Cookies track you by storing a unique ID in your browser the first time you visit a site. Every time you return, the site reads that ID back. It then links your clicks, searches, and purchases to it, building a profile used to target ads.
First-party cookies do this on a single site. Third-party cookies do it across every site that embeds the same ad network. Below: the five-step mechanism, how the two cookie types differ, what data gets collected, who is watching, and what the law requires.
How Do Cookies Track You? (The Short Answer)
Cookies track you by storing a unique ID in your browser. Each time you return, the site re-reads that ID and links your clicks, searches, and purchases to it, building a profile used to target ads.
Two modes make this work. A first-party cookie is set by the site you are on. It tracks you only there, powering logins and shopping carts. A third-party cookie is set by an ad network or analytics tool embedded across many sites. It reads the same ID everywhere that network appears, which is how it follows you from site to site. If you are still fuzzy on what a cookie is, start there; here we focus on the tracking itself.
How Cookie Tracking Works: Step by Step
Cookie tracking runs through five steps, from the moment you first load a page to the ad you see later.
- A site assigns your browser a unique ID. On your first visit, the server sends a
Set-Cookieresponse header containing a random string, the cookie's actual payload. Per Wikipedia's HTTP cookie reference, cookies are set using the Set-Cookie header field, sent in an HTTP response from the web server. Your browser saves it as a small text file tied to that domain. - Your browser stores and returns the cookie. On every later request to that domain, your browser automatically attaches a
Cookierequest header carrying the same ID back to the server. This round trip, set once, returned every time, is what makes you recognizable without logging in again. - Your activity gets tied to that ID. The site's code logs the pages you view, the links you click, the items you add to a cart, and how long you stay, then attaches each action to your cookie ID rather than to your name.
- The data builds a profile of you. Accumulated actions become a behavioral profile: the categories of pages you visit, the products you view repeatedly, the times of day you browse.
- The profile is used to target ads. Advertising and analytics systems read that profile to decide which ad you see next, on the current site or, if a third-party cookie is involved, on a completely different one.
First-Party vs Third-Party Cookies: The Two Ways Cookies Track You
First-party and third-party cookies differ in who sets them and how far they can follow you. The distinction between first-party and third-party cookies decides whether a cookie tracks you on one site or across many.
| Attribute | First-party cookie | Third-party cookie |
|---|---|---|
| Set by | The site you are visiting | An external ad, analytics, or social script embedded on the page |
| Tracks you | Only on that one site | Across every site that embeds the same network |
| Typical purpose | Login sessions, cart contents, saved preferences | Cross-site profiling and ad targeting |
| Browser treatment (2026) | Allowed by default everywhere | Blocked by default in Safari and Firefox; allowed by default in Chrome |
First-Party Cookies (Single-Site Tracking)
A first-party cookie is set by the domain shown in your address bar. It remembers that you are logged in, keeps items in your cart between pages, and stores your language or display preferences. Because the site you are visiting is the only one that can read it, a first-party cookie cannot follow you to a different website. This is the functional, mostly benign category: without it, you would re-enter your password on every page load.
Third-Party Cookies (Cross-Site Tracking)
A third-party cookie is set by a domain other than the one you are visiting. Common examples: an ad network, an analytics tool, or a social media "Like" button embedded in the page. Cross-site tracking happens when that same external script appears on Site A and Site B. It reads the identical cookie ID on both sites. That single ID lets the network treat you as one continuous visitor across unrelated sites and build one profile from all of it. This is how one ad network follows you from a shoe store to a news site. Chrome reversed its planned phase-out of third-party cookies in July 2024. They remain active in the browser with the largest market share. Safari and Firefox still block them by default, and Privacy Sandbox restrictions keep expanding.
What Data Can Tracking Cookies Actually Collect?
Tracking cookies collect three categories of data: your browsing activity, your device and browser details, and your network location.
- Browsing activity: pages and sites visited, search terms typed, links clicked, items added to or abandoned in a cart, time spent per page
- Device and browser: device type, operating system, browser version, screen resolution
- Network and location: your IP address, which reveals your approximate city or region and your internet service provider
A cookie itself cannot read information beyond what the site's own code logs against it. It cannot read another site's cookies, capture the passwords you type, or run code on your device. The one exception is session-cookie hijacking, where an attacker steals an active login cookie to impersonate you. That is a narrow security risk, separate from ordinary tracking.
Cookie Tracking in Action: The "Ad That Follows You" Example
Here is the cross-site mechanism made concrete, using one shopper and one pair of shoes.
A shopper browses a pair of running shoes on an online store that runs a third-party ad network's tracking script. The network's cookie logs the product page against the shopper's unique ID the moment the page loads. Three days later, the same shopper reads an unrelated article on a news site that runs the same ad network. The network reads the identical cookie ID on the news site. It matches that ID to the shoe-browsing record from three days earlier and serves an ad for the exact shoes.
Nothing about the news site itself is connected to the shoe store. The single thread connecting them is the shared ad network's cookie ID, set once and read twice, on two sites with nothing else in common.
Who Is Actually Tracking You (and Why)?
Three types of actors track you through cookies, each with a different scope and a different reason for doing it.
| Actor | Tracking scope | Why they track | Examples |
|---|---|---|---|
| The website itself | Single-site (first-party) | Site functionality and its own analytics | The site's own login, cart, and page-view logs |
| Ad networks and analytics providers | Cross-site (third-party) | Ad targeting and campaign measurement | Google Ads, Google Analytics, Quantcast |
| Social media platforms | Cross-site via embedded widgets | Track you across the web through Like and Share buttons | Meta, X, TikTok |
| Data brokers and ad exchanges | Cross-source aggregation | Aggregate and resell audience profiles | Merged profiles bought from multiple networks |
The incentive behind all four is the same: data that predicts what you will click or buy is worth money. Google and Meta lead this, embedding their tracking code on a large share of the web's sites. Social buttons extend the reach further. Meta, X, and TikTok can log your visit to any page carrying their widget, even when you are not logged in. That reach lets one cookie ID generate ad revenue and measurement data across every site the network touches.
Cookies Are Not the Only Way Websites Track You
Cookies are one tracking method among several, and blocking cookies alone does not stop the others.
- Tracking pixels and web beacons: an invisible one-pixel image embedded in a page or email that pings a server the moment it loads, confirming you opened it
- Browser fingerprinting: JavaScript reads your device's screen resolution, fonts, time zone, and other settings to build a unique fingerprint that identifies you even with cookies blocked
- IP address tracking: your internet provider assigns a public IP address that reveals your approximate location and network, independent of any cookie
- Account login tracking: signing into a service ties your activity to your personal profile across any site where that service's widget or login button appears
Tracking pixels and web beacons are the same underlying technique described two ways. Browser fingerprinting is the method that matters most once cookies are gone, because it works whether or not a cookie exists.
Can Websites Still Track You After You Delete Cookies?
Yes, often. Deleting your cookies removes the specific text file, but it does not remove the other identifiers a site can use to recognize you.
- Browser fingerprinting: your device's hardware and software configuration re-identifies you the moment you load a new page, cookie or not
- IP address: your network location is visible on every request regardless of cookie state
- Account login: if you sign back in, the site reconnects your activity to your profile immediately
- Respawning cookies: supercookies and zombie cookies store a copy of your ID in a location outside the normal cookie folder, then recreate the deleted cookie from that backup the next time you visit
Fingerprinting is the hardest of these to shake. The Electronic Frontier Foundation's free Cover Your Tracks tool measures how identifiable your own browser is, testing your configuration against its database. Clearing cookies still removes one real tracking vector and is worth doing regularly, but it is not a complete escape from tracking on its own.
Should You Worry About Tracking Cookies?
Tracking cookies are not malware, and a cookie cannot steal your password or run code on your device. First-party cookies are mostly harmless functional tools that keep you logged in and your cart intact. The real concern is third-party profiling: a network quietly assembling a detailed picture of your browsing habits across the web. That picture can then be shared or sold. One narrow security caveat exists. On an unencrypted (HTTP) connection or open public Wi-Fi, an attacker on the same network can capture a login cookie. Pew Research Center found that 81% of Americans believe the risks of company data collection outweigh the benefits. This concern is widely shared, not a fringe worry.
The proportionate response is a set of specific actions, not blanket alarm or blanket dismissal.
- Block third-party cookies in your browser's privacy settings
- Reject non-essential cookies whenever a consent banner offers the choice
- Use a browser or extension that limits cross-site tracking by default
- Clear cookies periodically to reset the identifiers that have accumulated
What the Law Requires Before a Site Can Track You
In the EU and UK, a site needs your prior, informed, opt-in consent before it sets any non-essential tracking cookie. The UK's Information Commissioner's Office requires organizations to disclose their cookie use clearly. It also requires "an appropriate means of consenting to that cookie being set on your device" before any non-essential cookie loads. This is why cookie consent rules exist. Cookies genuinely necessary for the site to function, like a shopping cart, are exempt from that consent requirement.
In California, the CCPA takes an opt-out approach instead. The California Attorney General's office confirms residents can require a business to stop "selling or sharing" their personal information. "Sharing" is defined to cover cross-context behavioral advertising built from tracking a person's activity across multiple websites. Under the GDPR, the identifiers inside tracking cookies also mean cookies count as personal data.
A third rule targets children. In the United States, COPPA requires verifiable parental consent before a site directed at children under 13 can use cookies to track them. A site that drops tracking cookies before a visitor answers its consent banner violates the EU and UK rule. This holds even if the banner appears moments later. Functional cookies needed for the page to work are the narrow exception across all three regimes.
FAQs
Can you be tracked through cookies?
Yes. Third-party cookies specifically enable cross-site tracking, since the same ad network reads the identical cookie ID on every site where its script is embedded.
Do cookies track your IP address?
The cookie itself stores only a text ID. The server your browser talks to separately logs your IP address alongside that ID. The two travel together in the site's records, even though the cookie file itself does not contain your IP.
Can tracking cookies steal passwords?
No. A cookie is a stored text identifier; it cannot read your keystrokes or execute code. The narrow exception is session-cookie hijacking, where an attacker steals an active login cookie to impersonate you, a separate security risk from ordinary tracking.
How do I know if I have a tracking cookie?
Check your browser's cookie settings or developer tools. In Chrome, go to Settings, then Privacy and security, then Cookies, then See all site data to view every stored cookie by domain.
How do cookies track you on your phone?
The same browser-cookie mechanism applies inside a mobile browser. Apps add a separate layer: a device-level advertising identifier that lets ad networks track your in-app activity the way a third-party cookie tracks a browser.
Are tracking cookies dangerous?
Not to your device or its security. The risk is to your privacy: the profiling and cross-site correlation, not malware or data theft.
Are tracking cookies illegal?
No, but using non-essential ones without the required consent is. The EU and UK require prior opt-in consent; California requires that you be allowed to opt out of the sale or sharing tied to them.
How do I stop cookies from tracking me?
Reject non-essential cookies on consent banners, block third-party cookies in your browser's privacy settings, and clear cookies periodically.
If you run a website rather than just browse one, the responsibility flips. You are the one who has to get consent for these tracking cookies and block the non-essential ones until a visitor agrees. Consently scans and categorizes every tracking cookie on your site and blocks non-essential cookies and scripts before a visitor consents. It also generates the cookie policy that explains all of it to your visitors.

