
10 May 2026 · Cookie Compliance

Tracking Cookies Explained: What Your Website Is Secretly Doing

Your website sets more cookies than you think. Here is what each one does and why it matters.

Most small business owners know their website uses cookies. What they do not realise is how many, what each one does, and that some of them track visitors without the website owner ever having explicitly agreed to it. If you have ever installed Google Analytics, added a Facebook Pixel, or embedded a YouTube video, your website is setting tracking cookies on every visitor's browser.

This guide explains what cookies actually are, the different types, which ones your website is probably setting right now, and what the law says about them.

What cookies actually are

A cookie is a tiny text file that a website stores in your visitor's browser. When someone visits your website, your server can tell their browser to save a small piece of data. The next time that person visits, or when they navigate to another page, the browser sends that data back.

Cookies have legitimate uses. They keep shopping baskets working across pages, remember login sessions, and store preferences like language or font size. But they are also used to track behaviour across websites, build advertising profiles, and measure the effectiveness of marketing campaigns.

The key thing to understand is that cookies are set automatically. Your visitor does not see a prompt for each one. The browser just stores them silently. That is why the law requires you to get consent before setting any that are not strictly necessary.

First-party vs third-party cookies

The distinction matters for both security and compliance:

First-party cookies are set by your website's domain. If your website is example.co.uk, a first-party cookie is set by example.co.uk. These include session cookies (keeping a user logged in), preference cookies (remembering someone's choices), and analytics cookies if you run Google Analytics directly on your domain.

Third-party cookies are set by a different domain than the one your visitor is on. If your website loads a Facebook Pixel script, Facebook sets cookies from facebook.com in your visitor's browser. Same with Google Ads, LinkedIn Insights, and most advertising trackers. These third-party cookies can follow your visitor across every website that uses the same tracking service, building a detailed profile of their browsing behaviour.

Third-party cookies are being phased out by most major browsers (Chrome, Safari, Firefox), but they are still widely used and still require consent under GDPR while they exist.

Analytics cookies

Analytics cookies track how visitors use your website: which pages they visit, how long they stay, where they came from, and what they click. The most common ones:

  • _ga (Google Analytics) - A persistent cookie that lasts two years. It assigns a unique anonymous ID to each visitor so Google can count unique users and track them across sessions.
  • _gid (Google Analytics) - Similar to _ga but expires after 24 hours. Used to distinguish between sessions within a single day.
  • _gat (Google Analytics) - A short-lived cookie (one minute) used to throttle request rates.
  • _hjid (Hotjar) - A persistent cookie lasting one year. Hotjar creates heatmaps and session recordings of how visitors interact with your website.
  • amp_* (Various analytics platforms) - Used by AMP (Accelerated Mobile Pages) analytics to track user engagement.

Analytics cookies are not strictly necessary for your website to function. They are useful, and most businesses want the data, but under GDPR they require consent before being set. This means Google Analytics should not load until your visitor has clicked "Accept" on your cookie banner.

Advertising cookies

Advertising cookies are the most intrusive category. They track visitors across multiple websites to serve targeted ads. Even if you do not run ads yourself, embedding social media buttons or using retargeting pixels sets these cookies:

  • _fbp (Facebook Pixel) - Lasts three months. Tracks visitor actions on your website so Facebook can show them ads later.
  • _fbc (Facebook Pixel) - Stores click IDs from Facebook ads so conversions can be attributed back to specific campaigns.
  • fr (Facebook) - A third-party cookie set by Facebook's advertising network, used for remarketing across the web.
  • _gcl_au (Google Ads) - Lasts three months. Tracks conversions from Google Ads campaigns.
  • IDE (Google DoubleClick) - Lasts one year. Used for targeted advertising across Google's ad network.
  • NID (Google) - Stores user preferences and tracks activity across Google services for ad personalisation.
  • li_sugr (LinkedIn Insight Tag) - Tracks visitors for LinkedIn ad targeting and campaign measurement.

Many small business websites load several of these simultaneously. A typical small business site with Google Analytics, a Facebook Pixel, and a Google Ads tag sets at least 8 to 12 cookies before the visitor has even scrolled past the header. All of them require prior consent.

Session vs persistent cookies

Another important distinction:

Session cookies exist only while the browser is open. When the visitor closes their browser, the cookie is deleted. These are commonly used for login sessions and shopping baskets. They are generally considered less intrusive because they do not persist between visits.

Persistent cookies have an expiration date. They remain in the visitor's browser for days, months, or even years. Most tracking cookies are persistent. Google's _ga cookie lasts two years. DoubleClick's IDE cookie lasts over a year. Facebook's _fbp cookie lasts three months. These long lifetimes are what allow trackers to build detailed profiles over time.

Under GDPR, both session and persistent cookies count as personal data if they can be used to identify or profile an individual. The lifetime of the cookie does not change the consent requirement.
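The first-party vs third-party, analytics vs advertising, and session vs persistent distinctions above can be turned into an audit of what a page sets before anyone clicks "Accept". This is an added example, not PulseShield's scanner: it takes a cookie jar in the shape a headless browser dumps after a page load with no consent given (name, domain, expiry in Unix seconds, -1 for a session cookie, which is an assumed convention) and classifies each cookie using only the cookie names listed in this article. The jar, the site domain and the fixed "now" are constructed.

```javascript
// Added example, not PulseShield's scanner. Jar entries: { name, domain, expires } (Unix secs, -1 = session).
const COOKIE_RULES = [
  { pattern: /^(_ga|_gid|_gat|_hjid|amp_.*)$/, category: 'analytics' },
  { pattern: /^(_fbp|_fbc|fr|_gcl_au|IDE|NID|li_sugr)$/, category: 'advertising' },
];

function classify(name) {
  const rule = COOKIE_RULES.find((r) => r.pattern.test(name));
  return rule ? rule.category : 'unclassified';
}

// First-party means the cookie domain is the site domain or one of its subdomains.
function isFirstParty(cookieDomain, siteDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  return d === siteDomain || d.endsWith('.' + siteDomain);
}

function auditPreConsent(jar, siteDomain, nowSeconds) {
  return jar.map((c) => {
    const category = classify(c.name);
    return {
      name: c.name,
      category,
      party: isFirstParty(c.domain, siteDomain) ? 'first-party' : 'third-party',
      lifetimeDays: c.expires === -1 ? null : Math.round((c.expires - nowSeconds) / 86400), // null = session
      // analytics and advertising cookies need prior consent; anything else gets a manual look
      verdict: category === 'unclassified' ? 'review' : 'consent-required',
    };
  });
}

function summarise(findings) {
  const s = { consentRequired: 0, thirdParty: 0, byCategory: {} };
  for (const f of findings) {
    if (f.verdict === 'consent-required') s.consentRequired += 1;
    if (f.party === 'third-party') s.thirdParty += 1;
    s.byCategory[f.category] = (s.byCategory[f.category] || 0) + 1;
  }
  return s;
}

// Constructed jar captured after loading the page with no consent click; NOW is fixed (10 May 2026 12:00 UTC).
const NOW = 1778414400;
const PRE_CONSENT_JAR = [
  { name: '_ga', domain: '.example.co.uk', expires: NOW + 730 * 86400 },
  { name: '_gid', domain: '.example.co.uk', expires: NOW + 86400 },
  { name: 'fr', domain: '.facebook.com', expires: NOW + 90 * 86400 },
  { name: 'PHPSESSID', domain: 'www.example.co.uk', expires: -1 },
];
console.log(summarise(auditPreConsent(PRE_CONSENT_JAR, 'example.co.uk', NOW)));
```

Any cookie with a consent-required verdict in this jar was set before a decision was made, which is exactly the failure the sections above describe.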

The 20+ tracking scripts most websites unknowingly load

When we scan small business websites, we regularly find 15 to 30 third-party scripts loading on every page. Many of these are added through plugins, themes, or tag managers without the website owner realising the full extent:

  • Google Analytics or Google Tag Manager
  • Facebook Pixel and Facebook SDK
  • Google Ads conversion tracking
  • Google reCAPTCHA (sets cookies even on forms)
  • YouTube embeds (Google tracking cookies)
  • Google Maps embeds (Google tracking cookies)
  • Vimeo or Wistia video embeds
  • Hotjar, Crazy Egg, or Clarity for heatmaps
  • Mailchimp or Hubspot embedded forms
  • LinkedIn Insight Tag
  • Twitter/X pixel
  • TikTok pixel
  • WhatsApp chat widgets
  • Intercom, Zendesk, or other live chat tools
  • WordPress REST API and admin-ajax calls

Each of these can set its own cookies, and many also load additional scripts that set further cookies. A single Facebook Pixel loads an entire JavaScript library that can set five or more cookies; the ICO's cookie guidance covers this in detail.

Why "we do not collect personal data" is usually wrong

Many small business owners believe their website does not collect personal data because they do not have user accounts or sell products online. This is almost always incorrect. If your website:

  • Has a contact form, you collect names, email addresses, and possibly IP addresses
  • Uses Google Analytics, you process IP addresses and cookie identifiers
  • Has a Facebook Pixel or Google Ads tag, you share visitor data with those platforms
  • Uses any third-party scripts, your visitors' browsers are loading resources from external servers that can track them
  • Has a server log, you store IP addresses of every visitor

Even a simple five-page website with a contact form and Google Analytics is processing personal data. The GDPR applies to you. The good news is that compliance for a simple website is straightforward. See our GDPR small business guide for what you actually need to do.

What consent really means

Under GDPR and the ePrivacy Directive (PECR in the UK), consent for non-essential cookies must be:

  • Informed: The visitor must know what cookies are being set and why before they decide
  • Specific: Consent for analytics does not cover advertising. Each category should be separate
  • Freely given: The visitor must have a genuine choice. You cannot deny access to your website if they reject cookies
  • Unambiguous: The visitor must take a clear action (clicking "Accept"). Pre-ticked boxes or assumed consent do not count
  • Revocable: The visitor must be able to withdraw consent as easily as they gave it

The ICO has been clear: a cookie banner with only an "Accept" button (no "Reject" option) does not meet this standard. A banner that disappears after a few seconds without explicit consent does not meet this standard. Consent must be a deliberate, informed choice.

The practical approach is to load your website without any non-essential cookies, show a consent banner with clear options, and only set analytics and advertising cookies after the visitor clicks "Accept". This is called a consent management platform (CMP) approach, and there are many tools that handle it for you.
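The gated-loading approach described above, as an added example in browser-side JavaScript (not the article's code and not any CMP vendor's API): tags such as Google Analytics or the Facebook Pixel register with a category and only run after an explicit, per-category grant, with no assumed consent and with withdrawal supported. Names like createConsentManager and the cookie_consent storage key are assumptions; the demo swaps in an in-memory store and cookie jar so it runs without a browser.

```javascript
// Added example: tags run only after an explicit per-category grant; withdrawal clears that
// category's cookies and blocks it on the next load. Storage and cookie clearing are injected.
function createConsentManager({ storage, clearCookie }) {
  const KEY = 'cookie_consent';
  const tags = [];
  let consent = JSON.parse(storage.get(KEY) || 'null'); // null = visitor has not decided yet

  // Only an explicit true counts: no decision or a missing category means blocked.
  const granted = (category) => consent !== null && consent[category] === true;
  const run = (tag) => { if (!tag.loaded) { tag.loaded = true; tag.load(); } };

  function register(tag) {
    const entry = { ...tag, loaded: false };
    tags.push(entry);
    if (granted(entry.category)) run(entry); // returning visitor with a stored grant
  }
  function decide(choices) { // e.g. { analytics: true, advertising: false }
    consent = { ...choices };
    storage.set(KEY, JSON.stringify(consent));
    tags.filter((t) => granted(t.category)).forEach(run);
  }
  function withdraw(category) {
    consent = { ...(consent || {}), [category]: false };
    storage.set(KEY, JSON.stringify(consent));
    // A script already executed cannot be unloaded: clear its cookies now; the stored decision blocks it next load.
    tags.filter((t) => t.category === category).forEach((t) => t.cookies.forEach(clearCookie));
  }
  return { register, decide, withdraw, granted };
}

// Demonstration with an in-memory store and cookie jar standing in for the browser (constructed).
function demo() {
  const store = new Map();
  const jar = new Set();
  const cmp = createConsentManager({
    storage: { get: (k) => (store.has(k) ? store.get(k) : null), set: (k, v) => store.set(k, v) },
    clearCookie: (name) => jar.delete(name),
  });
  cmp.register({ name: 'Google Analytics', category: 'analytics', cookies: ['_ga', '_gid', '_gat'],
    load: () => ['_ga', '_gid', '_gat'].forEach((c) => jar.add(c)) });
  cmp.register({ name: 'Facebook Pixel', category: 'advertising', cookies: ['_fbp', '_fbc'],
    load: () => jar.add('_fbp') });
  const beforeDecision = [...jar];                     // nothing is set until the visitor decides
  cmp.decide({ analytics: true, advertising: false }); // accepts analytics, rejects advertising
  const afterDecision = [...jar];
  cmp.withdraw('analytics');                           // consent is revocable
  return { beforeDecision, afterDecision, afterWithdraw: [...jar], stored: store.get('cookie_consent') };
}
console.log(demo());
```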

To see exactly what cookies your website sets and whether they load before consent, run a free PulseShield scan. It checks cookie consent, security headers, SSL, and more in a single report.
