This guide was last updated in January 2019. It previously appeared on the AboutCookies.org site, which like Out-Law.com was run by Pinsent Masons.
We provide this guidance here, and many organisations link to it rather than increase already-lengthy privacy policies. You can too: there is no charge for this and you don't need our specific permission. We used to provide this at AboutCookies.org, but now provide it here instead.
The cookie itself is a very small text file placed on an internet user's hard drive. It is generated by a web page server, which is basically the computer that operates a website. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site. A cookie can be thought of as an internet user's identification card, which tells a website when the user has returned.
What does a cookie look like?
Below is the content of a typical cookie. This one is from the Hotmail service and has the filename firstname.lastname@example.org (.txt is the standard filename extension for text files):
HMP1 1 hotmail.msn.com/ 0 1715191808 32107852 1236821008 29449527 *
The codes will only make sense to Microsoft's MSN Hotmail servers.
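Added example, not part of the original guide: the line above has the nine-field shape of the per-site text files that older Internet Explorer versions wrote. Assuming that layout, this Python parser separates the server's opaque name and value from the browser's own bookkeeping (scope, flags, and expiry and creation times, each stored as two 32-bit halves of a Windows FILETIME). The field labels and function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Assumption: old Internet Explorer cookie-file layout, nine fields per record.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FIELDS_PER_RECORD = 9  # eight values plus the "*" record terminator

# The cookie line shown on the page.
SAMPLE = "HMP1 1 hotmail.msn.com/ 0 1715191808 32107852 1236821008 29449527 *"


def filetime_to_utc(low: int, high: int) -> datetime:
    """Join two 32-bit halves into a FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_cookie_records(text: str) -> list[dict]:
    """Split whitespace-separated fields into records and decode the timestamps."""
    tokens = text.split()
    if not tokens or len(tokens) % FIELDS_PER_RECORD:
        raise ValueError("input is empty or ends in a truncated record")
    records = []
    for i in range(0, len(tokens), FIELDS_PER_RECORD):
        name, value, scope, flags, exp_lo, exp_hi, cre_lo, cre_hi, end = \
            tokens[i:i + FIELDS_PER_RECORD]
        if end != "*":
            raise ValueError(f"record {name!r} is missing its '*' terminator")
        domain, _, path = scope.partition("/")
        records.append({
            "name": name, "value": value,
            "domain": domain, "path": "/" + path,
            "flags": int(flags),  # kept raw; individual bits are not interpreted here
            "expires": filetime_to_utc(int(exp_lo), int(exp_hi)),
            "created": filetime_to_utc(int(cre_lo), int(cre_hi)),
        })
    return records


if __name__ == "__main__":
    for rec in parse_cookie_records(SAMPLE):
        print(rec["name"], rec["domain"] + rec["path"],
              "created", rec["created"].isoformat(),
              "expires", rec["expires"].isoformat())
```

For the page's sample this yields a creation time of 25 October 2001 and an expiry of 30 December 2037 (both UTC).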
History of cookies
Cookies for the internet were originally developed in 1995 by browser company Netscape. The word 'cookie' comes from 'magic cookie,' a term in programming languages for a piece of information shared between co-operating pieces of software. The choice of the word cookie appears to come from the American tradition of giving and sharing edible cookies.
What is the purpose of cookies?
Cookies make the interaction between users and websites faster and easier. Without cookies, it would be very difficult for a website to allow a visitor to fill up a shopping basket or to remember the user's preferences or registration details for a future visit.
Cookies enable websites to monitor their users' web surfing habits and profile them for marketing purposes, for example to find out which products or services they are interested in and send them targeted advertisements.
Different types of cookies
Session or transient cookies
Cookies that are stored in the computer's memory only during a user's browsing session and are automatically deleted from the user's computer when the browser is closed.
These cookies usually store a session ID that is not personally identifiable to users, allowing the user to move from page to page without having to log in repeatedly. They are widely used by commercial websites, for example to keep track of items that a consumer has added to a shopping basket.
Session cookies are never written on the hard drive and they do not collect any information from the user's computer. Session cookies expire at the end of the user's browser session and can also become no longer accessible after the session has been inactive for a specified length of time, usually 20 minutes.
Permanent, persistent, or stored cookies
Cookies that are stored on the user's computer and are not deleted when the browser is closed. Permanent cookies can retain user preferences for a particular website, allowing those preferences to be used in future browsing sessions.
Permanent cookies can be used to identify individual users, so they may be used by websites to analyse users' surfing behaviour within the website. These cookies can also be used to provide information about numbers of visitors, the average time spent on a particular page and generally the performance of the website. They are usually configured to keep track of users for a prolonged period of time, in some cases many years into the future.
Adobe Flash is not as common as it used to be, but websites that use Flash for video clips or animations will store small files on your computer that are known as Local Shared Objects (LSOs) or Flash cookies. They can be used for the same purposes as regular cookies.
Flash cookies can also back up the data that is stored in a regular cookie. When you delete cookies using your browser controls, your Flash cookies are not affected. So a website that served a cookie to you may recognise you on your next visit if it backed up its now-deleted cookie data to a Flash cookie.
You can control Flash cookies. Adobe's website offers tools to control Flash cookies on your computer.
Are cookies dangerous?
No. Cookies are small pieces of text. They are not computer programs, and they can't be executed as code. Also, they cannot be used to disseminate viruses, and modern versions of both Microsoft Internet Explorer and Netscape browsers allow users to set their own limits on the number of cookies saved on their hard drives.
Can cookies threaten users' privacy?
Cookies are stored on the computer's hard drive. They cannot access the hard drive - so a cookie can't read other information saved on the hard drive, or get a user's e-mail address etc. They only contain and transfer to the server as much information as the users themselves have disclosed to a certain website.
A server cannot set a cookie for a domain that it is not a member of. In spite of this, users quite often find in their computer files cookies from websites that they have never visited. These cookies are usually set by companies that sell internet advertising on behalf of other websites. It may therefore be possible for users' information, such as information on surfing habits, to be passed to third-party websites without the users' knowledge or consent. This is the most common reason for people rejecting or fearing cookies.
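Added example, not part of the original guide: a Python audit of the `Set-Cookie` headers seen while loading one page. It applies the domain rule described above and labels each cookie as session or persistent and as first or third party. The hosts and headers are constructed samples, and `site()` is a simplification noted in the code.

```python
from http.cookies import SimpleCookie

# Constructed sample: (host that sent the response, its Set-Cookie header).
PAGE_HOST = "www.shop.example"
RESPONSES = [
    ("www.shop.example", "basket=42; Path=/"),
    ("www.shop.example", "prefs=en-GB; Domain=shop.example; Max-Age=31536000"),
    ("ads.adnetwork.example", "uid=7f3a; Domain=adnetwork.example; Max-Age=63072000"),
    ("ads.adnetwork.example", "basket=0; Domain=shop.example"),
]


def domain_match(host: str, domain: str) -> bool:
    """True if host is the cookie domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def site(host: str) -> str:
    # Simplification (assumption): the last two labels stand in for the
    # registrable domain; real browsers consult the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def classify(page_host: str, sender: str, header: str) -> dict:
    """Describe one Set-Cookie header as a browser on page_host would treat it."""
    morsel = next(iter(SimpleCookie(header).values()))
    domain = morsel["domain"] or sender  # no Domain attribute: host-only cookie
    has_lifetime = morsel["max-age"] or morsel["expires"]
    return {
        "name": morsel.key,
        # A sender may only name a domain it belongs to.
        "accepted": domain_match(sender, domain),
        "lifetime": "persistent" if has_lifetime else "session",
        "party": "first" if site(sender) == site(page_host) else "third",
    }


def audit(page_host: str = PAGE_HOST, responses=RESPONSES) -> list[dict]:
    return [classify(page_host, sender, header) for sender, header in responses]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The last sample is refused because the advertising host does not belong to `shop.example`; the third is accepted, which is how a long-lived third-party cookie ends up on the user's computer.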