How does the web cookie work & The future of third party cookies

This is part of a three-part blog series that covers our workshop we call “Cookies 101: Bulletproofing for the 3rd party cookie ban”. In this first article, we have Neil, our in-house Cookie Master, explain what an HTTP cookie is, what this third-party cookie ban is all about, and how it will impact marketing (specifically digital marketing) and marketers (specifically digital marketers).

You can watch the video or read the transcription below. [embed]https://www.youtube.com/watch?v=AgbPh4ISGHM\[/embed\] See the other 2 blog post to this series:

• The solution to a third-party cookie ban
• Case study: How a CPG brand solved the third-party cookie problem

Our other relevant cookie-related blog post

• Survival guide for the 3rd party cookie apocalypse
• Beat the 3rd party cookie ban, here’s the plan

Why are web cookies so important right now for marketing?

The web is constantly evolving, but these changes are now happening more rapidly than ever before, especially when it comes to consumer privacy and data. In response to the perceived lack of transparency, and control for individuals’ data breaches, as well as the creepiness factor in advertising. Privacy legislation across the globe now gives users control over their data. Effectively, these policies give users the ability to block various tracking technologies or request the deletion of their data. And tech companies have also responded by giving users control over how their data is used both within browsers and in devices. Against a broadening backdrop of data protection frameworks with issues and transparency and data ethics becoming a growing concern.

What’s happening in the world of cookies & customer data?

These days, in the media, almost weekly we can see evidence of the misuse of personal data alongside ever-fluctuating laws and increasingly serious ramifications for offenders. A couple of examples from 2020 through about now in 2021 GDPR fines have risen by nearly 40%, and penalties under the GDPR have totaled close to $200 million. Data protection authorities recorded over 120,000 personal data breach notifications, which is 19% more than the previous 12 month period. In Singapore by February 2022. Fines are being introduced for up to $1 million, or 10% of a company's annual gross income for personal data breach violators. So taking all of this into consideration, companies must strike a balance between respecting an individual's right to data privacy, and the organization's use of data for legitimate business activities. Curious about privacy laws for marketing? Check out our blog post about GDPR & PDPA

• GDPR – The Canary In a Privacy Mine. Is Your Company Ready?
• PDPA: Why every business in Singapore needs to take data more seriously

What are cookies?

So let's wind it back to the very beginning and ask what the cookies actually are. A computer cookie is also known as an HTTP cookie, a web cookie, an internet cookie, or a browser cookie. The name is a shorter version of the magic cookie, which is a term for a packet of data that a computer receives and then sends back without changing or altering it. No matter what it's called, a computer cookie consists of information. When you visit a website, the website sends the cookie to your computer, and your computer stores it in a file located inside your web browser.

Now the purpose of the cookie is to help the website keep track of your visits and activity. And this isn't always a bad thing. For example, online retailers use cookies to keep track of the items in a user's shopping cart as they explore the site. Without cookies, your shopping cart would reset to zero every time you clicked a new link on the site, which would make it virtually impossible to buy anything online. Now a website might also use cookies to keep a record of your most recent visit or to record your login information. And many people find this useful so that they can store passwords on commonly used sites or simply so they know what they have visited or downloaded in the past.

The actual mechanism works like this: when you visit a site for the first time the cookie is downloaded onto your computer. The next time you visit that site, your computer checks to see if it has a cookie that is relevant. That is one containing the site name sends the information contained in that cookie back to the site. The site then knows you've been there before. And in some cases, tailors what pops up on the screen to take account of that fact. For instance, it can be very helpful for a digital marketer to vary content according to whether this is your first-ever visit to a site or your 50th.

Types of cookies

First-party cookies & Third-party cookies

First up, we differentiate cookies according to their provenance. Technically speaking, first and third-party cookies are the same type of files and the term provenance refers to their place of origin. What's different is how they're created and used by websites.

First-party cookies are created by the host domain, i.e. the domain the user is visiting. These types of cookies are generally considered good. They help provide a better user experience and keep the session open. This basically means the browser is able to remember key pieces of information such as which items you add to shopping carts, your username, and passwords, or language preferences.

And the third-party cookies are created by domains other than the one that the user is visiting at the time and are mainly used for tracking and online advertising purposes. They also allow website owners to provide certain services such as live chats. So for example, in addition to a first-party cookie being created by a host site called let's say some new site.com. A third-party cookie is also created by addoubleclick.net. The reason for a third-party cookie is that the URL of addoubleclick.net does not match the domain of some new site.com. The cookie is left by a third-party advertising provider, hence the name third party cookie.

Session cookies & persistent cookies

Next up, we have 2 more types of cookies based on their duration. And these are further split into two categories. You have session cookies and persistent cookies.

Session cookies are temporary cookie files that are erased when you close your browser. When you restart your browser and go back to the site that created the cookie, the website will not recognize you, you will have to log back in if a login is required, or select your preferences themes. Again, if the site uses these features, a new session cookie will be generated, which will store your browsing information and will be active until you leave the site and close your browser.

Persistent cookies stay in one of your browser subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie’s file. And according to the ePrivacy directive, they shouldn't last longer than 12 months. However, in practice, you could remain on your device much longer if you don't take any action.

Purpose: Necessary, preference, statistics, and marketing cookies

Finally, we have purpose cookies which are further subdivided into four categories. You have strictly necessary cookies which are essential for a user to browse a website and use its features. A good example again is that these cookies hold the items in the cart while the user is shopping online. Without these cookies, the website will not work properly.

The preference cookies or functionality cookies allow a website to remember the choices that a user has made, such as preferred language region, or what is the username and password.

Next up we have statistics cookies or performance cookies. They collect data such as visited or clicked pages. This information cannot be used to identify you; it is all aggregated and anonymized. Performance cookies are also from third-party analytics services, as long as the cookies are for the exclusive use of the owner of the website visited.

And last up we have marketing cookies or targeting cookies. These track users' online activity to help advertisers deliver more relevant ads or to limit how many times they have seen an ad. Targeting cookies can share that information with other organizations or advertisers. They are persistent cookies, and almost always have a third-party provenance.

Third-party cookie ban - What’s changing for cookies & digital marketing?

Third-party cookies have been going through various phases of demand for some time, with Safari and Firefox blocking third-party cookie tracking. But when it comes to market share, Google's Chrome is currently the leader by some degree of magnitude, and so its switchover is the big one. On June 24, 2021, Google announced that they intend to delay by more than a year its self-imposed deadline to deprecate third-party cookies and its Chrome browser. The timeline was originally targeted for March 2022 but is now expected to be complete by 2023. What has undoubtedly pushed the timeline forward was Google's decision to work on a collection of adjustments to its privacy sandbox, including addressing the issues surrounding their proposed alternatives for third party cookies, which was known as the federated learning of cohorts or FLoC, which I will touch on in just a bit.

So the removal of third-party cookies will make it vastly more difficult to track activities on the web and then serve personalized content. Now that most browsers are limiting third-party cookies, more and more organizations are trying to implement a new data strategy and technology. However, there are still significant challenges to their success.

Google's FLoC

Chrome no longer enables individual-level tracking and targeting, there will be no more behavioral targeting or profile building in its ad products. And they have also committed to not building alternative identifiers such as hashed emails. However, Google will continue to allow advertisers to match their own customer data to Google's first-party data to target or measure campaigns, the catch has been as long as it resides within Google-owned inventory. So as I touched on earlier, Google's proposed solution for the deprecation of third-party cookies was known as the federated learning of cohorts or FLoC This is Google's alternative to third-party cookies and was based on machine learning.

The FLoC is a type of web tracking group where people enter cohorts based on their browsing history for interest-based advertising. It is promising but also quite problematic. Earlier this year, The Economist reported that it may be hard for Google to stop the system from grouping people together by characteristics they wish to be private, such as race or sexuality. The article also expressed privacy concerns suggesting that cohort systems could facilitate fingerprinting of individual devices. Now, because of all of this, it all seems to be up in the air currently, with Google backtracking and exploring a few other directions for flow, including moving from a cohort-based identifying system to a topic-based one. And this was where topic-centric IDs are associated with subject matters on websites that people visit, such as performing arts or fitness for example, as opposed to assigning in an opaque numerical cohort ID, which Google themselves found hard to express and it was even harder for the general public to comprehend. Now despite the apparent incomprehensibility, FLoC's original cohort-based approach raised some clear red flags amongst privacy advocates for how they could be used to identify people, and those fears turned out to be fairly well-founded.

Other browsers’ stance on cookies

The other main browsers, they've been focusing on this topic for some time now. In 2018, Apple launched restrictions in Safari browser with their intelligent tracking prevention ITP, blocking third-party cookies by default and limiting the lifespan of certain first-party cookies and data storage. And in 2019, Firefox also blocked third-party cookies by default. So to sum it all up, everyone agrees that third-party cookies aren't perfect, a moving past cookie-based marketing mix, philosophical, ethical, and practical sense.

However, this year-long reprieve enables companies to continue to develop their own solutions and to make up lost ground and last time. According to StatCounter, 83.7% of the global Internet traffic is already or will be affected by changes to third-party tracking. This means that the experience for users who leverage these browsers and for brands who advertise across these browsers will change. The experience will change to mean a greater shift towards opt-in or consent from users to be tracked. And the ramification for advertisers is that they will lose relevance and scale especially when it comes to retargeting. After all, personalization, measurement, and general customer experience are getting harder and harder to execute effectively. And the pandemic accelerated people's desire for meaningful, relevant, and personal experiences without sacrificing privacy and protection. Google is simply giving a temporary stay of execution, not a pardon.

3rd party cookie ban impact for marketers

A recent marketers survey conducted found that 80% of digital marketers reported being very reliant on third-party cookies, while fewer than half of those surveyed felt prepared for the upcoming changes.

In general, it will be harder for digital marketers & advertisers to target audiences with granular precision. Third-party data for example, in a DMP used for precision targeting, is less accurate due to its heavy reliance on third-party cookies. reliance on walled gardens, such as Google, for individual targeting, will increase because it will still allow customer matching. And it will be difficult to find new high-value audiences as finding prospects that are more likely to convert using propensity-based modeling which is no longer supported. For measurement, we will see inaccuracies in counts of unique views, which will be driven by losing the credible links between ad exposure to ad outcomes. This will ultimately result in complex performance measurements for ad campaigns across the media landscape. And finally, multi-touch attribution will be limited due to the reliance on third-party data. And this will lead many to move towards an ineffective last-click attribution strategy, where it's impossible to track the various stages of the all-important customer journey from initial interaction through to conversion.

A little wrap-up at the end, Chrome will phase out support for third-party cookies by 2023. Google holds the dominant position in online advertising and any changes to Chrome have a deep impact on the organizations. Furthermore, as we spoke about previously, Google isn't the only major player altering the digital landscape. Apple has already made changes to restrict third-party cookies in the web browser along with changes to mobile identifiers, and email permissions. Right now, the data Titans are making all the rules.

Our advice, don't wait for Apple, Google, and Chrome to solve these challenges. The era of third-party cookies is coming to an end. But that doesn't mean that companies should abandon personalization. It's just time for a new better approach, namely first-party data solutions, those that are built and owned by the brand. These are the foundation for navigating the new media landscape. And marketers (specifically digital marketers) should continue to invest in strategies that solve the delayed deprecation of third-party cookies. If you want a more detailed explanation of this and what to do next, read our "Beat the 3rd party cookie ban, here’s the plan" blog post.