All Blog Posts

What are tracking cookies and how do they work?

Does your website use cookies? The answer is probably yes. Learn more about how to find and control the tracking cookies on your website using Cookiebot CMP to enable compliance with data privacy laws.

Updated December 28, 2023.

Cookies play a crucial role in both basic and complex operations on most websites today. The most widespread type of cookies on the internet are tracking cookies, used by websites everywhere (most likely yours too) to run analytics services, social media plugins, and marketing tools. They process personal data from website visitors for these services, which impacts user privacy.

But the internet economy is changing, driven in large part by a strong and growing consumer demand for transparent solutions that enable end-users to protect their data privacy online, as has become their right under most major data privacy laws in the world today.

We examine what tracking cookies are, the implications of their use under global data privacy laws, and how to obtain valid consent to use them on your website.

What are tracking cookies?

Tracking cookies are small text files that websites place on a user’s browser to collect data about their online activities.

These files contain data that allows websites to remember specific user preferences, maintain login sessions, and track user behavior across different sites. They store information such as geographic location, device specifications, and specific actions taken on the website.

The primary purpose of tracking cookies is to enable personalized experiences, targeted advertising, and for website analytics.

Tracking cookies can be categorized into two types: first-party and third-party cookies. First-party cookies are set by the website the user is currently visiting, while third-party cookies are created by external services or advertisers.

How do tracking cookies work?

Tracking cookies work by assigning a unique identifier to each user. This identifier is stored within the cookie and enables websites to recognize and differentiate individual users.

When a user visits a website, it may set both first-party cookies and third-party cookies on the user’s browser. First-party cookies store user-specific information such as login details, language settings, and preferences, which they remember on subsequent user visits to the same site. Third-party cookies gather broader data about the user’s activities across various websites.

Both types of cookies store and retrieve data, but they differ in their scope and application — first-party cookies focusing on improving user experience on the website visited, and third-party cookies being instrumental in broader online behavior tracking for advertising purposes.

What is cross-site tracking?

Cross-site tracking involves setting third-party tracking cookies to monitor a user’s online activities across different websites over time. The purpose is to create a detailed profile of the user’s interests, preferences and behavior. This information is often used to display personalized ads based on the user’s past online activity.

While cross-site tracking can enhance user experiences and enable more relevant content, it can also be a source of concern for users who value their privacy. Many web browsers offer options to restrict or block tracking cookies to mitigate these privacy concerns.

What data do tracking cookies store

What data do tracking cookies store?

Tracking cookies can collect, process and share all kinds of personal (and sometimes sensitive) data from users. This includes:

  • search and browser history
  • language preferences
  • IP address
  • on-site behavior like link or button clicks, pages visited, time spent on page
  • past purchases
  • Google searches
  • browser type
  • screen resolution
  • ads seen and interacted with

The exact data that tracking cookies on different sites collect depends on multiple factors, including the website’s privacy policy, type of cookies used, and what the user has consented to.

Examples of how browser tracking cookies are used

Tracking cookies are widely used by businesses for various purposes. Here are a few online tracking examples:

Ecommerce personalization

When a user visits an ecommerce website, tracking cookies can remember their browsing history and purchase preferences. This allows the website to recommend relevant products, offer personalized discounts, and streamline the purchasing process.

Ad targeting

Advertisers use tracking cookies to deliver targeted advertisements based on a user’s interests and browsing behavior. For example, if a user frequently visits travel websites, they may be shown ads for vacation packages or flight deals.

Analytics and optimization

Tracking cookies provide valuable data for website owners to identify trends and optimize their site’s performance. For example, a retail website might use tracking cookies to see which products are most frequently viewed and purchased. This data helps the business understand how users interact with their website, such as which pages are most popular or which products are often added to the cart but not purchased.

Social media integration

Many websites incorporate social media plugins that use tracking cookies to enable users to share content or log in using their social media accounts. These cookies allow websites to personalize the user’s website experience based on their social media preferences and activities.

Are tracking cookies dangerous?

Tracking cookies, on their own, are not inherently dangerous. However, concerns arise when they’re used without proper user consent or when the data collected is misused. Like any technology, the way they’re used determines whether they’re harmful or beneficial. When used responsibly, tracking cookies can greatly enhance the online experience, providing personalized content and recommendations based on a user’s browsing history.

One potential risk associated with tracking cookies is the unauthorized access or disclosure of sensitive personal information. Implementing data security measures is crucial to protect this data from unauthorized access.

Additionally, tracking cookies can contribute to a user’s online footprint. Over time, the accumulation of cookies from various websites can create a comprehensive profile of a user’s online activities. This raises concerns about user privacy and the potential for data abuse.

To mitigate these risks, businesses must ensure that their use of tracking cookies complies with data protection regulations and must obtain user consent for collecting and storing their data.

What do data privacy laws say about tracking cookies?

What do data privacy laws say about tracking cookies?

Using tracking cookies is now regulated in Europe, California, Brazil, South Africa, Canada, Australia and many other countries and regions around the world.

Some data regulations require that you obtain the explicit consent from end-users before activating cookies on your website [such as the European Union’s General Data Protection Regulation (GDPR) or Brazil’s LGPD], while others empower end-users with the right to opt-out of having their personal information collected via tracking cookies and then sold [such as the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)].

GDPR and tracking cookies

The GDPR, along with the ePrivacy Directive (often referred to as the “cookie law”), applies to any website that collects data from users located in the European Union (EU), regardless of where in the world the website itself is located.

It’s your responsibility as the website owner/operator to ensure that you have a clear handle on your website’s cookies and obtain explicit consent from users to collect their data.

The GDPR requires you to provide end-users with full transparency through a comprehensive cookie policy. The policy can be a separate document or a dedicated section in a privacy policy and must include details about technical specifications, duration, provider and purpose of each tracking cookie in use.

Under the GDPR, cookie consent must be explicit or opt-in consent to be valid. This means users must actively click on an “Accept” or “Allow” button to enable your website to set cookies. Users must be able to accept or reject data collection for all cookies in use and have the option to allow data collection for some purposes and reject it for others.

In addition, users must be able to withdraw or revoke their consent at any time as easily as they gave it.

CCPA and tracking cookies

The CCPA, enhanced by the CPRA, works on an opt-out consent framework, which means you do not need to obtain consent from data subjects for the use of cookies. Instead, users must have an option to opt-out of cookie usage. The rules are different for minors.

  • You must obtain opt-in cookie consent (‘affirmative authorization’) for selling the personal information of consumers under 16.
  • For consumers under 13, consent must come from the parent or guardian.

The CCPA requires websites to include a link with the specific wording “Do Not Share Or Sell My Personal Information” for California residents who want to opt-out of their data being sold or shared. This link is commonly located in the cookie banner, on the website’s footer, and in the privacy policy.

Websites must provide a notice at or before the point of data collection, outlining the categories of personal information they collect, and for what purposes. This can also be done through the cookie banner.

In addition, users must have transparent information regarding their rights under the CCPA, including their right to opt out and right to deletion of their personal data collected. This information must be easy for users to find, and is typically included in the website’s privacy policy.

How to detect if your website uses tracking cookies

How to detect if your website uses tracking cookies

Detecting whether your website uses tracking cookies is essential for understanding how user data is being collected and used. Most modern web browsers offer developer tools that allow you to inspect the cookies associated with a website. By opening the browser’s developer console and navigating to the “Application” or “Storage” tab, you can view the cookies stored by the website.

A simpler method would be to use a cookie checker that will scan your website for tracking cookies.

Cookie tracker with Cookiebot™

Cookiebot CMP by Usercentrics is an automatic cookie tracker that enables compliance with the world’s major data privacy laws on your website with just a few lines of JavaScript.

Built around the world’s most powerful cookie scanning technology that finds 63% more cookies and trackers than any competitor, our solution detects and controls all tracking cookies in use on your domain and offers your website’s end-users a choice of prior consent or opt-out through highly customizable cookie banners.

The geo-targeting feature of our CMP automatically locates where in the world your end-users are located and presents them with the right compliance solutions, whether it be opt-out banners for users in California or cookie consent banners for users in the EU.

Sign up to Cookiebot CMP today to achieve compliance with the EU’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD, South Africa’s POPIA, Canada’s PIPEDA and many other data privacy regulations.

Cookiebot CMP comes as a HubSpot App and Umbraco App, a standard tag in Google Tag Manager, a WordPress plugin, and integrates seamlessly with Google Consent Mode as well as with IAB TCF 2.2 and IAB CCPA.

You can use our solution for free if your website has under 50 subpages.

How to obtain valid consent for tracking cookies

1. Provide transparent information

You must clearly explain to users what data will be collected, how it will be used, and who it will be shared with. This information should be easily accessible in a cookie policy and written in simple, non-legal language.

2. Obtain explicit consent

Users must actively opt-in to the use of tracking cookies by clicking on an “Accept” or “Allow” button or link. Pre-checked boxes on the cookie banner or implied consent are not considered valid forms of consent. The cookie text on the cookie banner must be in simple language and make it clear to users what they’re consenting to.

3. Offer granular options

Users must be able to choose which types of tracking cookies they consent to. For example, users may allow tracking for analytics purposes but not for advertising purposes. This allows users to have more control over their data and privacy preferences.

4. Make consent management easy

A consent management platform (CMP) like Cookiebot CMP can enable you to achieve compliance with the GDPR’s cookie consent requirements. With Cookiebot CMP, users can easily allow or decline all cookies, give granular consent, manage their cookie preferences and withdraw consent at any time.

Tracking cookies removal guide

Tracking cookies removal guide

If you want to remove tracking cookies from your browser, your web browser will offer simple methods to do so from the settings.

Google Chrome

  1. Open Chrome and click on the three-dot menu in the top-right corner.
  2. Select “Settings” from the drop-down menu.
  3. Scroll down and click on “Privacy and security” in the left-hand sidebar.
  4. Click on “Clear browsing data”.
  5. In the popup window, select “Cookies and other site data”.
  6. Choose the time range for which you want to clear cookies, or select “All time” to remove all cookies.
  7. Click on “Clear data” to remove the selected cookies.

Mozilla Firefox

  1. Open Firefox and click on the three-line menu in the top-right corner.
  2. Select “Options” or “Preferences” from the drop-down menu.
  3. Click on “Privacy & Security” in the left-hand sidebar.
  4. Under the “Cookies and Site Data” section, click on “Manage Data”.
  5. In the popup window, you can search for specific websites or click on “Remove All” to delete all cookies.
  6. Click on “Save Changes” to remove the selected cookies.
What will replace tracking cookies?

What will replace tracking cookies?

The future of tracking cookies is uncertain.

According to Google, cookies will be phased out of Chrome by the end of 2024 in favor of its Privacy Sandbox, which will provide website owners with “privacy-preserving alternatives”.

While it’s true that third-party cookies look to meet their demise in the near future, most other types of website tracking methods (such as Local Storage, IndexedDB and Web SQL to name a few existing ones), will continue to be used throughout the internet — and they’ll all still require end-user consent or opt-out options under global data privacy laws.

While some tracking cookies will disappear, new ones will develop, and there’s a growing consumer demand for websites to be in data privacy compliance.

In a 2023 survey by Cisco, 81% of consumers say that data privacy is a buying factor for them, while 46% of consumer say they have switched brands because of the company’s data policies or data sharing practices. This underlines just how important it’s for websites and online businesses to pay close attention to how they handle their user’s personal data.

End-users are becoming increasingly aware of tracking cookies and the risks posed to their data privacy, while at the same time demanding better transparency and control over the personal data they generate online every day, while shopping and browsing.

Implementing cooking tracking software and a CMP can go a long way in helping your website achieve compliance and build user trust.

Scan your website for tracking cookies
Sign up for Cookiebot CMP for free today

Sign up


What are tracking cookies?

Tracking cookies are small text files that websites place on a user’s browser. They save and store user data when they visit websites, sometimes across multiple websites (known as ‘cross-website tracking cookies’). Cookies may contain different types of data about users (e.g. search and browser history or link clicks) that may be shared with third parties. Some cookies are necessary for the basic functions of websites, while others are third-party cookies collecting and sharing data about users for the purposes of targeted advertisement.

Are tracking cookies illegal?

Tracking cookies need end-user consent to operate legally in many parts of the world, such as the EU, Brazil, South Africa, Japan, and several other places. Under the EU’s GDPR, tracking cookies need the explicit consent from users to even be activated and start operating, i.e. no personal data from EU users is allowed to be collected and shared by tracking cookies before users have said a clear ‘yes’. Tracking cookies used in compliance with data privacy laws are not illegal.

Are tracking cookies legal?

Tracking cookies need end-user consent to operate legally in many parts of the world, such as the EU, Brazil, South Africa, Japan, and several other places. Under the EU’s GDPR, tracking cookies need the explicit consent from users to even be activated and start operating, i.e. no personal data from EU users is allowed to be collected and shared by tracking cookies before users have said a clear ‘yes’.

How do tracking cookies work?

Tracking cookies work by placing themselves on a user’s browser and often stay for durations up to years. Here, they collect information about users, which may be used to improve the user experience on the website (first-party cookies) or shared with third parties for advertising and marketing purposes (third-party cookies). Tracking cookies come in many different technologies, but they all need end-user consent to operate legally in many parts of the world.

What do cookies track?

Cookies can track any kind of data about users, such as search and browser history, what websites they previously visited, what they googled earlier, their IP addresses, their on-site behavior such as scrolling speed, where they clicked and where their mouse hovered. Cookies that process personal data from users most often need end-user consent to operate legally on your website.

What are third-party tracking cookies?

Third-party tracking cookies are placed on a user’s browser by a domain other than the one they’re currently visiting. These cookies are commonly used by advertisers and analytics services to track a user’s browsing activities across multiple websites. By collecting data on what sites a user visits and their online behavior, third-party cookies enable advertisers to create targeted advertising campaigns, aiming to present users with ads that are more relevant to their interests. However, due to privacy concerns, the use of third-party cookies is becoming increasingly restricted under new data privacy regulations.

What tracking cookies do I have on my website?

Most websites use tracking cookies, whether the website owner/operator is aware of them or not. Embedding YouTube videos, integrating social media plugins or running analytics services like Google Analytics or HubSpot will set tracking cookies on your domain that will collect and share personal data from the users visiting your website. It’s important that you know what cookies your website uses so as not to infringe on your end-users’ data privacy.

Do cookies track IP addresses?

Yes, some cookies track IP addresses from users when they visit a website. The use of such tracking cookies is regulated in most parts of the world, and under the EU’s GDPR, California’s CCPA/CPRA, Brazil’s LGPD and South Africa’s POPIA, IP addresses are considered personal data/information.

What is cookie tracking software?

Cookie tracking software is a tool to help your website detect and control all cookies and trackers in use. Cookie tracking software can help you become compliant with global data privacy laws that require you to know what cookies your website uses and to hand over control to the end-user for a meaningful choice of consent.

Is Google phasing out tracking cookies?

Yes, Google is phasing out third-party cookies in its Chrome browser. The process is set to begin in the first quarter of 2024. By the end of 2024, Google aims to completely stop the use of third-party cookies in Chrome, joining other major browsers in moving away from this tracking technology.

What will replace third-party cookies?

Google is replacing third-party cookies in its Chrome browser with its “privacy-preserving alternative” Google Sandbox. Other types of web tracking methods such as Local Storage, IndexedDB and Web SQL will continue to be used online.

How can I remove tracking cookies?

You can remove cookies from your browser settings panel. Navigate to Privacy and Security settings and look for “Clear browsing data” in Chrome or “Cookies and site data > Manage data” in Firefox and clear your cookies.

How can I find tracking cookies on my website?

Try using a cookie-monitoring software like Cookiebot CMP that automatically detects all cookies and trackers in use and holds back their activation until the user has given their choice of consent.

What is the Do Not Track feature?

The Do Not Track feature is a function in some web browsers that allows users to signal to websites and web applications that they do not want their online activities tracked. When enabled, the browser sends a Do Not Track request to websites, indicating the user’s preference not to be tracked for purposes like behavioral advertising. However, compliance with Do Not Track requests is voluntary for websites, and not all sites honor these signals. This means that activating Do Not Track does not guarantee that a user’s activities won’t be tracked.

What are sticky tracker cookies?

Sticky tracker cookies are a method used to keep track of a user’s online activity, especially when they’re buying something through an affiliate link. These cookies are essentially small files that get created and stored in the visitor’s web browser when they click on an affiliate link. This process enables affiliate networks to track and verify where sales originated from.

How do I make my website GDPR-compliant?

You must detect and control all cookies and trackers in use on your domain and enable end-users within the EU to have a clear and meaningful choice of ‘yes’ or ‘no’ to any non-necessary cookie in use of your website. The EU’s GDPR holds the website owner/operator responsible for processing personal data without end-user consent.

The most used solution for compliant use of cookies and online tracking

Used on

1.4 million



5.2 billion

monthly user consents





Learn more about cookie consent on your website

Learn more about the EU cookie law (ePrivacy Directive) and your website’s cookies

Learn more about GDPR software for your website’s compliance

Learn more about GDPR and cookies

Learn more about the Cookiebot CMP cookie checker

Advertisers on alert as cookie consent concerns rise, Digiday

“Are crumbles all that remains of the cookies?” A conversation on the future of ad tech, Future of Privacy Forum

The EU’s General Data Protection Regulation (GDPR)

Legitimate grounds for tracking in the GDPR

Princeton study on web transparency How Is Big Data Used In Practice? 10 Use Cases Everyone Must Read Definition of supercookie

Cambridge Analytics data privacy scandal

Wired on “the Great Privacy Awakening”

Rural King
Credit Exchange

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.