It’s the end of the road for third-party cookies—and that’s a good thing.
Perhaps you don’t know what third party cookies are. Let’s begin by explaining why cookies exist at all.
What Is a Cookie?
A cookie is a parcel of data stored in the browser to speed-up and simplify interactions between the browser and a website it is connected to. Any data can be stored in a cookie.
How Do Cookies Work?
The browser provides a place where websites can store data when that website is being accessed, and the browser stores it. The idea was invented by Lou Montulli of Netscape Communications in 1994, the year that the Web was born.
The problem was that a PC could disconnect from a website for many reasons: the PC or the website might crash or the internet could disconnect. So the website cookie could store your identity data, your preferences, and maybe even session information. Then, if anything failed you could restart near to where you left off.
Since then things have become more complex and there are several different types of cookie, as follows.
The Different Types of Internet Cookies
The Session Cookie
These are temporary cookies that last only for the duration of a session. They tend to store mundane data like login credentials and usually evaporate when you reboot the computer or close the browser. They can also be used to help with website performance like ensuring fast page loads.
There’s unlikely to be anything objectionable stored in these cookies.
The Persistent Cookie
Websites that plant these cookies in your browser usually give them an expiration date, which could be any time from seconds to years.
You know you have a persistent identity cookie if you are on a website and reboot your computer only to discover when you return to the website that you are still logged in.
Such cookies are commonly used to track your on-site behavior and to tailor your user experience.
There is unlikely to be anything objectionable about these cookies either.
The Secure Cookie
These cookies assist with encryption and hence are definitely good guys. They are only transmitted securely (via HTTPS) and they are used to implement security on banking and shopping websites.
They keep your financial details secret but allow the site to remember those details.
The First-Party Cookie
All the above are examples of first-party cookies. Technically first-party simply means that it’s a two-way arrangement between you and the website. However, many websites monitor website traffic with help from external vendors, particularly Google with Google Analytics.
The cookies placed by Google for that purpose are usually thought of as first-party cookies because they just monitor the site visit. Think of them as first-party by proxy.
The Third-Party Cookie
Third-party cookies are what drives “behavioral advertising”. They are called third-party because none of the websites you visited put them there. They were slipped into your browser by some advertiser’s ad server.
Advertisers add tags to web pages so that in conjunction with the cookies they place, they can recognize you as you skip from one website to another. They build a user profile of you and your habits in the hope of targeting you more effectively.
Whichever way you look at this, it’s a violation. They do not seek your permission and they are aggressive.
The bad advertiser practices of the web depend on these cookies. They include:
Cookie-bombing: This focuses on quantity over quality, to the detriment of both the user and the advertiser. It is “pray and spray”, matching the ad with neither the website nor the user. Think of, say, feminine hygiene products advertised to men who are visiting a bookstore website. Think of ads appearing in obscure places on a web page that you will never notice, except by accident.
Incessant retargeting: This is where ads seem to follow you around the web from one site to another.
The March of the Ad Blocker
Nowadays, 30% or so of people use ad blockers. The top three reasons for doing so, according to GlobalWebIndex, are: too many ads (48%), ads are annoying or irrelevant (47%), ads are too intrusive (44%). A lot of this can be put down to the kind of ads that third-party cookies thrust upon you.
Ad blockers are a severe problem for the digital advertising industry. It isn’t just that most users would rather see no ads. The digital publishing industry has no easy way of making a profit other than by ads. Web-users visit news and magazine sites page by page rather than go to one or two sites for their news. The web has no equivalent of a newspaper or a magazine.
However, there can be synergy between websites and ads, where ads are found in the context of a website to which they relate. The ads for yachts on a yachting blog, hiking gear on hiking blogs, and so on. Brand advertisers don’t want their brand ads to appear just anywhere, they want the context of the ad to be brand-positive.
Most advertisers, like most web users, do not want what third party cookies deliver, and neither do the software companies that develop browsers.
The Cookie War and the Browsers
As I noted at the beginning of this blog, the days of the third-party cookie will soon be over. It has no useful allies. All the browsers are waging war on it.
Safari
It began with Apple. In 2017, it introduced “intelligent tracking prevention” to stop cross-site tracking by third-party cookies.
Since then, Apple has improved the capability to the point where Safari will tell you which ad trackers are running on the website you’re visiting and will provide a 30-day report of the known trackers it’s identified, and which websites the trackers came from. Safari now blocks most third-party cookies by default.
Of course, Safari has less than 10% of the browser market. So, on its own, that doesn’t spell the death of the third-party cookie.
Firefox
In 2017, the Firefox browser also moved towards stronger privacy adding an optional feature that restricted cookies, cache, and other data access so that only the domain that placed the cookie had access to it.
Since then, Firefox has tightened up its privacy features. Currently, Firefox offers three levels of privacy: “Standard” (the default), “Strict”, and “Custom”. Standard blocks trackers in private (i.e. incognito) windows; it blocks third-party tracking cookies and crypto-jacking. The Strict setting does the same but also blocks fingerprinting and trackers in all windows. The Custom setting allows you to tune your privacy settings in fine detail.
As a side note, perhaps you’ve not heard of crypto-jacking. This is when a website, without so much as a “by-your-leave”, puts a script in your browser which sits there, chugging away mining cryptocurrency for the website owner. Firefox can block that.
Maybe you’ve not heard of fingerprinting either. This is when a server gathers data about your specific configuration of software and hardware in order to “fingerprint” you (i.e. assign a unique technology identity to you).
There are many details that can be gathered: your browser version and type, your OS, the timezone, active plugins, language, screen resolution, browser settings, and so on. It is really unlikely that any two users have identical information.
One study estimated that there is only a 1 in 286,777 chance that another browser will have the same fingerprint as you. The fingerprint is used to track you as you move from website to website.
Firefox’s market share is similar to Safari’s — a little under 10%.
Microsoft’s Edge
A long time ago, Microsoft’s Internet Explorer was the dominant browser. Its market share gradually declined to a few percent and Microsoft decided to reinvent its browser with Edge.
Edge provides 3 privacy settings to choose from: “Basic”, “Balanced” (the default), and “Strict”. Balanced blocks trackers from sites you haven’t visited. Strict blocks almost all trackers. Basic block trackers used for crypto-hijacking and fingerprinting.
How much traction Edge will get is uncertain. Right now it seems to have about 4% of the browser market.
Opera
Despite a fairly low market share, Opera is perhaps the most highly functional browser. It provides configurable security that is as tight as any other, including a configurable built-in ad blocker, a crypto wallet, and a VPN. It has been offering such features since 2017.
Brave
This is another niche browser but with a much smaller user base than Opera.
By default, it blocks all ads, trackers, third-party cookies, crypto-hijacking, and third-party finger-printers. It even has a built-in TOR private browsing mode (TOR stands for “The Onion Router”, open-source software that enables fully anonymous communication).
Brave tends to attract users who care deeply about privacy.
If you add up the market share of the browsers already discussed, you get less than 30%. The market gorilla is Google Chrome with a little under 70% market share.
Google Chrome
The death knell of the third party cookie sounded loud when Google joined the opposition with its Chrome browser. Google has decided to eradicate that scourge over a space of 2 years. Chrome will soon have a Privacy Sandbox, a privacy-preserving API.
Naturally, Google is very pro advertisements — they are its core business. So with Chrome, it is unlikely to shoot itself in the foot. It is far more likely to skew the ad market to its advantage.
Google’s intentions, in outline, are to hold individual user information in Chrome’s Privacy Sandbox and allow ad tech companies to make API calls to it. When they do so they will get access to personalization and measurement data to help them target ads and measure their impact, but they will get no access to your personal details that might help them identify you. The advertisers will get targeting data only.
The question is: if you eliminate third-party cookies how can ad tech companies target users and measure an ad’s effectiveness? The Privacy Sandbox is Google’s answer. It will run trials and make adjustments over the next two years to get it right.
Because Google Chrome is open-source, other browsers will be able to analyze what Google is doing and imitate it, if they choose to.
Publishers are particularly concerned about the Cookie Wars, because they may become collateral damage. Google released a study claiming that removing third-party cookies would reduce publisher ad revenue by 52%.
Making sure the change doesn’t greatly damage publishers is a sensible priority. So Google’s upcoming trials will compare monetization for publishers between the old and new setup for Google’s digital ad business (Google’s search ads and YouTube are unaffected).
The iPhone and iPad, and IDFA
What is an IDFA? The abbreviation stands for IDentifier For Advertisers, Apple’s unique mobile device number provided to ad exchanges to help them track user interactions and behavior.
It is the mobile device’s equivalent of a third-party cookie, enabling user tracking, marketing measurement, attribution, ad targeting, ad monetization, device graphs, retargeting of individuals and audiences, and programmatic advertising from demand-side platforms (DSPs), supply-side platforms (SSPs), and exchanges.
If you were unaware that Apple assigns a number to your iOS device to help track you, I’m not surprised. It may be because it is an opt-out feature you have to notice and opt-out of to prevent its use (if you have an iPhone or iPad and wish to opt-out, go to Settings > Privacy > Advertising and then turn “Limit Ad Tracking” on).
Recently, however, because of Apple’s increasing concern for its customers’ privacy, it decided to make the IDFA opt-in for every single application. Thus, with the release of iOS 14 in September 2020, each app on your device will have to ask you if you want to opt-in and reveal your IDFA.
Apple‘s change of policy will have a negative impact on companies that provide mobile ad targeting, including Google, Facebook, and Twitter. It may also affect apps like Spotify, Uber, and Lyft that invest heavily in user acquisition and depend on user data from their apps.
Apple vs. Google
You can view what’s happening with respect to tracking as a struggle between Apple and Google.
On one side of the net is Apple. It has a very self-contained business model and has pursued it through good times and bad.
When you buy Apple, you tend to go the whole hog — Apple hardware on the desktop running the Mac OS and apps from the App Store. Your mobile phone is an iPhone running iOS with App Store apps and your tablet is an iPad. If you’re into digital watches it will likely be an Apple Watch.
Apple makes the hardware, nowadays even the chip gets a cut of most of the software and builds some of the apps itself. And, of course, it sells music, videos, podcasts, etc.
What it doesn’t care about is advertising revenue. Apple is an ad-free business and has no reason to care whether Google, Facebook, or any other advertising platform gets ad revenue from its devices or not. It is without an ax to grind. It cares about customer satisfaction, and thus its primary goal is to provide its users with bulletproof, but configurable privacy.
On the opposite side of the net, Google clearly wants to maximize its ad revenue. It is the last of the browser companies to prevent third-party cookies and it intends to do so in a way that does not damage its revenues.
But, when it comes to the mobile world it is poorly placed to dominate ad traffic on iOS devices. Right now, the iPhone has about half the cell phone market in the US, and Safari has more than 50% of the browser market on the iPhone. It also dominates browser usage on the iPad. Those Safari browsers have a simple setting to stop third-party cookies dead in their tracks.
Where the IDFA comes in is for placing ads in iOS apps. You probably didn’t know it but Google has an app called AdMob for placing ads in mobile apps. AdMob is installed in 1.5 million iOS apps of which, in total, there have been 375 billion downloads. Those ads generate revenue for the app maker, but now they only work if the user opts-in.
How many users do you think will want to opt-in for such ads? Perhaps none. Facebook plays the same game, by the way, but has less of the market. Its ad distribution app is installed on a whole host of iOS apps of which there have been billions of downloads.
You probably have some of those apps installed. Tim Cook’s point is that nobody asked for your permission to be an ad victim and yet those ad distribution apps are sitting there on your iPhone or iPad anyway. Well from here on in, permission will be required.
It’s All About Permission, Permission, Permission.
Let me explain my perspective on this. I don’t even like Apple’s solution, even though I think what they are doing is not exploitative.
At the birth of the Internet, cookies were an excellent idea that helped to maintain “session integrity”. They made the web work better. Since then, they have been bent badly out of shape and been used by the Internet giants to exploit anyone who ever lifted a mobile phone or touched a keyboard.
Any data stored that can enhance the technology and the user experience is welcome. Let’s not call such data cookies, let’s refer to it as “the performance data cache”. No-one should have any problem with technical innovators adding data to this cache if it improves your digital life.
Beyond that, there is no need whatsoever for cookies of any other kind. Let’s hope they sink into the dustbin of technology and never resurface.
It is crashingly obvious that any interaction between a person and a website should be completely device-independent. It is an interaction between a person, assisted by their stored personal data, and the website with all its capabilities, including its abilities to serve ads.
The user can give permission for the use of the data and the website can interact accordingly. Under these circumstances, the user can retain control and choose to allow the advertiser to examine all their personal data for the sake of targeting, especially if the advertiser is willing to reward the user for their time and data in watching its ads.
Kudos to those that facilitate the asking and granting of permission for use of data for the purpose of targeting. Permission.io does you one better and ensures that you are compensated for data shared. It’s the only fair and transparent solution. After all, it’s YOUR data.