Despite the GDPR, Cookies Are Vital to Ecommerce

Cookies are in the spotlight with the E.U.’s new General Data Protection Regulation. It follows the E.U.’s “Cookie Directive,” which has been in effect for several years.

Cookies are important for online businesses. They are also common. In this post, I’ll explain the basics of cookies for ecommerce businesses.

What’s a Cookie?

Cookies are small files that a web server sends to a browser. Unlike other files — HTML, CSS, images — browsers will then send cookies back to the server with every subsequent request.

For example, Practical Ecommerce’s server sent cookies to your browser when you loaded this article. If you now click a link in the menu, your browser will send those cookies back to the server, at which point the server might send the same cookies or different ones back to your browser.

This back-and-forth process makes cookies act like a shared file that both the server and browser can use. In practice, though, typically only the web server edits the cookie files. The browser just holds them and sends them back.

Purpose of Cookies

Describing the purpose of cookies can quickly get complicated. So I’m going to simplify.

Web servers can track visits, but they cannot tell the difference between one person visiting a page 100 times or 100 people visiting a page once. That makes it nearly impossible to track a visitor’s activity, such as whether a visitor added an item to a cart or viewed a product.

Cookies can act as a memory aid for web servers. If a cookie captures data about the contents of a visitor’s cart and if the browser sends that cookie back to the server, the server will remember the contents for, say, the payment page.

Security of Cookies

There are several problems with that simple shopping cart explanation. First, since a cookie is a shared file, a webmaster must be careful about the data that’s in it.

If the cookie stores anything sensitive — such as product prices, cart identifiers, or even user account information — there’s a risk that a crook could edit the contents. Absent controls, someone could reduce the price of a product or masquerade as an administrator and break into your store’s backend.

This type of attack is a security risk for websites. That’s why many stores encrypt their cookies, to make it difficult to use the data and impossible to edit.

For example, instead of containing readable text that a visitor is number 679 and has two shirts in her cart, an encrypted cookie could contain something like bGtJUjhCOEpQVmNHWU5hbHlsZlNiNnNFcmpne — followed by many more randomly generated characters.

Some stores won’t save any data in the cookie except for a “session identifier,” which is a unique value for a current visitor. The better systems will encrypt the identifiers.
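
The tampering risk described in this section, shown as an added example that is not from the original article. It uses an HMAC signature (integrity protection) rather than encryption, so the cookie stays readable but an edited value is rejected; the key, the cookie layout, and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real store would load a random secret from server-side config.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(payload: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize the payload and append an HMAC-SHA256 tag computed over it."""
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_cookie(value: str, key: bytes = SECRET_KEY):
    """Return the payload if the tag matches, or None if the cookie was altered."""
    try:
        body, tag_text = value.split(".")
        tag = _unb64(tag_text)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeError):  # malformed cookie: treat as untrusted
        return None


def edit_price(value: str, new_price: int) -> str:
    """Simulate a visitor editing the readable part of the cookie in the browser."""
    body, tag = value.split(".")
    cart = json.loads(_unb64(body))
    cart["unit_price_cents"] = new_price
    edited = _b64(json.dumps(cart, sort_keys=True, separators=(",", ":")).encode())
    return f"{edited}.{tag}"  # the old tag no longer matches the new body
```

The server calls `verify_cookie` on every request and discards any cookie for which it returns `None`, so a price changed in the browser never reaches the payment page.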

Many Cookies

I’ve heard from merchants who are preparing for GDPR. They are often shocked at how many cookies their store uses. One small store I reviewed used 34 cookies. And it had no third-party analytics, tracking, or similar services!

Cookies are small. They can only hold roughly 4,096 bytes of data. A single unformatted character is roughly one byte. Assuming eight characters per word, 4,096 bytes are roughly 500 words. Thus a store must carefully manage the data it stores in cookies. One way to minimize their size (and quantity) is by keeping only an identifier in a cookie and then saving the additional data on the server.

Another option is to use multiple cookies where each cookie serves a different role. That could produce a few dozen cookies for a single domain. For example, one cookie could track a visitor’s cart. Another could detect if a visitor is logged in. Yet another could track recent pages viewed.

These two techniques — storing data on servers and using multiple cookies — can overcome the size limitation.

Cookies come from a single domain. A merchant could have cookies from, say, a web store at and an email newsletter at This provides the ability to use even more cookies.

The proper code could link cookies from multiple domains. So a merchant could track, say, visitors that came from the newsletter. That’s how Google Analytics and other web tracking or advertising systems can track visitors. The browsers of visitors store cookies from those third-party platforms.

Cookies Are Vital

Cookies are a core component of web technology. There are modern alternatives to cookies, such as JSON Web Tokens, but they aren’t as widespread or supported, chiefly because cookies do their job so well. Without cookies or some form of session identification, ecommerce as we know it would not exist.

Eric Davis