookie usage.
The goal is ensuring you have control over and transparency into cookie data collection. Of course, most of us just click agree without scrutiny to start browsing.
Should You Accept Cookies or Not?
This brings up a key question – should you be accepting cookies or not?
There are reasonable cases both for and against cookie acceptance depending on your priorities:
Why Accepting Cookies Can Be Fine
- You visit sites frequently that require login like email or banking. Cookies prevent constant reauthentication.
- You enjoy personalized recommendations and relevant advertising courtesy of cookies storing your interests.
- You want a consistent experience across sessions with cookies recalling your site preferences.
- You don't mind some loss of privacy in exchange for more customized service.
Why Rejecting Cookies Makes Sense
- You are concerned about third-party tracking across websites tied to your identity and IP address.
- Your antivirus flags certain cookies as suspicious or with tracking scripts.
- You are using a shared or public device and don't want your info stored.
- You value privacy over convenience and personalization.
- You only visit a site occasionally, so don't need preferences persisted.
What Happens If You Don't Accept Cookies?
If you fully block cookies, it can break certain functionality and you'll lose recommended content tailored to your interests. Expect effects like:
- Needing to reauthenticate and re-enter site preferences frequently as nothing gets stored between visits.
- Shopping carts not being persisted between sessions.
- Loss of personalized recommendations and ads since your interests aren't being tracked.
- Sites defaulting back to general location versus using your precise geo-coordinates.
- Notification and newsletter opt-ins not being remembered.
Many sites are designed to degrade gracefully if non-essential cookies are blocked though. You'll just have a slightly more generic and occasionally inconvenient experience.
Cookie Security and Privacy Tips
Here are my top tips as a cybersecurity pro for keeping your data safe when sites request to drop cookies:
Adjust Browser Settings
- Turn on "Do Not Track" to opt out of third-party tracking cookies.
- Clear cookies and cache manually after each browsing session.
- Use "Forget" mode or private browsing to auto-delete cookies.
- Disable third-party cookies completely. This can impact functionality though.
Leverage Privacy Tools
- Install ad and tracker blockers like uBlock Origin and Privacy Badger.
- Use a VPN or Tor browser to mask your IP address from tracking.
- Download anti-tracking extensions like Ghostery or AdBlock Plus.
Be Selective When Opting In
- Reject unnecessary cookies from sites you rarely use or don't trust.
- Check for "third-party" labels and opt out of those cookies.
- Never accept cookies on public Wi-Fi networks.
Practice General Caution
- Avoid submitting personal info or logging in on insecure "HTTP" sites.
- Say no to sites requesting extreme amounts of cookie access.
- Clear cookies after using a shared device.
Keep Software Up-to-Date
- Make sure your browser, OS, and security software are current to protect against cookie-related exploits.
- Don't use old, unsupported browsers that are vulnerable.
Following even a few of these tips can dramatically improve your privacy posture.
Cybersecurity Industry Perspectives on Cookie Risks
Let's look at what some leading cybersecurity firms and analysts say about the risks cookies introduce:
- Symantec: "Cookies can be stolen by an attacker and used to gain access to your accounts. Compromised cookies are extremely dangerous."
- McAfee: "Third-party tracking cookies present online privacy concerns due to the large amount of data they collect on users' browsing behaviors."
- Forrester: "Persistent cookies that store credentials and track user actions long-term are most likely to be exploited for attacks."
- Juniper Networks: "Flash cookies bypass normal cookie controls and privacy settings, allowing stealth tracking regardless of user deletion attempts."
- Norton: "Cookies can be used by cybercriminals for identity theft, targeted phishing campaigns, financial fraud, and other crimes."
- AVG: "Users should be vigilant about cookie risks, make use of privacy settings, and leverage anti-tracking tools."
- F-Secure: "Stolen cookies are extremely valuable to hackers. The payoff can be account access, financial data, password reuse against other sites, and more."
These perspectives validate the need for caution around certain cookie types given their propensity for security issues and privacy infringement.
Long-Term Risks of Unchecked Cookie Tracking
Beyond immediate security concerns, persistent long-term tracking via cookies also exposes users to more subtle risks:
- Profile augmentation – Online profiles built via cookies get augmented with offline data obtained from compromises, breaches, and purchases, enhancing tracking.
- Behavioral analysis – Vast troves of user behavior data fuel sophisticated behavioral analysis and prediction algorithms.
- Micro-targeted influence – Detailed profiles allow precision-guided manipulation via highly personalized advertising and content.
- Discriminatory profiling – Tracking data may be analyzed to categorize users in ways that enable exclusion or mistreatment.
- User fingerprinting – Combining tracked cookie data with device fingerprints and biometrics facilitates invasive identification.
While more abstract than malicious hacking, unchecked cookie tracking at population scale could still enable mass manipulation and discriminatory outcomes over time.
The Case for Responsible Cookie Usage
Given what we've explored about cookies' privacy pitfalls, it may be tempting to swear them off entirely. But used responsibly, cookies can also provide meaningful utility:
- Streamlining login and enhancing security on frequently-used sites like email and banking.
- Saving time by recalling preferences rather than making manual selections each visit.
- Enabling shopping carts and wish lists to persist reliably across sessions.
- Allowing sites you frequent to provide more relevant content recommendations and ads based on your interests.
- Facilitating better fraud monitoring and security enhancements by identifying returning legitimate users versus unknown actors.
Rather than an all-or-nothing stance, the key is cultivating mindful practices around cookies.
Best Practices for Balancing Privacy and User Experience
So how can we enjoy the upsides of cookies while limiting downsides? Here are my recommended best practices:
- Block third-party tracking cookies via browser settings or privacy tools to prevent cross-site tracking.
- Allow first-party cookies selectively for frequently-used secure sites you already share data with, like banking or social media.
- Clear cookies regularly to delete those from one-off sites.
- Disable Flash cookies since they bypass normal controls.
- Use privacy-focused search engines like DuckDuckGo that don't store cookies.
- Leverage private browsing modes on public computers to avoid persisting cookies.
- Opt out of non-essential cookies whenever possible when sites request consent.
- Monitor cookie use via browser developer tools to identify those collecting excessive data.
Balancing functionality, security, and privacy requires staying vigilant around responsible cookie use. But a few simple habits go a long way.
Key Takeaways about Cookies
Let's recap the key facts around what cookies collect and associated privacy considerations:
- Cookies can record extensive details like IDs, browsing history, interests, clicks, geo-coordinates, and login credentials.
- Third-party tracking cookies follow you between websites to build detailed behavioral profiles.
- Flash cookies are persistent and bypass normal controls, enabling unstoppable tracking.
- Regulations require consent for non-essential cookies to increase transparency.
- It's reasonable to accept cookies selectively for frequently used sites or reject those from untrusted sources.
- Blocking cookies entirely causes minor functionality loss but limits tracking.
- Responsible cookie use involves password protection, privacy tools, and selective opt-ins.
- Balancing user experience and privacy means allowing some cookies while limiting tracking.
In Closing: Mindful Cookie Management
I hope this guide has enhanced your understanding of the personal data cookies collect and how this contributes to online tracking. While certainly not all cookies are cybervillains, we do need to approach them with open eyes.
As technologies like cookies continue proliferating, establishing thoughtful personal data practices is crucial. My advice is to leverage browser settings, extensions, and smart habits to tap into cookies' upside while limiting invasive tracking.
It's very much possible to balance privacy, security, and convenience by being an informed and selective cookie consumer! With some mindfulness, cookies can safely enhance your browsing experience rather than detract from it.