
Litigation News

Fall 2022, Vol. 48, No. 1

Can You Have Your Cookies and Eat (or Delete) Them, Too?

John McNichols


  • Cookies, originally small text files for short-term transaction tracking on websites, can now enable long-term tracking of users' browsing activity, raising concerns about privacy.
  • European law requires informed consent before storing non-essential cookies on users' devices, and similar legislation is being contemplated in the United States, such as the Do Not Track Act.
  • Some businesses have voluntarily discontinued the use of cookies, leading to the exploration of alternative tracking technologies like fingerprinting that rely on users' inherent digital characteristics.

Until recently, a “cookie” was just a popular baked treat commonly consumed with milk. Since the dawn of the internet, however, the term has taken on a different meaning, namely that of a small text file that is automatically stored on a user’s web browser when viewing a particular website.

Although initially intended as a means to track transaction-specific information for short periods—such as the items in an online shopping cart—there is nothing inherent in the technology that limits a cookie to mere transitory use. Cookies can remain on a user’s computer for weeks or months and, in doing so, can enable the long-term tracking of the user’s internet browsing activity. This capability is of great commercial value to advertisers, but the fact that advertisers might be able to determine all the websites that one has visited in the previous month—or even the previous year—has drawn attention from certain regulators and lawmakers.

European law now requires that all websites targeting users in European Union (EU) countries must gain “informed consent” before storing “non-essential” cookies on a user’s device. Although there is presently no federal law in the United States analogous to the EU’s General Data Protection Regulation (GDPR), contemplated legislation—such as the pending Do Not Track Act of 2019—would similarly limit the abilities of businesses to track consumer behavior through the use of cookies. Regardless of the legislation, some private businesses have already discontinued using cookies on a voluntary basis, raising the question of whether additional legislation—let alone legislation at the federal level—is needed.

How Do Cookies Work?

In the early days of the internet, web designers were faced with the problem of needing to preserve transaction information from one internet screen to the next in order to save users the trouble of reentering the information with each new click. Cookies emerged as a solution to this problem, with designers preferring to store such “stateful” information on the user’s device rather than on the website’s server, thereby conserving data storage space for the website. The term “cookie” is an homage to the fortune cookie of restaurant fame, based on the similar concept of a small item discreetly containing a private message.

Although the possibility of using user-embedded information as a means to assess user interests and behavior was immediately apparent, the fact that cookies were actually used to do so was largely unknown to the public for several years. That changed in the late 1990s when the Federal Trade Commission (FTC) noted the prevalence of cookies in public workshops held in 1996 and 1997 and in its report to Congress in June 1998.

As the FTC noted, not all cookies were intended to enhance the user’s experience of the website being visited. Some cookies, in fact, did not even belong to that website at all. Such cookies were not “first party,” but rather “third party,” in that they had been placed on the user’s browser by a domain other than the one of interest to the user. In most instances, the third party was a professional advertiser, and its cookies were intended to enable the advertiser to identify the user as the same person—or, at least, the same IP address—if he or she later visited a different website that also happened to contain the advertiser’s code. If repeated often enough, serial identifications would enable the advertiser to assess the user’s interests and enable the delivery of advertising tailored to the user’s interests.
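The first-party/third-party and session/persistent distinctions described above can be read directly from the `Set-Cookie` headers a page load produces. The following is an added example, not part of the original article: the hosts, cookie values and function names are constructed, and "same site" is approximated by the last two host labels, whereas browsers use the Public Suffix List.

```javascript
// Added example (not from the article). All hosts and cookie values are constructed.
// Assumption: "same site" = last two host labels; browsers use the Public Suffix List.
const siteOf = (host) => host.split('.').slice(-2).join('.');

// Split one Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.split('=')[0], attrs };
}

// Lifetime in whole days; 0 means a session cookie (or one already expired).
// Max-Age takes precedence over Expires, as in RFC 6265.
function lifetimeDays(attrs, now) {
  let seconds = 0;
  if (typeof attrs['max-age'] === 'string') {
    seconds = parseInt(attrs['max-age'], 10) || 0;
  } else if (typeof attrs.expires === 'string') {
    seconds = (Date.parse(attrs.expires) - now.getTime()) / 1000 || 0;
  }
  return Math.max(0, Math.round(seconds / 86400));
}

// Classify every cookie set while loading pageUrl.
function auditCookies(pageUrl, responses, now = new Date()) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  return responses.flatMap(({ url, setCookie }) => {
    const host = new URL(url).hostname;
    return setCookie.map((header) => {
      const { name, attrs } = parseSetCookie(header);
      const days = lifetimeDays(attrs, now);
      const party = siteOf(host) === pageSite ? 'first' : 'third';
      return { name, setBy: host, party, persistent: days > 0, days };
    });
  });
}

// Constructed sample: responses observed during one visit to a shop page.
const SAMPLE = [
  { url: 'https://www.shop.example/cart', setCookie: ['cart=abc123; Path=/; HttpOnly'] },
  { url: 'https://cdn.shop.example/app.js', setCookie: ['prefs=dark; Expires=Mon, 08 Jan 2024 00:00:00 GMT'] },
  { url: 'https://px.adnetwork.example/pixel.gif', setCookie: ['uid=u-42; Max-Age=31536000; Secure; SameSite=None'] },
];
console.log(auditCookies('https://www.shop.example/', SAMPLE, new Date('2024-01-01T00:00:00Z')));
```

In the sample, only the advertiser's `uid` cookie is both third-party and long-lived, which is the combination that allows the cross-site recognition the FTC described.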

What Laws Govern Cookies in the United States?

Since May 2018, the EU’s GDPR has imposed a continent-wide consent requirement for the placement of cookies on a user’s browser. Although the United States does not presently have a comprehensive data protection law analogous to the GDPR, most large U.S. businesses have adopted GDPR-compliant standards, given the possibility that European consumers will visit their websites. As a result, the GDPR’s consent standards have, in some sense, effectively come to apply in North America, and perhaps even worldwide.

The enactment of the GDPR in Europe has not, however, deterred U.S. officials from independent action. In 2019, Senator Josh Hawley introduced the Do Not Track Act, which would require the FTC to create a Do Not Track system analogous to the existing Do Not Call list for telemarketing activity. Although the Do Not Track Act is not a prohibition on the placement of cookies—and is overall far more limited in scope than the GDPR—the act would require website operators to notify internet visitors of their option to click on a link and thereby make themselves exempt from data collection for any purpose not strictly necessary for the provision of online services, a step akin to the GDPR’s consent requirement for cookie placement. And for the avoidance of doubt, the act identifies “targeted advertising” as an unnecessary purpose.

At the state level, meanwhile, California has gone much further, passing data protection legislation in the form of the Consumer Privacy Act of 2018 (CCPA). Like the Do Not Track Act, the CCPA allows internet users to declare themselves exempt from tracking technologies. But unlike the federal act—and much more closely aligned to the European GDPR—the CCPA also requires covered entities to disclose what data is collected (whether through cookies or other technology) as well as what is done with the data. And even more importantly, the CCPA is not merely forward-looking in terms of consumer data rights but actually allows consumers to demand that personal data already collected be deleted.

What Is Next for Cookies?

Separate and apart from the changing legal requirements, web browsers and online advertisers have voluntarily begun to phase out their use of cookies, particularly third-party cookies. They have done so partly because of consumer concerns—and, of course, to stay ahead of the law—but also in response to the diminishing effectiveness of cookies as increasing numbers of consumers adopt ad-blocking applications or simply clear their browsers. But the discontinuation of cookies does not mean the end of advertisers’ efforts to learn the shopping habits and preferences of potential customers. In addition to turning to obvious sources of consumer behavior information like loyalty programs, companies have begun testing new technologies, such as “fingerprinting.”

Like cookies, fingerprinting seeks to assign an identifier to persons browsing the internet in order to assess individual behavior. Instead of placing a file on users’ devices, however, fingerprinting seeks to assess the digital characteristics of the website visitor—e.g., IP address, operating system, browser type, and time zone—in order to determine his or her unique online signature. To be sure, the fingerprinting method is no less a form of tracking technology than cookie-based data collection, but because it relies on the inherent attributes of the web user rather than an externally placed “tag,” it is harder to detect or block. As the use of cookies declines and consumer awareness grows, we may see an increased focus on this new type of technology.