Understanding Web HTTP Cookies and Pixels in Digital Marketing
The world of digital marketing has an abundance of buzzwords, acronyms and technical terminology that can be confusing to both outsiders and insiders alike. One of the more confusing aspects of digital marketing (and the web in general) are cookies and pixels. These two terms are sometimes used interchangeably but they are not the same thing.
If you’ve been around digital advertising at all, you know that cookies and pixels are the foundation of tracking the relative success (and failure) of marketing campaigns. Without them, much of the data that digital marketing and web analytics professionals depend on wouldn’t be possible (or would be significantly more difficult to get).
It is not a stretch to say that much of the digital marketing ecosystem has been built on top of these two technologies. The vast fortunes of some of the internet’s largest companies, several of which have made the majority of their money on advertising, have cookies and pixels as the very foundation of their platforms.
Due to the rise in global data privacy laws around the world over the past several years, cookies in particular have been at the forefront of the discussion about digital privacy and data collection.
Over the past several years, you have by no doubt seen cookie preference banners show up on many websites when they first load. Perhaps you find these cookie banners annoying and don’t understand why you are being asked about cookies. Or perhaps you do understand why you are being asked and you actually like being able to control your data. Or maybe you just find the whole matter too confusing to bother with.
On all three points, I can definitely empathize with you. Cookie banners can definitely be kind of annoying and are often quite confusing. Most people would rather not deal with them at all. However, they are increasingly becoming a legal requirement for websites in many parts of the world. Most importantly, when they are set up correctly, cookie banners allow you to manage how you share your personal data with the websites you visit.
Based on my observations in talking to quite a few people, I have found that there is a general lack of information and understanding among people about what cookies and pixels really are and what they do. Because of that, I decided to write this post to better explain cookies and pixels—what they are, what they do and why they’re at the center of the online privacy debate.
Hypertext Transfer Protocol (HTTP) and HTTPS
In order to understand what web cookies are and what they do, it’s first necessary to understand what Hypertext Transfer Protocol (HTTP) is.
As a user of the world wide web, you have most certainly seen the http:// or https:// that precedes a website domain name:
Hypertext Transfer Protocol (HTTP) is the default protocol that is used for the majority of all traffic on the World Wide Web. To get slightly technical for a moment, HTTP is known as an application layer protocol and runs on what is known as TCP Port 80 on computer systems.
Every computer that communicates across a network uses ports for different application protocols for different protocols. Think of ports as a row of mailboxes all for different people in the same apartment building. All the people live in the same building but they each receive mail in a different mailbox.
There are many different ports for all different kinds of protocols. But for our purposes, we just need to know that HTTP traffic runs on port 80. Hypertext Transfer Protocol Secure (HTTPS), which is a more secure version of HTTP and uses encryption, runs on port 443.
In today’s web, it has become standard practice for websites to use HTTPS. Several years ago, Google began penalizing sites that only use HTTP in its search results which forced many websites into switching to HTTPS. Today, many browsers will block websites only using http when a user tries to visit the site and throw up a warning that the site is not secure and could leak personal data about the user.
The HTTP Request-Response Cycle
Both http and https enable a client (a web browser) to communicate with a web server (where a website is located). When you enter a URL in your browser’s address bar or click on a link, the browser sends an HTTP or HTTPS request over port 80 or port 443 to the web server where the URL’s domain name is hosted requesting the root file for that particular domain name (usually called index.html). HTML stands for Hypertext Markup Language which is the language that most web pages are written in.
The server then responds in kind by sending the requested file back to your browser (the client). Every time you click a link or request a new file on that server, a new HTTP request-response cycle is initiated:
HTTP & HTTPS Are Stateless Protocols
HTTP and HTTPS are what is known as stateless protocols. Each request and response from a client (browser) to the server isn’t remembered by either side. Each interaction is independent of the preceding one. So there is no “state” maintained from one request to another.
The statelessness of http and https can be overridden in a few different ways so that each interaction is stateful. One of those ways is by using cookies.
Web HTTP Cookies
A web cookie is a small text file that is stored on a user’s computer. Cookies are actually part of the HTTP protocol. Cookies help a website “remember” you by sending information stored on your machine with every request made to the server.
Cookies are sent by a web server by having the server send a Set-Cookie
HTTP header as a response to a request.
A very common use of cookies is for user authentication on a website when a user signs in to a restricted part of the site. The process goes like this:
- When a user signs in, the server sends a
Set-Cookie
header as a response which sets a cookie with a unique session identifier. - For every additional request from the user (client) to the server, the browser sends the cookie across the network using a
Cookie
HTTP header.
Aside from this basic functionality, cookies have quite a lot of other complexities and subtleties to them. Because this is not really a technical article, we won’t be diving too deeply into them.
However, there are a few key things to know about cookies.
Types of Web Cookies
In general, there are four types of cookies:
Session cookies: These are cookies that only last for the duration of the time a user is on a particular website. Session cookies have no expiration date assigned to them. When the user closes the browser, the cookie expires.
Persistent cookies: Persistent cookies are set to expire on a specific date or after a specified amount of time. As long as the cookie is not expired or cleared from the user’s browser cache, the cookie’s data is sent over the web every time the user visits the site that set it. For example, when a user is logged in to a website, navigates away from that website and then comes back, a persistent cookie will remember them and not require them to log in to view restricted areas of a website.
Persistent cookies also include tracking cookies and are used heavily in digital advertising.
First-party cookies: These are cookies that are set by the domain that is being visited (i.e. the one seen in the browser’s address bar). For instance, if you visit a website and log in to it, the website will usually set a cookie in your browser so that it knows you are logged in.
Third-party cookies: These are cookies that are set when you visit a particular website but the cookies are set from another domain. Third-party cookies most often fall into the realm of advertising and tracking cookies.
Third-party cookies can track a user’s activity on the site where the cookie is originally set. In this example, the ad cookie is initially set on Website A from the ad network’s server with a unique user identifier:
And then when the user moves to a completely different site, the cookie that was set on Website A with the user identifier can recognize the user on Website B:
In this way, a user can be shown ads based on websites they have previously been on (known as retargeting) or ads that are based on the content and topics of websites they may have visited in the past.
Many people have their browsers set to not disallow third-party cookies or install browser extensions to block them.
You can view the cookies present in your browser by opening up your browser’s developer tools in Google Chrome (other browsers are similar) and clicking on the Application tab (cookie values omitted):
You will notice that most cookies have very cryptic names that don’t really specify much about where they’re from or what their purpose is. If you really want to understand which cookie is from what vendor, you will have to do some research in your favorite search engine. Many third-party vendors such as Google, Facebook and LinkedIn have very detailed descriptions of the cookies that they drop on their websites. Many other vendors do not though and you may have to do a lot of detective work.
Web Tracking Pixels
In the digital marketing world, many people interchange the words “cookies” and “pixels” as essentially meaning the same thing. They are actually different technologies.
While a cookie is a small text file, a tracking pixel is a 1x1 pixel image that is invisible to the human eye. Pixels are placed on user machines via small snippets of JavaScript code called tags that execute when a website loads in a browser. Tracking pixels are sometimes referred to as web beacons.
Once the pixel is on the machine, it sends a response header back to the server located at the URL specified in the JavaScript code. The URL will often contain an account ID in it but sometimes it may just be a generic ad server for a particular advertising network.
The information that is sent back to the server typically includes data such as:
- Time and Date
- Browser vendor and version
- Operating system
- Language settings
- The device type (mobile, desktop/laptop)
- Movement on a website during the user’s session (page name)
- IP Address (which provides location and ISP information)
While cookies have a variety of use cases, pixels are most often used to collect user data and track user activity on websites for digital advertising or in emails to track open rates and other statistics.
The process for viewing pixels that are firing on a web page is similar to cookies. However, instead of clicking on the Application tab, you need to click on the Network tab. This will show you all the network requests that are being made on this website where various services are being called across the network. If you sort by “Type” and see the type gif, you will see the pixels that are present on the page (pixel names omitted):
You can click one of them and see the information it’s sending in its headers. This is an abbreviated example of the Facebook pixel request and response headers (_fbp) which is for Facebook Ads:
Cookie Classification & Digital Privacy Laws
As you’ve probably gathered from our preceding discussion, all cookies are not created equally. Cookies have several different use cases.
In terms of digital privacy laws, most of the laws make a clear distinction between cookies that are necessary in order to use a website and cookies that are used for other purposes such as advertising and analytics.
These are some common categories that cookies fall in to with regard to the law:
Strictly Necessary cookies are necessary to actually use a website such as determining whether a user is signed in or signed out of a website. The key distinction for this category is whether or not a site can function normally without these cookies present although some security cookies also do fall into this category since not having them could bring harm to the user.
Performance cookies are used for web analytics or collecting data about the performance of a website. Any cookies involved in measurement or optimization of a website are considered performance cookies.
Functional cookies are used for things like language settings and site preferences. The site will still basically function without them so they’re not considered strictly necessary, but they provide additional functionality that make the site easier to use.
Advertising and Marketing cookies are used for tracking the performance of advertising and marketing campaigns. In terms of the total universe of cookies, there are more cookies in this category than in all of the other categories. Because advertising cookies have the ability to track users across the web and target them with advertising, this category is also the most heavily scrutinized with regard to compliance with digital privacy laws.
Cookies, Pixels & Digital Privacy Law
Although this is more of a technical post, any discussion of cookies and pixels cannot be complete without at least briefly discussing global data privacy laws. Privacy legislation is a large and complex subject and cookies are but one small piece of it, albeit a very important piece of it.
The European Union
There are currently several data privacy laws in existence around the world that address the use of cookies. The General Data Protection Regulation (GDPR), which covers countries of the European Union and was passed in 2018, is currently strictest and most comprehensive law on digital privacy. It is the standard by which most other data privacy laws are based on.
The GDPR itself is a large document and deals with a range of data privacy issues of which cookies are only a small part. An earlier EU privacy law from 2002 called the ePrivacy Directive covers the use of cookies in more detail.
The overall theme of the GDPR is to provide individuals (known as data subjects) with more control over how their personal data is collected, stored and used. The GDPR also outlines the responsibilities for entities that collect, store and use personal data (known as data controllers).
In order to be compliant with the GDPR in terms of cookies, a website must only load strictly necessary cookies when the user first visits the site. For any other categories of cookies (functional, performance or advertising), the user must give explicit consent before these types of cookies can be set on a user. The fines for GDPR violations can be quite large.
China
The Chinese Personal Information Protection (PIPL) law went into effect on November 1, 2021 and covers mainland China and its citizens. Like the GDPR, a website must obtain the consent of the individual in order to set any cookies that are not strictly necessary.
Japan
In Japan, the Act on the Protection of Personal Information (APPI) law was originally passed in 2003 but has been amended a number of times since then. In 2021, a new set of requirements was enacted and the changes took effect in April of 2022. Under the April 2022 changes, user’s must now give consent for all cookies that are not strictly necessary.
The United States
As of this writing, the United States currently does not have a national data privacy law. At the state level, as of mid-2022 just five U.S. states have passed any kind of data privacy laws—California, Colorado, Connecticut, Virginia and Utah.
In 2018, the state of California passed the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) in 2020. The basic elements of the CCPA give consumers in California the right to know the personal information a business collects about them and the right to delete that information as well as to opt-out of the sale of their personal information.
As of this writing, none of the U.S. state laws prohibit the setting of all cookie categories when a user visits a website. However, users must able to opt-out of the collection of personal data if they choose.
Conclusion
In this post, we’ve covered what covered what cookies and pixels are, how they function, the different classifications of them and a little bit about how they are currently addressed by data privacy laws around the world.
Due to their ability to maintain state between http requests, cookies and pixels have played an important role in the evolution of the web. Cookies and pixels have enabled everything from web application sign-in authentication, to enabling website owners to understand what’s happening on their sites with analytics, to tracking advertising campaigns across the largest digital advertising platforms.
With the continual evolution of global data privacy laws, cookies and pixels have been and will continue to be at the forefront of the global debate on data privacy with regard to data collection on the web.
People’s personal opinions about cookies and pixels range from “I am happy to see personalized ads that are targeted to me” to “I don’t really care whether I’m tracked or not” to “These evil corporations are taking my personal data and making money off it to violate my privacy”.
No matter where your personal opinion falls on this spectrum, it’s at least helpful to have an understanding of how these technologies work and what the current legal legislation is surrounding them so you can make your own informed opinion. I hope that that this article has helped improve your understanding.