Is this the end of third-party cookies?

Whenever you visit any website, the first thing you notice is a big annoying banner that is supposed to let you know about how/if cookies are used. Some cookie banners are smaller, some bigger; some are more compliant, others are less compliant, but they are always there.

If you want to access the information on that site quickly, there is always the temptation to just click on “accept” and dismiss the banner, so you can finally read through the website.

Now, I am sure that you and I are not the only ones who frequently give in to that temptation.

I am also sure that we are not the only ones wishing that, one day, these banners would disappear. In many cases they do not even actually ask you for consent (the cookies are implanted either way) or they don’t even allow you to reject the cookies (the lack of consent has no effect).

Nonetheless, the banner must be there for compliance purposes, at least for the time being. The privacy laws in Europe require that users are informed about the use of cookies and give consent for any cookie that is not strictly necessary. Moreover, publishers are supposed to list all third parties that install cookies on users’ devices. This puts the responsibility on the publishers and leaves them exposed, as it is not easy for them to check whether third parties actually use the cookies the way they declare.

Until recently, it seemed that there were no alternatives for advertising companies to get the data they need about customers’ behaviour and preferences. But users are becoming more and more aware of their rights. They are demanding greater privacy, including transparency, choice and control over how their data is used. They do not want to be tracked by cookies. Hence, the online ecosystem must evolve to meet these demands.

Cookies were never really meant to do as much work — or contain and share as much information — as they currently do. The list of things that third-party cookies do is very long and finding agreement on how (or whether!) to replace them is not easy.

But we can already see this happening: cookies, or at least third-party cookies, are being phased out. As a non-Apple user, I was surprised to learn that, almost a year ago already, Apple’s browser Safari was updated to block third-party cookies by default; after all (and unlike Google), they don’t rely on cookies to keep their business viable.

How browsers started to fight with cookies

The changes that Apple introduced last year raised the bar for web privacy standards. Right now, by default no third-party cookies are allowed in Apple’s browser. It means that no company can follow you around the internet using cookies. This is a significant improvement for user privacy, as finally no cross-site tracking is allowed, unless the user explicitly changes the default settings.

Safari employs a feature called Intelligent Tracking Prevention which uses machine learning to determine which websites can track you across the internet. The idea is that Safari blocks and deletes third-party trackers from sites the user has not visited over the last 30 days. If they come from sites visited frequently, Safari will allow them to function as third-party cookies for 24 hours. After that, they are partitioned off so they cannot track the user across the web, but can still keep the person logged in. If the user does not visit that site for another 30 days, they are deleted.
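The timing rules in the paragraph above, written out as a small JavaScript model. This is an added example, not Safari's or WebKit's code: it encodes only the 24-hour and 30-day windows as this article states them, and the function names, event format and `.example` domains are constructed for illustration. Events are assumed to be in chronological order.

```javascript
// Added illustration: models only the ITP windows described in this article.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;

// State of a domain's cookies when it is loaded as a third party at `now`,
// given the last time the user visited that domain directly (first party).
function cookieState(lastVisit, now) {
  // Never visited, or not visited within the last 30 days: blocked and deleted.
  if (lastVisit === undefined || now - lastVisit > 30 * DAY) return "purged";
  // Within 24 hours of a direct visit: usable as ordinary third-party cookies.
  if (now - lastVisit <= 24 * HOUR) return "third-party";
  // Otherwise partitioned: still keeps a login alive, no cross-site tracking.
  return "partitioned";
}

// Replays a chronological browsing log and reports the cookie state
// for every third-party load ("embed") it contains.
function replay(events) {
  const lastVisit = new Map(); // domain -> time of last first-party visit
  const results = [];
  for (const e of events) {
    if (e.type === "visit") {
      lastVisit.set(e.domain, e.t);
    } else if (e.type === "embed") {
      const state = cookieState(lastVisit.get(e.domain), e.t);
      results.push({ t: e.t, domain: e.domain, on: e.on, state });
    }
  }
  return results;
}

// Constructed sample log (times in milliseconds from an arbitrary start).
const sampleLog = [
  // tracker.example was never visited directly
  { t: 0, type: "embed", domain: "tracker.example", on: "news.example" },
  // the user visits social.example directly ...
  { t: 1 * DAY, type: "visit", domain: "social.example" },
  // ... and sees its widget elsewhere 2 hours, 2 days and 39 days later
  { t: 1 * DAY + 2 * HOUR, type: "embed", domain: "social.example", on: "news.example" },
  { t: 3 * DAY, type: "embed", domain: "social.example", on: "shop.example" },
  { t: 40 * DAY, type: "embed", domain: "social.example", on: "blog.example" },
];

for (const r of replay(sampleLog)) {
  console.log(`${r.domain} embedded on ${r.on}: ${r.state}`);
}
```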

But Apple is not the only company that introduced such changes. Mozilla turned on similar features, and since 2019 Firefox has blocked third-party cookies by default too. Other browsers with lower market share have grown in popularity after many privacy-related scandals.

DuckDuckGo is one of them, and it takes privacy a step further. Not only does it not allow third-party cookies, it also does not collect any personal information about the user; even the IP address is hidden. When you click on a link in DuckDuckGo, it redirects that request in a way that prevents your search terms from being sent to other sites. The sites know that you visited them, but they do not know what search you entered beforehand, nor can they use personal information to identify you.

Chrome

While Apple and other companies have been pushing to achieve a higher degree of privacy for users, Google is taking a slow path. The internet giant claims that third-party cookies will be phased out within the next 2 years. But why such a delay?

It is well known that Google (as well as Facebook) is in the advertising business. By allowing third-party cookies, Chrome is effectively granting a huge network of advertisers access to user data. After visiting one website, your information can be accessed by a whole network of sites that have access to the advertiser’s cookie. Google needs that information from cookies, and until a viable business alternative was found, there was no chance that Chrome would follow in Safari’s footsteps and block third-party cookies by default.

Google needs time to propose new technologies that would help marketers but be less invasive and annoying than tracking cookies. So, for now they have created a “privacy sandbox”, where websites are able to gather some information but ultimately hit a wall where the browser cuts them off. The Privacy Sandbox is supposed to be rolled out this spring. The change will start rolling out in April with the Chrome 90 release.

From then on, users will be able to switch it on. All information, such as browsing history and ad interests, will stay within the browser, and there will be no direct access to it by advertisers, nor any room for third-party user profiling.

By using algorithms, the browser will group together internet users who have similar browsing patterns. In turn, businesses can serve relevant ads to these clusters of like-minded people, removing the need to track users individually. Any reporting about campaign performance will also be done on an aggregate level; no user-level view will be available.

In principle this sounds like an interesting and viable solution. Google Chrome’s Privacy Sandbox is a secure environment for ad personalization and measurement. Chrome sees the Privacy Sandbox as a new standard for the web — one that has user privacy at its core and is still ad supported.

Users’ perspective

While Apple, Mozilla and other companies’ policies on cookie rejection were a great move for users’ privacy, Chrome has almost 70% of the market share. Only Google’s implementation of the new solution would be able to eliminate the use of third-party cookies. Of course, the users always have a choice – as I said there are a lot of alternatives available.

Google’s Privacy Sandbox looks very promising from users’ point of view. If all promises are kept, the most significant aspect of the solution is the fact that all user data will be kept locally within the browser and nothing except for aggregated data will be shared with third parties. As the data stays local, the user becomes the ultimate controller of their data.

It is worth noting that this initiative goes well beyond what is being demanded by the EU regulator, as the ultimate goal is elimination of third-party cookies in general.

From users’ perspective, there is also a downside to all this. With limited possibilities of profiling, the users might experience an increase in irrelevant ads. In my opinion, this is a fair price for more privacy while I browse the internet.  

Marketing perspective

Companies in the marketing space have long used cookies to gather the data they need to provide their clients with relevant, actionable insights. While the practice of mapping online user behaviour has proven tremendously effective, it no longer matches what people consider acceptable.

With some browsers blocking cookies, the introduction of Google’s Privacy Sandbox and the potential elimination of third-party cookies, marketers and advertisers will have to completely rethink the way they collect and analyse the data they will receive. And understandably they are not too happy about it.

The result of these changes may be a new marketing landscape that will require marketing teams to be creative and find new ways to understand their audience, and ways in which companies can best serve their customers’ wants by putting privacy first. Consumers want to know that the businesses they engage with respect and value them by handling their personal data with respect. Transparency will be key.

Advertisers will not be able to show ads to users based on their behaviour. Attributing ad views to conversions will not work anymore either, as it will not be possible to trace the purchase back.

The winners of these changes will be the ones that primarily use first-party cookies. Publishers with a large and engaged audience are in the best position. They have a direct relationship with internet users, so they will be able to collect first-party data and use it for targeting.

Will this further strengthen giants like Google and Facebook at the cost of marketing firms? That is likely. And will this ultimately result in more privacy for individuals? That is unknown.
