What a cookie actually is
A cookie is a small piece of text a website asks your browser to hold onto, then asks for back every time you return. That's genuinely the whole mechanism. There's no code running inside it, no file being executed, nothing capable of infecting your computer on its own — it's closer to a claim ticket than a program. A few everyday examples of what that ticket gets used for:
- Shopping carts — a store sets a cookie holding your cart contents so the items are still there if you close the tab and come back an hour later.
- Logged-in sessions — a cookie holds the token proving you already signed in, so you're not re-entering a password on every page.
- Dismissed popups — a news site sets one to remember you already closed the newsletter banner, so it doesn't nag you again.
The reason this simple idea became controversial isn't the cookie itself. It's what people built on top of it once they realized a cookie could also carry an identifier — a random string unique to you — and that the same identifier could be read back not just by the site that set it, but by other companies whose code happens to be embedded on that site too. That single detail is what turned a simple storage mechanism into the backbone of the targeted advertising industry.
First-party vs third-party cookies
A first-party cookie is set by the site you're actually visiting, for that site's own purposes: keeping you logged in, remembering your language setting, holding your cart together between pages. These are the cookies doing the boring, useful job cookies were originally invented for, and blocking them tends to break the site you're on rather than protect you from anything.
A third-party cookie is set by a domain that isn't the one in your address bar — usually an ad network or analytics provider whose script is loaded on the page. Visit ten different news sites that all run ads from the same ad network, and that network's cookie gets read back on every single one, letting it piece together a single profile of your visits across sites that have nothing to do with each other. This is the mechanism behind the ad that follows you around the internet after you look at one product once — the same cross-site pattern broken down in our targeted advertising guide. It was never a first-party cookie problem; it was always specifically the third-party kind.
- First-party — set by the site you're on, for that site's own function. Generally safe to allow.
- Third-party — set by an embedded ad or tracking script, readable across unrelated sites. The one worth blocking.
Session cookies vs persistent cookies
Separately from who sets a cookie, there's the question of how long it sticks around.
- Session cookie — has no expiration date written into it and gets deleted automatically when you close the browser. It's what keeps you logged into your email for the length of one visit, then makes you log in again next time if the site is being strict about it.
- Persistent cookie — has an actual expiration date baked in, sometimes a day out, sometimes two years out, and survives closing the browser entirely. "Remember me" checkboxes exist specifically to set a persistent cookie instead of a session one.
Clearing your cookies removes both kinds, but it doesn't touch every tracking method that survives a cookie wipe — some trackers use a browser fingerprint or a supercookie instead, specifically because neither gets removed the same way.
The settings that decide what a cookie can actually do
Every cookie carries a handful of flags a developer sets when creating it, and these flags matter more for your privacy than most explanations give them credit for.
Secure— the cookie will only ever be sent over an encrypted HTTPS connection, never plain HTTP. Without it, a cookie could theoretically be intercepted on an unencrypted network.HttpOnly— the cookie is invisible to JavaScript running on the page, which closes off a common way malicious scripts try to steal login cookies directly.SameSite— controls whether a cookie gets sent when you're navigating from a different site entirely. Set toStrictorLax, it's the single setting most responsible for third-party cookies losing their cross-site tracking power over the past few years, since browsers now default new cookies toLaxunless a site explicitly opts out.
None of this is exotic engineering. It's specified plainly in RFC 6265, the standard that defines how cookies are supposed to work, and every cookie you've ever had set on you was governed by it whether the site's developers thought about it or not.
Where third-party cookies actually stand in 2026
If the last thing you read about this topic was from a couple of years ago, it's probably wrong now, and it's worth correcting because it changes what "just block third-party cookies" actually means in practice today.
Safari and Firefox settled this years ago: both have blocked third-party cookies by default since around 2019–2020, through Apple's Intelligent Tracking Prevention and Mozilla's Enhanced Tracking Protection respectively. Chrome is the one that mattered most, since it's the browser most people use, and Google spent years promising to do the same thing — the plan was announced back in 2020, with a target date that kept slipping from 2022 to 2023 to 2024.
In July 2024, Google walked away from the plan entirely. Instead of removing third-party cookies from Chrome by default, the company introduced a user choice prompt that lets people opt out on their own, while Chrome keeps running its Privacy Sandbox advertising APIs alongside the cookies that remain. Third-party cookies are still blocked by default inside Chrome's Incognito mode, but in a normal Chrome window in 2026, they're allowed unless you've turned them off yourself.
The honest way to describe the current landscape is: roughly half the web's browser traffic (Safari and Firefox users) has been effectively cookieless for cross-site tracking for a few years now, and Chrome users are wherever they happen to have left their own settings. Advertisers responded to the Safari and Firefox side of that by leaning harder into first-party data collection and browser fingerprinting — techniques that don't rely on cookies at all, which is exactly why blocking third-party cookies alone was never going to be a complete fix for cross-site tracking even if Chrome had gone through with it. You can see what this looks like from the tracker's side with our browser fingerprint test or the more specific canvas fingerprint test.
What cookies can't do
Worth clearing up because the fear around cookies has drifted well past what they're actually capable of. A cookie is inert text, scoped by your browser to only be sent back to the domain that set it:
- Can't read files stored on your computer.
- Can't see what other tabs or programs you have open.
- Can't infect your device the way a virus does — there's no executable code inside a cookie at all.
Deleting your cookies doesn't require antivirus software; it's a setting in your browser, and doing it just logs you out of things and clears saved preferences, nothing more dramatic than that.
Why every site asks about cookies now
The cookie consent banners you click through dozens of times a day exist because of European law, primarily the ePrivacy Directive and the GDPR, which require sites to get permission before setting non-essential cookies — anything beyond what's strictly needed to make the site function. That's why "reject all" is legally required to be as easy to click as "accept all" in the EU, even though plenty of sites still design the buttons to make rejection annoying on purpose. Clicking accept genuinely does change what gets set on your device; clicking reject genuinely does stop the non-essential ones, at least on sites actually complying with the law. It's one of the few places where a checkbox click has a real, verifiable technical effect rather than being pure theater.
Managing your own cookies
Every major browser lets you view, delete, and block cookies from its settings, usually filed under Privacy and Security. Clearing them occasionally is reasonable hygiene and mostly just means re-logging into sites you visit often.
- Block third-party cookies — one of the higher-value, lower-cost privacy changes you can make, since it targets cross-site ad tracking directly without breaking the first-party functionality (carts, logins, preferences) that most sites depend on to work at all.
- Block first-party cookies too — possible, but tends to make ordinary browsing noticeably more annoying, since you'll be re-logging into everything, every time.
- Use a private/incognito window — clears cookies automatically when you close it, though it's not the airtight privacy tool it's often assumed to be; see our incognito mode guide for what it actually hides.
Frequently asked questions
Are cookies dangerous?
A cookie by itself isn't malware and can't harm your device. The privacy concern isn't the cookie's capability, it's what it enables: third-party cookies specifically allow advertisers to build a profile of your browsing across unrelated sites, which is a data collection concern rather than a security one.
Does Chrome block third-party cookies now?
Not by default, as of 2026. Google abandoned its plan to phase them out in July 2024 and replaced it with a setting users can toggle themselves. Chrome's Incognito mode does block third-party cookies by default, but a normal Chrome window doesn't unless you've changed that setting.
If I block all cookies, am I untraceable?
No. Blocking cookies stops the tracking methods that depend on them, but browser fingerprinting identifies a device using characteristics that have nothing to do with cookies at all, and advertisers increasingly rely on it specifically because cookie blocking has become common.
What's the difference between clicking "accept" and "reject" on a cookie banner?
On a site actually complying with EU cookie law, accepting sets non-essential cookies (usually analytics and advertising ones), while rejecting prevents them from being set at all. Cookies required for the site to function, like keeping you logged in, aren't covered by the consent requirement either way.
Sources
- RFC 6265 — HTTP State Management Mechanism (the cookie specification)
- CookieYes — Google's July 2024 reversal on third-party cookie deprecation
- Apple Support — Intelligent Tracking Prevention in Safari
- Mozilla Support — Enhanced Tracking Protection in Firefox
Written by PrivacyTestLab
This guide draws on the cookie specification (RFC 6265) and each browser vendor's current published tracking-protection defaults, checked directly rather than repeated from older explainers that predate Chrome's 2024 policy change.