For decades now, marketers have used cookies to track website visitors, improve the user experience, and collect data to help target their ads to the right people.
But in the past few years, the cookie’s reign has been threatened, with attacks on its use from almost all quarters. But why is the cookie so apparently dangerous? And what will replace it?
In this article we explore the history of the cookie, why it’s being phased out, and share a brief summary of the recent attacks on both the first and third-party cookie, and a clever solution for the cookie that is fully compliant and already delivering impressive results.
What’s the history of the cookie?
The cookie was invented by Lou Montulli in 1994. At the time, Montulli was an engineer at Netscape, the company that built one of the internet’s first widely used browsers, and he was trying to solve a common problem on the early web: the poor memory of websites.
This meant that every time a user loaded a new page, the website would treat them as if they’d never visited it before, making it impossible to build features like personalised content, logging in, and shopping carts that remember our purchases as we continue to browse on the site.
As Montulli says, using websites pre-cookies was “a bit like talking to someone with Alzheimer disease. Each interaction would result in having to introduce yourself again, and again, and again.”
So Montulli came up with the cookie, a small text file passed between a person’s computer and a single website, as a solution to help websites remember visitors.
While developing the cookie, Montulli had initially come up with a simpler solution, which was to give every user a unique, permanent ID number that their browser would reveal to every website they visited. But he rejected this option because he and his Netscape team were concerned that it would enable third parties to track people’s browsing activity.
Advertisers learned to hack the cookie
However, within two years of launching the cookie, advertisers had learned to hack cookies to do exactly that: follow people around the internet. And eventually, the system of cookie-based ad targeting we know today became commonplace.
As much as this wasn’t Montulli’s intention, cookies do have a positive role to play in advertising. Much like the issue with early websites, without cookies brands are advertising almost blind. They have much less control over who is seeing their ads, and how relevant their ads may be.
As a result, we’d live in a world where we were seeing ads about anything, rather than ads tailored to our interests and life stage. In other words, ads for things we may actually want or need. Without cookies we also risk being served ads for things we’ve already bought, or brands we really don’t like.
As Montulli says of his invention: “Cookies are not perfect, but they have certainly proved good enough and much of the functionality of the web depends on them.”
What’s the difference between first and third-party cookies?
Today, there are two types of cookie: the first-party cookie and the third-party cookie.
A first-party cookie is a code that is generated and stored on your website visitor’s computer by default when they visit your site. This cookie improves our user experience by remembering passwords, our preferences and other basic data about us, such as our language.
A first-party cookie remembers what users did when visiting your website, sees how often they visit and other basic analytics. However it cannot see any data regarding your users on other websites.
Third-party cookies are tracking codes that are placed on a visitor’s computer after being generated by a website other than your own. The, when that web visitor visits your website and others, the third-party cookie sends this information to the third-party who created it.
Third-party cookies allow advertisers to learn about people’s overall online behaviours, including websites they often visit, purchases, and interests. This detailed data helps them to build useful visitor profiles so they can create a retargeting list to send ads to past visitors or people with similar web profiles.
Why are cookies dying out?
So if cookies are so helpful, why are they being phased out? The reasons for the attack on the cookie is less about relevant targeting, and more about the risk of a loss of privacy, and what could happen to our data if it was in the wrong hands or abused.
The data most websites hold about you can’t be used to identify you personally. However, a few large companies, such as Google, Facebook and Amazon, hold a huge amount of personally identifiable information about millions of people. That data could tell someone information such as any medical conditions you had, or your sexual orientation, and is highly likely to be linked to your real name.
So, over the past few years a growing battle has been waged against the cookie. In 2010 the Federal Trade Commission (FTC) fired one of the first arrows by asking social networking sites and browser developers to create a ‘do not track’ cookie system. This meant that sites would not capture a user’s browsing habits and not deliver customized ads. Instead, a cookie would be created and enabled by a browser button.
At the time the FTC said: “With respect to ‘do not track,’ we are giving companies a little time, but we’d like to see them work a lot faster in making consumer choice a lot easier.”
However, one company that didn’t heed the warning was Google, who agreed to pay $22.5 million in 2012 to settle FTC charges that it misled consumers about its use of tracking cookies on the Safari browser.
The problem in this instance was that Google’s opt-out cookie mechanism didn’t work for Safari users. And while Google told Safari users that they didn’t need to worry about the unavailability of opt-out because Safari’s cookie controls would provide the same protection, the FTC say this promise wasn’t kept. Instead, Google placed tracking cookies in many Safari users’ browsers.
How the war on cookies has heated up
In 2011, the e-Privacy Directive changed the law regarding cookies in the European Union. To comply with the law, website owners had to tell visitors about the cookies they use and gain their consent. This meant websites needed to display a pop-up when people first visited that linked to an explanation of their cookie policy and allowed them to accept it.
Since then, the war on the cookie has heated up. In 2017 Apple rolled out Intelligent Tracking Prevention (ITP), which limited the ability for website owners and advertising platforms to track users across domains by purging third-party cookies after 30 days. Then, in 2019 Apple launched ITP 2.1, which caps the lifespan of first-party cookies to a maximum of seven days. When combined with ITP 2.2 which limits first-party cookies to just 24 hours, it meant that marketeers were, in effect, working blind in Safari.
In May 2019 Google also announced changes that enabled Chrome users to delete cookies used for online ad targeting without losing first-party data. At the same time they pitched a “Google Universal Browser ID” which would give them even more control over all advertising globally.
Guidance from the Information Commissioner’s Office (ICO) has also since confirmed that there is to be no tracking without explicit consent. And GDPR, which came into force in May 2018, means that websites can’t rely on implicit opt-in where a website displays a cookie banner but the user continues to browse.
In January 2020, Google announced that it was planning to block third-party cookies from its Chrome browser by 2022, and replace them with something it called Federated Learning of Cohorts (FLoC), a “privacy-first” and “interest-based” advertising technology. With FLoC, Chrome would keep track of users’ browsing habits across the web, and then place them in audiences, or “cohorts,” based on their habits. Advertisers would then target their ads to cohorts, as opposed to individual users.
However, in June 2021, Google announced that it was delaying its plans to scrap third-party cookies until late 2023. The announcement was made after considerable regulatory scrutiny and concerns over FloC. Indeed, trials have already been abandoned in markets where they don’t meet local consumer privacy standards.
It’s not just organisations and companies fighting the cookie; users have been demanding greater privacy – including transparency, choice, and control over how their data is used – too. And many of the changes and new regulations we’ve seen have been an attempt to meet these increasing demands.
Who’s the biggest loser in the death of the cookie?
As you can see, there’s been a concerted attack on the cookie from all directions over the past few years. This has led the claim that the third-party cookie is all but dead.
But while privacy and consent are indeed essential, the death of the cookie risks taking us backwards, with several losers including brands trying to legitimately advertise to people who want and need what they are offering, customers looking for products and offers they want, and businesses like publishers who rely on advertising to support their free content model.
Research shows that customers prefer seeing relevant ads to irrelevant ones. But not at any cost; without transparency about how this is delivered this perception can change. Advertising is the lifeblood of the internet’s free content model, and every brand knows that the right message, at the right time, with the appropriate relevancy delivers results and customer loyalty.
What can replace the cookie?
As long as it’s done transparently, why shouldn’t brands with the right legal means (explicit consent) deliver ads to customers who want to see them? And why shouldn’t businesses who rely on advertising be able to show relevant ads? As long as all three parties’ consent to it, it’s a win-win-win situation.
So what can replace the cookie? According to Google, simply blocking third-party cookies has “unintended consequences that can negatively impact both users and the web ecosystem”.
Google continues: “By undermining the business model of many ad-supported websites, blunt approaches to cookies encourage the use of opaque techniques such as fingerprinting (an invasive workaround to replace cookies), which can actually reduce user privacy and control. We believe that we as a community can, and must, do better.”
How we’re already successfully operating cookie-less
So what does ‘better’ look like? Over the past few years we’ve been perfecting our own technology to replace the role of the cookie. Our solution includes our own consenTag, which manages consent, and our non-cookie-based user targeting and attribution technology ActiveID, which allows advertisers to accurately target without cookies.
Our combined solution works by managing consent preferences, using relevant targeting for better performance, and joining the dots with attribution. As a result we are already successfully operating cookie-less in Apple and Firefox Browsers right now.
Unlike other inadequate non-cookie solutions, our technology means that we don’t need to build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products. Our web products are powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.
And we’re delivering exceptional results for our happy clients – including more new customers, higher conversion rates, increased organic search results, and industry-beating ROI, CTR and CPA.
So while the world continues to wage war with the cookie, and grapple with the best solution to replace it, our clients are continuing to reach new, current and lapsed customers with fully-compliant, relevant, consented ads containing the right messaging at the right time.
Want to find out more about our cookie-less solution? Get in touch and we’ll be happy to chat.