Cookies explained: types, how they work, and what it means for compliance

4 March 2026 · FlowConsent

TL;DR

A cookie is a small piece of text that a website asks the visitor's browser to store and that the browser sends back with later requests to that site, so information survives between otherwise independent HTTP requests. There are several types: first-party (set by the site you visit) and third-party (set by a different domain), session (deleted when you close the browser) and persistent (kept until a defined expiry). Some are essential for the site to function, others serve analytics or targeted advertising. Understanding these distinctions is critical for configuring your consent banner correctly and complying with the GDPR.

What is a cookie (in simple terms)

A web cookie is a small piece of text sent by a web server (in a Set-Cookie response header, or written by a page script) and stored on the user's device (computer, phone, tablet) by their browser. On every subsequent request that matches the cookie's domain and path, not only when the user comes back later, the browser automatically attaches the cookie in the Cookie request header, allowing the site to remember information: preferred language, shopping cart contents, login session, or a tracking identifier.

The term was coined in 1994 by Lou Montulli, a developer at Netscape, by analogy with the Unix programming concept of a magic cookie. Since then, cookies have become the standard mechanism for maintaining state between a browser and a web server, since the HTTP protocol is inherently stateless.

A cookie typically contains a name, a value, an associated domain, a path, an expiration date, and security attributes (Secure, HttpOnly, SameSite). Domain and Path decide which requests the browser attaches the cookie to; Secure restricts it to HTTPS; HttpOnly hides it from page scripts (document.cookie); SameSite limits whether it is sent with cross-site requests. A cookie does not contain executable code and cannot install malware by itself.

Types of cookies

First-party vs third-party

A first-party cookie is set by the domain of the site you are visiting directly. If you are on example.com, a cookie created by example.com is first-party. These cookies primarily serve site functionality: remembering preferences, maintaining login sessions, storing cart contents. The browser only sends them to the domain (and path) they are scoped to. Note, however, that any script running in the page, including one loaded from a third-party host, can set and read first-party cookies unless they carry the HttpOnly attribute.

A third-party cookie is set by a domain different from the site you are visiting. If you are on example.com but a script loaded from ad-network.com sets a cookie, that is a third-party cookie. These cookies are primarily used for cross-site advertising tracking, retargeting, and embedded services (social sharing buttons, YouTube videos, chat widgets). They are the most scrutinized by regulators and browsers.

Safari blocks third-party cookies by default, and Firefox blocks or partitions them per site by default (Total Cookie Protection). Google Chrome announced and then, in 2024, abandoned their complete removal, ultimately opting to keep third-party cookies available and let users block them through the browser's own settings.

Session vs persistent

A session cookie is temporary. It is created when you open a site and automatically deleted when you close your browser. It has no explicit expiration date (no Expires or Max-Age attribute). Session cookies typically serve to maintain your connection during navigation or keep cart contents for the duration of your visit. One caveat: browsers configured to restore the previous session on launch may keep session cookies across restarts, so the server should enforce its own session timeout rather than rely on the browser closing.

A persistent cookie remains on your device after you close the browser, for a defined duration (from a few minutes to several years depending on configuration). It is used to remember language preferences, login status, or to build a browsing profile over time. Persistent cookies used for tracking or advertising require explicit consent under the GDPR and the ePrivacy Directive.

By purpose: essential, analytics, advertising, functional

Essential cookies are required for the site to function: authentication, security (for example CSRF tokens), shopping cart, consent preferences. They do not require prior consent. Analytics cookies help understand how visitors use the site: page views, visit duration, bounce rate. Unless a specific exemption applies, these cookies require consent. Advertising cookies track users across sites to build advertising profiles and display personalized ads. They always require explicit consent. Functional cookies personalize the experience (language, region, visual theme) without being strictly necessary for the site to function, and therefore generally require consent as well.

What this means for compliance

The ePrivacy Directive and the GDPR require prior consent for any non-essential cookie. This means your analytics, advertising, and most functional cookies can only be set after a clear affirmative action from the user through your cookie banner.

Classifying your cookies by type and purpose is the foundation of your CMP configuration. If you do not know which cookies are present on your site, start with a cookie scan to get a complete inventory. Each category should correspond to a choice in your banner.

If you use Google Analytics or Google Ads, consent signal transmission goes through Google Consent Mode v2, which adjusts Google tag behavior based on the user's choice.

Common misconceptions about cookies

Believing all cookies are dangerous. A cookie cannot execute code or install viruses. Essential cookies are required for most sites to function. The risk lies in how the collected data is used, and in who can read the cookie (a stolen session cookie lets whoever holds it act as the user, which is why the Secure and HttpOnly attributes matter), not in the cookie itself.

Confusing first-party and third-party. A Google Analytics cookie set by the gtag.js script is technically first-party (written on your domain), but the data is sent to Google. First-party/third-party status alone does not determine the consent requirement.

Assuming session cookies never require consent. A session cookie used for advertising tracking requires consent even if it disappears when the browser closes. It is the purpose that matters, not the lifespan.

Ignoring cookies from embedded content. YouTube videos, Google Maps, social media widgets, and chat iframes all set third-party cookies. If your banner does not cover them, you have a gap in your compliance.

Checklist: managing cookies on your site

  1. Scan all cookies present on your site.
  2. Classify each cookie by type (first-party/third-party) and purpose (essential, analytics, advertising, functional).
  3. Identify cookies exempt from consent (essential only).
  4. Configure your CMP to block all non-essential cookies before consent.
  5. Verify that embedded content (videos, maps, widgets) is covered.
  6. Test, with the browser's network inspector (Set-Cookie response headers) and its storage panel, that no non-essential cookie is set before any interaction. Check the storage panel as well because cookies written by scripts through document.cookie never appear as Set-Cookie headers.
  7. Document your cookie inventory and update it whenever a script is added.
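The check in steps 2, 3 and 6, and the attribute and type distinctions from the sections above, can be scripted rather than eyeballed. The following is an added example written for this page (it is not FlowConsent code or part of any CMP): it parses Set-Cookie headers as a network inspector would show them on first load, classifies each cookie as first-party or third-party (relative to the page host) and session or persistent, looks up its purpose in a hand-maintained inventory, and flags any non-essential cookie set before consent or any cookie missing from the inventory. The captured headers, the host names (www.example.com, ads.ad-network.test) and the inventory are constructed sample data; the "site" of a host is approximated as its last two labels because no public-suffix list is embedded.

```javascript
// Added example, not the page's own code. Audits Set-Cookie headers captured
// before any consent interaction against a cookie inventory.
// Assumption: a host's "site" is its last two labels (no public-suffix list),
// which is good enough for example.com but not for suffixes like co.uk.

const PAGE_HOST = "www.example.com";

// Constructed sample: [responder host, raw Set-Cookie header] pairs, as a
// network inspector would list them on first page load, before any click.
const CAPTURED = [
  ["www.example.com", "sessionid=7f3a91; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["www.example.com", "cookie_consent=pending; Path=/; Max-Age=15552000; SameSite=Lax"],
  ["www.example.com", "_ga=GA1.1.123456789.1709510400; Domain=.example.com; Path=/; Expires=Sat, 04 Mar 2028 10:00:00 GMT"],
  ["ads.ad-network.test", "uid=abc123; Domain=.ad-network.test; Path=/; Expires=Sat, 04 Mar 2028 10:00:00 GMT; Secure; SameSite=None"],
  ["ads.ad-network.test", "tid=xyz789; Path=/; Secure; SameSite=None"],
  ["www.example.com", "theme=dark; Path=/; Max-Age=31536000"],
  ["www.example.com", "_fbp=fb.1.1709510400.42; Domain=.example.com; Path=/; Max-Age=7776000"],
];

// Constructed inventory (checklist steps 2 and 3): cookie name -> purpose.
const INVENTORY = {
  sessionid: "essential",
  cookie_consent: "essential",
  _ga: "analytics",
  uid: "advertising",
  tid: "advertising",
  theme: "functional",
};

// Approximate registrable domain: last two labels of the host (assumption).
function registrableDomain(host) {
  return host.toLowerCase().replace(/^\./, "").split(".").slice(-2).join(".");
}

// Parse one Set-Cookie header into its name/value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : "",
    domain: null, path: "/", expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i >= 0 ? attr.slice(0, i) : attr).trim().toLowerCase();
    const val = i >= 0 ? attr.slice(i + 1).trim() : "";
    if (key === "domain") cookie.domain = val.toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "expires") {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.expires = t; // invalid dates are ignored
    } else if (key === "max-age") cookie.maxAge = parseInt(val, 10);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Add the two distinctions the article is about: party and lifetime.
function classify(responderHost, header, pageHost = PAGE_HOST) {
  const c = parseSetCookie(header);
  let lifetime = "session";            // no Expires and no Max-Age
  if (c.maxAge !== null) {             // Max-Age wins over Expires (RFC 6265)
    lifetime = c.maxAge > 0 ? "persistent" : "expired";
  } else if (c.expires !== null) {
    lifetime = c.expires > Date.now() ? "persistent" : "expired";
  }
  const party = registrableDomain(responderHost) === registrableDomain(pageHost)
    ? "first-party" : "third-party";
  return { ...c, party, lifetime };
}

// Checklist step 6: anything non-essential set before consent is a finding,
// and anything absent from the inventory is a gap in steps 2/3.
function auditPreConsent(captured, inventory, pageHost = PAGE_HOST) {
  const findings = [];
  for (const [host, header] of captured) {
    const c = classify(host, header, pageHost);
    const purpose = inventory[c.name] ?? "unknown";
    if (c.lifetime === "expired") continue;        // a deletion, not a set
    if (purpose === "unknown") {
      findings.push({ name: c.name, purpose, party: c.party, lifetime: c.lifetime, issue: "not in inventory" });
    } else if (purpose !== "essential") {
      findings.push({ name: c.name, purpose, party: c.party, lifetime: c.lifetime, issue: "set before consent" });
    }
  }
  return findings;
}

for (const f of auditPreConsent(CAPTURED, INVENTORY)) {
  console.log(`${f.issue}: ${f.name} (${f.purpose}, ${f.party}, ${f.lifetime})`);
}
```

On the sample data the audit reports five cookies: the analytics, advertising and functional ones set before consent (including the third-party session cookie tid, which illustrates that purpose, not lifespan, decides the consent requirement) and _fbp, which is missing from the inventory. The two essential cookies pass. In a real run, replace CAPTURED with the Set-Cookie headers exported from the network inspector, and remember to add the cookies visible only in the storage panel, since those were written by scripts rather than by response headers.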

Conclusion and next step

Understanding cookie types is the first step toward proper compliance. The first-party/third-party distinction determines who has access to the data. The session/persistent distinction determines how long it is retained. The purpose (essential, analytics, advertising) determines whether consent is required.

Run a free cookie scan to find out exactly which trackers are active on your site. Then read our GDPR cookie banner guide to take action.

Frequently asked questions

  • Can a cookie install a virus?

    No. A cookie is passive data. It does not contain executable code and cannot install malware or access your files. The risk associated with cookies relates to how the collected data is used (tracking, profiling) and to who can read the cookie (a stolen session cookie can be replayed to impersonate you), not to the cookie itself.

  • What is the difference between a first-party and third-party cookie?

    A first-party cookie is set by the site you are visiting directly. A third-party cookie is set by a different domain (ad network, social media, tracking tool). The distinction is based on the domain that creates the cookie, not its content.

  • Do all cookies require consent?

    No. Cookies strictly necessary for the site to function (authentication, security, shopping cart) are exempt from consent. All others (analytics, advertising, non-essential functional) require prior consent under the ePrivacy Directive and the GDPR.

  • How long does a cookie stay on my device?

    It depends on the type. A session cookie is deleted when you close the browser. A persistent cookie has an expiration date set by the site, which can range from a few minutes to several years. You can delete all cookies manually in your browser settings.

  • Does Google Analytics use first-party or third-party cookies?

    Google Analytics (via gtag.js) sets first-party cookies on your domain. However, the collected data is sent to Google's servers. The fact that the cookie is first-party does not exempt it from consent, because the processing purpose and the data transfer to a third party remain subject to GDPR obligations.