The History of Cookies: From Convenience to Surveillance
HTTP cookies were invented in 1994 to solve a straightforward technical problem: web servers couldn’t remember anything about you between page loads. Every request was independent, which made building something as simple as a shopping cart nearly impossible. Lou Montulli at Netscape invented cookies to fix this, and in doing so, created the foundation for the web tracking industry.
The Original Problem
HTTP, the protocol that powers the web, is “stateless”—each request from your browser to a server happens independently, with no memory of previous requests. This design made sense for serving static documents, which is what the early web primarily did.
But when businesses wanted to sell things online, they needed shopping carts. You’d add items to your cart, browse to another page, and when you came back, the cart should remember what you added. The server needed to maintain state across multiple page requests from the same user.
Montulli’s solution was elegant. When you first visit a site, the server sends a small piece of data—a “cookie”—that your browser stores. On subsequent requests, your browser automatically sends that cookie back to the server. The server uses the cookie to recognise you and retrieve your shopping cart, preferences, or session data.
This worked brilliantly. Netscape Navigator 0.9 beta shipped with cookies in 1994, and by 1995, they were implemented in other browsers. E-commerce became viable. The problem was solved.
When Tracking Started
The issue emerged quickly. If cookies let websites remember users, they could track user behaviour across page visits. How long you stayed on each page, which products you viewed, when you returned—all trackable with cookies.
Third-party cookies made it worse. These are cookies set by domains other than the site you’re visiting—typically advertising networks. If multiple websites all use the same advertising network, that network can use third-party cookies to track you across all those sites, building a comprehensive profile of your browsing behaviour.
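The cookie round trip and the cross-site linkage described above can be reproduced in a small simulation. This is an added example, not code from the original article; the ad network, hostnames and `uid` cookie are hypothetical, and "site" is simplified to the last two labels of the hostname.

```python
import itertools
from urllib.parse import urlsplit

def site_of(url):
    # Simplification (assumption): registrable domain = last two host labels.
    return ".".join(urlsplit(url).hostname.split(".")[-2:])

class AdNetwork:
    """Hypothetical ad server: issues a uid cookie, logs the embedding page's site."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = {}                      # uid -> sites seen

    def handle(self, cookies, referer):
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:                         # first contact: mint an identifier
            uid = f"u{next(self._ids)}"
            set_cookie = {"uid": uid}           # Set-Cookie: uid=...
        self.profiles.setdefault(uid, []).append(site_of(referer))
        return set_cookie

class Browser:
    def __init__(self, block_third_party=False):
        self.block_third_party = block_third_party
        self.jar = {}                           # host -> {name: value}

    def fetch(self, url, page_url, server):
        host = urlsplit(url).hostname
        blocked = self.block_third_party and site_of(url) != site_of(page_url)
        # Cookie header: everything stored for this host, unless blocked.
        cookies = {} if blocked else dict(self.jar.get(host, {}))
        set_cookie = server(cookies, referer=page_url)
        if set_cookie and not blocked:
            self.jar.setdefault(host, {}).update(set_cookie)

def browse(browser, pages):
    ad = AdNetwork()
    for page in pages:                          # each page embeds the same pixel
        browser.fetch("https://ads.adnet.example/pixel.gif", page, ad.handle)
    return ad.profiles

PAGES = ["https://www.shop.example/cart", "https://news.example/article"]

if __name__ == "__main__":
    print(browse(Browser(), PAGES))                        # one uid, both sites
    print(browse(Browser(block_third_party=True), PAGES))  # two unlinked uids
```

With third-party cookies blocked the ad server still receives each request, but every visit looks like a new visitor, so the two sites can no longer be joined under one identifier.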
DoubleClick (later acquired by Google) pioneered this at scale in the late 1990s. Their ad-serving technology dropped cookies on millions of users, tracking them across thousands of websites. The data powered targeted advertising, and the advertising industry realised it had found a goldmine.
The Privacy Backlash
Privacy advocates raised concerns from the beginning. The Electronic Frontier Foundation warned about tracking in the mid-1990s. By 2000, mainstream media was covering “web cookies” as a privacy threat. The FTC investigated cookie practices.
But nothing much changed. Browsers added options to block cookies, but blocking them broke too many websites. Privacy policies became legally required in many jurisdictions, but most people didn’t read them. Cookie-based tracking became the web’s business model.
The European Union’s ePrivacy Directive in 2002 (and later the GDPR in 2018) attempted to regulate cookies, requiring user consent. This produced the “cookie banners” that now clutter every European website—annoying compliance theatre that doesn’t meaningfully protect privacy because most users just click “Accept All” to make the banner disappear.
The Technical Arms Race
Browser vendors eventually started blocking third-party cookies by default. Safari implemented Intelligent Tracking Prevention in 2017. Firefox added Enhanced Tracking Protection in 2019. Chrome announced plans to phase out third-party cookies by 2024 (then delayed repeatedly).
The advertising industry adapted. They invented “fingerprinting”—identifying users based on unique combinations of browser settings, fonts, screen resolution, and other characteristics. No cookies needed. Privacy advocates called this even more invasive than cookies because users couldn’t control it.
Then came server-side tracking, where tracking happens on the server rather than in the browser; first-party cookies set by websites themselves rather than by advertisers; and CNAME cloaking, which makes third-party cookies look like first-party cookies. The arms race continues.
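CNAME cloaking can be detected by following the DNS alias chain of a hostname that looks first-party and checking where it ends. The sketch below is an added example, not from the original article; the DNS records, cookie jar and tracker list are constructed sample data, and "site" is again simplified to the last two labels.

```python
# Constructed sample data: CNAME records as a resolver might return them.
CNAMES = {
    "metrics.shop.example": "shop-example.collector.tracker.example",
    "shop-example.collector.tracker.example": "edge7.tracker.example",
    "www.shop.example": "lb.shop.example",
    "static.shop.example": "shop.cdn-provider.example",
}
TRACKER_SITES = {"tracker.example"}      # assumption: taken from a blocklist

def site_of(host):
    # Simplification (assumption): registrable domain = last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def cname_chain(host, records, max_hops=8):
    chain = [host]
    for _ in range(max_hops):            # bounded, and stops on alias loops
        target = records.get(chain[-1])
        if target is None or target in chain:
            break
        chain.append(target)
    return chain

def classify(host, page_site, records=CNAMES, trackers=TRACKER_SITES):
    if site_of(host) != page_site:
        return "third-party"
    outside = [h for h in cname_chain(host, records)[1:]
               if site_of(h) != page_site]
    if any(site_of(h) in trackers for h in outside):
        return "cloaked-tracker"         # first-party name, tracker infrastructure
    return "delegated" if outside else "first-party"

def cookies_exposed(host, jar):
    """Cookie names a browser would attach to a request for `host`."""
    sent = []
    for name, (set_by, domain_attr) in jar.items():
        if domain_attr is None:          # host-only cookie
            if set_by == host:
                sent.append(name)
        elif host == domain_attr or host.endswith("." + domain_attr):
            sent.append(name)            # Domain= cookie covers subdomains
    return sorted(sent)

# Constructed jar: name -> (host that set it, Domain attribute or None)
JAR = {
    "session": ("www.shop.example", "shop.example"),
    "csrf": ("www.shop.example", None),
}
```

The last function shows why cloaking matters beyond tracking: any cookie the site scopes with `Domain=shop.example` is also sent to the cloaked subdomain, while host-only cookies are not.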
What Cookies Tell Us About the Web
Cookies represent the tension between functionality and privacy that defines the modern web. The same technology that makes online shopping, banking, and personalised services possible also enables surveillance advertising and behavioural tracking.
There’s no simple solution. Blocking all cookies breaks legitimate functionality. Allowing all cookies enables invasive tracking. Users don’t have the technical knowledge to make informed decisions, and “asking for consent” via cookie banners is mostly meaningless.
The web’s business model—free content funded by advertising—depends on tracking. Removing tracking means rethinking how the web gets paid for. That’s a much bigger conversation than cookie policy.
Where We’re Headed
Google’s proposed “Privacy Sandbox” would replace third-party cookies with new browser APIs that theoretically provide advertising functionality without individual tracking. Critics argue it just moves tracking from cookies to browser-level mechanisms controlled by Google.
Meanwhile, regulatory pressure increases. California’s privacy laws, EU regulations, and potential federal US privacy legislation all aim to restrict tracking. But enforcement is weak, penalties are low, and companies keep finding workarounds.
The irony is that cookies were invented to improve user experience—remembering your shopping cart, keeping you logged in, storing preferences. They’re still doing those useful things. But they’re also doing extensive surveillance that most users didn’t consent to in any meaningful sense.
Lou Montulli probably didn’t imagine his elegant solution to the shopping cart problem would become the foundation of a multi-billion dollar surveillance industry. But that’s the web—every technology gets repurposed, and unintended consequences are more significant than original intent. Cookies are just the most visible example of that pattern.