Skip to main content
SGSiteGraph
Privacy·7 min read·

Website Cookies: Types, Purposes, and Privacy Implications

A comprehensive overview of website cookies — essential cookies, analytics cookies, tracking cookies, and third-party cookies.

ST

SiteGraph Team

Legal & Compliance at AnantaHQ

Cookies are a fundamental part of how the modern web works. They enable everything from shopping carts and login sessions to personalized content and analytics. But they also raise important privacy considerations that website owners and users need to understand.

What Are Cookies?

Cookies are small text files stored on a user's device by their web browser when they visit a website. They contain data that the website can read on subsequent visits, allowing it to remember information about the user's session, preferences, or browsing behavior.

Think of a cookie as a memory token — it helps a website recognize a returning visitor and recall context from their previous visit.

Types of Cookies

Essential/Strictly Necessary Cookies

These cookies are required for a website to function properly. They enable core functionality like session management, security, and accessibility. Examples include shopping cart cookies, login session cookies, and load balancing cookies. These cookies do not require user consent under most privacy regulations.

Functionality/Preference Cookies

These cookies remember user preferences and choices, such as language selection, theme preferences (light/dark mode), font size, and region settings. They enhance the user experience but are not strictly necessary for core functionality.

Analytics Cookies

Analytics cookies collect information about how visitors use a website — which pages they visit, how long they stay, where they came from, and whether they encounter errors. This data is typically anonymized and aggregated, helping website owners understand and improve their site.

Examples: Google Analytics, Plausible, Fathom, Matomo.

Marketing/Tracking Cookies

These cookies track users across websites to build profiles for targeted advertising. They are set by advertising networks with the website operator's permission. These cookies have the most significant privacy implications and require explicit user consent under regulations like GDPR.

Third-Party Cookies

Third-party cookies are set by domains other than the one the user is visiting. They're commonly used for cross-site tracking, social media widgets, and embedded content. Major browsers are phasing out third-party cookies: Safari blocks them by default, Firefox has Enhanced Tracking Protection, and Chrome is deprecating them.

Cookie Security Attributes

Cookies can have security attributes that affect how they behave:

  • Secure: The cookie is only sent over HTTPS connections
  • HttpOnly: The cookie cannot be accessed by JavaScript (prevents XSS attacks)
  • SameSite: Controls when the cookie is sent in cross-site requests (can prevent CSRF attacks)

SiteGraph checks these attributes as part of our security analysis. Cookies without proper security attributes can expose websites to various attacks.

Privacy Regulations

Several privacy regulations govern the use of cookies:

  • GDPR (Europe): Requires explicit consent for non-essential cookies, clear disclosure of what cookies are used, and the ability to withdraw consent
  • ePrivacy Directive (Europe): Requires consent before storing non-essential cookies on a user's device
  • CCPA (California): Requires disclosure of data collection practices and the right to opt out of cookie-based tracking
  • LGPD (Brazil): Similar to GDPR in its requirements for consent and data protection

Cookie Consent Best Practices

  • Get explicit consent before setting any non-essential cookies
  • Provide clear, granular options (not just accept all/reject all)
  • Make it as easy to reject cookies as to accept them
  • Document all cookies used on your site in a clear cookie policy
  • Regularly audit the cookies your site sets

SiteGraph identifies and reports cookies set by analyzed websites, including their security attributes (Secure, HttpOnly, SameSite) — helping you understand the cookie landscape of any website.

ST

SiteGraph Team

Legal & Compliance at AnantaHQ

Frequently asked questions

Do I need a cookie consent banner on my website?

If your website serves visitors in the European Union or United Kingdom, and you use any non-essential cookies (analytics, marketing, etc.), you need a cookie consent banner under GDPR and the ePrivacy Directive. Some other jurisdictions like California also have cookie-related requirements.

What happens when third-party cookies are phased out?

Browsers are moving toward more privacy-preserving alternatives. Google is developing the Privacy Sandbox APIs as a replacement for third-party cookies. Website owners should prepare by: auditing their cookie usage, transitioning to first-party analytics, and exploring privacy-preserving alternatives for advertising and personalization.

Does SiteGraph analyze cookies?

Yes. SiteGraph identifies cookies set by analyzed websites and reports their security attributes (Secure flag, HttpOnly flag, SameSite policy). This helps you understand both the privacy and security implications of a website's cookie usage.