How Do Cookies Track You Online?

Cookies are small text files stored in your browser by websites you visit. Although they were first created to maintain session state (keeping you logged in), cookies have evolved into a primary mechanism for tracking your behaviour across the web, both on a single site and across thousands of unrelated sites via third-party cookies. Unlike browser fingerprinting, cookies can be deleted, but deleting them does not stop all tracking.

Types of Cookies

| Type | Lifetime | Set by | Privacy Risk | Examples |
|---|---|---|---|---|
| Session cookies | Deleted when browser closes | First-party (the site you visit) | Low | Shopping cart, login session |
| Persistent cookies | Days to years (set expiry) | First-party | Medium: remembers preferences and tracks return visits | Language preference, "remember me" login |
| Third-party cookies | Persistent (days to years) | Ad networks, analytics platforms embedded in the page | High: tracks you across all sites that embed the same tracker | Google Analytics, Facebook Pixel, DoubleClick ads |
| Supercookies / Evercookies | Persist even after deletion | Third-party scripts | Very high: recreated from ETags, localStorage, IndexedDB | Used by ISPs; hard to remove without wiping browser storage |

How Third-Party Tracking Works

When you visit site A, the page may load a tracker pixel or script from an ad network's domain. That domain sets a cookie in your browser with a unique ID. When you visit site B, which also embeds the same ad network, the tracker recognises your cookie ID and builds a profile of your cross-site behaviour. After visiting thousands of sites, the ad network has a detailed picture of your interests, demographics, and purchasing intent, all without you ever directly visiting the tracker's site.

How to Block Cookie Tracking

  • Use a privacy-focused browser (Firefox, Brave) or enable "Enhanced Tracking Protection" in Firefox settings; this blocks third-party trackers by default.
  • Brave blocks all third-party cookies, fingerprinting attempts, and ads by default with no configuration required.
  • Install a content blocker extension (uBlock Origin, Privacy Badger) for browsers that do not block trackers natively.
  • Enable "Prevent cross-site tracking" in Safari (enabled by default on modern versions).
  • Regularly clear cookies and site data, or use containers (Firefox Multi-Account Containers) to isolate sites from each other.
  • Note: deleting cookies does not prevent browser fingerprinting; use the fingerprint tool to see what your browser exposes even without cookies.

Where to Find Cookie Controls in Each Browser

| Browser | Settings Path | Recommended Setting |
|---|---|---|
| Chrome | Settings → Privacy and security → Third-party cookies | Block third-party cookies (also blocks them in Incognito by default) |
| Firefox | Settings → Privacy & Security → Enhanced Tracking Protection | Strict (includes Total Cookie Protection, which jars cookies per site) |
| Safari (Mac) | Safari → Settings → Privacy | Keep "Prevent cross-site tracking" on (Intelligent Tracking Prevention) |
| Safari (iPhone) | Settings → Apps → Safari → Advanced | Confirm cross-site tracking prevention is enabled |
| Edge | Settings → Cookies and site permissions → Manage and delete cookies and site data | Block third-party cookies; Tracking prevention set to Strict |
| Brave | Settings → Shields | Defaults already block third-party cookies and fingerprinting |

Inspecting cookies yourself with DevTools

Press F12 (or Cmd+Option+I on Mac) on any page, open the Application tab in Chrome/Edge (Storage in Firefox), and expand Cookies. You will see every cookie's domain, expiry, and flags. The third-party tracker domains are immediately obvious on most news and shopping sites, often outnumbering the first-party entries.
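
The same inspection done in code, as an added example that is not part of the original article: it sorts Set-Cookie headers captured during page loads into the cookie types from the table above and lists the third-party setters seen on more than one visited site, which is the cross-site linkage described under "How Third-Party Tracking Works". The sample records, the example/test hostnames and the two-label site() shortcut are constructed assumptions.

```javascript
// Added example; the records and hostnames below are constructed.
// Assumption: site = last two hostname labels (browsers use the Public Suffix List).
const site = (host) => host.split('.').slice(-2).join('.');

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] =
      i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Classify a cookie set by requestUrl while the user was on pageUrl,
// using the rows of the "Types of Cookies" table.
function classify(pageUrl, requestUrl, header) {
  const { name, attrs } = parseSetCookie(header);
  const setter = site(new URL(requestUrl).hostname);
  const visited = site(new URL(pageUrl).hostname);
  const persistent = 'max-age' in attrs || 'expires' in attrs;
  const type = setter !== visited ? 'third-party'
    : persistent ? 'persistent' : 'session';
  return { name, setter, visited, type, persistent };
}

// Third-party setters seen on more than one visited site can link those visits.
function crossSiteSetters(records) {
  const seen = new Map(); // setter site -> Set of visited sites
  for (const r of records) {
    const c = classify(r.page, r.request, r.setCookie);
    if (c.type !== 'third-party') continue;
    if (!seen.has(c.setter)) seen.set(c.setter, new Set());
    seen.get(c.setter).add(c.visited);
  }
  return [...seen].filter(([, sites]) => sites.size > 1).map(([s]) => s);
}

// Constructed capture: two visited sites embedding the same tracker pixel.
const records = [
  { page: 'https://news.example.com/', request: 'https://news.example.com/', setCookie: 'sid=abc123; Path=/; HttpOnly' },
  { page: 'https://news.example.com/', request: 'https://news.example.com/prefs', setCookie: 'lang=en; Max-Age=31536000' },
  { page: 'https://news.example.com/', request: 'https://px.tracker.test/p.gif', setCookie: 'uid=u-7f3a; Max-Age=63072000; SameSite=None; Secure' },
  { page: 'https://shop.example.org/', request: 'https://px.tracker.test/p.gif', setCookie: 'uid=u-7f3a; Max-Age=63072000; SameSite=None; Secure' },
  { page: 'https://shop.example.org/', request: 'https://cdn.widgets.test/w.js', setCookie: 'w=1; Max-Age=3600; SameSite=None; Secure' },
];
console.log(crossSiteSetters(records));
```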

Life After Third-Party Cookies

Tracking did not end as browsers clamped down on third-party cookies; it changed shape. Link decoration appends unique IDs to URLs you click; CNAME cloaking disguises tracker domains as first-party subdomains; server-side tagging moves the data collection out of the browser's sight entirely; supercookies rebuild deleted identifiers from ETags and browser storage; and fingerprinting identifies your browser by its configuration with no stored state at all. The honest takeaway: cookie controls are necessary but no longer sufficient, which is why pairing them with a fingerprint check and the broader strategy in how to be anonymous online matters for anyone serious about reducing tracking. Note also what cookies never touched: your IP address is visible to every site regardless of cookie settings, and that layer needs a VPN.

What This Means for You

Cookies are not the enemy: session and preference cookies are why the web remembers your cart and your login. The privacy problem is specifically cross-site tracking, and you can cut most of it in two minutes using the settings paths above: block third-party cookies (or use Firefox/Brave where isolation is the default), and let first-party cookies live so sites keep working. Clearing everything periodically is hygiene, not protection, because trackers re-identify returning browsers through fingerprints within seconds. Check what your browser leaks beyond cookies with the browser fingerprint tool, and remember that private browsing only discards cookies at the end of the session; it does not hide you while you browse.

Frequently Asked Questions

Should I accept or reject cookie consent banners?

Rejecting non-essential cookies is the lower-tracking choice, and sites must still work without them. Essential cookies (logins, carts, security) do not require consent and keep functioning either way. Look for "Reject all" or "Necessary only"; the gain is less cross-site profiling on that site.

Does clearing cookies stop websites from tracking me?

Only briefly. Clearing cookies resets stored identifiers, but trackers re-identify you on the next visit through browser fingerprinting, your IP address, or the moment you log back in. Blocking third-party cookies continuously beats deleting all cookies occasionally.

Are cookies viruses or spyware?

No. Cookies are inert text records; they cannot execute code, read your files, or infect anything. The privacy concern is purely what their identifiers enable: linking your visits across sites into a behavioural profile. Risk-wise they are a tracking issue, never a malware issue.