Goumbik / Pixabay

The tracking cookie is breaking down and it’s going to create a big problem for marketers. Cookies are the most common way to track consumer behavior and collect data, and they’re used by almost all adtech and martech platforms. Advanced cookie-blocking features led by Apple’s Intelligent Tracking Prevention (ITP) and Firefox’s Enhanced Tracking Protection (ETP) now block third-party cookies by default, and even Google’s Chrome will soon have options for users to block cookies. Browser-level blocking, third-party ad-blocking apps, and new laws like GDPR and the California Consumer Privacy Act (CCPA) are quickly pushing the old cookie to the internet trash.

Adweek has called this a “fundamental change” in online advertising. What does the death of the cookie mean to marketers and advertisers like you? In this two-part series, we’ll look at what cookies are and why they died, and in part two, how marketers will adapt without tracking cookies. Grab a glass of milk and let’s dip in!

What Are Tracking Cookies?

Also known as “browser cookies” or just “cookies”, they are data that is set by a website or third party that is stored in the form of a text file in web browsers. Using the user’s IP address as a unique ID, cookies contain information like browsing history, user ID, session ID, and more. Cookies are created once any website is accessed that uses cookies. When returning to the same site, the browser sends the cookie file to the server and in turn, users get a personalized browsing experience.

The Difference Between First-Party Cookies and Third-Party Cookies

First-party cookies are set by the website a user is browsing and are used to keep track of activity as they move from page to page. They enable vital website functionality like authentication, maintaining shopping carts, website preferences, and login information. Without first-party cookies, users would have to log in on every page and would not, for example, be able to put an item in the cart and keep shopping, and no information (like shipping and billing addresses) would be stored, since very few websites store this data on their own servers. In short, without first-party cookies, the website experience would be awful to impossible. Since they only track activity on the site which someone is intentionally visiting, they are not generally subject to the ire (and blocking) that third-party cookies receive.

Cookie-blocking technology and government regulations are focused mostly on third-party cookies because they are the ones that track user activity across the web. They are placed in the browser via tracking pixels or Javascript code. What riles online privacy advocates is that third-party cookies do not originate from a website that a user has proactively interacted with. Advertising networks like Google Adsense, Propeller, and others are usually the source of third-party cookies, which are used to track users across multiple websites and use that information to more precisely target them with ads. There is no implicit or explicit permission to do this, so it can easily be seen as an invasion of privacy.

Firefox and Safari Burn Third-Party Cookies

Just like Apple quickly scuttled Adobe Flash from the digital landscape (which, honestly, nobody but Homestar Runner misses) it also put the first knife in the cookie. While both Mozilla and Apple have had third-party cookie blocking on by default for a while, ad networks quickly found loopholes in those protections.

With little financial interest in digital advertising and its main Google differentiator now being privacy protection, Apple made the move to Intelligent Tracking Prevention 2.2 (ITP) to seal up the digital loopholes and much more effectively block third-party cookies. Mozilla’s privacy-focused Firefox browser will follow suit with similar improvements to its Enhanced Tracking Protection (ETP).

Both ITP and ETP are able to block third-party cookies by preventing them from being stored in the browser, and to close the loophole exploited by advertisers, they can also prevent third-party cookies from being recorded as first-party cookies. Apple’s ITP 2.2 in Safari takes it a step further by cutting the first-party cookie lifespan from seven days to one day. They blockers are active by default in both Safari and Firefox.

Google’s business model relies on collecting data about consumers—what they are shopping for, what videos they watch, and what they read, and surf for on the internet. Given the search giant’s dominance in advertising and that Chrome browser accounts for over 60% of the browser market share, Google’s opt-in version of ITP will be the ultimate swan song for cookies—and why the company may run afoul of antitrust law.

Since cookies aren’t compatible with mobile apps, alternatives like Advertising IDs and location data are already being used as a “real-world behavior” cookie alternative. Where Google could run into trouble is when and if it further develops its own browser ID-based cookie alternative. Since Google controls a majority of the browser market, 30% of the email client market, and over 40% of the display advertising market, it’s ripe for monopolizing the digital advertising and data markets. When you couple the data that only Google can monetize from Google logins with a potentially proprietary browser ID system, the domination looks even more complete.

Google, of course, is keenly aware of the implications, which is why it is carefully marketing all of its new privacy controls as a benefit to consumers. “Our experience shows that people prefer ads that are personalized to their needs and interests,” Google engineering VP Prabhakar Raghavan said in a blog post explaining the shift, “but only if those ads offer transparency, choice, and control.”

It has also kept fairly mum on what it will do in the absence of third-party cookies. The big question is whether or not Google will make a market-dominating move with a replacement. This is possible under a business-friendly (though entirely unpredictable) administration in the U.S., though unlikely when you consider the GDPR-governed implications in the E.U. and potential future action under a domestic administration that is less keen to digital monopolies. Google most certainly has a plan, but all we have for now is speculation. No matter what Google does, its digital dominance assures that it will guide the future of the entire adtech market.

Does the California Consumer Privacy Act (CCPA) Regulate Cookies?

California’s upcoming CCPA enforcement in 2020 does not directly regulate the use of tracking cookies. However, CCPA defines the phrase “personal information” to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It specifically identifies cookies as a type of data that qualifies as containing or being “personal information.” Since CCPA appears to treat persistent tracking cookies—such as those used by behavioral advertising networks—as personal information, it may cause companies that use them to fall under the purview of CCPA and require websites that use them to display an EU-style “we use cookies” banner and opt-in CTA. Beyond the disclosure requirements, it does not appear that CCPA regulates or bans the use of cookies per se.

While the death of cookies will have far-reaching consequences across the marketing and advertising landscape, you don’t have to completely freak out yet, because at least we’re all in the same boat.

The biggest impact will likely be felt in programmatic advertising because programmatic relies almost entirely on third-party cookies as the foundation for user-level targeting and measurement. Without cookies, marketers can’t target users with highly relevant ads or determine whether those ads lead to sales. And given that digital ad spending in the U.S. alone is expected to exceed $129.34 billion this year and that programmatic advertising is largely seen as the financial foundation of the internet, this is a really big deal. Of course, the next generation of ad targeting is already in the works thanks to contextual targeting that was once the domain of mobile, so I would not expect this to cause the ad world to crumble. However, it may be a big shock to an already struggling media industry if their main source of income (digital ads) is in any way disturbed, which here is a distinct possibility.

One unintended consequence of shortening the lifespan of first-party cookies could impact how marketers track website visitors. Previously, an undeleted Google Analytics cookie could live on a browser for two years. With that lifespan shortened to as little as one day in Safari, it will cause a duplication of unique users and massive inflation of their numbers in GA.

While that might make you look good for a second, what it’s really doing is blowing up years of benchmarking user counts. Whether you are a publisher looking at unique pageviews or an e-comm marketer looking at site visits, this can end up making a mess of your historical data. “The fundamental challenge facing marketers with this latest release is visibility into how their digital marketing is performing,” said Ryan Storrar, SVP and head of media activation for Europe, Middle East and Africa at Essence in an interview with Digiday. “ITP 2.1 is the latest chapter in this story. There are steps that can be taken to limit the impact in the short-term, but, more broadly, a post-cookie world is clearly on the horizon and marketers need to get ready.”

Next Week: What Will the Post-Cookies World Look Like for Marketers?

Speaking of getting ready, in part two coming next week, we will look at what will replace cookies, how marketers are adapting, and if cookies will have an impact on call tracking platforms like Invoca. Stay tuned!