At a glance
Web cookies, those tiny bits of data that quietly track your online activity, are again in the privacy spotlight.
Since Google’s 2020 announcement that it would phase out third-party cookies in Chrome, the industry has been moving toward more privacy-conscious data practices. The Safari and Firefox web browsers had already blocked third-party cookies by that time, and Google’s initial plan seemed to mark a turning point.
But in a surprising twist, Google has recently scrapped its plans to phase out third-party cookies. In an April blog post, the tech giant confirmed it would continue supporting third-party cookies, instead offering users more control through Chrome’s privacy and security settings.
This change comes as privacy laws around the world are getting stricter. For businesses, that means being more careful — and more transparent — about how cookies are used.
What are cookies and why do they matter?
Every time you visit a website, chances are you are interacting with web cookies that quietly shape your online experience.
Eike Paulat, director of product at consent management platform Usercentrics, says cookies are small data files websites place on a user’s device.
“They come in two types: first-party cookies, set by the website a user is visiting, and third-party cookies set by external services, often for advertising or tracking across sites.”
While first-party cookies are typically used for essential functions like remembering a user’s login status or preferences, “third-party cookies have powered much of the digital advertising ecosystem for over a decade,” Paulat says.
Despite increased regulation, many marketers still rely heavily on third-party data. In a 2024 Statista global survey, 32 per cent of in-house marketers and 31 per cent of agency marketers said they were completely reliant on third-party cookies.
In finance and accounting, cookies are often used for practical features — remembering login credentials, saving currency preferences or maintaining customised dashboard settings. However, not all uses are so benign.
Some companies — or the third-party providers they work with — abuse cookies to track users without permission, create detailed personal profiles without consent or sell that data to advertisers.
Melissa Fai, technology and intellectual property partner at commercial law firm Gilbert + Tobin, says that in most cases, cookies do not collect personal information that would make an individual reasonably identifiable.
“However, there has been recent concern from the Privacy Commissioner that the level of information that is collected from cookies through various different channels, when aggregated, creates a profile of a consumer that is so individualised and personalised, in some cases, that it is akin to an individual’s online identity.”
The global shift toward privacy
In 2018, the European Union introduced the General Data Protection Regulation (GDPR), setting strict rules for data privacy. Since then, other countries including the US, Canada, Brazil and the UK have rolled out similar laws.
Fai says there is no cookie-specific law in Australia, “however, the use of cookies and the collection of personal information (if any) via cookies is regulated by the Privacy Act 1988 (Cth). Personal information under the Privacy Act includes information about an identified individual or an individual who is reasonably identifiable”.
To comply, most websites now display cookie banners that allow users to choose their preferences, whether that is accepting only essential cookies or opting in to full tracking.
With increasing regulatory pressure such as the GDPR and growing public demand for privacy, many businesses will need to re-evaluate their marketing plans.
“This shift means losing easy access to detailed user data and having to rethink long-standing digital strategies,” Paulat says.
Best practices for businesses to comply with cookie laws and regulations
Here are five strategies to help businesses stay cookie compliant.
- Mind the border: Fai says that Australian businesses that use cookies to target and profile individuals in other countries “should be mindful that such use may mean that the laws of those countries may apply to them. For instance, for those individuals residing in the European Economic Area, the GDPR could apply as it has extra-territorial reach”.
- Privacy-first approach: Paulat says that the role of cookies in digital marketing is diminishing under regulatory pressure and changing browser policies. “This shift is accelerating the rise of privacy-led marketing, where transparency and user consent are not just compliance measures, but strategic differentiators. By investing in first-party data strategies and respecting user preferences, companies can not only meet regulatory expectations but also stand out in a crowded digital landscape.”
- Disclose cookie use: “Compliance requires not using or disclosing cookie information for any purpose other than the primary purpose for which it was collected,” Fai says. “Unless the secondary use would be directly related to the primary purpose and clearly within the reasonable expectations of the consumer.”
- Be transparent: Fai says that businesses should be clear about how the information gathered is used and for what purposes. “If you treat information collected from cookies as personal information, particularly [when it is] collected from a range of sources and aggregated to create a bespoke profile of a user, then this will ensure compliance with the Privacy Act.”
- Let the user choose: “Given the increasing scrutiny over the use of cookies by regulators today, in terms of a cookie policy, best practice — and indeed growing market practice — would be to allow consumers the ability to opt-out of all non-essential cookie collection and use,” Fai notes.