Cookies are not inherently bad things. The web is stateless - meaning that from one request for a resource to another request the web server does not know what state the client (mostly browser) is. Thus for logging into websites such as a bank you need to have a way to link set of requests together so server knows its a logged in user. Cookies serve this purpose nicely, through there are other ways around the problem such as sending login id in URL each time.
The problem is abuse of cookies. When using website X such website has embedded code for "Ads mega server" site in it - this "Ads mega server", if not already created, creates the tracking cookie - which has "login info". Now as you visit sites Y Z etc. they also have Ads mega server site embedded - it reads its own cookie and checks where you have been - they see site X and display ads for site X.
Cookies can store a lot more data than just session ID or some identifier - but today AFAIK they mostly do that since Database access is fast.
Frequently parent companies do not fully know what is exactly going on - i.e. developers use a lot of 3rd party stuff for websites and these 3rd party providers can be dishonest - well, I guess same way the client can pretend to be anything it feels like. A lot of cookie creation now is done automatically - i.e. developer assumes some layer somewhere actually creates a cookie. I did not create a cookie by hand in about a decade...
I find it unlikely a bank would use a tracking cookie from 3rd party site to display ads later on - I feel this is mostly for login purposes - but technically they are tracking your login... so it is a tracking cookie. You can set cookies only for duration of a session, fixed time span or never expires.
Bottom line is, cookies were "good" until people started abusing them and made them "bad".
