Skip to main content
Back What Are Internet Cookies? (No, You Can’t Eat Them)

What Are Internet Cookies? (No, You Can’t Eat Them)

Most website cookies are just harmless digital coat-check tickets helping a site remember your cart—but a few of them are digital spies stalking you across the web.

Published 2026-07-02

7 min read
Read More Insights from Richah →

What Are Internet Cookies? (No, You Can’t Eat Them)

Let's start with a collective moment of disappointment: internet cookies do not contain chocolate chips, they do not go well with a cup of tea, and they will not satisfy your 3:00 PM sugar cravings.

Instead, they are the single most common source of daily frustration on the modern web. Every single time you open a website, a giant banner slides onto your screen, blocking the content you actually want to read, demanding that you "Accept Cookies."

Most of us don't even think about it. We just aggressively click "Accept All" or "I Agree" because we want the pop-up to vanish so we can get on with our lives.

But what are you actually agreeing to? Are you letting a website install spyware on your computer? Are they tracking your bank accounts? Or is it just a harmless digital housekeeping tool?

If you run a website for your business, understanding cookies is vital. It is the line between making your website work beautifully for your customers, and accidentally stepping over the line into invading their privacy.

Let’s strip away the technical mystery and look at what cookies actually are, how they work, and why the laws around them have recently changed in the UK.

The Coat-Check Analogy

To understand why websites need cookies, you have to understand a fundamental secret about the internet: websites have terrible amnesia.

Normally, when you click from one page of a website to another, the website instantly forgets who you are. It doesn't remember that you logged in ten seconds ago, and it doesn't remember what you just put in your shopping basket. To the website, every single click you make looks like it’s coming from a completely new, anonymous stranger.

To solve this memory loss, developers invented the "cookie."

To understand how it works, imagine walking into a busy London nightclub on a cold winter night. You walk up to the cloakroom, hand over your heavy coat, and the attendant hands you a tiny, numbered plastic ticket.

The ticket doesn't have your name, your address, or your life story on it. It just has a random number. But when you walk back to the cloakroom at 2:00 AM and hand that plastic ticket back to the attendant, they instantly know which coat belongs to you.

An internet cookie is exactly like that cloakroom ticket.

[ You visit a website ] --? [ Website hands your browser a "Cookie" (A tiny text file) ]
¦
?
[ You browse different pages ]
¦
?
[ Website reads the Cookie ] ?-- [ Browser automatically presents the Cookie with every click ]
¦
?
[ Result: Website remembers your login / shopping cart ]

When you land on a website, the site's server hands your web browser (like Chrome or Safari) a tiny, harmless text file—the "cookie." Your browser slips this file into its digital pocket.

As you browse around the site, your browser automatically flashes that cookie to the website with every single click. The website reads the random code in the file and goes: "Ah, yes! This is the person who put the blue shoes in their cart. I'll make sure those shoes are still there when they click checkout."

The Two Types of Cookies: The Helpful vs. The Creepy

Just like real-life crumbs, digital cookies can end up in two different places. In the tech industry, we categorise them based on who put them there and what they are doing.

1. First-Party Cookies (The Helpful Assistants)

These are cookies created and used directly by the website you are currently visiting. They are entirely harmless, incredibly useful, and essential for making the modern internet function.

They do things like:

  • Keeping you logged into your account so you don't have to type your password every time you click a link.

  • Remembering that you prefer "Dark Mode" or that you want the website displayed in English.

  • Keeping your shopping basket populated while you browse other items.
    Without first-party cookies, online shopping and web databases would be physically impossible to use.

2. Third-Party Cookies (The Digital Spies)

This is where cookies get a bit of a bad reputation. These are cookies placed on your computer by a company other than the website you are actually visiting—usually a massive advertising network or a social media giant.

Have you ever searched Google for a specific mattress, clicked on a blog post about sleep, and then spent the next three weeks being stalked by mattress advertisements on every single website you visit?

That is the work of third-party tracking cookies.

When you visited the mattress shop, an advertising network slipped a cookie into your browser. When you later visited a completely unrelated news website or social media platform, that same advertising network read the cookie in your browser's pocket, realised you were looking at mattresses, and instantly served you an ad for them.

The UK Rule Change: Killing the Annoying Pop-up Banners

Because third-party tracking cookies can feel incredibly invasive, governments around the world have spent years regulating them. This is why the internet became flooded with those annoying "Cookie Consent" pop-up banners.

But under the UK’s updated data laws—specifically the Data (Use and Access) Act (DUAA)—the rules have finally been given a massive dose of common sense.

The UK regulator (the ICO) realised that forcing people to click "Accept" just to read a local restaurant menu or a simple company blog was making the internet miserable.

Here is how the rules stand now:

  • No Banners for Low-Risk Cookies: Websites no longer need to force an annoying, screen-blocking consent banner on visitors for basic, low-risk functions. This includes standard first-party website analytics (to see how many people visit your homepage) and user preference settings (like language or appearance). You still have to explain these cookies in your Privacy Policy, but you don't have to ruin the user experience with a pop-up.

  • Banners Still Required for Tracking: If your business website uses advanced tracking pixels to run retargeting ads on Meta or Google, you must still display a clear consent banner. You cannot drop these tracking cookies onto a visitor's machine unless they actively click "Accept."

Cookie Type What It Does Do You Need a Consent Pop-up Banner?
Essential Keeps carts full, remembers logins. No. Completely exempt.
Basic Analytics Tracks how many people visit your homepage. No. Exempt under updated UK law (but users must be given an easy opt-out).
Targeted Advertising Tracks user behaviour to show ads later. Yes. Legally non-negotiable.

The Big "Catches" Business Owners Must Watch Out For

While the UK’s rules have relaxed, they also come with a set of incredibly sharp teeth. If you run a business website, you cannot afford to fall into these three major legal traps:

1. The €17.5 Million Stick (The New Fines)

Do not assume that slipping up on cookie compliance is just a minor slap on the wrist. Under the DUAA rules, the maximum fines for electronic marketing and cookie violations have officially skyrocketed from £500,000 to a terrifying £17.5 million or 4% of your global annual turnover (whichever is higher). The regulator is now treating cookie slip-ups with the exact same financial severity as a catastrophic data breach.

2. The "Sole Purpose" Trap

The exemption that allows you to ditch the pop-up banner for basic analytics only applies if that cookie is used strictly for that sole purpose.

Think of it like a valet driver. If they just park your car, that's fine. But if they secretly look at your GPS history and sell a list of your favourite shops to local billboard companies, they have stepped over the line. If your analytics tool silently shares visitor data with an advertising network (like Meta or Google Ads), it is no longer a "low-risk analytics" cookie. The exemption is instantly void, and you legally require a full consent banner.

3. The "Easy Opt-Out" Rule

Just because you don't need a giant, screen-blocking pop-up banner for basic analytics cookies doesn't mean you can completely hide them. The law states you must still provide a simple, free way for visitors to opt-out. Usually, this means leaving the analytics cookies turned "on" by default, but having a clear, obvious toggle link in your website's footer or inside your Privacy Policy that says: "Click here to turn off analytics tracking."

4. The European Border Control

If your UK business gets traffic from the European Union, the UK’s relaxed rules will not protect you. The EU’s data laws (GDPR and the ePrivacy Directive) still strictly require a full, active consent banner for analytics cookies.

If you sell products to customers in France or Germany, or if you run a global tourism site, you have two choices:

  • Keep using a strict consent banner for everyone.

  • Use a "smart banner" that automatically displays a pop-up only to visitors arriving from an EU IP address, whilst keeping the experience clean and banner-free for your UK visitors.

What Does This Mean for Your Business Website?

If you are building a website for your company, or if you are working with an agency to upgrade your current one, you should aim for a "minimalist" approach to cookies.

The fewer trackers you use, the faster your website will load, the cleaner your design will be, and the more your customers will trust you.

When we build web applications and websites, we prioritise privacy from the ground up. We structure databases so they rely on secure, first-party methods that don't require tracking your users across the web. If you don't need to track people, why do it?

By keeping your digital footprint clean, you can completely get rid of those ugly, intrusive pop-up banners, creating a lightning-fast browsing experience that respects your customers' privacy.

Taking Control of Your Own Crumbs

If you are browsing the web as a private individual and you are tired of being stalked by advertisements, you don't have to wait for websites to clean up their act. You can take matters into your own hands:

  • The Chrome Pivot: For years, Google threatened to completely phase out and ban third-party cookies in Chrome. Recently, they cancelled those plans. Instead, they switched to a "user choice" model. This means third-party cookies will live on inside your Chrome browser unless you manually go into your settings and turn them off yourself.

  • Clear Your Crumbs: Every few months, go into your browser history and click "Clear Cookies and Site Data." This is the digital equivalent of emptying your pockets and tossing out all those old cloakroom tickets. It will log you out of a few websites, but it instantly shakes off any advertisers who have been quietly following you around the web.
    At the end of the day, cookies aren't inherently evil. They are simply the digital glue that holds the modern web together. When used ethically and transparently, they make your business website feel seamless, personal, and professional—leaving the chocolate chip variety as the only ones your customers have to worry about.

Read More Security Insights

If you enjoyed this article and want to learn more then here are a couple of great reads on Security that we recommend.

Stop Using Your Dog’s Name: The Easy Way to Handle Passwords

Why Clicking "Remind Me Later" on Software Updates is a Bad Idea

See our Security in Action

We practice what we preach here at Richah. Take a look at how we’ve built robust privacy and security features directly into RiCreate, our custom content platform. When it comes to building websites and apps, keeping your data secure isn't an afterthought—it's the most important part of the entire build.

Security by Design at RiCreate