Cookies are often referred to as text files. Even current data protection declarations propagate this myth. The truth is something else, as can be proven. Read on with the Cookie Conundrum: Separating Fact from Fiction.
Almost every privacy policy that refers to cookies describes cookies as text files. There you can read: “A cookie is a text file”. This statement could also be found in a privacy policy of a company I know. It was drawn up by a lawyer. How could he know any better, when even webmasters frequently have gaps in their knowledge here?.
What is a cookie?
In the past, cookies were typically or possibly always a text file. Each browser decides for itself how cookies are actually stored. In the past, many or possibly all browsers saved cookies as text files. However, this was pure coincidence, because there are numerous technical options for storing very small pieces of information, such as those for cookies. However, the theoretical size of a cookie is not the smallest.
Modern browsers store cookies differently now. For example, the Firefox browser for Windows uses a database. As database, Firefox chooses SQLite. SQLite is a file-based database.
How are cookies stored?
Sqlite stores, like any other classical SQL database, multiple data sets in a table. Several tables, on the other hand, form a database. A database is stored as a single file by Sqlite. But here too applies: A cookie is not a text file and also no file! The database is a file (mostly not a text file!), which again contains numerous cookies, but not in total, but only some information about them. Again, other information about cookies, which control the visibility, are stored in another database.
There is a whole range of such databases for Firefox. Here is an excerpt:
The database where cookies are stored has a file name cookies.sqlite. This is not a text file, but a binary file. Even if it were a text file: There is no cookie stored there, and all information about a cookie is also not stored! Often, multiple cookies are stored together in multiple files. In this case, a cookie (often) is distributed over several files.
The storage location can be opened in Firefox by entering about:support into the browser's address bar, pressing Enter and clicking on the “Open Folder” button (to the right of the label Profile folder)
Rather, the essential information on cookies is stored in the aforementioned database. These include:
- Name
- Value
- Domain
- Path
- Service life
- Flags such as HTTP yes/no, Secure yes/no, SameSite yes/no
Additional metadata are stored in other databases.
The cookie database contains entries such as the following:
As you can easily see, cookies are not text files.
Rather:
A cookie is a data set*.
A proper definition for cookies. Ideally, the purpose of the data set is added or executed on its own.
A quick spot check showed that every one of the (few) privacy policies I looked at was wrong about what cookies are. Remarkably, even providers of consent tools do not know what cookies really are. As I have shown, consent tools are unsuitable for creating privacy-compliant websites.
If you still want to claim that cookies are text files, please explain the following view from the alleged Firefox cookie text file:
The view appeared when opening the main file of the Firefox cookie database with the powerful editor Notepad++
Numerous characters, that cannot be displayed, can be recognized that are contained in one of the cookie database files. A text file is according to Wikipedia (and according to my healthy human understanding) a file that contains “representable characters”. The only exception is mentioned on Wikipedia as well: "These may be subdivided by control characters such as line and page breaks." The above view shows numerous characters that fall into none of these categories.
If one were to still call such files text files, every file would be a text file, which makes little sense. A file is also a form of storage that is determined by the browser. Nobody knows all the storage forms of all browsers. However, it is universally correct that a cookie is a data set or data storage or state storage, regardless of how each browser handles cookies. This results from the RFC 6265.
A cookie is not necessarily located in a file, but is often stored together with other cookies in several files (often not text files!).
Fact.
Cookies don't save files anyway, but data. A file has a name, is stored in a user-accessible file system in a directory and can be searched for via this file system as well as usually written to and read from. The data in cookies do not meet these criteria. See also the Wikipedia article on files. Cookies are rather somehow managed (how, that's up to the browser). I could even write my own browser which manages the cookies so that nobody except my browser sees the cookies that the browser manages.
It may help you to make a decision if you consider that the privacy policies of the following websites classify cookies as text files (as at: 18.01.2021):
- UserCentrics: "A web browser cookie is a small text file that is sent from a website to your computer or mobile device, where it is stored by your web browser." eRecht24 also recommends UserCentrics and explains cookies as text files in its privacy policy.
- Cookiebot: "Cookies are small text files used by websites to make the user experience more efficient"
- Consent manager: "When it comes to cookies, these are small text files that get stored on your hard drive linked to the browser you're using, and through which the party setting the cookie (in this case us) receives certain information. Cookies can't execute programs or transfer viruses onto your computer." Even the Händlerbund, who recommends the consent manager, describes cookies as text files.
- CCM19: "Cookies are small text files that are stored on your computer and saved by your browser"
- OneTrust: "A cookie is a small piece of data (text file) that your browser stores on your device at the instruction of a website you visit to 'remember' information about you, such as your language preferences or login information"
Those who think that the providers of consent tools not mentioned here are better, can look at my practice test for solutions on consent. The result of the test: All tested consent tools generate nonsense on websites.
Even the Facebook website incorrectly states that cookies are small pieces of text.
Storage form (text file?): unimportant. Purpose: manage certain information → important!
Information on cookies. Only the purpose (+ storage duration and recipient) is important.
A kind reader suggested that cookies should be described in privacy notices. I proposed above that a cookie should be referred to as a data set or information morsel. However, a bite is rather small than large. The term is therefore not entirely accurate.
However, the following proposal seems easier to understand:
A cookie is a piece of information that is stored on your end device (computer, smartphone, etc.)
Are cookies small? No, they are not. A cookie can hold a data volume of up to 4096 bytes (4 kilobytes) according to RFC 6265. Local Storage is a web storage that can hold even larger data volumes. According to Wikipedia, the size is probably dependent on the browser and can be several megabytes in size. Therefore, cookies are certainly not small. By the way, even 4 KB of personally identifiable information with classic cookies contains orders of magnitude more data than any other date that comes to mind for identifying people. The name of a person has only a few bytes. Even an address often has less than 100 bytes.
A motor vehicle engine is a pile of matter.
Correct, but useless definition. The same applies when cookies are referred to as data.
Are cookies also stored on the web server of a website or an integrated service? Not really. Only the values of the cookies are sent to the web server. Whether and how the server saves these values is up to it. According to the RFC6265 specification, there are no cookies on the web server per se. It is and remains wrong to refer to cookies as text files. Cookies are not text files, no matter how you look at it. It doesn't get any better with repeated false claims. Even if someone can program, knows about data protection and thinks that cookies are text files: cookies are still not text files. Why should knowledge of programming and data protection play a role in this issue? What counts are facts and evidence, not views or opinions.
Good luck amending your own privacy policy.
PS: Until some time ago, I also fell for the statements of some alleged data protection experts and copied the wrong cookie definition. For some time now, I have preferred to look for the truth myself and write it down as best I can on the Dr. GDPR blog. You should say goodbye to the assumption that something is right just because many people say it is. The opposite is often the case.
I am not concerned here with the simple definition of cookies. Rather, I want to show that many people are poaching in specialist areas such as technology and digital data protection in which they have no expertise.
Key messages
Cookies are not text files. They are stored in databases by modern browsers.
Cookies are not small.
Don't blindly trust information about data protection, especially if it comes from people without technical expertise.
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
