What's Happening with Third-Party Cookies?

Third-Party Cookies have been getting a lot of hype over the past few years. You may have seen headlines around the “death of the third-party cookie,” or seen posts online that discuss third-party cookies in relation to data privacy. But what are third-party cookies and why do they matter?

If you don’t have an answer, don’t worry. That’s why we’re here. We’re going to cover everything you need to know about third-party cookies, how they work, and why they are a hot topic right now.

What Are Cookies?

We’ll start with the basics so that the rest of this article makes sense, and before you ask, when we talk about cookies we’re not talking about delicious confections full of chocolate chips.  

At their most basic form, cookies are small text files that contain pieces of data that are stored within a web browser. They then act as an identifier for your computer when you use a specific computer network. For the purpose of this article and the third-party cookie question, we are referring to HTTP cookies. Think of these as internet cookies, and they are sent using the HTTP protocol (hence the name). 

HTTP cookies have been built with a very specific use case in mind: to track, personalize, and save information about each user’s session. These cookies are generated by a web server and sent to a web browser that then stores the cookies it receives for a predetermined amount of time. Web browsers will also attach any cookies to future requests a user makes on the web server when relevant, building connections to paint a data picture.

What Are Cookies Used For?

Cookies are beneficial because they allow websites to provide a better and more personalized experience to each user. They have three main uses:

• User sessions: in this case, cookies will associate site activity with a specific user. They do this by creating a unique identifier for each user that consists of a string of letters and numbers. This identifier matches a user session with relevant data and content for that user. Since most cookies have an expiration date, you will get a new unique identifier if you don’t visit the site again before that expiration date, or if you clear your cache of all cookies. However, if you have a previous cookie stored, the browser will send this information to the server, which will then pull up other relevant data connected to you to help customize your experience.
• Personalization: in this use case, a cookie helps a site to “remember” what actions you took on it, or certain preferences you have, so that it can personalize your site experience to your taste. For example, if you were prompted to select a language for a site the first time you visited it, but the second time it automatically displayed your preferred language, this was due to a cookie being stored and relaying that information to the site.
• Tracking: cookies record user activity on a site, and are the magic behind analytics platforms that we all rely on to make data-driven decisions (like Google Analytics). Tracking cookies will keep note of what pages you visited on a site, how long you spent on each page, if you added shopping items to your cart, if you left the site without completing your purchase…the list goes on.

How Do Cookies Work?

Let’s bring in a metaphor to simplify the whole cookie thing. 

Say you are visiting your favorite amusement park and you see a feature to skip lines with a special pass they offer. You go to the ticket booth to grab one of these passes, and they assign your personal information to it so they know that it belongs to you. While you are riding rides, this pass keeps track of every ride you hop on, how many times you ride each ride, the amount of time between each ride you ride…you get the gist. At the end of the day you must return your pass to the ticket office where they will hold it for you until the next time you visit the amusement park. However, the next time you visit and go to grab your pass, the ticket clerk has something special just for you. They provide you with a map that outlines the quickest routes to the rides you rode the most last time. 

This is essentially how cookies work. When you visit a site, they create your unique identifier (your pass so to speak) and it tracks your behavior in an attempt to learn more about what you prefer. When you return to the site, this information is then used to provide you with the best experience possible.

What Party Does My Cookies Belong To?

When someone refers to a first-party or a third-party cookie (there is no second-party cookie), they are talking about where the cookie originates from. 

First-party cookies are set directly by the domain (site) you are visiting. In general, they are known as being more secure, as long as the site you are visiting is reputable and has not been compromised. Example: You log into your favorite streaming platform to watch a show on your computer. After you have finished your show, you exit out of the window instead of clicking the “logout” button. The next evening, you open a window in the same browser, type in the streaming service’s URL, and find that your account is still logged in. This is because a first-party cookie has been placed in your browser and knows to associate it with your account. 

Third-party cookies are created by a domain that is different from the one you are visiting, or what is visible in your browser when you are on any given site. Typically, they are used for tracking purposes and are placed by a small piece of JavaScript code. Third-party cookies are often used by advertising platforms and are the reason you get targeted ads for things you’ve been looking for on sites that aren’t related. Advertisers, marketers, and social media platforms account for the most common third-party entities that are using cookies.

So if you saw an ad for the blender you’ve been doing research on to buy while browsing social media, this is because a third-party cookie was involved with tracking your online activity. Third-party cookies relay information to a database for their respective entity, and can use this information to track your browsing history across the web. They are an integral part of piecing together your journey to determine what interests you, and what ad would be most effectively served to you.

Security and Privacy Risks with Third-Party Cookies

Now that we have an understanding of what third-party cookies are and how they work, let’s talk about the risks that come with them. I want to be clear here, cookies themselves (including third-party cookies) aren’t harmful, they can’t infect computers with viruses or malware. The data in them doesn’t change and they are more data tupperware than anything else. However, they present a serious data security risk and are seen as infringing on user privacy rights by some. 

The data security risk surrounding third-party cookies involves something generally referred to as cookie theft. Essentially, cookies can be hijacked and used in cyber attacks, providing cyber criminals access to your browser histories and potentially to personally identifiable information (PII). Once stolen, cybercriminals can gain access to PII like your email address, home address, login credentials, and even your credit card information. 

Take advertising pixels for example: when a website loads JavaScript from an advertising platform in order to place a cookie for remarketing, they are opening the door to a potential third-party entity accessing their user’s information. Since most websites use SSL and HTTPS protocol for security, their first party cookies are not vulnerable to this breach of information. By keeping all cookies and JavaScript sourced to the first-party site owner, a business is then able to take the necessary steps to protect their user’s data and PII. This is not to say that advertising pixels and remarketing tactics are no longer safe or allowed, but by avoiding third-party JavaScript and cookies, you are eliminating external sources from accessing your users’ data for malicious purposes. 

The other area of contention with third-party cookies surrounds privacy. As we’ve covered above, third-party cookies can be used to track a user’s browsing activity. Many users are uncomfortable with their online behavior being tracked, especially without consent. There is also a general lack of transparency over what is being done with this data, and the “transparency” that exists is often hidden within long, jargon-filled privacy policies that can be difficult to understand. Even when a third-party cookie is not directly tied to a user’s name or device, there is still a possibility of linking browsing activity to a real identity which can be used in a multitude of ways from unwanted advertising to harassment.

The Death of the Third-Party Cookie

The debate over user privacy and data transparency surrounding third-party cookies is continuous. Everyone is trying to determine where the ethical line should be drawn in the sand.  It has led to the creation of newer legislation like GDPR in the EU and CCPA in California, which aim to protect the privacy rights of website users. These regulations require that site operators notify web users of the presence of cookies, what information is being collected, where this information is being shared, and that they include an option to opt out at any time, or face civil and/or criminal penalties. These laws have led to an increase in the use of cookie banners that allow users to review and control what cookies are attributed to them while interacting with a site. While this is not currently a requirement for the majority of the United States, it stands to reason that new legislation will soon follow. 

In an attempt to conform to growing consumer and legislative pressure around third-party cookies, many web browsers have already moved away from third-party cookies.

• September 2019 – Mozilla updates Firefox with Enhanced Tracking Protection (ETP). ETP is turned on by default for all users worldwide as part of the ‘Standard’ setting in the Firefox browser and will block known “third-party tracking cookies”.
• March 2020 – Apple updates Safari Intelligent Tracking Prevention (ITP), effectively blocking third-party cookies. 
• September 2021 – iOS 14 is released and marketed as being “privacy-first.” In it, any apps that have been downloaded from the App store are now required to ask the user’s permission to track their data across third-party apps or websites upon the app installation.

You may notice that Google Chrome is not featured on this timeline. With a worldwide browser market share of 63.58%, Chrome Is currently the primary browser of more than 2.65 billion internet users. Third-party cookies are an essential part of many Google products including Google Analytics and Google Ads. Google first announced that it would update Chrome to give users more information around how they’re being tracked with cookies in May 2019. This was followed in January 2020 with an announcement that it planned to end support for third-party cookies in Chrome by 2022, and the announcement of alternatives to third-party cookies from 2020 – 2021. However, in July 2022, Google delayed its plan for a third-party cookie replacement until 2024.

What Does the Death of the Third-Party Cookie Mean for Me?

For the individual, the removal of third-party cookies will lead to more privacy. But if you own, work for, or engage in advertising for a business that relies on digital marketing to connect with your audience and make money, the death of the third-party cookie can have some pretty big implications like:

• The loss of website analytics data – Google Analytics and other analytics platforms are typically implemented through a third-party script that relies on third-party cookies to collect information
• The inability to effectively serve targeted ads – third-party cookies are integral to the systems that create different demographics or audiences to target
• The loss of retargeting – third-party cookies help to create the audiences that you rely on for retargeting campaigns

It’s safe to say that this is a time of great change for marketing and advertising. Data-driven decisions have been the golden standard for well-planned campaigns for years, and the potential loss of that data would shift the way we connect with our audiences. However, all hope is not lost. There are multiple solutions that are being proposed as a replacement for third-party cookies that also keep data privacy and the right of the user to choose where and how they share their data in mind. 

If you are using Google Analytics as your primary platform, our first recommendation is to make the shift to Google Analytics 4. You should already have done this as Universal Analytics is sunsetting in July 2023, but if not, now is the time to ensure that you have your GA4 property properly configured. GA4 tracks data in a distinctly different method than UA by relying on events as opposed to sessions.This will help with visibility on user interactions in a world without third-party cookies. 

The second step is to implement server-side tracking. In this process, you spin up a server for your site and utilize it to process data previously handled by advertising pixels before sending it to third-party platforms. Sites with server-side tracking still place cookies in the user’s browser and track their interactions, but it moves from a third-party cookie to a first-party cookie. Since you own the server placing this cookie, you have total control over where user data is being sent and how it is being used. You control which third-party applications gain access to it. It is also a more secure method for collecting this data since first-party cookies are secured by HTTPS Protocol. This solution adds a  layer of security to the data you collect while still allowing you to gain visibility on your users’ interactions with your site. It also helps with data loss from the browsers that are actively blocking third-party cookies. 

The last step we recommend is to be transparent with your users and invest in a good cookie opt-in tool. Give your users the option to allow you to track their behavior on your site and let them know what you are doing with their data. While you’re at it, review your privacy policy with legal counsel to ensure you are compliant. 

These steps will help you future-proof your site for continued legislation around data privacy while also receiving the data you need to make smart marketing decisions. If you need assistance with configuring your GA4, are interested in exploring server-side tracking, or just want to learn more, reach out to the team at Be Found Online.