There is a small piece of software sitting in your browser right now that knows more about your recent habits than most of your closest friends. It knows which pair of trainers you looked at twice on a retailer’s website. It remembers you logged into your email this morning. It might even recall that you once spent eleven minutes on a page about vintage cameras before closing the tab in a moment of fiscal responsibility. That piece of software is a cookie, and its origin story is one of the more quietly remarkable chapters in the history of the web.
The history of browser cookies begins, as so many internet stories do, in the mid-1990s, in a world that was still working out what the web was even supposed to be. A young engineer named Lou Montulli was working at Netscape Communications in 1994, tasked with a very specific and rather unglamorous problem: shopping baskets. Online shops were struggling to keep track of what a user had placed in a cart as they moved between pages, because the web itself had no memory. Each page request was completely independent. The server had no way of knowing that the person asking for the checkout page was the same person who had spent the last ten minutes browsing. Every visit was, in effect, anonymous and amnesiac.
Lou Montulli and the Magic Cookie
Montulli’s solution was elegant. He borrowed an idea from Unix programming called a “magic cookie” — a small packet of data passed between programmes to maintain state. His browser implementation worked by having the server send a tiny text file to the user’s browser, which the browser would then store locally and send back with every subsequent request to that same server. Suddenly, the web had a memory. Netscape Navigator 0.9 shipped with cookie support in late 1994, and Montulli filed for a patent in 1995. The specification was later formalised in RFC 2109 in 1997, giving cookies a proper technical foundation.
The original use case was entirely practical. Montulli was solving a problem for an online shopping site called MCI, which wanted to build a virtual shopping system. Cookies were the mechanism that made it possible for a website to recognise a returning visitor, store preferences, and keep a basket intact. There was nothing sinister about it. The early cookie was essentially a sticky note that a website could leave on your browser.
How Cookies Quietly Became the Engine of Online Advertising
The transformation from useful technical tool to advertising infrastructure happened gradually, and without much public fanfare. In the early days of the commercial web, a new industry was forming around banner advertisements. Companies like DoubleClick (founded in 1996) realised that cookies could do far more than remember a shopping basket. If an advertising network could place its own cookie across multiple websites, it could track a user’s journey across the entire web, building a profile of their interests and behaviour without them ever signing up to anything or providing a name.
This was the birth of the third-party cookie, and it was a genuinely significant moment in the history of browser cookies. First-party cookies were set by the website you were visiting. Third-party cookies were set by external services embedded in that page, most often advertisers. A user visiting a news site, a recipe page, and a sports results page might be unaware that a single advertising network was silently logging all three visits, constructing a remarkably detailed portrait of their browsing life.
By the early 2000s, this tracking infrastructure had become enormous. DoubleClick was eventually acquired by Google in 2007 for approximately $3.1 billion, a purchase that underlined just how valuable all that behavioural data had become. The cookie, Montulli’s humble shopping basket fix, had become the financial bedrock of the entire advertising-supported internet.
When the Public Finally Noticed: Privacy Concerns and Early Regulation
It would be wrong to suggest that no one raised concerns during this period. Privacy advocates were writing about third-party cookie tracking as early as 1996. The Financial Times and the BBC both covered early debates about online privacy in the late 1990s. But for most users, the tracking was invisible, the language was technical, and the consequences felt abstract. The web was exciting and new. Worrying about cookies felt like worrying about the small print.
Awareness began to shift in the 2000s, partly driven by high-profile data scandals and partly by a growing understanding of how much personal information was accumulating in commercial databases. The European Union began moving towards regulatory action, and in 2011 the EU’s ePrivacy Directive came into force across member states, including the UK. It required websites to obtain consent before setting non-essential cookies. The implementation was patchy and often cynical, with many sites displaying meaningless notices rather than genuine consent mechanisms.
The real watershed moment came with the General Data Protection Regulation (GDPR), which took effect in May 2018. In the UK, GDPR was implemented through the Data Protection Act 2018, overseen by the Information Commissioner’s Office (ICO). Suddenly, the consent banner was not just a polite notice but a legal requirement. Websites had to provide genuine opt-out mechanisms for tracking cookies. The ICO published detailed guidance on what constituted valid consent, and enforcement action followed for organisations that ignored the rules. You can read the ICO’s current guidance on cookies at ico.org.uk.
The Death of the Third-Party Cookie (That Keeps Getting Postponed)
Since the early 2020s, the browser industry itself has been dismantling the third-party cookie ecosystem. Mozilla’s Firefox and Apple’s Safari had already moved to block third-party cookies by default. Google announced in 2020 that Chrome, which commands the largest share of browser usage in the UK, would phase out third-party cookie support. That deadline has shifted repeatedly as the advertising industry scrambled to find workable alternatives, but the direction of travel is clear. The third-party cookie, the invisible engine of behavioural advertising for nearly three decades, is being retired.
What replaces it is still being negotiated. Google’s Privacy Sandbox project proposes keeping user data inside the browser itself, with only aggregated signals shared with advertisers. Other proposals involve contextual advertising, which matches adverts to the content of a page rather than to the behaviour of the person reading it, a model that resembles the pre-cookie era of advertising in some respects.
What the History of Browser Cookies Actually Tells Us
What strikes me most about the history of browser cookies is how unintentional the consequences were. Montulli was not building a surveillance infrastructure. He was solving a shopping basket problem on a Tuesday afternoon in 1994. The cookie was a technically neat solution to a real and immediate engineering challenge. The advertising ecosystem that grew up around it was an emergent property of the commercial web, not a design goal.
That pattern recurs throughout the history of the internet. Technologies invented for modest, practical purposes become load-bearing pillars of an enormous industry, acquiring uses and implications that their creators never anticipated. Cookies are perhaps the purest example of that dynamic. Thirty years after Lou Montulli wrote his specification, the cookie consent banner is one of the most widely encountered pieces of text on the British internet, a direct descendant of a fix for a shopping basket problem, now regulated by parliamentary statute and enforced by a government body with the power to fine organisations millions of pounds.
Not bad for a sticky note.
Frequently Asked Questions
Who invented browser cookies and when?
Browser cookies were invented by Lou Montulli, an engineer at Netscape Communications, in 1994. He created them to solve the problem of web servers being unable to remember returning visitors, initially to support online shopping basket functionality.
What is the difference between first-party and third-party cookies?
A first-party cookie is set by the website you are actively visiting and is generally used for things like keeping you logged in or remembering your preferences. A third-party cookie is set by an external service embedded in that page, most often an advertising network, and can track your behaviour across multiple different websites.
Are cookies illegal in the UK?
Cookies themselves are not illegal in the UK, but the law regulates how they are used. Under the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR, websites must obtain informed consent from users before setting non-essential cookies such as advertising or analytics trackers. The ICO enforces these rules.
Why are third-party cookies being phased out?
Third-party cookies are being phased out primarily due to growing privacy concerns and regulatory pressure. Browsers including Safari and Firefox already block them by default, and Google has been working to remove them from Chrome. Their removal is intended to limit cross-site behavioural tracking without users’ meaningful knowledge.
What will replace third-party cookies for online advertising?
Several alternatives are being developed, including Google’s Privacy Sandbox, which processes user interest data inside the browser rather than sharing it with advertisers. Contextual advertising, which targets adverts based on page content rather than user behaviour, is also seeing renewed interest as the industry moves away from third-party tracking.