Cookies on the Internet: what they are, types, uses, law, and how to manage them

Informatec Digital » Internet » Cookies on the Internet: what they are, types, uses, law, and how to manage them

Cookies are the silent glue These allow the website to recognize you, remember your preferences, and keep you logged in without asking you every time you click. They're not new or mysterious: they're tiny files that, when used properly, make life easier; when managed poorly, they can affect your privacy. guide to digital privacy on the Internet.

If you've ever encountered the "Do you accept cookies?" And if you still have questions, here's the in-depth look. What they are, how they work, what types exist, which ones are essential, what regulations in Spain and the EU require, and how to control them in your browser without losing control of your online experience.

What are cookies and how do they work?

A cookie is a small text file That a site requests to save in your browser when you visit it. It may store identifiers and technical data that allow your device to be recognized in subsequent sessions, display relevant content, or remember that you've already logged in.

The site server creates a unique identifier linked to your browser. On future visits, your browser returns that identifier, and the site “knows” what status to retrieve: your language, your shopping cart, the current session, or your page settings. The server doesn't “see” the person, but rather the browser that presented the cookie.

Important: Many serious websites do not collect personal data. Unless you provide them voluntarily. Some cookies are used for anonymous statistical purposes (for example, remembering your browser type), and others, combined with advertising services, can profile your activity if you give your consent.

A brief history: from “magic cookies” to HTTP cookies

The term “cookie” comes from systems jargonThe so-called "magic cookies" were packets of information that passed back and forth unchanged, used in corporate environments for identification on internal networks.

In 1994, Lou Montulli adapted the idea to the web creating the HTTP cookie to alleviate server loads on an online store. Since then, the web ecosystem has used them for sessions, personalization, analytics, and advertising, among other purposes.

The same technology that brings comfort It can open the door to behavioral profiling if consent is given to third parties for advertising or analysis; that's why transparency and user control are key today. Guide to privacy-enhancing browsers.

Basic types of cookies

By duration, there are two large groupsSession and persistent cookies. Session cookies only exist while you're browsing; they disappear when you close the browser. Persistent cookies remain stored until their expiration date or until you delete them.

Session cookies support navigation in real time (e.g., maintaining the status of the shopping cart or ensuring the “Back” button works correctly). They are not permanently written to disk.

Persistent cookies store states in the medium termThey are used for authentication (to prevent you from logging in each time) and to track multiple accesses to remember preferences or analyze usage. Their expiration date should be consistent with their purpose.

By origin, there are first-party and third-party cookiesFirst-party cookies are created by the site you visit and are typically used for internal functions. Third-party cookies are provided by external providers (advertising, analytics), which have more privacy and consent implications.

There are special variants such as the “zombie” ones.These cookies, which can be reconstructed after deletion, are associated with advanced storage techniques (sometimes called supercookies) and are difficult to remove; they are not the norm and pose serious privacy risks if misused.

Categories by purpose: functionality, security, analytics, advertising, and personalization

Beyond their duration or origin, cookies are distinguished by purpose. Below are the most common categories and representative examples used by major online services.

Functionality (technical or necessary)

They are those that activate essential functions such as remembering your language, saving shopping cart contents, maintaining your session, or executing tasks you request. Without them, many services don't work.

• Preferences and session: Cookies such as "NID" or "_Secure-ENID" remember language or the number of results per page; the first expires 6 months after the last use, and the second 13 months after. On YouTube, "VISITOR_INFO1_LIVE" (6 months) and "__Secure-YEC" (13 months) serve similar purposes and help diagnose problems.
• Playback and settings: "PREF" on YouTube saves settings like autoplay and player size (expires after 8 months). "pm_sess" maintains the browser session for about 30 minutes.
• Product optimization: «CGIC» improves search autocomplete (6 months).
• Cookie choices: «SOCS» stores your cookie preference selection for 13 months.

Security

They are used to protect you from abuse: authenticate the user, prevent impersonation, stop fraud and spam, and monitor service interruptions.

• Authentication: "SID" and "HSID" contain encrypted and signed records of the account ID and last login, blocking attempts to steal forms; they last for two years.
• Anti-fraud and anti-spam: "pm_sess" (30 minutes) and "YSC" (session duration) verify that requests are actually coming from the user. "AEC" (6 months) and "__Secure-YEC" (13 months) help detect invalid or fraudulent interactions and fairly compensate creators.

Analytics or measurement

They allow us to understand how you interact with sites and applications, measure audience and statistics, and improve content and functionality.

• Google Analytics: The main cookie, "_ga," differentiates users and expires after 2 years. Each "_ga" is unique per property, so it doesn't track you across unrelated sites.
• Other analysis used in services: In Search, "NID" and "_Secure-ENID"; on YouTube, "VISITOR_INFO1_LIVE" and "__Secure-YEC"; in mobile apps, identifiers such as the Google Usage ID, for analytics purposes.

Advertising

They are used to show, limit frequency, and measure effectiveness. and personalize ads based on your settings (for example, at myadcenter.google.com or adssettings.google.com/partnerads).

• On Google services and third-party sites: "NID" is used to show ads to non-logged-in users (6 months). "IDE" and "id" are used for ads on non-Google sites; in the EEA, Switzerland, and the UK, they last 13 months, and 24 months elsewhere. If you turn off personalization, "id" remembers that preference.
• Users with session: “DSID” identifies the user on third-party sites to respect personalization settings (2 weeks).
• Advertising support on third-party sites: «_gads» allows you to display ads (13 months) and «_gac_» from Analytics helps measure campaigns (90 days).
• Conversion Measurement: "_gcl_" is primarily used to attribute actions after ad clicks (90 days); it is not used for ad personalization.

Personalization.

Display tailored content and features based on your interests and activity, based on the settings you choose in privacy tools or on your device.

• Recommendations and auto-completion: "VISITOR_INFO1_LIVE" can enable YouTube recommendations based on what you've watched or searched for; "NID" enables personalized autocomplete in Search. They typically expire six months after the last use.
• precise location: UULE may send an exact location from your browser for relevant results; this depends on your browser's location settings and can take up to 6 hours.

Even if you reject customization, non-personalized content may vary by context (general location, language, device type, or page you visit).

What is NOT a cookie and what happens if you disable them?

A cookie is not a virus, nor a Trojan, nor a worm, nor does it open pop-ups on its own. It stores technical data and preferences, not card numbers or photographs, unless a specific service explicitly and transparently implements this.

If you disable them completely, you'll notice side effects: you won't be able to log in or be logged out upon exiting, stores won't save your cart, you won't be able to customize your currency or language, there will be fewer usage statistics, and some social features will no longer be available.

The key is in balanceThe fewer cookies you enable, the more privacy you enjoy; the more you allow, the more personalization you enjoy. Today, you can refine your cookie categories (technical, preferences, analytics, advertising) in consent banners.

Legal framework in Spain and the European Union

In Spain, the LSSI-CE and the LOPDGDD They coexist with the European General Data Protection Regulation (GDPR). Furthermore, the ePrivacy Regulation is on the way, which will specify specific rules on communications and cookies.

The Spanish Data Protection Agency (AEPD) publishes a guide on the use of cookies with recommendations for publishers and third parties. Transparency and informed consent are key obligations.

Cookies exempt from consent

They are exempt if their purpose is strictly necessary. and their expiration is proportional. The former WG29 (now the European Data Protection Committee) considers the following exempt, among others:

• User input (for example, when filling out essential forms).
• User authentication or identification (session).
• Media player.
• Load balancing on the server.
• Interface customization (such as language or design).
• Social sharing plugins, when necessary for the requested service.

If an exempt cookie fulfills several purposes and some are not necessary, that part may require express consent.

Minimum information and layers

It must be reported clearly and in simple language., accessible in 1–2 clicks (e.g., “cookie policy”). The first layer will include: the responsible editor, purposes, whether they are proprietary or third-party, types of data, the mechanism for accepting/rejecting, and a link to the second layer with details.

The second layer will detail: definition and function of cookies, types and purposes, who uses them, how to accept/deny/revoke, whether there are international transfers, existence of automated profiles and retention periods by purpose.

Valid consent and to whom it is addressed

Consent must be free, specific and informed, collected expressly (via "Accept" buttons and granular settings) or through unequivocal action after reporting. Inactivity does not constitute acceptance.

It must be addressed to the user/consumer with a real option to refuse without impeding browsing, except for essential functions. If refusal limits a service, it must be communicated and an alternative offered whenever possible.

Ways to obtain consent

It can be collected During registration, when customizing the website, through management platforms (CMP), before using a specific service, with the layer system or, with limitations, via browser settings.

Responsibilities and duty to inform

Both the publisher and third parties are responsible involved. The publisher must provide clear information and operational links to third parties. Each party is responsible for its processing.

Best Practices: Indicate how to manage cookies on a per-browser basis, and reference third-party blocking/management tools (e.g., Cookiebot.com, Cookieserve.com, Webcookies.org) that assist with auditing and compliance.

How to enable, manage, and delete cookies in your browser

Managing cookies is easier than it seemsFrom your browser's privacy settings, you can allow, block, or delete cookies by site or generally. If you block them completely, some websites will lose functionality.

In chrome: Open Settings, Privacy & Security, Site Settings, Cookies & Site Data. There you can see "All cookies and site data," search by domain, and delete. You can also set blocking/allowing by site.

In Microsoft Edge/Internet Explorer: Go to Settings or Internet Options, enter Privacy and adjust the level or manage permissions by site.

In Firefox: Open Options/Preferences, Privacy & Security, History, and choose “Use custom settings for history” to allow or disallow cookies and manage exceptions.

In Safari (macOS and iOS): Preferences/Settings, Privacy, and adjust cookie and data blocking. On iOS, Settings > Safari > Privacy & Security to block or clear.

On Android (browser or Chrome): Menu > Settings > Privacy & security; enable/disable cookies and clear browsing data. On Windows Phone (Internet Explorer), More > Settings > Allow cookies.

Cookies, Personalization, and Advertising: What You Need to Know

Technical or necessary cookies cannot usually be deactivated. at the consent layer because they support basic web functions (data flow, security, purchase completion, content sharing).

The preferences ones save your language, region or dark mode. Disabling them means reconfiguring the website every time you return.

Analytics offer aggregate metrics about what's being used and where there are problems; useful for improving the website, but unnecessary if you prioritize privacy.

Advertising or marketing companies create profiles based on your browsing habits to show tailored ads. You can disable them in the site's cookie layer and review personalization in panels like myadcenter.google.com.

Advertising mobile identifiers (like Android) can be used for metering purposes; you can reset them or limit their use from your device.

Do I really need all the cookies?

There is no universal answerIf you value convenience (staying logged in, shopping cart intact, correct language), you'll need the techniques and probably some of the preferences. If you're looking for maximum privacy, limit ads and analytics and periodically review your deletion.

Practical tip: Accept only what is necessary when entering a website, adjust the rest in “Configure” and check your browser’s privacy panel from time to time.

Quick questions and common scenarios

Can I be tracked without consent? In the EU, consent is generally required for non-essential purposes (analytics, advertising). Exceptions: strictly necessary cookies. However, your browsing may be influenced by contextual factors (general location, language, device).

What happens if I delete all cookies? You'll need to log in again, reconfigure preferences, and select consent options again. You'll gain privacy, but you'll lose convenience.

Can I browse without cookies? Technically yes, but many websites won't work as you expect. You can choose to block third-party websites, allow only technical ones, and delete the rest frequently.

Privacy Tools and Best Practices

Audit your site's cookies if you are a publisher with services like Cookiebot.com, Cookieserve.com, or Webcookies.org to find out what your website installs and whether you comply with current legislation.

As a user, combine periodic cleaning of cookies by reviewing ad personalization and, if needed, consider using a VPN to separate your public IP from your browsing (note that this doesn't disable cookies, but adds a layer of network privacy).

Knowing cookies means gaining control about your online experience: identify when it's essential, decide when to share data to improve services, and act judiciously on each consent banner that appears.