What Will Replace Third-Party Cookies?
By Kathleen Glass, CEO of Oinkodomeo
As marketers, we need to be thinking and planning now for the end of third-party cookies. This article covers a lot of ground, but really, the final chapter the story about end of third-party cookies isn't fully written yet. As the year progresses, stop back for updates.
At the start of 2020, Google announced the end of third-party cookies support in the Chrome web browser. Since then, the date has been pushed back to the end of 2023. But that doesn't mean marketers shouldn't be thinking about this now. For brands and the advertising industry, the magnitude of this change is huge. And even if you aren't a "big brand", if you do digital advertising or retargeting, you'll want to think differently about your marketing mix and budget. What HubSpot and GetApp found when they surveyed agencies recently is that this will increase marketing challenges and budgets. Similar surveys have indicated marketers expect this change to add up to 25% to their marketing budget in the coming year. On the positive side, this is an opportunity to think creatively about how to enhance consumer experience and build back trust that's eroded in recent years.
I’ll start with a little background. Interestingly, if you search, what’s not readily apparent are the various types of cookies, and what’s good and what’s not, so we’ll break it down here.
What are cookies used for?
- Session management (these are essential)
- Personalization (also essential)
- Tracking / marketing (non-essential)
Session Cookies are essential short-term cookies useful for, well, that session or website visit. Session cookies keep a user logged in to social media sites or able to conduct ecommerce transactions.
Secure Cookies, also called HTTP-only Cookies are session cookies, and can only be transmitted over a secure HTTPS connection.
First-Party Cookies, confusingly also known as Persistent Cookies, Permanent Cookies, or Stored Cookies, are similarly essential because they help the user experience by remembering such things as settings or login credentials.
Now we come to the non-essential cookies.
Third-Party Cookies are next. We'll explain those in a moment, but first a few words about “supercookies”.
There is a fairly new kind of UIDH-level supercookies which are unlike regular cookies. Fortunately, the major browser players Apple, Google and Microsoft, have caught on to these and already have been working to prevent the use of supercookies starting in 2019. You can read more about them in this article. I bring these up because it’s evidence that simply eliminating third-party cookies won’t be enough. Advertisers are always looking for new ways to track users, so we need to be very thoughtful in implementing new approaches that won’t leave the door open to new abuses.
What are third-party cookies and how are they used?
Third party cookies are tracking codes placed on a web visitor's computer which are generated by a web server different from the host server of the content, that of a "third party".
Cookies originated as session identifiers to help with the web user's experience. While privacy advocates create arguments against consumers being endlessly tracked, not all cookies are bad. First party cookies enhance the user experience on a site, such as helping to present the right content to the visitor or remembering what's in their cart. When Lou Montulli invented cookies at Netscape back in the 1990's, his intent was to make browsing better for the visitor by "remembering" them. However, within just a couple of years, there was an unintended consequence – advertisers figured out how to use this approach by combining it with other technologies that enabled cross site tracking with the ability to follow the user around.
Today, third party cookies are used by advertisers to track a visitor across multiple websites to learn about visitor behavior and serve them ads in their sessions. For example, if a user goes to a website that displays an ad, that ad might save a cookie on their computer that reports back to the advertiser. The advertiser can use this information for behavioral retargeting serving ads based on the user’s past visits.
Thinking about this untended outcome from the invention of cookies, we have to be very careful when we strive to "replace" third party cookies to avoid something similar happening again. This is tricky business which is why the change has been delayed by Google by nearly a year as they work with other web community players to find a consumer privacy-centric solution that's acceptable to the industry as well as consumers and privacy advocates.
Key driver: the principle of user consent
This move toward a more privacy-centric web experience has been in the works for several years. Firefox and Safari already blocked third-party cookies in 2013. And in May 2021 Apple rolled out iOS 14.5 that gave Apple users the option to opt in or opt out of data sharing in ads.
One of the principles of the EU GDPR introduced in 2018 was that websites can no longer rely on implicit opt-in for cookies and users must be able to control even which first party cookies are placed. EU law on cookie consent is clear: Web users should be offered a simple, free choice, to accept or reject. This notion of user consent is at the heart of the UK and EU GDPR and newer similarly modeled privacy laws being put into place around the globe.
Increased DPA activity
EU data protection authorities have become increasingly more active in this area. Many have recently issued new or revised cookies guidance—including the DPAs of Italy, Malta and Luxembourg—to help companies navigate compliance pressures.
Amazon is being hit with a record 746 million euros fine and corresponding practice revisions by Luxemburg’s DPA for its targeted ad system. Last year, France’s DPA fined Amazon ($42 million) and Google ($120 million) for automatically dropping cookies without user consent.
Moreover, the IAB Europe’s Transparency and Consent Framework—a consent pop-up system relied upon by the bulk of Europe’s online advertising industry (including Google) to obtain user consent to ad targeting—has been found in breach of the EU GDPR.
All these things lead to the urgency to change the current model.
What is the Google Privacy Sandbox initiative?
The Google Privacy Sandbox is an alternative to third-party cookie tracking that they want to be the standard for enabling measurement as well as preventing fraud and enhancing privacy. So far, it’s still in its infancy as Google develops it, receives feedback, and iterates. Google posts updates to their Privacy Sandbox here.
FLoC
Federated Learning of Cohorts, or FLoC, is a new proposed browser standard from Google that is based on guidelines set in the Goggle Privacy Sandbox.
FloC is an interest-based approach to advertising that gives advertisers a way of targeting ads without exposing details on individual users by grouping people with similar qualities or interests together into cohorts: for example, football fans, recipe collectors, retired travelers, etc. You can read more about it here on GitHub.
After the initial proposal, many major tech providers, web developers, and advertisers gave feedback that sent Google back to the drawing board. Importantly, it likely presented new privacy challenges that would not be acceptable under the GDPR.
What will Replace Cookies?
What other solutions will emerge in a post-cookie world that will replace third-party cookies used today? Where does this leave marketers in the meantime? Most experts don’t believe we’ll end up with one single framework. Really, it's about the future of identity and personal privacy- who controls it, how do we manage it?
Here are some options for marketers to consider.
- Identity - there are a number of companies developing “identity” solutions such as Unified ID 2.0 (UID2) which is an open source framework, as ways to identify consumers according to their permission parameters.
- Walled Gardens - which are closed platforms that keep technology, information, and user data to itself - best example is Meta / Facebook, who doesn't share the massive amount of data they collect with others.
- First Party Data - Build a solid first party data strategy by collecting and building your own opt-in database for targeting.
- Contextual Adverts - advertisements that are targeted to certain populations based on the website being visited, much like how magazines operate. You can go old school with contextual advertising such as pay per click (PPC) ads on websites that rank for similar keywords as your ads.
- Subscription-based search engines (ex. Neeva, created by former Google execs)
- Web3 - is a potential future of connected games, apps and services that lets everyone have control over the things they do online not just as content users but by being in charge of the platforms. This still a future vision but there’s been a lot of buzz about it recently as Jack Dorsey and Elon Musk commented on social media about it’s promise (or lack thereof).
I am sure that I’ve missed a number of others or technologies that are emerging, but this should get you thinking about other options than third-party cookies.
Is Google banning first party cookies?
Google isn't banning all cookies. So far, they say they are only phasing out third-party cookies on Chrome browsers.
Can I still use cookies on my website?
You will still be able to use essential first-party cookies on your website. Not all cookies are going away. If you go to a brand’s or publisher’s website, everything you do and all the information you enter counts as first-party data. First-party cookies are very much still operational, for now at least.
Will programmatic advertising still exist?
These are ads bought through automated exchanges supported by the ad industry and unfortunately this is largely built with third-party cookies which enabled marketers to identify their target audiences. This will have a big impact on the intent data landscape. Programmatic advertising will now need to rely more on first party or contextual data. You’ll need to work within walled gardens or sites that are more context specific (like targeting IT Directors on a community for IT folks).
Will I still need to have a Cookie Banner?
Yup. Sorry, you have to declare all your cookies: essential, marketing, analytics to be in compliance with the EU GDPR and other emerging privacy laws.
As I said above, this is an evolving story and I’ll keep it updated as we learn more. In the meantime, if you have questions, thoughts or suggestions, reach out to me on LinkedIn or complete our contact form.
About the Author
Kathleen is an active mentor and volunteer for a number of industry organizations including serving on the CompTIA IoT Advisory Council. In addition, Kathleen is a supporter of the San Diego technology startup scene, volunteering as a CONNECT w/ San Diego Venture Group Springboard Marketing Entrepreneur in Residence (EIR) and sales and marketing mentor for the CyberTECH NEST accelerator program. She is a past San Diego Chapter Officer for the International Association of Privacy Professionals (IAPP) KnowledgeNet, and she is actively involved in the Association of Inside Sales Professionals (AA-ISP) as a San Diego Chapter leader as well as sitting on the AA-ISP National Advisory Board.