What Are Cookies and Why Do Privacy Laws Care About Them?

A plain-English explanation of website cookies, why they matter for privacy compliance, and what you need to do about them as a website owner.

2026-03-03

If you run a website, you've heard the word "cookies" in the context of privacy laws and consent banners. But what are they actually, why do regulators care about them, and what do you need to do?

What Is a Cookie?

A cookie is a small text file that a website stores in your visitor's browser. When the visitor returns, the browser sends the cookie back to the website, allowing it to "remember" things.

Cookies are not programs — they can't run code, install software, or access your files. They're just small pieces of data.

Types of Cookies

Essential Cookies

These are required for your website to function:

  • Session cookies — keep users logged in, maintain shopping cart contents
  • CSRF tokens — block forged form submissions (cross-site request forgery)
  • Load balancer cookies — route traffic to the correct server
  • Cookie consent cookies — remember the visitor's cookie preferences

Essential cookies are exempt from consent requirements under all privacy laws. You can always set them.

Analytics Cookies

These track how visitors use your website:

  • Google Analytics: _ga, _gid cookies track page views and user behavior
  • Microsoft Clarity: _clck, _clsk cookies record session data
  • Hotjar: _hj* cookies track heatmaps and recordings
  • Shopify Analytics: _shopify_s, _shopify_y cookies

Analytics cookies are non-essential. Most state privacy laws require you to allow visitors to opt out of these.

Advertising Cookies

These enable targeted advertising and cross-site tracking:

  • Facebook Pixel: _fbp, _fbc cookies
  • Google Ads: _gcl_au, _gcl_aw cookies
  • TikTok: _ttp cookie
  • LinkedIn: li_sugr, bcookie cookies

Advertising cookies are the highest-risk category from a privacy compliance perspective. They're almost always considered "selling" or "sharing" data under CCPA, and most states require opt-out (or opt-in) consent.

Marketing Cookies

These support email marketing and personalization:

  • Klaviyo: __kla_id cookie
  • Mailchimp: various tracking cookies
  • Intercom: intercom-* cookies

These typically collect personal data and require disclosure and opt-out mechanisms.

Why Do Privacy Laws Care?

Privacy laws care about cookies because cookies are the mechanism through which most data collection happens on the web. When regulators talk about protecting personal data, cookies are often the first point of contact between your website and a visitor's personal information.

Specifically:

  • Cookies create unique identifiers — the _ga cookie, for example, gives each visitor a unique ID that tracks their behavior over time. Under CCPA, this is "personal information."
  • Cookies enable cross-site tracking — advertising cookies follow visitors from your site to other sites, building behavioral profiles. This is "sharing" data under CCPA.
  • Cookies collect data without awareness — most visitors don't know that 5-15 cookies are being set when they load your homepage. Privacy laws require transparency about this.

What You Need to Do

1. Know What Cookies Your Site Sets

Most website owners don't know. Your theme, plugins, apps, and embedded content all set cookies independently. Scan your site to get a complete list.

2. Categorize Your Cookies

Group them into essential, analytics, advertising, and marketing. This categorization goes into your privacy policy and cookie consent banner.

3. Disclose Them

Your privacy policy must list the cookies your site uses, what they do, who sets them (first-party vs third-party), and how long they last.

4. Get Consent or Provide Opt-Out

Depending on the state:

  • Opt-out states (most US states) — you can set cookies by default but must provide a clear opt-out mechanism
  • Opt-in states (some EU-influenced implementations) — you must get consent before setting non-essential cookies

A cookie consent banner handles both scenarios.

5. Honor GPC Signals

If a visitor's browser sends a Global Privacy Control signal, treat it as an opt-out of non-essential cookies. This is legally required in California, Colorado, Connecticut, Texas, and several other states.
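
Steps 1 to 5 as one added example (not code from the original article or from ClearConsent): it turns observed Set-Cookie headers into disclosure rows using the cookie names listed in this article, then decides per request whether each category may be set, treating a `Sec-GPC: 1` request header as an opt-out. The site `shop.example`, the essential cookie names, the sample headers and the `regime`, `optedIn` and `optedOut` inputs are assumptions constructed for illustration.

```javascript
// Name patterns copied from this article's lists; a trailing "*" is a prefix wildcard.
const CATEGORIES = {
  analytics: ["_ga", "_gid", "_clck", "_clsk", "_hj*", "_shopify_s", "_shopify_y"],
  advertising: ["_fbp", "_fbc", "_gcl_au", "_gcl_aw", "_ttp", "li_sugr", "bcookie"],
  marketing: ["__kla_id", "intercom-*"],
};
const ESSENTIAL = ["session_id", "csrf_token", "cookie_consent"]; // assumed names
function categorize(name) {
  if (ESSENTIAL.includes(name)) return "essential";
  const hit = (p) => (p.endsWith("*") ? name.startsWith(p.slice(0, -1)) : name === p);
  const found = Object.entries(CATEGORIES).find(([, pats]) => pats.some(hit));
  return found ? found[0] : "unknown"; // in none of the lists: classify by hand
}

// Steps 1-3: one observed Set-Cookie header -> one row for the cookie disclosure.
function inventoryRow({ host, setCookie }, site) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const attr = Object.fromEntries(attrs.map((a) => {
    const [key, ...rest] = a.split("=");
    return [key.toLowerCase(), rest.join("=")];
  }));
  const name = pair.split("=")[0];
  const lifetime = attr["max-age"] ? `${attr["max-age"]}s` // Max-Age wins over Expires
    : attr.expires ? `until ${attr.expires}` : "session";
  const firstParty = host === site || host.endsWith("." + site);
  return { name, category: categorize(name), setBy: host, firstParty, lifetime };
}

// Steps 4-5: may this category be set? `headers` has lower-case keys (assumed input).
function maySet(category, { headers, regime, optedIn = [], optedOut = [] }) {
  if (category === "essential") return true;
  if (headers["sec-gpc"] === "1") return false; // GPC: opt-out of non-essential
  if (category === "unknown") return regime === "opt-out" && optedOut.length === 0;
  if (regime === "opt-in") return optedIn.includes(category);
  return !optedOut.includes(category); // opt-out regime: set unless refused
}

// Constructed sample scan of a hypothetical site, shop.example.
const SAMPLE = [
  { host: "shop.example", setCookie: "session_id=abc123; Path=/; HttpOnly; Secure" },
  { host: "shop.example", setCookie: "_ga=GA1.1.111.222; Max-Age=63072000; Path=/" },
  { host: "tracker.example", setCookie: "bcookie=v2; Expires=Wed, 01 Jan 2031 00:00:00 GMT" },
  { host: "shop.example", setCookie: "_hjSessionUser_1=x; Max-Age=31536000" },
  { host: "shop.example", setCookie: "promo_widget=1" },
];
function plan(request) {
  return SAMPLE.map((rec) => inventoryRow(rec, "shop.example"))
    .map((row) => ({ ...row, allowed: maySet(row.category, request) }));
}
```

Cookies written by scripts through `document.cookie` never appear as Set-Cookie headers, so a real inventory also has to read the browser's cookie store after the page has loaded.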

The Bottom Line

Cookies aren't inherently bad — they make the web work. But they're also the primary vector for personal data collection, which makes them the focal point of privacy law compliance. Know what cookies your site sets, disclose them, and give visitors control.

ClearConsent detects every cookie on your site, categorizes them, and generates a privacy policy and cookie banner that covers them all.
