14 September 2022
Saying goodbye to Third Party Cookies
Google is phasing out third-party cookies.
After more than two decades, third-party cookies — or the small files that advertisers use to monitor your browsing history and serve targeted ads — are disappearing for good. By 2023, marketers won’t be able to track customers using those cookies, in large part because Google is phasing out those trackers on Chrome, as the notorious tracking technology has become unpopular with the public over the years. Google Chrome is used by roughly two-thirds of all internet users, and unlike browsers like Safari or Firefox, it allows third-party trackers on its platform. How does this affect targeted advertising in Digital Marketing. Let’s start by understanding what Cookies are.
What are cookies?
Normally, a cookie’s domain attribute will match the domain that is shown in the web browser’s address bar. This is called a first-party cookie. A third-party cookie, however, belongs to a domain different from the one shown in the address bar. This sort of cookie typically appears when web pages feature content from external websites, such as banner advertisements. This opens up the potential for tracking the user’s browsing history and is often used by advertisers in an effort to serve relevant advertisements to each user.
Tracking cookies are used to track users’ web browsing habits. This can also be done to some extent by using the IP address of the computer requesting the page or the referer field of the HTTP request header, but cookies allow for greater precision. This can be demonstrated as follows:
If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user. So, the server creates a unique identifier (typically a string of random letters and numbers) and sends it as a cookie back to the browser together with the requested page.
From this point on, the cookie will automatically be sent by the browser to the server every time a new page from the site is requested. The server not only sends the page as usual but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.
By analyzing this log file, it is then possible to find out which pages the user has visited, in what sequence, and for how long.
Corporations exploit users’ web habits by tracking cookies to collect information about buying habits. The Wall Street Journal found that America’s top fifty websites installed an average of sixty-four pieces of tracking technology onto computers, resulting in a total of 3,180 tracking files. The data can then be collected and sold to bidding corporations.
The possibility of building a profile of users is a privacy threat, especially when tracking is done across multiple domains using third-party cookies. For this reason, some countries have legislation about cookies.
Some history on cookies
In February 1996, the working group identified third-party cookies as a considerable privacy threat. The specification produced by the group was eventually published as RFC 2109 in February 1997. It specifies that third-party cookies were either not allowed at all, or at least not enabled by default.
At this time, advertising companies were already using third-party cookies. The recommendation about third-party cookies of RFC 2109 was not followed by Netscape and Internet Explorer. RFC 2109 was superseded by RFC 2965 in October 2000.
The European Union Cookie directive
In 2002, the European Union launched the Directive on Privacy and Electronic Communications (e-Privacy Directive), a policy requiring end users’ consent for the placement of cookies, and similar technologies for storing and accessing information on users’ equipment. In particular, Article 5 Paragraph 3 mandates that storing technically unnecessary data on a user’s computer can only be done if the user is provided information about how this data is used, and the user is given the possibility of denying this storage operation. The Directive does not require users to authorise or be provided notice of cookie usage that are functionally required for delivering a service they have requested, for example to retain settings, store log-in sessions, or remember what is in a user’s shopping basket.
In 2009, the law was amended by Directive 2009/136/EC, which included a change to Article 5, Paragraph 3. Instead of having an option for users to opt out of cookie storage, the revised Directive requires consent to be obtained for cookie storage. The definition of consent is cross-referenced to the definition in European data protection law, firstly the Data Protection Directive 1995 and subsequently the General Data Protection Regulation (GDPR). As the definition of consent was strengthened in the text of the GDPR, this had the effect of increasing the quality of consent required by those storing and accessing information such as cookies on users devices. In a case decided under the Data Protection Directive however, the Court of Justice of the European Union later confirmed however, that the previous law implied the same strong quality of consent as the current instrument. In addition to the requirement of consent which stems from storing or accessing information on a user’s terminal device, the information in many cookies will be considered personal data under the GDPR alone, and will require a legal basis to process. This has been the case since the 1995 Data Protection Directive, which used an identical definition of personal data, although the GDPR in interpretative Recital 30 clarifies that cookie identifiers are included. While not all data processing under the GDPR requires consent, the characteristics of behavioural advertising mean that it is difficult or impossible to justify under any other ground.
Consent under the combination of the GDPR and e-Privacy Directive has to meet a number of conditions in relation to cookies. It must be freely given and unambiguous: preticked boxes were banned under both the Data Protection Directive 1995 and the GDPR (Recital 32). The GDPR is specific that consent must be as ‘easy to withdraw as to give’, meaning that a reject-all button must be as easy to access in terms of clicks and visibility as an ‘accept all’ button. It must be specific and informed, meaning that consent relates to particular purposes for the use of this data, and all organisations seeking to use this consent must be specifically named. The Court of Justice of the European Union has also ruled that consent must be ‘efficient and timely’, meaning that it must be gained before cookies are laid and data processing begins instead of afterwards.
New potential replacement systems for cookies are still in the trial phase. But for now, marketers will have to depend on good old fashioned dynamic design and content in order to attract your target audiences.
Nexonta Technologies Inc.
On to the Next Level