The tracking cookie is crumbling and it’s about to make a big mess for marketers. Cookies are the most ubiquitous method for tracking consumer behavior and gathering data, and they’re used by nearly all adtech and martech platforms. Smart cookie-blocking technology led by Apple’s Intelligent Tracking Prevention (ITP) and Firefox’s Enhanced Tracking Protection (ETP) now block third-party cookies by default, and even Google’s Chrome will soon get controls that let consumers block cookies. Browser-level blocking, third-party ad-blocking apps, and new regulations like GDPR and the California Consumer Privacy Act (CCPA) are quickly relegating the old cookie to the internet dustbin.
Adweek has called this a “fundamental change” in online advertising. What does the death of the cookie mean to marketers and advertisers like you? In this two-part series, we’ll look at what cookies are and why they died, and in part two, how marketers will adapt without tracking cookies. Grab a glass of milk and let’s dip in!
What Are Tracking Cookies?
The Difference Between First-Party Cookies and Third-Party Cookies
First-party cookies are set by the website a user is browsing and are used to keep track of activity as they move from page to page. They enable vital website functionality like authentication, maintaining shopping carts, website preferences, and login information. Without first-party cookies, users would have to log in on every page and would not, for example, be able to put an item in the cart and keep shopping, and no information (like shipping and billing addresses) would be stored, since very few websites store this data on their own servers. In short, without first-party cookies, the website experience would be awful to impossible. Since they only track activity on the site which someone is intentionally visiting, they are not generally subject to the ire (and blocking) that third-party cookies receive.
Firefox and Safari Burn Third-Party Cookies
Just like Apple quickly scuttled Adobe Flash from the digital landscape (which, honestly, nobody but Homestar Runner misses) it also put the first knife in the cookie. While both Mozilla and Apple have had third-party cookie blocking on by default for a while, ad networks quickly found loopholes in those protections.
With little financial interest in digital advertising and its main Google differentiator now being privacy protection, Apple made the move to Intelligent Tracking Prevention 2.2 (ITP) to seal up the digital loopholes and much more effectively block third-party cookies. Mozilla’s privacy-focused Firefox browser will follow suit with similar improvements to its Enhanced Tracking Protection (ETP).
Both ITP and ETP are able to block third-party cookies by preventing them from being stored in the browser, and to close the loophole exploited by advertisers, they can also prevent third-party cookies from being recorded as first-party cookies. Apple’s ITP 2.2 in Safari takes it a step further by cutting the first-party cookie lifespan from seven days to one day. The blockers are active by default in both Safari and Firefox.
Update: Google Chrome to Limit to Cross-Site Tracking By Default Starting February 2020
Google has rather quietly begun spreading the word that its Chrome browser will begin blocking cross-site tracking cookies. With the release of Chrome 80, Google Chrome will stop sending third-party cookies in cross-site requests unless the cookies are secure and flagged using an internet standard called SameSite. Cookies that aren’t proactively labeled according to the standard will cease to function in Chrome, and all cookie data that was generated prior to being flagged will no longer be accessible.
“For those that don’t make the deadline, their third-party cookies will break,” said Ratko Vidakovic, founder of ad tech consultancy AdProfs, “which means everything that relies on those cookies will break: audience recognition, analytics, attribution – you name it.” This means that if you are not already on HTTPS and your SameSite settings, you’re going to have a mess on your hands come February.
According to AdExchanger, In order to continue functioning, SameSite cookie attributes in Chrome must be set with one of three values: strict, lax or none.
Specifying a cookie as “SameSite=Strict” allows no cross-site sharing. That cookie won’t work anywhere else other than on the domain it was dropped on. “SameSite=lax” is less restrictive, and allows a site to share cookies across domains owned by the same publisher.
“SameSite=none” enables full-on third-party cookie sharing, as long as it’s secure. Today, SameSite=none is the default in Chrome, and lets the ad tech ecosystem function. As of February, SameSite=Lax will become the default for developers that don’t proactively enable SameSite=none.
As long as you are on top of these settings, your advertising should not be impacted. That is unless Google decides to change that.
Why Chrome’s Cookie Blocking Might Have a Bigger Impact
Google’s business model relies on collecting data about consumers—what they are shopping for, what videos they watch, and what they read, and surf for on the internet. Given the search giant’s dominance in advertising and that Chrome browser accounts for over 60% of the browser market share, Google’s version of ITP will be the ultimate swan song for cookies—and why the company may run afoul of antitrust law.
Since cookies aren’t compatible with mobile apps, alternatives like Advertising IDs and location data are already being used as a “real-world behavior” cookie alternative. Where Google could run into trouble is when and if it further develops its own browser ID-based cookie alternative. Since Google controls a majority of the browser market, 30% of the email client market, and over 40% of the display advertising market, it’s ripe for monopolizing the digital advertising and data markets. When you couple the data that only Google can monetize from Google logins with a potentially proprietary browser ID system, the domination looks even more complete.
Google, of course, is keenly aware of the implications, which is why it is carefully marketing all of its new privacy controls as a benefit to consumers. “Our experience shows that people prefer ads that are personalized to their needs and interests,” Google engineering VP Prabhakar Raghavan said in a blog post explaining the shift, “but only if those ads offer transparency, choice, and control.”
It has also kept fairly mum on what, if anything, it will do in the absence of third-party cookies. The big question is whether or not Google will make a market-dominating move with a replacement or a new ability to control much of cross-site tracking via the dominant Chrome browser. This is possible under a business-friendly (though entirely unpredictable) administration in the U.S., though unlikely when you consider the GDPR-governed implications in the E.U. and CCPA launching in California in January 2020. Google most certainly has a plan, but all we have for now is speculation. No matter what Google does, its digital dominance assures that it will guide the future of the entire adtech market.
Does the California Consumer Privacy Act (CCPA) Regulate Cookies?
The Consequences of Cookie Blocking
While the death of cookies will have far-reaching consequences across the marketing and advertising landscape, you don’t have to completely freak out yet, because at least we’re all in the same boat.
The biggest impact will likely be felt in programmatic advertising because programmatic relies almost entirely on third-party cookies as the foundation for user-level targeting and measurement. Without cookies, marketers can’t target users with highly relevant ads or determine whether those ads lead to sales. And given that digital ad spending in the U.S. alone is expected to exceed $129.34 billion this year and that programmatic advertising is largely seen as the financial foundation of the internet, this is a really big deal. Of course, the next generation of ad targeting is already in the works thanks to contextual targeting that was once the domain of mobile, so I would not expect this to cause the ad world to crumble. However, it may be a big shock to an already struggling media industry if their main source of income (digital ads) is in any way disturbed, which here is a distinct possibility.
One unintended consequence of shortening the lifespan of first-party cookies could impact how marketers track website visitors. Previously, an undeleted Google Analytics cookie could live on a browser for two years. With that lifespan shortened to as little as one day in Safari, it will cause a duplication of unique users and massive inflation of their numbers in GA.
While that might make you look good for a second, what it’s really doing is blowing up years of benchmarking user counts. Whether you are a publisher looking at unique pageviews or an e-comm marketer looking at site visits, this can end up making a mess of your historical data. “The fundamental challenge facing marketers with this latest release is visibility into how their digital marketing is performing,” said Ryan Storrar, SVP and head of media activation for Europe, Middle East and Africa at Essence in an interview with Digiday. “ITP 2.1 is the latest chapter in this story. There are steps that can be taken to limit the impact in the short-term, but, more broadly, a post-cookie world is clearly on the horizon and marketers need to get ready.”
Next Week: What Will the Post-Cookies World Look Like for Marketers?
Speaking of getting ready, check out part two to see what will replace cookies, how marketers are adapting, and if cookies will have an impact on call tracking platforms like Invoca.