What exactly are cookies?

It is not only since the GDPR came into effect in May 2018 that website operators have had to ask themselves whether cookies are personal data. To answer this question, the term "cookie" needs to be defined first.

Definition of cookies

A cookie is a small text file. Websites place these small text files in the browsing history of users, which is why we often talk about "setting cookies". Cookies are either sent to the user by the respective server (HTTP cookie) or generated when a website is visited (scripted cookie). By setting cookies, website visits are tagged and recognized, which allows website operators to adapt to users' browsing habits. Cookies are generally used to optimize a page for the user; certain cookie types are also responsible for the flawless functioning of the website (e.g. shopping cart cookies).

Generally, there are three types of cookies:

  • Cookies required for the function of a website
  • Performance or functional cookies
  • Tracking or advertising cookies

The difference between first and third party cookies

First party cookies

First party cookies are those cookies that are set by the website on which a user is surfing. Browsers do not make these cookies accessible across domains, which means they are not passed to third parties. First party cookies include, in particular, necessary cookies, performance cookies, functional cookies and advertising cookies.

Tracking cookies or third party cookies

Third party cookies or tracking cookies are commonly used to mark the user of a website in order to recognize them later. These cookies are used to monitor the browsing behavior of a user over a longer period of time. They are therefore used for targeted advertising. These cookies are set by banners that are integrated on a website and not by the website itself. This happens even without explicit user registration on a website and across multiple web offers. In doing so, third party cookies collect useful information such as the user's navigation through links, the dwell time on various web pages and page views, as well as the frequency of page views.

Functions of Cookies

The use of cookies enables a number of functions. The functions of cookies can be divided into three areas.

Firstly, website operators can use cookies to conduct user analyses, which record visiting times or the frequency of page views. Usage streams can be used to eliminate bugs and manage bids. Examples of this are sales and comparison portals, streaming services, search engines, etc. These match the behavior of their users and thus determine the best possible result for precise hit rates.

To enable the free use of websites for visitors, website operators often advertise. Advertising agencies as a third party advertise based on the user information generated by the cookies. Cookies can therefore contribute to the financing of a website through advertising.

By storing user information while a user surfs a website, the experience can be personalized, which means cookies process and store personal information. This can be an e-mail address, name, age, product suggestions, etc.

Risk of cookies

The biggest problem with cookies is data theft. If cookies are unprotected or poorly protected, a user's stored personal data is easy to abuse and exposed to the danger of hacker attacks. Another problem is the creation of personal profiles through the use of cookies. In general, profiling should only be necessary on an anonymous basis. Cross-site merging of cookies, however, can create detailed user profiles. Profiling is understood to mean the automated processing of personal data in any form by the evaluation of personal aspects of a natural person. People can be clearly identified and recorded with their activities by profiling based on browser history, web searches, IP addresses, purchases, and personal account activity.

Cookies under the General Data Protection Regulation

The General Data Protection Regulation regulates and restricts the processing of personal data. The processing of personal data is only allowed if it is either anonymous or used for specific purposes. Since most cookies process personal data, they are therefore also covered by the GDPR.

In short:

  • If it is technically necessary for a cookie to be set, no consent is required (e.g. shopping cart cookie).
  • There are also the so-called functional and performance cookies. It depends on whether such a cookie is a first party or a third party cookie. If functional and performance cookies are set as third party cookies, consent is required.
  • The third type of cookies are analysis/tracking or advertising cookies. User consent is required in any case.
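
The first party / third party distinction and the three consent rules above can be checked against the cookies a page load actually sets. The following is an added example, not code from the original article; the function names, hosts and cookie values are hypothetical, and the "last two host labels" rule for deciding which site a host belongs to is a simplifying assumption.

```javascript
// Added example, not Usercentrics code. All names and sample data are hypothetical.
// Assumption: "site" = last two host labels. Real audits need the Public Suffix
// List, because this shortcut is wrong for hosts such as shop.example.co.uk.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no cookie name: skip
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    cookie.attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Label every cookie set during one page load as first or third party.
function classifyCookies(pageUrl, responses) {
  const pageSite = siteOf(pageUrl);
  const out = [];
  for (const { url, setCookie } of responses) {
    const party = siteOf(url) === pageSite ? "first" : "third";
    for (const header of setCookie) {
      const c = parseSetCookie(header);
      if (!c) continue;
      // Max-Age or Expires makes the cookie outlive the browser session.
      const persistent = "max-age" in c.attrs || "expires" in c.attrs;
      out.push({ name: c.name, setBy: new URL(url).hostname, party, persistent });
    }
  }
  return out;
}

// Consent rules as this article's "In short" list summarises them.
function consentRequired(category, party) {
  if (category === "necessary") return false;
  if (category === "functional" || category === "performance") return party === "third";
  return true; // analysis, tracking or advertising
}

// Constructed sample: responses seen while loading https://www.example.com/
const SAMPLE_RESPONSES = [
  { url: "https://shop.example.com/cart", setCookie: ["cart=abc123; Path=/; HttpOnly"] },
  { url: "https://ads.adnetwork.test/banner.js", setCookie: ["uid=42; Max-Age=31536000; Path=/"] },
];
console.log(classifyCookies("https://www.example.com/", SAMPLE_RESPONSES));
```

The purpose category of a cookie cannot be read from its header, so it has to be supplied from the operator's own cookie inventory.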

Are cookies personal data?


Usercentrics GmbH does not offer legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.
