We’ve all clicked “Yes” or “Ok” a thousand times when visiting a website for the first time and had to consent to their use before we were allowed to continue. Even if we’re not sure exactly how they work, we’re used to the idea that cookies have something to do with tracking our activity on a site and personalizing the content that we see. If you didn’t know that, go clear all the cookies in your browser right now and then go visit Amazon, Gmail or Facebook and see how you get treated like someone who’s never visited them before.
Cookies are something we usually don’t think about after that initial consent is given. For internet users, they’re a kind of ticket we must share to gain access to websites—a free ticket that we just have to get once. Spend three seconds giving consent to cookies and get personalized content and saved preferences in return? Sounds like a pretty good deal.
That’s why we don’t give cookies much thought. There’s no cost to us and we understand they are a necessary formality we have to agree to before we get down to the serious business of buying stuff online, browsing content or using social media.
But from the point of view of site operators, especially in ecommerce, cookies are an extremely important and fundamental aspect of the operation of any website. They form part of the backbone of commercial strategies, marketing campaigns and advanced techniques used in automated processes of every imaginable kind.
The dramatic rise of ecommerce over the past decade and its projected continued explosive growth are putting cookies at the center of a new battle involving titans of the online world. If you haven’t heard about this fight over new standards involved in online tracking, it’s time to catch up.
Two cookie flavors to choose from
Before we go any deeper, a review of the two different kinds of cookies involved will be helpful.
Think of cookies as your online fingerprint. Even without sharing your name and personal information, cookies placed in your browser by a website give you a unique identifier that allows that website to recognize you when you return. Later, if you provide your personal information after, for example, making a purchase, your previous activities made before you shared that information can be merged with activities going forward.
There are two types of cookies, first-party and third-party cookies. They are essentially the same from a technical perspective and collect the same types of information and only differ in who is using them and for what purposes.
First-party cookies are placed in your browser directly by the site you are visiting, hence the name. First party cookies are named after the domain that uses them. Sites use them to gather user behavior, remember user settings and provide an overall better experience. The idea behind these cookies is to enable users to customize the site to certain degree or to access it without having to provide logins every time.
First-party cookies ensure a certain level of continuity and convenience when using websites, especially one you visit often. They save bits of information that recreate the site as you last left it when you return to it. This includes things like:
- View history (for ecommerce sites, cookies help to build personalized content based on your view history—that’s why you see products similar to what you’ve viewed before)
- Cart status (remembering which items have been added to a cart and keeping them there until your next visit is an important function of cookies in ecommerce)
- Website configuration (if you select a certain language version, for example, cookies will remember it so you don’t have to select it every time you visit)
Third party cookies are used by sites other than the one you are visiting. They are named not after the site you are visiting, but after partner sites. This primarily means marketing services that provide banner ads and other promotional materials based on user histories as they move across multiple sites. Third-party cookies are also used by social media sites to track user behavior to better target ads served on those social media sites when you return to them later. These cookies are also sometimes used to enable certain services like live chat.
For as long as there has been smart online advertising, it has been driven by third-party cookies. By “smart”, we mean ads based on your search history or demonstrated interests. This doesn’t mean that every ad you see is something you’re interested in—far from it—just that there is some logical basis for the selection of ads that you see. Third party cookies allow advertisers to avoid being completely random in their attempt to get your attention.
Third-party cookies are primarily used to:
- Retarget (you’ve noticed that after viewing a particular product in an online store, you’ll often see ads for that same product in the ad space on other pages—that’s retargeting)
- Ad serving (third-party cookies provide data that helps ad services match ads to websites and collect and report data about clicks and impressions)
- Cross-site tracking (this means collecting and processing data from multiple sites visited by the same user for the purpose of serving more precisely-targeted ads)
But, after many years of stability on this front, things are suddenly beginning to change in a big way.
Privacy issues are changing the way cookies are used
The implementation of the GDPR laws (General Data Protection Regulation) in 2018 reflected the growing importance of how consumers view the collection and processing of their personal data. Privacy issues are now a major concern for consumers and the big players of the online world feel a strong obligation to respond to those concerns.
Apple is leading the way in introducing changes in how cookies are used and not everyone is happy about it. Normally, a mega-corporation like Apple wouldn’t worry too much about someone who didn’t like the direction they were taking but we’re not talking about just any “someone” here. The biggest resistance to Apple’s moves is coming from another tech titan—Facebook.
What’s the source of the conflict in this Godzilla vs. Megalon showdown of Silicon Valley monsters? Let’s take a closer look.
Apple is essentially trying to end the use of third-party cookies and restrict data collection activities to first-party cookies. Their argument is that third-party cookies ride on the back of consent that users are really giving to first-party cookies. When users give consent to xyz.com, they’re not really giving consent to the advertisers that work with xyz.com. Data gathered by those advertisers is de facto gained through a kind of mild deception and is not consistent with modern best practices governing privacy and data protection issues.
In fairness to Apple, they are simply stating an obvious fact that has been ignored for too long. Third-party cookies are rushed in through the open door created by consent that is clearly intended for first-party cookies. Most people are willing to voluntarily give consent for cookies to xzy.com but very few really want the third-party cookies that come with them.
Apple is correct to point out that users are rarely given a choice because all of those cookies are typically bundled together in an all-or-none proposition. They want to bring clarity to online data collection by eliminating third-party cookies that track activity across sites altogether.
That’s where the problems start. Such a fundamental change in the way things work is sure to step on someone’s toes. Someone who relies on tracking user activities across sites, for example.
Facebook, for example.
If there’s anyone left who doesn’t already know, Facebook’s business model is built on the transformation of data into targeted advertising segments. Want to guess how they collect much of that data?
That’s right, third-party cookies.
Actually, to be more precise and to better frame the conflict with Apple, Facebook also uses first-party cookies like third-party cookies. Confused? Let us explain.
The easiest example of this is something that you’re probably already familiar with. Many news sites use a Facebook plugin to allow readers to “like” a story or leave comments. That same plugin might allow users to share a news story directly on their Facebook page or send to a Facebook friend. To enable this functionality, Facebook places a first-party cookie on that news site because the user is directly engaged with Facebook by using it to leave comments, etc.
The problem, from Apple’s perspective, is that Facebook is then using this information gathered using first-party cookies to track users across sites, which is something that third-party cookies do. In other words, Facebook is technically not using third-party cookies but using first-party cookies to achieve the same marketing results that third-party cookies would deliver.
Apple doesn’t like this because it’s inconsistent with their new approach to data privacy.
That’s why they recently introduced Intelligent Tracking Prevention (ITP) 2.0 in their Safari browser and in iOS 11. It’s enabled by default and identifies cross-site tracking and makes it impossible to use first-party cookies as third-party cookie tracking devices. This is a major change to ITP 1.0, which allowed the tracking if the user visited the first-party site within twenty-four hours after the cookies were placed in the browser.
This was enormously beneficial to Facebook since so many people either visit their profile multiple times every day or never log out. Now, with ITP 2.0, this window has been closed and suddenly Facebook is confronting the possibility of having their data lifeline shut down.
Facebook’s problem has been magnified by the fact that, since ITP was introduced, other browsers, including Google’s Chrome, the biggest of them all, have introduced measures to severely restrict the data-gathering capabilities of third-party cookies.
Suddenly, Facebook’s ability to attribute conversions, retarget, exclude past purchasers from ads for products they’ve already bought and much more is in question. In other words, a fundamental part of their business activities is facing near-extinction You know it’s serious when Facebook is publishing stories of small businesses that rely on third-party cookies for targeted ads.
For now, Facebook is trying various hacks and short-terms solutions to keep up with the increasingly limited opportunities available after Apple’s pivot on the issue. How long can this last? Only time will tell.
The future of cookies in online marketing
Third-party cookies have been the foundation for online advertising for decades but it’s clear that this is coming to an end. The rise of ad blockers and other ways to avoid third-party tracking combined with a new emphasis on privacy issues means that we are headed into a new age of online advertising.
While the changes currently reshaping the industry are under the radar of most internet users, they represent a major shift in the way our online behavior is used to deliver customized content and tailored marketing messages. And while we don’t have a crystal ball to tell us exactly what the new normal will look like, we can be sure of a few things.
Whatever new solution becomes the default for communicating with consumers, it will have to be transparent and open about how data is collected and for what purposes. Data will be shared in the context of an open understanding of how that data will be used with no hidden agendas or actors involved.
It’s also clear that the handful of internet giants that make the rules that the whole world follows—Google, Apple, Facebook and a few others like Amazon and Microsoft—are in the early stages of a conflict that will ultimately work itself out, almost certainly to the benefit of the average web user.
We at edrone predict that there will be several concrete changes in the way online shopping is done thanks to the current “cookiepocolypse”. These include more stores explicitly asking for consent to gather data, the disappearance of “shop without registering” options in favor of mandatory account creation and generally an emphasis on creating identified users. We’re still expecting some big moves from Chrome regarding cookie processing before we can make more specific predictions but change is definitely coming.
GDPR has not only provided an important framework for the legal aspects of data protection, but symbolizes a broader movement towards a new way of approaching the subject of online privacy. Until now, cookies have been the primary mechanism for collecting and leveraging personal data so it only makes sense that a reevaluation of privacy matters would necessarily involve a reboot of the form and role of cookies. It’s evolution, not revolution.
Whatever form the new version of cookies takes, we’re looking forward to the increased trust and confidence it will inspire among users and the greater appreciation it will bring to effective but responsible marketing practices.
They say “content is king” but in fact it’s data that sits at the top of the hierarchy. The current cookie wars will ultimately result in better, more transparent ways of collecting and applying that data and that can only be a victory for everyone involved.
Even Facebook. Maybe.