Lou Montulli invented the HTTP cookie in 1994 to protect your privacy. That’s not a typo. The technology everyone now associates with surveillance was specifically designed to prevent tracking. The alternative Montulli was trying to avoid? A permanent browser ID that would follow users across the entire internet.
Cookies were the privacy-preserving option. Advertisers corrupted them within two years.
The Problem Montulli Was Solving
In 1994, the early web had a fundamental problem: HTTP is stateless. Every time you request a page, the server treats you as a complete stranger. That made shopping carts impossible. Login sessions impossible. Any website that needed to remember you—impossible.
The obvious fix was a permanent browser ID. Every browser would have a unique identifier, and websites could track you using that ID. But Montulli saw the danger immediately: a permanent ID would let anyone track everyone everywhere. No privacy at all.
His solution was elegant. Instead of a universal ID, individual websites could set small pieces of data—cookies—that only that website could read. Your bank could remember your login. Your shopping cart could persist. But the bank couldn’t see your shopping cart, and the store couldn’t see your bank activity.
“Cookies were designed to provide privacy,” Montulli explained in a 2022 interview with Quartz. “It is only through collusion between many websites and an ad network that ad tracking happens.”
You may be interested in: The Cookie Redemption: First-Party Data Is the Ethical High Ground
The Two-Year Corruption
Montulli’s design had one vulnerability he didn’t anticipate: third-party cookies.
When you visit a website, that site can set first-party cookies—cookies that only work on that domain. But websites often load resources from other domains: images, scripts, ads. Those external domains could also set cookies. And those cookies would work across any site that loaded that external resource.
Advertising networks spotted this loophole almost immediately. By 1996—just two years after cookies were invented—ad networks were placing tracking cookies across thousands of websites. If you visited Site A and Site B, and both loaded an ad from the same network, that network could track you across both sites.
The Financial Times warned about this privacy threat in February 1996 (Financial Times, 1996). The IETF—the body that governs internet standards—tried to close the loophole in 1997, recommending that browsers block third-party cookies by default (IETF RFC history, 1997).
The browsers ignored them. Advertising money was already flowing.
“Third-party was the one gotcha we had,” Montulli admitted in his Quartz interview—a vulnerability that enabled the surveillance economy we live with today.
Why This History Matters for Your WordPress Analytics
Here’s where cookie history becomes practical for WordPress store owners: the cookies you use for analytics are not the cookies people hate.
When visitors complain about cookies, they’re complaining about being followed across the internet. Ads that stalk them from site to site. Data brokers building profiles without consent. The creepy feeling that someone is watching everything they do online.
That’s third-party tracking. That’s the corruption of Montulli’s original design.
Your WooCommerce session cookie? Your GA4 client ID? Your login authentication? Those are first-party cookies doing exactly what Montulli intended: your site remembering your visitors. Not surveillance. Not cross-site tracking. Just your store recognizing a returning customer.
You may be interested in: Third-Party Cookie Update 2026: Google’s Reversal, What Actually Died, and Why It Still Matters
First-Party vs Third-Party: The Critical Distinction
The distinction is simple but crucial:
First-party cookies are set by the website you’re actually visiting. They only work on that domain. When you add something to your WooCommerce cart, a first-party cookie remembers it. When you log in to your account, a first-party cookie maintains your session. This is exactly how Montulli designed cookies to work.
Third-party cookies are set by external domains loaded through ads, scripts, or tracking pixels. They work across any site that loads that external resource. This is how advertising networks track you across the internet—and this is what corrupted the cookie’s reputation.
Safari and Firefox now block third-party cookies by default. Chrome still allows them but Google has flip-flopped on deprecation plans. The regulatory and browser pressure is entirely focused on third-party tracking.
First-party cookies remain legal, functional, and exactly what the inventor intended.
What This Means for Your Tracking Setup
When you collect analytics on your WordPress site using first-party methods, you’re not participating in the surveillance economy. You’re using cookie technology as designed: your site remembering your visitors.
Server-side tracking with first-party data collection honors Montulli’s original vision. Transmute Engine™ is a first-party Node.js server that runs on your subdomain (like data.yourstore.com). The inPIPE WordPress plugin captures events and sends them to your Transmute Engine server, which routes data to GA4, Facebook CAPI, and other destinations—all from your own domain. No third-party cookies. No cross-site tracking. Just your site collecting your data about your visitors.
Key Takeaways
- Cookies were invented to protect privacy. Lou Montulli created them in 1994 specifically to avoid a permanent browser ID that would enable universal tracking.
- Advertising corrupted them by 1996. Third-party cookies enabled cross-site tracking within two years of the technology’s invention.
- The IETF tried to stop it. In 1997, internet standards bodies recommended blocking third-party cookies. Browsers ignored them.
- Your first-party cookies are not the problem. WooCommerce carts, login sessions, and first-party analytics work exactly as Montulli intended.
- First-party data collection honors the original design. Server-side tracking from your own domain is cookie technology used correctly.
Lou Montulli invented HTTP cookies in 1994 at Netscape. The purpose was to protect privacy by allowing websites to remember visitors without requiring a permanent browser ID that would track users across the entire internet. Cookies were specifically designed as a privacy-preserving alternative.
No. First-party cookies are set by the website you’re visiting and only work on that site—exactly as Montulli designed. Third-party tracking cookies are set by advertising networks across multiple sites to build surveillance profiles. Your WooCommerce cart and session cookies are first-party and work as intended.
Advertising networks discovered the third-party cookie loophole in 1996, just two years after cookies were invented. By placing cookies across multiple sites, they could track users everywhere. The Financial Times warned about this in February 1996, and the IETF tried to block it in 1997—but browsers didn’t comply.
Your analytics cookies aren’t the enemy. Learn how first-party tracking honors Montulli’s original design.
