A supercookie is a persistent tracking identifier that works like a cookie. It lives outside normal browser cookie storage, in a network header, a browser cache, or device data. That location makes it far harder to see, block, or delete than a regular cookie.
Below: the supercookie taxonomy, how each type tracks you, the Verizon case that got one banned, and the defenses that actually work against them.
What Is a Supercookie?
A supercookie is not technically an HTTP cookie. It is any persistent mechanism used to track you the way a cookie would, stored somewhere your browser's cookie controls cannot reach.
The Electronic Frontier Foundation's Bennett Cyphers defines it as anything that is not a traditional cookie but works as one. Mozilla puts it more bluntly, calling supercookies not cookies, but similar, and worse.
Both framings point to the same trait: a supercookie hijacks a storage mechanism the browser never built for tracking. It then uses that mechanism to identify you across visits, the same way a cookie would.
The term also has a narrower, older technical meaning. A cookie scoped to an entire top-level domain or public suffix, such as .com or .co.uk, is technically called a supercookie. Modern browsers block it outright, since it would let one site set a cookie for every other site under that suffix.
That usage is distinct from the tracking-technology sense this article covers, the meaning behind nearly every current search for the term.
Regular cookie storage is the baseline a supercookie evades. A standard HTTP cookie sits in a folder your browser manages, visible in developer tools and deletable in one click. A supercookie hides in a place your browser was never designed to expose or clear.
How Are Supercookies Different from Regular Cookies?
A regular cookie sits in your browser's cookie storage, where you can see and delete it. A supercookie hides in a network header, a browser cache, or device data, so normal cookie controls usually cannot find or remove it.
| Attribute | Regular (HTTP) cookie | Supercookie |
|---|---|---|
| Where it is stored | Browser's cookie folder | Network header, browser cache, or device data |
| Who can view or delete it | The user, via browser settings | Nearly impossible to locate or delete manually |
| Survives cookie-clearing | No | Yes |
| Survives incognito / private mode | No | Yes |
| Blocked by ad blockers | Usually | Often bypasses them |
| Typical size | About 4KB | Up to 100KB for a Flash Local Shared Object |
A persistent cookie is not the same thing as a supercookie, even though both outlast a single browsing session. A persistent cookie is a standard cookie with a long expiry date, stored in the normal cookie folder. You can still view and delete it at any time. A supercookie persists by hiding outside that folder entirely, which removes your ability to control it.
Types of Supercookies (Where They Hide)
Supercookie is an umbrella term for several distinct techniques. They share one trait: each stores a tracking identifier somewhere your browser's cookie controls cannot reach.
Four main families dominate the taxonomy.
- ISP-injected supercookies, appended to your network traffic by your internet provider
- Cache and HSTS supercookies, hidden in the caches your browser keeps for speed
- Flash cookies (Local Shared Objects), stored by Adobe Flash Player instead of the browser
- Favicon supercookies, encoded in the small icon cache your browser keeps per site
ISP-Injected Supercookies (Unique Identifier Headers)
An internet service provider injects a Unique Identifier Header, or UIDH, into your unencrypted HTTP traffic after it leaves your device. That header follows every browser, app, and device connected through that same internet line.
You cannot delete this type from your machine because it never lives there. The ISP appends it at the network level, outside your device entirely, so clearing your browser offers no defense. Verizon and AT&T are the two carriers publicly documented using this technique in the United States.
Cache and HSTS Supercookies
This family hides a tracking identifier inside caches your browser keeps for performance, not for cookies. The vectors include the image cache, the HTTP cache, the favicon cache, DNS and font caches, and HSTS flags or ETags.
Mozilla documented the mechanism directly: a site encodes an identifier in a cached image. A different site then reads that same cached image back to retrieve the identifier.
Researchers call this technique "cache fingerprinting" because it abuses a browser's cache behavior rather than the cookie system. Firefox 85 closed this gap in 2021 by partitioning network connections and caches per site. A cache written on one site can no longer be read back on another.
Flash Cookies (Local Shared Objects)
A Local Shared Object, commonly called a Flash cookie, is data that Adobe Flash Player stores on your computer instead of your browser. Flash Player, not the browser, managed this storage. An LSO survived a full browser cookie-clear and persisted across Chrome, Firefox, and Safari on the same machine.
An LSO could hold up to 100KB, compared with roughly 4KB for a standard HTTP cookie. Researchers documented Flash cookies sharing the same identifier values as a site's regular HTTP cookies, effectively respawning a deleted ID. Removing one required Adobe's separate Settings Manager, since browser cookie controls never touched .sol files.
Adobe discontinued Flash Player in December 2020, so websites are not creating new Flash cookies. Old Local Shared Objects can still linger on machines that never had Flash fully uninstalled, but this vector is effectively closed for any current site.
Favicon Supercookies
A 2021 research project demonstrated that a site can encode a unique identifier in your browser's favicon cache. This is the small per-site icon store most privacy tools never inspect. Standard cookie-clearing, ad blockers, and even private browsing rarely touch it, so this technique escapes most conventional defenses.
This method sits on the border between a supercookie and browser fingerprinting. Both identify you without a traditional cookie, though fingerprinting typically reads device and browser characteristics rather than writing a stored identifier.
How Do Supercookies Track You?
Supercookies enable cross-site and cross-device tracking by surviving the actions that defeat ordinary cookies. The identifier lives in a network header or an uncleared cache. A tracker can re-link your sessions even after you delete cookies, switch browsers, or open a private window.
This matches the practitioner definition of the term: any persistent storage mechanism repurposed to act as a cookie. What makes a supercookie stick where a cookie fails:
- It is stored outside the location your browser's "clear cookies" function targets
- An ISP-level identifier attaches to the connection itself, not to any single browser or app
- A cache-based identifier can be read back by any site that knows where to look, not just the site that set it
- None of these locations reset when you open an incognito or private window
Supercookies, Zombie Cookies, and Evercookies: What's the Difference?
A supercookie is the umbrella term for any cookie-like tracker stored outside normal cookie storage. A zombie cookie, also called an evercookie, is a specific kind of supercookie. It automatically recreates itself after you delete it, by stashing backup copies in several of those hiding places at once.
In short: every zombie cookie is a supercookie, but not every supercookie respawns on its own. For the full respawn mechanism, the backup-vector list, and how to actually remove a zombie cookies infection, see the dedicated guide.
The Verizon Supercookie Case: When ISPs Got Caught
In 2016, Verizon paid the FCC a $1.35 million settlement for injecting UIDH supercookies into customers' traffic to power targeted ads, without telling them. The case remains the clearest proof that supercookie tracking carries real regulatory risk, not just a privacy inconvenience.
Verizon deployed the UIDH supercookie starting in December 2012 but did not disclose it to customers until October 2014, nearly two years later. The FCC's March 2016 settlement required Verizon to get opt-in consent before sharing the data with third parties.
It also had to let customers opt out internally. This remains the first major U.S. enforcement action against ISP-level supercookie tracking, and it set the template regulators still cite.
Why Are Supercookies a Privacy Risk?
Supercookies are a privacy risk because they track you invisibly and persistently. You usually cannot see them, ordinary browser controls do not remove them, and clearing cookies or using incognito does not stop them.
That combination produces three specific harms:
- Silent cross-site and cross-device profiling: a tracker links your activity across unrelated sites and devices with no visible indicator that it is happening
- No meaningful consent: most privacy tools never surface a supercookie's existence, so you cannot decline something you never see
- Account-level persistence: an ISP-injected identifier ties to your internet account, not a single browser, so it follows every device connected through that line
Clearing cookies or opening a private window will not fix any of the three. Both actions target the cookie folder specifically, and a supercookie by definition does not live there.
How to Detect and Stop Supercookies
Clearing cookies will not remove a supercookie, since it lives outside cookie storage. Real defenses target each hiding place directly:
- Use a VPN or enforce HTTPS so your ISP cannot read or inject a UIDH into your unencrypted traffic.
- Use a modern browser with cache partitioning, such as Firefox 85 or later, which isolates caches per site and neutralizes cache and HSTS supercookies.
- Opt out of your ISP's advertising or identifier program where the carrier offers one.
- Clear legacy Flash Local Shared Objects through Adobe's Settings Manager, since browser cookie controls never reach
.solfiles.
Each defense covers one hiding place, not all of them. A VPN stops network-level injection but does nothing for an on-device cache supercookie. Cache partitioning stops cache abuse but does not touch an ISP header added before the traffic reaches your browser. Layering more than one defense is what actually closes the gap.
Are Supercookies Legal? What Website Owners Need to Know
Supercookies are not banned outright, but using them to track people without consent runs into privacy law. The FCC penalized Verizon directly. Under GDPR and the ePrivacy Directive, any non-essential tracking on a website needs informed consent, regardless of the storage mechanism used.
For a website owner, the responsibility runs the other direction. You are accountable for every tracker and script your own site loads, whether you added it directly or a third-party tag did.
Deploying a hidden, hard-to-delete tracker that bypasses a visitor's choice is exactly what regulators penalized Verizon for, and it is the opposite of cookie compliance.
The practical fix is knowing precisely what your site loads and blocking every non-essential tracker until the visitor gives cookie consent.
How Consently Helps You Catch Hidden Trackers on Your Site
Consently scans your site for the cookies, trackers, and scripts it actually loads. It then blocks the non-essential ones until visitors consent, so you are not unknowingly running a hidden or hard-to-delete tracker of your own.
A compliant consent management platform only sets cookies a visitor has agreed to, and it never deploys supercookie-style trackers that survive deletion. The first step toward that is knowing exactly what your own site is loading in the first place.
Consently's Automatic Full-Site Scan crawls your site and detects every cookie, tracker, script, and iframe running on it. The brand frames its own job simply: it finds every cookie, so you do not have to.
Cookie Auto-Blocking, Script Blocking, and Iframe Blocking then stop non-essential cookies, scripts, and iframes from firing until a visitor consents. Every consent decision is logged for audit.
Block trackers before consent with a scan you can run today. Start free with no credit card required.
FAQs
What is a supercookie in simple terms?
A supercookie is a tracking identifier that survives normal cookie deletion. It hides in a network header, a browser cache, or device data instead of your browser's cookie storage.
What is the difference between a cookie and a supercookie?
A cookie sits in your browser's cookie storage and you can view or delete it. A supercookie hides in a network header or a cache, and normal cookie controls usually cannot reach it.
Are supercookies legal?
Supercookies are not banned outright, but tracking people without consent breaches GDPR and ePrivacy. The FCC has already fined Verizon $1.35 million for undisclosed supercookie tracking.
Can you delete a supercookie?
Not with your browser's cookie settings. Effective defenses are a VPN or HTTPS, a browser that partitions caches by site, an ISP opt-out, and Adobe's Settings Manager for old Flash cookies.
Does clearing my cookies or using incognito stop supercookies?
No. Supercookies live outside cookie storage, so clearing cookies or opening a private window does not remove or block them.
Do flash cookies still exist?
Practically no. Adobe discontinued Flash Player in December 2020, so new Flash cookies are not being created. Old Local Shared Objects can still linger on legacy machines.
Is a supercookie the same as a zombie cookie?
Not exactly. A zombie cookie is a supercookie that recreates itself after deletion. Every zombie cookie is a supercookie, but not every supercookie respawns.
Does a VPN stop supercookies?
A VPN encrypts your traffic, which stops network-injected ISP supercookies (UIDHs). It does not remove on-device cache supercookies or old Flash cookies.

