Lou Montulli invented cookies in June 1994 to solve the shopping cart problem. Within 2 years, advertisers had hijacked his privacy-respecting invention for cross-site surveillance. That’s his regret. Not the cookie itself. Not what your WooCommerce store uses it for. The exploit.

Montulli was 23 years old at Netscape when he created HTTP cookies. His design was deliberate: a cookie could only be read by the website that set it. No cross-site tracking. No following users around the internet. Just a simple way for a website to remember you visited—like recognizing a returning customer.

Today, store owners feel guilty using cookies. Headlines scream “cookies are evil” without distinguishing the original design from its corruption. But Montulli himself has been clear: “First-party cookies do not have any privacy concerns that I know of,” he stated in a LiveIntent interview.

The Shopping Cart That Started It All#

Before cookies, the web had no memory. Every page load was a stranger meeting. You’d add something to a cart, click to another page, and the cart forgot you existed. E-commerce was nearly impossible.

Montulli’s solution borrowed from an old computing concept called “magic cookies”—data packets that systems pass back and forth without modification. He adapted this for browsers: let a website store a small piece of information on the user’s computer that only that website could read back.

You may be interested in: WordPress Store Cookies Work Like a Sales Assistant

“We designed cookies to exchange information only between users and the website they visited,” Montulli told Quartz. “The founders of Netscape and many of the other denizens of the internet in that age were really privacy-focused.”

The adoption was immediate. According to NPR’s Planet Money, within 5 months of Netscape’s launch, 90% of internet users had switched to the browser with cookies built in. The shopping cart problem was solved.

The 1996 Hack That Changed Everything#

Montulli designed cookies so only the originating website could read them. yourstore.com sets a cookie, only yourstore.com can read it. Simple. Private.

But advertisers found a loophole. When your site loads an ad from adnetwork.com, that ad can set its own cookie. When another site loads an ad from the same network, adnetwork.com can read its cookie there too. Suddenly, one company could track users across thousands of websites.

By 1996—just 2 years after cookies were invented—this third-party tracking exploit was in full swing, according to Montulli’s interviews with Quartz.

“That’s the one gotcha we had,” Montulli admitted. Third-party cookies weren’t in his original vision. They were a hack—one that would define how the public perceives cookies for the next three decades.

What Montulli Actually Says About First-Party Cookies#

Here’s the distinction that matters. Montulli doesn’t condemn all cookies. He distinguishes sharply between what he built and what advertisers exploited:

“Cookies were designed to prevent tracking, because only the originating website can set and receive that cookie,” he explained. The problem isn’t the mechanism. It’s the third-party abuse of it.

In his public statements, Montulli has been consistent: “First-party cookies do not have any privacy concerns that I know of. I would agree with those who say third-party cookies can be a breach of privacy.”

You may be interested in: First-Party vs Third-Party Cookies: Why One Survives

This isn’t spin. It’s the inventor of the technology explaining the difference between his design and its corruption. When your WooCommerce store uses a session cookie to remember cart items, you’re using cookies exactly as Montulli intended. When your GA4 sets a first-party cookie to recognize returning visitors, that’s the original use case.

Your WooCommerce Store Uses Cookies Correctly#

The shopping cart problem that cookies were invented to solve? That’s still the core use case for WordPress e-commerce:

• woocommerce_cart_hash: Remembers your cart contents across pages
• woocommerce_items_in_cart: Tracks whether items exist in cart
• wp_woocommerce_session: Maintains your shopping session

These are first-party cookies. Set by your domain. Read by your domain. No cross-site tracking. No surveillance. Just a website remembering you’re a customer—exactly what Montulli built cookies for in 1994.

When a privacy advocate criticizes “cookies,” they’re criticizing the ad network exploit, not your shopping cart. The redemption arc is real: first-party cookies for first-party purposes are coming back into favor as third-party cookies die.

The Ethical High Ground Is Where You’re Standing#

Store owners sometimes feel like they’re doing something wrong by using cookies at all. The headlines don’t help. But consider the source: the person who invented cookies says first-party use is fine.

Server-side tracking takes this further. Transmute Engine™ runs as a first-party Node.js server on your subdomain (like data.yourstore.com). Events flow through your infrastructure first. The inPIPE WordPress plugin captures data and sends it via API to your Transmute Engine server, which routes to GA4, Facebook CAPI, and BigQuery—all from your domain, all first-party.

That’s not surveillance. That’s a store knowing its customers. Montulli would approve.

Key Takeaways#

• Lou Montulli invented cookies in 1994 to solve the shopping cart problem—the exact same use case WooCommerce uses today
• His design was deliberately privacy-focused—only the originating website could read its own cookies
• Third-party tracking was a 1996 exploit—advertisers hijacked the technology within 2 years
• Montulli says first-party cookies have no privacy concerns he knows of—he distinguishes his invention from its corruption
• Your store uses cookies correctly—session cookies, cart cookies, and analytics cookies are first-party use cases

The inventor of cookies says what you’re doing is fine. First-party cookies for first-party purposes. That’s the story. See how Transmute Engine keeps your tracking first-party →