When not to accept cookies on a website

Nearly any website you visit asks you to accept cookies, and most of us don’t even think about this choice — we just click "yes" to rid ourselves from the pain of the pop-up. But what are we really agreeing to? What is a cookie, anyway? 

These small text files were first used in browsers back in 1994 and soon became ubiquitous. The problem was that the web wasn’t designed to preserve a particular state, so when you went from one website to another, the site wouldn’t know what content you had already consumed without using cookies. By sending you a cookie, a website could recognize you if you returned and present you with a better browsing experience. For example, if you abandoned your shopping cart on an e-commerce site, a cookie could save you time and not have to re-select these items when you return a few days later. Cookies also helped website operators remember your individual settings, such as language preference, your login name, and other values.

Beware of bad cookies

Over the years, cookies came to be used for other purposes, such as to ensure that you are indeed the person you claim to be and to limit ads from showing pop-ups and other settings. There are now several different kinds of cookies, as explained in this post: cookies that can be used to track you, cookies that persist for a specific time period, and cookies that are generated not by the website directly, but from third parties, such as advertisers or marketing companies.

Back in the early days of the mid-1990s, I wrote: “Why get all worked up about cookies? Well, privacy advocates feel that cookies can tell too much information about you and don't want this information broadcast all over the net. The only problem is that there is lots more information outside of your cookie available to web servers, such as your IP address and email address.” Since those early days, we have better technologies that can track your browsing activity, such as canvas fingerprinting.  

In 2011, the EU decided that cookies were potentially a privacy problem and mandated that website owners obtain visitors’ permissions and place those annoying pop-up requests. The resulting law has been completely toothless: No European site owner has ever been fined for cookie violations.

Under what circumstances should you accept a cookie request?

“Over 95 percent of websites use cookies, mostly for boring things that never cross our minds, like ensuring a website responds quickly, or counting visitors,” says one security researcher quoted in this extensive history of cookies post. Certainly, if you want to see more targeted ads (either on banners or in pop-ups), you should continue to accept them.

Tips for protecting your privacy

If you are concerned about your privacy, here are a few ways to protect yourself and watch out for the bad kinds of cookies.

1. Don’t automatically accept every cookie. You could even try to deny all cookies and see if it has adverse consequences, such as wasting time to fill in your personal details on a shopping site.
   
   
2. Adopt a more cautious browsing lifestyle. Use private browsing mode whenever possible, and clear your cookies periodically. Substitute DuckDuckGo (which doesn’t track you) for search tasks rather than using Google or Bing. Make modifications to your browser settings to make yourself more private. This post gives into more detail.
   
   
3. Use a different browser that gives you more control over your privacy, such as Brave, or even Tor. In that linked post I mention the usability tradeoffs of using a different browser and you will have to expend some effort to tune it to your particular needs. (A personal note: I tolerated Brave for about two days before I went back to using Chrome. It just broke too many things to be useful.)
   
   
4. Install a browser extension or run additional security software. For example, there are tools such as Avast Secure Browser (which eliminates ads, blocks third-party cookies and stops phishing), Avast AntiTrack (which eliminates canvas fingerprinting and stops ad targeting) or Avast BreachGuard (which checks to see if your email identity has been part of any data breaches).
   
   
5. Only run your browser in a virtual machine. This is cumbersome at best, and almost unusable for ordinary humans. Still, it can be a good solution for some circumstances for the ultra-paranoid.
   
   
6. Use a VPN, even when you’re at home. Be aware that a VPN only protects your IP address and geolocation data from being transmitted to a website.
   
   
7. Finally, limit your web browsing on your mobile devices as much as possible. Your mobile is a treasure trove of all sorts of information about you, and even if you are using any of the more private browsers, you still can leak some of this information to third parties.