Well, it could instead track your preferences in a URL component.
Ironically that would tend to mean a whole lot more loss of privacy than a cookie, because (for example) if you ever shared or bookmarked such a URL it would reveal the information about you that would otherwise have been kept privately in the cookie.
Depends how it is done. Some years ago I was helping code a few websites, including one which allowed a customer to select items from an online catalogue, for delivery by van, and as the items were to be paid for on delivery, there was no need to hold sensitive customer information. There was, however, the need to remember which items from different pages were selected, and how much they would cost.
I never found the need to use proper cookies, but did have to use what are called session cookies, without which the site would not have worked. Session cookies disappear at the end of the session so they are a bit different to what is under discussion. It was certainly possible to pass this information from one page of a website to another page of the same website via a bit tagged on to the end of the URL and that would have been a security risk in that if exactly the same URL was copied to another computer, it would see the same page.
The original website is now long gone, replaced with a full ecommerce site, but the ability to pass information from one page to another on the same site via a code added to the URL is still available, but can be made vastly more secure using the curiously named “nonce” (number used only once).
A few years since I needed to remember this stuff, so I may misremember. I have used this “nonce” when writing a WordPress plugin to assist the same web developer who set up the site for the van delivery. The point about the jolly old nonce is that it is a code number generated once, and it is looked for by the second page to validate the rest of the URL sent to it. Also, it has to be a very short time after the number was generated and (I think) on the same machine or would be rejected.
I’d be surprised if something like that was not used on this site, unless there is a better way still.
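An added example, not part of the posts above and not WordPress's or any site's own code: a URL token of the kind described, computed as an HMAC over the path, the parameters, a session identifier and a time window, so that an altered, stale, or copied-to-another-session URL is rejected. `SECRET_KEY`, `WINDOW_SECONDS`, `sign_url` and `verify_url` are hypothetical names, and the key and sample values are constructed.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlsplit, parse_qsl

# Assumption: a secret known only to the server (constructed demo value).
SECRET_KEY = b"constructed-demo-key-not-for-production"
# Assumption: length of one validity window; a link lives for at most two windows.
WINDOW_SECONDS = 300


def _tag(path, items, session_id, tick):
    # Sort the parameters so their order cannot change the signed message.
    canonical = urlencode(sorted(items))
    message = "\n".join([path, canonical, session_id, str(tick)]).encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def sign_url(path, params, session_id, now=None):
    """Return path?params&nonce=..., bound to this session and time window."""
    now = time.time() if now is None else now
    tick = int(now // WINDOW_SECONDS)
    items = list(params.items())
    nonce = _tag(path, items, session_id, tick)
    return path + "?" + urlencode(items + [("nonce", nonce)])


def verify_url(url, session_id, now=None):
    """True only if the URL is unmodified, recent, and used in the same session."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    items = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in items if k == "nonce"]
    if len(supplied) != 1:
        return False  # missing or duplicated token
    rest = [(k, v) for k, v in items if k != "nonce"]
    tick = int(now // WINDOW_SECONDS)
    # Accept the current and previous window so a link created just
    # before a window boundary does not fail immediately.
    return any(
        hmac.compare_digest(supplied[0], _tag(parts.path, rest, session_id, t))
        for t in (tick, tick - 1)
    )
```

Because the session identifier is part of the signed message but never appears in the URL, a shared or bookmarked link carries nothing that validates outside the session that created it.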