Privacy Policy(ies). Does the cookie “collect” browser data or “request” browser data?

Cookies neither collect nor request data. Cookies are just boxes you can store information in on the client side, which may later be retrieved when the client returns to the site that set the cookie.


HTTP is a stateless protocol. From the server's perspective, every connection is a new one. It does not matter whether you have never connected to that server before, or whether it's the 100th image you have downloaded from it in the last second. Your connection and every other connection are just the same: faceless, anonymous, unknown connections. To put an identifier on each one, the cookie was created.

Think of a cookie as being a badge. If you talk to a server without a badge, it will send you one: "I don't know you, so your badge is ID:ABC123."

Every time your browser talks back to the server, it sends the badge along with the request: "I am ID:ABC123 and need logo.jpg"

If the server has anything to add, it will write a new badge and send it to your browser: "You logged in, and are a valuable user. You are ID:ABC123,TYPE:1"

When you ask the next thing, the badge goes back: "I am ID:ABC123,TYPE:1 and need custom_logo2.bmp"

It's a passive variable. It does not collect anything; it is just arbitrary data the server uses to identify you. Log in to any service, delete the cookies, refresh the page, and it will ask who you are. The cookie is what identifies your browser and session.

This is a simplistic example. Usually cookies are encrypted and don't really hold values; they usually only point to a record on the server side where the real values are stored. Otherwise anyone could put TYPE:1 in their cookies and be a very special guest on the example service.

What is the privacy thing about cookies? They can track you around. If I have a service hosting images, and you link an image from my server on your page, my server will receive a request from your client. The request will have a special field named Referer, and this tells me the client is coming from, say, your-own-site.org, and I send it a cookie identifying it (ID:ABC999). Not only this, but I put a record in my database telling me that ABC999 accessed your-own-site.org. Later your client requests another image, but coming from slashdot.org, and the request gives me the ID ABC999. From my server I know the client accessed your site and slashdot, so I can start building a picture of what kind of sites it accesses, and what its profile is.

It does not look like much, but if you think about Google, Facebook, and almost every Content Delivery Network, they track almost every single site you access. That's why almost every browser has a "Block third-party cookies" option somewhere: this way the client will only store and send cookies for the domain it is accessing, not for every CDN, image storage, telemetry or analytics site around the world.
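The exchange this answer describes, as an added example that is not part of the original answer: a toy model in Python of a server that hands out an opaque session id in Set-Cookie, keeps the real TYPE value in a server-side record (so editing the cookie cannot forge TYPE:1), and, in the image-host role, records the Referer of every request against the cookie id. A toy browser with a per-host cookie jar and a "block third-party cookies" switch shows why that option breaks the tracking. The hostnames img.example.net and shop.example.com, the cookie name sid and the request paths are constructed for the example; your-own-site.org and slashdot.org are the sites the answer mentions.

```python
# Added example, not code from the original answer. Hostnames, the cookie
# name "sid", paths and the login flow are constructed for illustration.
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class Server:
    """Toy origin that identifies clients with an opaque 'sid' cookie."""

    def __init__(self):
        self.sessions = {}   # sid -> server-side record; the real TYPE value lives here
        self.profiles = {}   # sid -> set of referring sites (the tracking step)

    def handle(self, headers):
        """Process one request; return (response headers, session id used)."""
        jar = SimpleCookie(headers.get("Cookie", ""))
        sid = jar["sid"].value if "sid" in jar else None
        response = {}
        if sid not in self.sessions:
            # No badge, or a badge we never issued (e.g. a forged one): mint a fresh id.
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = {"type": 0}
            response["Set-Cookie"] = f"sid={sid}; HttpOnly; Secure; SameSite=Lax"
        referer = headers.get("Referer")
        if referer:
            # Remember which site embedded our resource, keyed by the badge.
            self.profiles.setdefault(sid, set()).add(urlsplit(referer).hostname)
        return response, sid

    def login(self, sid):
        """Promote the record behind sid; the cookie value itself never changes."""
        self.sessions[sid]["type"] = 1

    def is_special(self, sid):
        return self.sessions.get(sid, {}).get("type") == 1


class Browser:
    """Toy client with a per-host cookie jar and a 'block third-party cookies' switch."""

    def __init__(self, servers, block_third_party=False):
        self.servers = servers          # hostname -> Server
        self.jar = {}                   # hostname -> {cookie name: value}
        self.block_third_party = block_third_party

    def fetch(self, url, referer=None):
        host = urlsplit(url).hostname
        first_party = referer is None or urlsplit(referer).hostname == host
        allow_cookies = first_party or not self.block_third_party
        headers = {}
        if referer:
            headers["Referer"] = referer
        if allow_cookies and self.jar.get(host):
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar[host].items())
        response, sid = self.servers[host].handle(headers)
        if allow_cookies and "Set-Cookie" in response:
            # Store the badge only if the policy allows cookies for this context.
            parsed = SimpleCookie()
            parsed.load(response["Set-Cookie"])
            self.jar.setdefault(host, {}).update({k: m.value for k, m in parsed.items()})
        return sid


def tracking_profile(block_third_party):
    """Visit two unrelated pages that both embed an image from img.example.net."""
    tracker = Server()
    browser = Browser({"img.example.net": tracker}, block_third_party)
    browser.fetch("https://img.example.net/logo.jpg", referer="https://your-own-site.org/")
    browser.fetch("https://img.example.net/banner.png", referer="https://slashdot.org/story")
    return {sid: sorted(sites) for sid, sites in tracker.profiles.items()}


def forgery_check():
    """Writing TYPE=1 into the jar grants nothing: TYPE is a server-side record."""
    service = Server()
    browser = Browser({"shop.example.com": service})
    browser.jar["shop.example.com"] = {"sid": "ABC123", "TYPE": "1"}   # forged badge
    issued_sid = browser.fetch("https://shop.example.com/")
    forged_ok = service.is_special("ABC123") or service.is_special(issued_sid)
    service.login(issued_sid)          # a real login flips the server-side record
    return forged_ok, service.is_special(issued_sid)


if __name__ == "__main__":
    print("third-party cookies allowed:", tracking_profile(False))
    print("third-party cookies blocked:", tracking_profile(True))
    print("forged TYPE honoured, real login honoured:", forgery_check())
```

With third-party cookies allowed, tracking_profile(False) returns a single id seen from both your-own-site.org and slashdot.org; with them blocked, the image host mints a fresh id on every cross-site request and ends up with two unrelated one-site profiles. forgery_check() returns (False, True): the server ignores the forged TYPE cookie and the unknown id, and only its own login step promotes the record.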


The data being "collected" or "requested" is not the cookies, nor is it likely to be stored directly in the cookies.

The data your privacy policy needs to talk about is data you have requested explicitly, like name and e-mail address; and data you have collected because browsers send it by default, like referrers, IP addresses, and user-agent identifiers.

The role of cookies is to tie together this information across multiple requests - to know that the same user who told you their name was Bob is now accessing the home page; or that the same user who was connecting from China yesterday now appears to be connecting from Russia. But it is not the cookie that has taught you that their name is Bob, nor that their IP address is allocated to China.

Your privacy policy should first and foremost talk about the data you are collecting. If it must talk about cookies, it should talk about them as a technology used to "connect", "tie together", or "associate your browsing with" that data.