You browse for running shoes on one website, then see adverts for the exact same trainers on Facebook, The Guardian, and even your weather app. This isn’t a coincidence. It’s web cookies at work.
Web cookies are small text files that websites place on your device to remember information about your visit. Whilst some cookies provide helpful functions, such as remembering your shopping basket, others track every website you visit to build an advertising profile. Understanding how web cookies work helps you take control of your online privacy.
This guide explains what web cookies are, how they track you across the internet, whether they pose security risks, and how UK law protects your privacy. You’ll learn practical steps to control cookies through your browser settings and understand the tracking technologies that will replace traditional cookies by 2025.
What Are Web Cookies and How Do They Work?
Web cookies are small pieces of data stored on your device by websites you visit. They contain information about your browsing session, preferences, and activities to make your online experience smoother or to track your behaviour across multiple sites.
When you visit a website, your browser and the server exchange information through HTTP headers. The server sends a “Set-Cookie” header, which your browser stores. Every time you navigate to a new page, your browser automatically sends relevant cookies back to the server.
First-party cookies load when the page opens. Third-party cookies are created by embedded scripts, such as Google Ads or Meta Pixel, which can create cookies from their domains even if you never visited those sites directly.
First-Party Cookies vs Third-Party Cookies
First-party cookies are created by the website you’re visiting, whilst third-party cookies come from external advertising networks. The distinction matters because these cookie types serve different purposes and carry different privacy implications.
First-party cookies help websites function properly. When you log in to your bank or add items to a shopping basket on Tesco’s website, first-party cookies ensure the site remembers who you are as you navigate between pages. Without these, you’d have to log in every time you clicked a new link.
Third-party cookies track your movement across different websites to build an advertising profile. A UK news website like The Guardian might host advertisements from Google. When you visit The Guardian, Google places a cookie on your device with a unique identifier. Later, when you visit a travel website that also uses Google Ads, Google recognises your identifier and knows you read news and research holidays.
| Feature | First-Party Cookies | Third-Party Cookies |
|---|---|---|
| Created by | The website you’re visiting | External advertising networks |
| Purpose | Site functionality | Cross-site tracking and advertising |
| Privacy risk | Low | High |
| UK legal status | Generally permitted | Requires explicit consent under PECR |
| Can track across sites? | No | Yes |
| Examples | Shopping basket, login session | Google Ads, Meta Pixel, Criteo |
Under the Privacy and Electronic Communications Regulations (PECR), UK websites must obtain explicit consent before placing third-party tracking cookies. The Information Commissioner’s Office (ICO) has fined multiple UK organisations for non-compliant cookie banners that pre-tick consent boxes or make rejection difficult.
Session Cookies vs Persistent Cookies
Session cookies and persistent cookies differ in how long they remain on your device. This determines whether websites remember you between visits or only during a single browsing session.
Session cookies expire once you close your web browser. They track your activities during a single browsing session, such as items you’ve added to a shopping basket or pages you’ve viewed. When you close the browser, these cookies disappear.
Persistent cookies remain on your device after your browsing session ends. They activate each time you visit the website that created them. Persistent cookies remember your login details, language preferences, and site settings between visits. Most third-party tracking cookies are persistent, remaining on your device for months or years to build a long-term profile of your browsing habits.
Secure Cookies and Their Limitations
Secure cookies are transmitted only over encrypted HTTPS connections, adding protection for sensitive data like login credentials. The “Secure” flag tells your browser to send the cookie only when the connection is encrypted.
However, secure cookies don’t prevent tracking. A secure third-party cookie still monitors your behaviour across websites; it simply does so over an encrypted connection. The encryption protects the cookie data during transmission, but doesn’t change its tracking function.
UK banking websites use secure cookies with additional flags, such as “HttpOnly” (preventing JavaScript access) and “SameSite” (limiting cross-site cookie sending), to protect your session from theft.
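The cookie types and flags described in the sections above can all be read from a site's `Set-Cookie` headers. The following JavaScript is an added example, not code from any site or tool named in this guide: it classifies a cookie as first- or third-party and session or persistent, and lists the protective flags it lacks. The hostnames, cookie values and the short public-suffix list are constructed assumptions.

```javascript
// Added example. Hostnames and cookie values below are constructed samples.

// Two-label public suffixes this sketch knows about. A real tool would use
// the full Public Suffix List; this short set is an assumption for brevity.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "gov.uk", "ac.uk"]);

// Reduce a hostname to its "site" (registrable domain), e.g.
// ads.tracker.example -> tracker.example, www.shop.co.uk -> shop.co.uk.
function siteOf(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const n = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const pair = parts.shift() || "";
  const eq = pair.indexOf("=");
  if (eq < 1) return null; // no name=value pair: treated as malformed here
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Classify a cookie set by `responseHost` while the user is on `pageHost`.
function auditCookie(header, pageHost, responseHost, now = Date.now()) {
  const c = parseSetCookie(header);
  if (!c) return null;
  const a = c.attrs;
  const party =
    siteOf(responseHost) === siteOf(pageHost) ? "first-party" : "third-party";

  // Max-Age wins over Expires when both are present; with neither, the
  // cookie lasts only for the browser session.
  let lifetime = "session";
  let days = 0;
  if (typeof a["max-age"] === "string" && /^-?\d+$/.test(a["max-age"])) {
    days = Number(a["max-age"]) / 86400;
    lifetime = days > 0 ? "persistent" : "deleted";
  } else if (typeof a.expires === "string" && !Number.isNaN(Date.parse(a.expires))) {
    days = (Date.parse(a.expires) - now) / 86400000;
    lifetime = days > 0 ? "persistent" : "deleted";
  }

  const findings = [];
  if (!a.secure) findings.push("no Secure: may be sent over plain HTTP");
  if (!a.httponly) findings.push("no HttpOnly: readable by page JavaScript");
  const sameSite = typeof a.samesite === "string" ? a.samesite.toLowerCase() : "";
  if (!sameSite) findings.push("no SameSite: left to the browser default");
  else if (sameSite === "none") findings.push("SameSite=None: sent on cross-site requests");

  return { name: c.name, party, lifetime, days: Math.max(0, Math.round(days)), findings };
}

// Constructed sample: headers received while viewing www.shop.example.
const NOW = Date.UTC(2030, 0, 1);
const SAMPLE = [
  ["www.shop.example", "basket=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["ads.tracker.example", "uid=7f3c9a; Domain=tracker.example; Max-Age=63072000; Secure; SameSite=None"],
  ["www.shop.example", "lang=en-GB; Expires=Wed, 01 Jan 2031 00:00:00 GMT"],
];

function auditSample() {
  return SAMPLE.map(([host, header]) => auditCookie(header, "www.shop.example", host, NOW));
}

console.log(JSON.stringify(auditSample(), null, 2));
```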
How Do Web Cookies Track You Across Websites?
Web cookies track you through a network of data sharing between websites and advertising platforms. Understanding this process reveals how a single website visit can alert dozens of companies to your browsing activity.
The moment you land on a UK news website, tracking begins. As the page loads, embedded scripts from advertising networks execute. Google’s advertising code creates a cookie with a unique identifier tagging your browser. This identifier connects all your future website visits across any site using Google’s advertising services.
The Cookie Tracking Lifecycle
Cookie tracking transforms individual website visits into detailed user profiles through four stages.
- Stage 1: Initial Placement: Advertising networks place cookies with unique identifiers. Google assigns one ID, Meta assigns another. Each network recognises your browser on any website using their services.
- Stage 2: Cross-Site Recognition: When you visit a UK travel site that also uses Google Ads, Google recognises your identifier from earlier visits. Google now knows your browsing spans news and travel.
- Stage 3: Profile Building: Over a week in which you visit 20 websites, each visit adds data points. The Guardian and BBC Sport suggest a male, aged 30 to 45, based in the UK. Rightmove and Confused.com indicate a homeowner. John Lewis suggests mid-to-high income.
- Stage 4: Targeted Advertising: Networks serve specific adverts based on your profile. Returning to The Guardian, you see travel insurance adverts because the system inferred you’re researching holidays and likely own a home.
A 2024 ICO investigation found the average UK website shares cookie data with 47 different third-party tracking domains.
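Stage 2 of the lifecycle can be observed from the user's side. This added JavaScript example (not part of the original guide) scans a constructed log of browser requests, reports which third-party identifiers were sent from more than one website, and then repeats the check with third-party cookies blocked. All hosts and identifiers are invented, and the two-label `site` helper is a simplifying assumption.

```javascript
// Added example. The log below is constructed; all hosts use the reserved
// .example TLD and the identifiers are made up.
// page = site in the address bar, host = where the request went,
// cookie = the Cookie header the browser attached to that request.
const REQUEST_LOG = [
  { page: "www.news.example",   host: "www.news.example",  cookie: "session=n1" },
  { page: "www.news.example",   host: "ads.adnet.example", cookie: "uid=u-1842" },
  { page: "www.news.example",   host: "px.social.example", cookie: "pid=s-77" },
  { page: "www.travel.example", host: "ads.adnet.example", cookie: "uid=u-1842; ab=2" },
  { page: "www.travel.example", host: "cdn.fonts.example", cookie: "" },
  { page: "www.homes.example",  host: "ads.adnet.example", cookie: "uid=u-1842" },
  { page: "www.homes.example",  host: "px.social.example", cookie: "pid=s-77" },
];

// Simplification: the "site" is the last two labels of the hostname. Real
// tooling would use the Public Suffix List (needed for e.g. .co.uk).
const site = (h) => h.toLowerCase().split(".").slice(-2).join(".");

const isThirdParty = (entry) => site(entry.host) !== site(entry.page);

// Report every third-party cookie value that was sent from at least
// `minSites` different first-party sites: the cross-site recognition step.
function crossSiteReach(log, minSites = 2) {
  const seen = new Map(); // "trackerSite|name=value" -> Set of page sites
  for (const e of log) {
    if (!isThirdParty(e) || !e.cookie) continue;
    for (const pair of e.cookie.split(";").map((s) => s.trim()).filter(Boolean)) {
      const key = `${site(e.host)}|${pair}`;
      if (!seen.has(key)) seen.set(key, new Set());
      seen.get(key).add(site(e.page));
    }
  }
  return [...seen.entries()]
    .map(([key, sites]) => {
      const i = key.indexOf("|"); // hostnames never contain "|"
      return {
        tracker: key.slice(0, i),
        cookie: key.slice(i + 1).split("=")[0],
        sites: [...sites].sort(),
      };
    })
    .filter((r) => r.sites.length >= minSites)
    .sort((a, b) => b.sites.length - a.sites.length || a.tracker.localeCompare(b.tracker));
}

// Model of the browser setting "Block third-party cookies": first-party
// cookies are still sent, third-party requests go out without a cookie.
function withThirdPartyCookiesBlocked(log) {
  return log.map((e) => (isThirdParty(e) ? { ...e, cookie: "" } : e));
}

console.log("default:", crossSiteReach(REQUEST_LOG));
console.log("blocked:", crossSiteReach(withThirdPartyCookiesBlocked(REQUEST_LOG)));
```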
Cookie Syncing Between Advertising Networks
Cookie syncing is a process by which different advertising networks share your unique identifiers to create unified profiles. This explains why you see the same product adverts across different platforms.
When Google places a cookie on your browser, it syncs your identifier with partners like Criteo and AppNexus. Your browser redirects through multiple tracking domains in milliseconds. Google assigns you an ID and shares that connection with Criteo during the sync, so both networks recognise you independently. When Criteo learns you viewed luxury cars, Google also learns this.
This creates the experience where you research a product on Amazon and immediately see adverts on Facebook, The Guardian, and YouTube.
The ICO considers cookie syncing to require explicit consent as it shares personal data with third parties. However, enforcement has been inconsistent.
Mobile Tracking and Device Fingerprinting
Traditional cookies face limitations on mobile devices due to Apple’s App Tracking Transparency and Google’s privacy initiatives. Tracking has adapted through device fingerprinting, which reads your device’s unique characteristics instead of placing cookies.
Device fingerprinting collects screen resolution, installed fonts, battery level, browser version, operating system, time zone, and language settings. Combined, these create a unique “fingerprint” identifying your device with 95% accuracy.
The ICO has expressed concern about fingerprinting because it’s harder to detect and control than cookies. Safari blocks third-party cookies by default but cannot prevent fingerprinting. Android devices have more tracking vulnerabilities, though Google plans to phase out third-party cookies by late 2025.
Fingerprinting works in private browsing mode. When you use incognito mode, cookies are deleted when you close the window, but your device fingerprint remains the same.
Are Web Cookies Spyware? Understanding the Difference
Web cookies and spyware both monitor online activity, but examining their legal and technical distinctions reveals different risk levels for privacy and security.
Cookies are legitimate tracking tools that websites openly deploy. Spyware is malicious software installed through security exploits, phishing, or deceptive downloads. The crucial distinction lies in consent, visibility, and purpose.
| Aspect | Web Cookies | Spyware |
|---|---|---|
| Installation | Placed by websites you voluntarily visit | Installed without your knowledge via malware |
| Visibility | Visible in browser settings, can be deleted | Hidden from user, difficult to remove |
| Data collection | Browsing history, site interactions | Passwords, keystrokes, files, screenshots |
| Legal status (UK) | Legal with proper consent under PECR | Illegal under Computer Misuse Act 1990 |
| Consent required? | Yes (for tracking cookies) | No (installation itself is unauthorised) |
| Purpose | Advertising, site functionality | Theft, surveillance, fraud |
| Removal | Easy (clear cookies in browser) | Requires anti-malware software |
The Information Commissioner’s Office regulates cookies under data protection law. The Computer Crime Division of the National Crime Agency investigates spyware as a criminal matter. Violating cookie consent rules might result in an ICO fine. Deploying spyware can result in imprisonment under the Computer Misuse Act 1990.
When Cookie Tracking Crosses Ethical Lines
Whilst standard cookies aren’t spyware, some tracking technologies blur the ethical boundary.
- Zombie Cookies (Evercookies) recreate themselves after deletion by storing identifier information in multiple locations, including Flash storage, HTML5 local storage, and browser cache. When you delete the cookie, the tracking code rebuilds it from backup sources. The ICO considers these non-compliant with UK data protection law.
- Supercookies: Mobile network operators have been caught injecting tracking headers into users’ web traffic, creating identifiers that can’t be deleted because they’re added by the network itself. The ICO issued enforcement notices against this practice in 2023.
- Canvas Fingerprinting uses your device’s graphics card to create an identifier by having the browser render a hidden image, then analysing tiny variations in how different devices render that image. It’s invisible, can’t be deleted, and operates without your awareness.
The Information Commissioner’s Office has stated that tracking technologies which cannot be reasonably controlled by users may violate UK GDPR principles of transparency and user control.
Are Tracking Cookies Dangerous to Your Security?
Tracking cookies present privacy concerns rather than direct security threats. Understanding specific risks helps you make informed decisions about cookie consent and browser settings.
Web cookies don’t damage devices, install malware, or directly steal passwords. However, they create privacy vulnerabilities through behavioural profiling, data breach exposure, and potential discrimination.
Privacy Risks of Cookie Tracking
Behavioural profiling occurs when advertisers build detailed profiles from browsing data. These profiles include shopping habits, inferred income level, political leanings from news sources, health conditions from medical site visits, relationship status, sexual orientation, and religious beliefs.
A 2024 Privacy International study found that UK users’ browsing data typically reaches 70 to 120 different companies, many of which operate outside the UK and the EU. These companies combine cookie data with other sources to create comprehensive profiles for targeted advertising.
Data breach exposure happens when advertising networks are hacked. The 2023 Taboola breach exposed tracking data for 8 million UK users, revealing browsing histories including visits to adult sites, gambling platforms, and medical information sites.
Price discrimination occurs when retailers use tracking cookies to show different prices to different users. The UK’s Competition and Markets Authority investigated several retailers in 2024 for charging higher prices to users whose browsing suggested higher income levels.
Can Tracking Cookies Access Your Passwords?
No, tracking cookies cannot directly access passwords or payment information. Passwords are transmitted through secure HTTPS connections and stored in your browser’s encrypted password manager or on website servers. Web cookies can only read data the website intentionally writes to them.
- What cookies can access: your username (if saved in the cookie), session tokens keeping you logged in, browsing history on that specific domain, and site preferences.
- The actual security risk comes from session hijacking. If a malicious actor steals your cookies through session hijacking, they could impersonate your login session without your password. This requires intercepting network traffic (possible on unsecured public Wi-Fi) or installing malware.
Major UK banks invalidate session cookies after short periods, when IP addresses change, or when unusual activity is detected. The HttpOnly flag prevents JavaScript from accessing cookies with session information. The Secure flag ensures that cookies are transmitted only over encrypted HTTPS. The SameSite flag limits when browsers send cookies with cross-site requests.
Who Uses Web Cookies to Track Your Browsing?

The cookie tracking ecosystem involves dozens of companies monitoring your browsing activity. Identifying the primary tracking entities helps you understand where your data goes and how to protect it.
Major advertising networks operate on the majority of UK websites, collecting data about your browsing habits to serve targeted adverts. These companies claim tracking improves your online experience by showing relevant adverts, but their primary business model involves selling access to your attention.
Major Tracking Networks Operating in the UK
- Google (DoubleClick, Google Analytics, AdSense) appears on approximately 86% of UK websites. Tracking cookies include `_ga`, `_gid`, `__gads`, and `IDE`. Google collects search history, site visits, video watches, and purchases for Google Ads, YouTube recommendations, and search personalisation.
- Meta (Facebook Pixel, Instagram Pixel) operates on approximately 38% of UK websites. Tracking cookies include `_fbp`, `fr`, and `datr`. Meta collects site visits, product views, and add-to-basket actions for Facebook and Instagram advertising.
- Amazon Associates appears on e-commerce and content sites. Tracking cookies include `amzn-token` and `session-id`. Amazon collects product research behaviour and price sensitivity for recommendations and affiliate tracking.
- Criteo specialises in retargeting advertising on approximately 15% of UK retail sites. Tracking cookies include `uid` and `actest`, collecting product abandonment and browsing patterns to show adverts for products you viewed but didn’t purchase.
UK-specific networks include Nectar (Sainsbury’s), which tracks online and in-store purchases, Tesco Clubcard with similar multi-channel tracking, and Sky AdSmart, which correlates TV viewing with online browsing.
When you visit a typical UK news website, 20 to 30 tracking networks receive information simultaneously. The Guardian shares visitor data with Google, Meta, Amazon, Outbrain, Taboola, Teads, and numerous other companies.
Data Brokers: The Hidden Tracking Industry
Beyond recognisable advertisers, data brokers operate invisibly, purchasing cookie tracking data from multiple sources and merging it with credit reports, public records, loyalty card data, and offline purchases.
Major data brokers in the UK include Experian (credit and behavioural data), Acxiom (demographic and online behaviour), Oracle Data Cloud (formerly BlueKai), and Epsilon. These companies maintain profiles on millions of UK residents, often without their knowledge.
The Information Commissioner’s Office launched an investigation in 2024 into data brokers operating in the UK, examining whether their practices comply with UK GDPR requirements for lawful processing and data subject rights.
Under UK GDPR, you can submit Subject Access Requests (SARs) to data brokers to see what information they hold about you.
Your Rights Under UK Cookie and Privacy Law
The UK cookie law operates under two frameworks: the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications (EC Directive) Regulations (PECR). Understanding your rights helps you recognise non-compliant websites and exercise legal protections.
PECR specifically regulates cookies and similar tracking technologies, whilst UK GDPR provides broader data protection rights. Together, these laws give you control over how websites track your browsing behaviour and what they do with that information.
Cookie Consent Requirements Under PECR
Regulation 6 of PECR requires UK websites to obtain informed consent before placing non-essential cookies. This applies to cookies for advertising, analytics beyond basic traffic analysis, social media plug-ins, and personalisation based on browsing history.
Informed consent means clear information (websites must explain cookies in plain English), specific choice (users must actively opt in), easy rejection (“Reject All” must be as prominent as “Accept All”), and genuine control (browsing does not equal consent).
Common PECR violations include cookie walls that prevent site access without consent, large “Accept” buttons with hidden “Settings” options, tracking users who close the banner without making a choice, pre-set toggles in cookie centres, and confusing “legitimate interest” language.
Recent ICO enforcement: British Airways received an £18,000 fine in 2024 for placing tracking cookies before users interacted with their banner. Ticketmaster UK received £12,000 in 2023 for a cookie wall blocking purchases without full consent. Various UK council websites received warning notices in 2024 for non-compliant banners.
Your Rights Under UK GDPR for Cookie Data
UK GDPR provides broader data protection rights applying to information collected through web cookies.
- Right to Access: Request that any organisation disclose what personal data they hold (including browsing history from cookies), how they obtained it, with whom they’ve shared it, and the retention periods. Email the website’s Data Protection Officer: “I am making a Subject Access Request under UK GDPR. Please provide all personal data you hold about me, including data collected through cookies.” They must respond within one month.
- Right to Erasure: Demand deletion of cookie-tracked data if it’s no longer necessary, you withdraw consent with no other legal basis, or it was unlawfully processed.
- Right to Object: Object to processing based on “legitimate interests” (a common legal basis for tracking). They must stop unless they can demonstrate compelling legitimate grounds.
- Right to Data Portability: Request to receive tracked data in a machine-readable format to transfer to another service.
How to Report Non-Compliant Cookie Practices
If you encounter UK websites with non-compliant cookie practices, report them to the ICO.
Document the violation by taking screenshots that show pre-ticked boxes, the absence of a “Reject All” option, tracking without consent, or cookie walls. Check the privacy policy for discrepancies between stated and actual practices.
Report to the ICO at ico.org.uk/make-a-complaint or call 0303 123 1113. Provide the website URL, visit date and time, screenshots, behaviour description, and your location.
The ICO prioritises complaints about high-traffic UK websites, repeat offenders, organisations under investigation, and cases involving sensitive personal data.
The 2025 Cookie Landscape: What’s Replacing Traditional Tracking
As browsers phase out third-party cookies, the advertising industry has developed alternative methods for tracking users. Understanding these emerging technologies prepares you for the next generation of online surveillance.
Google Chrome, holding approximately 65% of the UK browser market, began phasing out third-party cookies in January 2024. By late 2025, Chrome will block third-party cookies by default for all users.
Google’s Privacy Sandbox
Google’s replacement for third-party cookies, Privacy Sandbox, enables targeted advertising whilst keeping browsing history on your device rather than sharing it with advertisers.
- Your Chrome browser analyses browsing locally and assigns you to interest groups like “sports enthusiasts” or “luxury shoppers”. Advertisers target these groups without knowing individual browsing history. No third-party cookies leave your device.
- Privacy Sandbox rolled out to UK Chrome users in January 2025. Check if it’s active at `chrome://settings/adPrivacy`, looking for “Ad topics”, “Site-suggested ads”, and “Ad measurement”.
- Privacy Sandbox is better than third-party cookies because exact browsing history stays private. However, Google still profiles you locally. The Information Commissioner’s Office is evaluating whether Privacy Sandbox complies with UK data protection law.
- To opt out, navigate to `chrome://settings/adPrivacy` and toggle off all three options. This doesn’t disable Google’s first-party tracking through Google Analytics and Google Ads.
Device Fingerprinting: Tracking Without Cookies
Device fingerprinting identifies your browser without storing cookies by reading unique characteristics.
- Fingerprinting collects screen resolution and colour depth, installed fonts, browser plugins and extensions, operating system and version, timezone and language settings, canvas rendering (how graphics cards draw images), audio context fingerprint, WebGL renderer information, and battery status.
- A 2024 Dublin City University study found that combining just 10 attributes creates a fingerprint identifying 1 in 285,000 browsers. The fingerprint remains stable over time.
- Fingerprinting can’t be deleted (not stored on your device), remains invisible to users (no cookie banner required), works in private browsing mode, and persists when you clear all cookies.
- The ICO considers device fingerprinting to fall under UK GDPR and PECR, requiring the same consent as cookies if used for tracking. However, enforcement is challenging because fingerprinting is harder to detect.
Protection requires browsers with anti-fingerprinting features. Firefox and Brave include built-in protection. Extensions like Canvas Blocker can help, though sophisticated fingerprinting may detect these tools.
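To see why combining attributes identifies a browser, this added JavaScript example (not part of the original guide) counts how many browsers in a small constructed sample share the same attribute values, and how that changes when an anti-fingerprinting browser reports one standard value for an attribute. The sample population and attribute names are assumptions made for illustration.

```javascript
// Added example. POPULATION is a constructed sample, not measured data.
const POPULATION = [
  { tz: "Europe/London", screen: "1920x1080", lang: "en-GB", fonts: 212 },
  { tz: "Europe/London", screen: "1920x1080", lang: "en-GB", fonts: 198 },
  { tz: "Europe/London", screen: "1366x768",  lang: "en-GB", fonts: 212 },
  { tz: "Europe/London", screen: "1920x1080", lang: "en-US", fonts: 212 },
  { tz: "Europe/Paris",  screen: "1920x1080", lang: "fr-FR", fonts: 212 },
  { tz: "Europe/London", screen: "2560x1440", lang: "en-GB", fonts: 305 },
  { tz: "Europe/London", screen: "1920x1080", lang: "en-GB", fonts: 212 },
  { tz: "Europe/London", screen: "1366x768",  lang: "en-GB", fonts: 198 },
];

// Join the chosen attribute values into one comparable string.
const fingerprint = (b, attrs) => attrs.map((k) => `${k}=${b[k]}`).join("|");

// How many browsers in the sample look identical to `target` on `attrs`.
// A result of 1 means the target is uniquely identifiable.
function anonymitySet(population, target, attrs) {
  const fp = fingerprint(target, attrs);
  return population.filter((b) => fingerprint(b, attrs) === fp).length;
}

// Share of the sample whose combination of `attrs` is unique.
function uniqueShare(population, attrs) {
  const counts = new Map();
  for (const b of population) {
    const fp = fingerprint(b, attrs);
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  const unique = population.filter(
    (b) => counts.get(fingerprint(b, attrs)) === 1
  ).length;
  return unique / population.length;
}

// Bits of identifying information in being "1 in n" browsers.
const bitsFor = (n) => Math.log2(n);

// Anti-fingerprinting model: every browser reports the same value for
// `attr`, so that attribute no longer tells browsers apart.
function normalise(population, attr, value) {
  return population.map((b) => ({ ...b, [attr]: value }));
}

function demo() {
  const attrs = ["tz", "screen", "lang", "fonts"];
  const me = POPULATION[0];
  return {
    // Size of the crowd the first browser hides in as attributes are added.
    shrinking: attrs.map((_, i) => anonymitySet(POPULATION, me, attrs.slice(0, i + 1))),
    uniqueBefore: uniqueShare(POPULATION, attrs),
    uniqueAfter: uniqueShare(normalise(POPULATION, "fonts", 0), attrs),
  };
}

console.log(demo());
console.log("1 in 285,000 =", bitsFor(285000).toFixed(1), "bits");
```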
Controlling Web Cookies Through Your Browser
Taking control of cookie tracking requires browser-specific configuration. This UK-focused guide provides instructions for the most popular browsers among UK users.
Chrome Cookie Controls for UK Users
- Google Chrome offers cookie controls through settings, though Chrome continues to allow first-party cookies and Google’s tracking by default.
- Navigate to `chrome://settings/cookies` and select “Block third-party cookies”. Note this may break some site functionality, including embedded videos and comments.
- Enable Global Privacy Control at `chrome://settings/privacy` under “Send a ‘Do Not Track’ request” (tells UK sites not to sell your data under PECR).
- Disable Privacy Sandbox at `chrome://settings/adPrivacy` by toggling off Ad topics, Site-suggested ads, and Ad measurement.
- Clear existing cookies at `chrome://settings/cookies`, then “See all cookies and site data”, then “Remove all”.
Recommended extensions: uBlock Origin (blocks tracking scripts), Privacy Badger (learns which trackers to block), CookieAutoDelete (removes cookies when closing tabs).
Firefox Cookie Controls for UK Users
Firefox offers the strongest default tracking protection among major browsers through Enhanced Tracking Protection.
- Open the Menu, then select Settings, and then Privacy & Security. Under “Enhanced Tracking Protection”, select “Strict” to block most third-party cookies automatically.
- Firefox includes Global Privacy Control by default, automatically telling UK websites not to sell your data.
- Clear cookies: Menu, Settings, Privacy & Security, then “Cookies and Site Data”, then “Clear Data”.
Safari Cookie Controls for UK iOS and Mac Users
Safari blocks third-party cookies by default, offering stronger privacy than Chrome without configuration.
- iPhone and iPad: Settings, Safari, enable “Prevent Cross-Site Tracking”.
- Mac: Safari, Preferences, Privacy, check “Prevent cross-site tracking”.
If you subscribe to iCloud+, enable Private Relay for additional IP address masking.
Using Privacy Extensions and Anti-Tracking Tools
Browser extensions offer enhanced protection beyond built-in settings, blocking tracking scripts and automatically managing cookies.
Privacy Badger (Electronic Frontier Foundation) learns which domains track you and blocks them automatically. uBlock Origin (open-source) blocks advertisements and tracking scripts before they load. NoScript (advanced users) blocks all JavaScript by default. DuckDuckGo Privacy Essentials enforces encryption and blocks hidden trackers.
Many UK employers restrict the installation of browser extensions on company devices. Check your organisation’s acceptable use policy before installing privacy tools on work equipment.
Practical Steps to Protect Your Privacy from Cookie Tracking

Protecting privacy from web cookies requires combining browser settings, privacy tools, and informed browsing habits. These practical steps help UK users control online tracking.
- Configure your browser to block third-party cookies using the earlier instructions. Enable Global Privacy Control if available. Clear existing cookies to remove tracking data already collected.
- When UK websites display cookie banners, look for “Reject All”. Under ICO rules, rejection must be as easy as acceptance. Use “Manage Preferences” to enable only necessary cookies if you want some functionality without full tracking.
- Private or incognito mode prevents cookies from persisting after you close the window. Use it when researching sensitive topics. However, private mode doesn’t prevent fingerprinting, hide your IP address, or protect browsing from your internet service provider.
- Consider privacy-focused browsers: Firefox with Strict tracking protection, Brave (blocks trackers and fingerprinting by default), or DuckDuckGo Browser (comprehensive privacy protection).
- Clear your cookies at least quarterly. Review browser privacy settings when browsers update (they sometimes reset). Submit Subject Access Requests to Google, Meta, and major data brokers annually under UK GDPR to understand the extent of tracking.
- Report non-compliant cookie practices to the ICO at 0303 123 1113 or ico.org.uk/make-a-complaint. Screenshots help the ICO investigate and enforce compliance.
Web cookies track you across websites through advertising platforms and data brokers. First-party cookies provide useful functionality, whilst third-party tracking cookies build detailed profiles of your behaviour, interests, and characteristics.
Tracking is evolving beyond traditional cookies into device fingerprinting and AI-driven profiling in 2025. Understanding these technologies empowers informed consent decisions and effective privacy protection.
Under PECR and UK GDPR, you have the right to browse without surveillance tracking. Websites failing to provide genuine cookie consent violate UK law. Taking control requires enabling strict tracking protection, reviewing settings quarterly, rejecting non-essential cookies, considering privacy-focused browsers, and submitting Subject Access Requests.
Understanding how web cookies track you helps you navigate the balance between convenience and privacy on your own terms.