WTF Is A Cookie, Anyway? Do You Really Know, Or Just Think You Do?


[Editor’s note: This column has been corrected to fix errors that weren’t caught in the initial editing process. Thanks to those who pointed them out.]

This month’s column was inspired by a very brave CMO who bluntly asked, during a recent conversation, “WTF is a cookie, anyway?” This particular gent is smart — he controls a marketing budget of over $30m a year, a reasonable enough portion of which is digital.


His question stems from the many ways our industry talks about cookies (often incorrectly) and the peripheral terms that have become synonymous — RTB, big data, programmatic, pixel… He thought he used to know the answer to his own question, but found that he actually didn’t. And interestingly, the answers his team gave from around the room were inconsistent with each other…

We discuss big topics in this column but have not dealt with the basic cookie — until now.

What Is A Cookie?

A cookie is actually a small text file that sits on your computer in a folder dedicated to cookies. That cookie file contains information about you, which could be a simple ID number, or many other points of data. Cookies can only be understood by the company that put them there because they are encrypted, making them private.

A cookie can be used for remembering who you are when you login to a website, for analytics and for advertising, amongst other things.

A cookie is also specific to a browser, so if you have a Google cookie on your computer from logging in through Firefox, it will not log you in when you use Chrome because every browser manages its own cookies.

A cookie can be deleted by the user, most likely using the functionality within the browser itself, but some people do this manually, or install 3rd party software (such as anti-virus) to do it for them regularly.

You can actually open up these files and look inside them yourself, but because they are encrypted, you will only see random characters.

1st Party Or 3rd Party?

A first party cookie is one that comes from the same site you are currently visiting. For example, if you are on the Bank of America website and you log in, you will receive a cookie from that site. That is a 1st party cookie because it comes from the domain you are browsing.

Now let’s say the bank also wants to understand the number of visitors to their site. They might install a package such as Google Analytics. Though the cookie isn’t from the site, it’s still a first-party cookie because it’s being set by the site itself, not by Google.

But what if there are ads running on the site that are served by an ad server like DoubleClick, or via an ad exchange? When either of those parties set a cookie on your computer — to track an impression or a click on an ad — that’s considered a third party cookie, because it’s not coming from the same domain that’s displayed in the URL window of your browser.
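
The three cases above, as an added example that is not part of the original column: a small classifier for the cookies observed during one page load. The event format, the hostnames and the two-label domain comparison are assumptions made for the example; browsers use the Public Suffix List to decide which hosts belong to the same site.

```javascript
// Site a host belongs to, approximated as its last two labels.
// Assumption for this example: real browsers consult the Public Suffix List,
// so this shortcut is wrong for suffixes such as co.uk.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Classify one observed cookie relative to the page in the address bar.
//   via "http-response":   the cookie arrived in a Set-Cookie header from event.url
//   via "document.cookie": the cookie was written by script running in the page,
//                          so it belongs to the page's own domain, wherever the
//                          script file itself was loaded from
function classifyCookie(pageUrl, event) {
  const pageSite = siteOf(new URL(pageUrl).hostname);
  const setterSite = event.via === "document.cookie"
    ? pageSite
    : siteOf(new URL(event.url).hostname);
  return {
    name: event.name,
    site: setterSite,
    party: setterSite === pageSite ? "first" : "third",
  };
}

// Classify every cookie event seen while one page was loading.
function auditPage(pageUrl, events) {
  return events.map((e) => classifyCookie(pageUrl, e));
}

// Constructed events for one visit to a hypothetical bank site.
const PAGE = "https://www.bank.example/login";
const EVENTS = [
  // Login cookie from the site itself.
  { name: "session", via: "http-response", url: "https://www.bank.example/login" },
  // Analytics script hosted elsewhere, but it writes the cookie from inside the page.
  { name: "_analytics_id", via: "document.cookie", url: "https://cdn.analytics.example/a.js" },
  // Ad server answering a request for an ad and setting its own cookie.
  { name: "ad_id", via: "http-response", url: "https://ads.adserver.example/ad.gif" },
];

console.log(auditPage(PAGE, EVENTS));
```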

Server-Side Or Client-Side?

This may sound techy, but in reality it refers to where the data is kept about the individual. In a server-side situation (also called “sessions”), everything we know about the individual is kept back on our servers and can be accessed any time we want. All that’s stored on the user’s machine is a session-id, which can be connected to the additional data on the advertiser’s servers.

When something is client-side, it means all the data points are stored in the cookie itself, on the person’s machine, and so they can only be looked at when we actually see that person again.

Most companies in this space, including Chango, now use server-side cookies (aka sessions) because they allow us to add or edit that data, even when we are not interacting with that person.

A Cookie Or A Pixel?

This is one of my pet peeves! The two terms have become interchangeable, yet actually mean very different things. The expressions “can we put a cookie on your site” or “we will just drop a pixel when they convert” are both wrong!

A pixel is the code that goes on the page — a tiny (usually 1×1) image file that requires a call back to a server to render (although it’s too small to be seen by people).

A cookie is the small file that the server then places (or drops) on the individual’s device, or reads back if one already exists, after the call is made back to the server.

You install a pixel on your site, not a cookie, and that pixel drops a cookie, not a pixel.
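
The division of labour described above, as an added example that is not code from the original column: the server side of a single pixel request, modelled as a plain function so the headers are visible. The tracker hostname, the cookie name "uid" and the request object shape are assumptions made for the example.

```javascript
// The pixel is the tag pasted into the page (hypothetical tracker host):
//   <img src="https://tracker.example/p.gif" width="1" height="1" alt="">
// The cookie is set, or read back, by the server that answers that request.

const COOKIE_NAME = "uid"; // hypothetical cookie name
// Transparent 1x1 GIF, base64-encoded; this is the whole "image".
const PIXEL_GIF_BASE64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7";

// Parse a Cookie request header ("a=1; b=2") into a plain object.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Server side of one pixel request. `newId` supplies an ID for first-time visitors.
function handlePixelRequest(request, newId) {
  const cookies = parseCookieHeader(request.headers.cookie);
  const returning = Boolean(cookies[COOKIE_NAME]);
  const uid = returning ? cookies[COOKIE_NAME] : newId();
  const headers = { "Content-Type": "image/gif", "Cache-Control": "no-store" };
  if (!returning) {
    // Drop the cookie. SameSite=None; Secure is required before browsers will
    // send it back from a page on another site.
    headers["Set-Cookie"] =
      `${COOKIE_NAME}=${uid}; Max-Age=31536000; Path=/; Secure; SameSite=None`;
  }
  // What the tracker records: who (uid) and which page embedded the pixel.
  const logged = { uid, returning, page: request.headers.referer || null };
  return { status: 200, headers, bodyBase64: PIXEL_GIF_BASE64, logged };
}

// Constructed exchange: first visit has no cookie, second visit sends it back.
function simulateTwoVisits() {
  let n = 0;
  const newId = () => `id-${++n}`; // deterministic IDs for the demo
  const first = handlePixelRequest(
    { headers: { referer: "https://shop.example/thanks" } }, newId);
  const cookie = first.headers["Set-Cookie"].split(";")[0]; // "uid=id-1"
  const second = handlePixelRequest(
    { headers: { cookie, referer: "https://shop.example/" } }, newId);
  return { first, second };
}

console.log(simulateTwoVisits());
```

On the second request the response carries no Set-Cookie header at all: the server only reads the ID back, which is why a site audit should look at both request and response headers of every pixel call.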

Flash Cookies

A few years back, there was a company that became annoyed with people deleting their cookies; after all, if the cookie got deleted, they lost their data. So they created what’s called a Flash cookie (technically a local shared object) to cheat the system.

A Flash cookie is also a small file like a real cookie, but because it was Flash it was stored in another folder that the browser controls. When someone deletes their cookies through the browser, the Flash cookie stays in place, keeping the tracking and data in place. Sneaky!

If you get excited about these things, there is also something referred to as re-spawning Flash cookies, which is when a Flash file sits on the device and puts a real cookie in the real cookie folder, but every time it gets deleted, it recreates it! I have seen companies get into a lot of trouble doing this, and rightfully so.

How Does A Pixel Get Added To A Site?

The process is actually very easy – the code (1 line for an image pixel, a few lines for JavaScript) is copied and pasted into the page code – that’s it. You may find that the process in your company is much longer, and a rightful process of testing usually causes that, but it can also be caused by sheer stubbornness!

Some sites require a lot of cookies to be added, and as such they use a tag management company, of which there are several to choose from. The advantage of this is that the IT folks need only to do the implementation once; and then, the ability to add or delete cookies can be the responsibility of the marketing team using a simpler interface.

If the cookie is being used for advertising, it is not uncommon to see the advertiser using DoubleClick For Advertisers (DFA or Dart for Advertisers), in which case the pixel is not added to the site directly, but is instead placed inside a tag container. The “tag container” was created to make it easy to add a lot of tags to a web site. Examples include DoubleClick’s Floodlight tag or the Atlas Universal Action Tag.

Why Don’t Site Owners Want Cookies?

A debatable problem. Historically, the people responsible for a site worried about page load times, and pixels often impacted that. With better bandwidth, better engineering and something called a CDN (content delivery network) to speed up pixel delivery, this is rarely a problem.

In addition, marketers and publishers are becoming aware that some unscrupulous companies use pixels to “steal” an audience, or to gather data about an audience. Data is a valuable commodity, and they are right to protect it.

As an example, if I was a publisher and allowed another company to pixel my site, that company now has a cookie on all my visitors and can target those individuals themselves without the need to pay me. Suddenly, as a publisher, my advertisers don’t need to use me as often, and I lose revenue.

Fingerprinting Sounds Scary

As an alternative to cookies, some technology companies use “fingerprinting.” In cases where a cookie cannot be dropped, fingerprinting offers a good alternative to finding your audience again.

In simple terms, fingerprinting for digital tracking works on the same principle as fingerprinting in real-life – if you look at enough small technical details, you can build a picture for one device (which is a proxy for a person) that is unique against another.

In the online world, this means looking at data such as the individual’s browser type, OS, resolution, color palette, location, fonts installed, etc., and then matching against that profile the next time that individual is spotted. This data is already being shared when a device connects, because it’s needed to help web pages display properly. The more data analyzed, the more accurate the technique. With potential legislation to come, and browsers like Safari blocking cookies, fingerprinting may become more common.
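
To make "the more data analyzed, the more accurate the technique" measurable, here is an added example (not part of the original column) that counts how many devices in a sample become unique as attributes are combined. The eight devices and the attribute names are constructed for the illustration; the same measurement is useful when assessing how identifiable a given browser configuration is.

```javascript
// Constructed sample population; each row is what one device reveals.
const DEVICES = [
  { browser: "Chrome",  os: "Windows", resolution: "1920x1080", fonts: "set-a" },
  { browser: "Chrome",  os: "Windows", resolution: "1920x1080", fonts: "set-b" },
  { browser: "Chrome",  os: "Windows", resolution: "1366x768",  fonts: "set-a" },
  { browser: "Chrome",  os: "macOS",   resolution: "1440x900",  fonts: "set-a" },
  { browser: "Safari",  os: "macOS",   resolution: "1440x900",  fonts: "set-a" },
  { browser: "Safari",  os: "macOS",   resolution: "1440x900",  fonts: "set-c" },
  { browser: "Firefox", os: "Windows", resolution: "1920x1080", fonts: "set-a" },
  { browser: "Firefox", os: "Linux",   resolution: "1920x1080", fonts: "set-d" },
];
const ATTRS = ["browser", "os", "resolution", "fonts"];

// Group devices that look identical on the chosen attributes.
// The size of a group is the crowd a device can hide in.
function anonymitySets(devices, attrs) {
  const groups = new Map();
  for (const d of devices) {
    const key = attrs.map((a) => String(d[a])).join("|");
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  return groups;
}

// Number of devices that are the only member of their group.
function uniqueDevices(devices, attrs) {
  let unique = 0;
  for (const size of anonymitySets(devices, attrs).values()) {
    if (size === 1) unique += 1;
  }
  return unique;
}

// Bits of identifying information in one device's combination of values:
// log2(population / devices sharing that combination).
function identifyingBits(devices, attrs, device) {
  const key = attrs.map((a) => String(device[a])).join("|");
  const size = anonymitySets(devices, attrs).get(key) || 0;
  return size === 0 ? Infinity : Math.log2(devices.length / size);
}

// Unique-device count as attributes are added one at a time.
function uniquenessCurve(devices, attrs) {
  return attrs.map((_, i) => uniqueDevices(devices, attrs.slice(0, i + 1)));
}

console.log(uniquenessCurve(DEVICES, ATTRS));
```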

The Funny Thing About Opting Out

And lastly, for now, what about opting out? If an individual chooses to not be tracked, they don’t have to be. There are plenty of tools that can be installed that help do this easily, and there are also initiatives that promote this, such as AboutAds. Ironically, many opt-out processes are reliant on the individual having an opt-out cookie placed in their browser… so if they delete their cookies, they effectively opt back in! There are now plugins and movements to correct this.

If you have something you want to know about cookies that wasn’t covered here, reach out with your questions and I will try and answer them for you!


About the author

Dax Hamman
Dax Hamman is the Chief Strategy Officer at Chango, the solution to programmatic marketing and "big data", and is based in San Francisco and London. You can follow him on Twitter @DaxHamman.
