Cookies are text files (code) that are placed on your smartphone, tablet, or computer by a website while you’re browsing. This allows the website to distinguish visitors from each other and analyse their behaviour using data. Cookies have a lifecycle. Some cookies are deleted when you close your browser. Others (for example, those with credentials) can remain on your computer for years if you don't delete them. Generally, you cannot see the exact functionality of a cookie. The content of the text files is usually unreadable code and the real data about you is in held in the website’s database.

There are three types of cookies, each with different functionalities.

1. Functional cookies (first-party)

These cookies are necessary for the website to function. Think, for example, of remembering your password and preference settings. Along with this, functional cookies store items in your shopping cart.

2. Analytical cookies (first-party)

It’s all in the name: analytical cookies measure everything that happens on your website. Think of the number of visitors, most visited web pages, conversions, and more. A well-known programme that uses analytical cookies is Google Analytics, but Adobe also provides a similar platform.

3. Tracking cookies (third-party)

Tracking cookies profile internet users. Tracking cookies build knowledge about users on websites based on the pages they visited. This allows advertisers to target users. Tracking cookies are usually placed by other parties from external domains. That is why we also refer to them as third-party cookies. Websites can also function well without tracking cookies.

In 1994, cookies were introduced in Netscape 1.0. Cookies became visible to internet users when the American computer programmer Lou Montulli had the option built into Netscape 3. This option alerted users when websites tried to place a cookie. Advertising agencies discovered the cookie at the same time and started used it for profiling.

Profiling builds up a profile of users. Information gathered from cookies can be used to bring products to user’s attention with online advertisements. We call it targeting when those profiles are used for targeted advertising.

A proposal was made to make cookies more transparent and prevent profiling in 1997. As a result, the user could decide which cookies they would accept and store.

Cookies were thrust into the spotlight when Google bought DoubleClick for $3.1 billion in 2007. DoubleClick wanted to link identifiable data to the internet user’s profiles and planned to sell that data. That would be very attractive for marketing companies — after all, serving targeted advertisements would be a lot easier. Under pressure from privacy organisations, DoubleClick did not sell the data.

The introduction of the General Data Protection Regulation (GDPR) in 2016, a European regulation that standardises the rules for the processing of personal data throughout the European Union. That GDPR legislation laid down strict rules on how companies and government agencies should handle personal data — which also includes cookies. To be clear, browsers do not necessarily follow this law in the first instance but offer the user more opportunities to limit tracking.

Google Analytics data is central to many marketers and organisations when they want to gain insights into the impact of their marketing campaigns. Cookie control measures were initially aimed at blocking third-party (advertising) cookies, now the signs are that in the new versions the controls are also aimed at first-party (functional) cookies. This has a direct impact on website analytics, A/B testing, and on-site research, for example.

Since (Safari) ITP 2.1, first-party cookies can be stored for a maximum of seven days. With ITP 2.3, cookies are only stored for one day in certain circumstances. Of course, this has an impact: it becomes more difficult to recognise your visitor, to prospect with relevant advertisements, and attribute them. You’ve probably already noticed that change in your data.

For consumers, the effects appear to be less severe. Nevertheless, these changes can inhibit digital innovation and affect local publishers, among others, because now it’s more difficult to create free, high-quality content. These parties are now researching alternative revenue models.

Let’s look at how the most commonly used browsers are blocking cookies today.

Safari

Apple is the first major party to make it more difficult to track their Safari users with cookies, with the introduction of "Intelligent Tracking Prevention" (ITP) in mid 2017.

ITP 2.3, the most recent version, also restricts the use of first-party cookies. When a client-side first-party cookie is placed in the following circumstances, that cookie is deleted even after one day:

• The user enters the website from an ITP-classified cross-site tracking domain (e.g., facebook.com, google.com).

• The URL contains a query parameter or hash fragment (for example, fbclid or gclid).

Firefox

Mozilla Firefox has had its own in-browser privacy protection called "Enhanced Tracking Prevention" (ETP) since September 3, 2019. This replaced what used to be an opt-in feature and blocks third-party trackers by default for all users.

ETP automatically blocks the following trackers and scripts:

• Social media trackers

• Cookies that track you cross-site

• Fingerprinters

• Cryptominers

• Tracking content (trackers hidden in ads, videos, and other in-page content)

In 2020, Firefox announced the roll out of ETP 2.0. ETP 2.0 is intended to protect users from redirect tracking, also known as bounce tracking. Redirect tracking records the websites you visit and where you come from. Redirect tracking was used to bypass third-party blocking. ETP 2.0 protects Firefox users from redirect trackers and erases them after 24 hours.

Google Chrome

Google Chrome is slowly withdrawing support for third-party tracking cookies, and at the same time hopes to come up with a good alternative to the cookies.

"Some browsers have responded to these concerns by blocking third-party cookies overnight, but we believe this has unintended consequences that can negatively affect both users and the ecosystem," said Justin Schuh.

Google is also actively involved in the Privacy Sandbox — an initiative that protects the online privacy of surfers, while helping organisations and developers start successful digital businesses. The Privacy Sandbox reduces cross-site and cross-app tracking.

Microsoft Edge

Microsoft introduced new privacy settings in the new Edge browser at its launch in 2020. For example, cookies from external websites that you’ve never visited before are automatically blocked, just like known trackers. There is an option to upscale your protection and block almost all trackers, although Microsoft warns that this can have an impact on the display of web pages.

So what does this post-cookie world look like? A lot of the changes are improvements for the consumer. It wasn’t clear to the consumer that free access to social platforms, apps, tools, and content, data was the revenue model and that it couldn’t really be influenced. In the first instance this changed because of GDPR legislation, and browsers also offer more and more control. Whether that control goes far enough is still a matter for enthusiastic debate.

In any case, there is a lot to do. For example, you can get started with server-side tracking yourself and there are developments in the field of first-party data and contextual advertising.

Server-side tracking for full data

Server-side tracking bypasses blocking client-side tracking. This is important to access the correct insights into the journey of all your (potential) customers. Now, cookies that you would normally send from a user's browser to, for example, Google Analytics, you send via your own server with a tool. Users can opt-in to this GDPR-proof cookie.

The advantage of this approach is that the cookies you place are treated differently by, for example, Safari and therefore remain in your users browser longer. Another benefit is that ad blockers don’t disable your analytics tool.

First-party data building by publishers

Two parties that have good data are of course Google and Meta. This gives them a dominant position in digital advertising with about 70% spend share. Amazon is operating in the Benelux and will make its advertising data available for external purchase.

In Belgium and the Netherlands, publishers are constantly looking for ways to break through the power of the giants with economies of scale and consolidation. For example, the major players in the region now are DPG ads (DPG Media) and Ads&Data (Telenet/SBS, Mediahuis, Pebble Media, and Proximus).

As far as we are concerned, building a stronger, more equal, and transparent relationship with your (potential) customer is an opportunity. The developments in privacy and technical areas mean that in many cases, quality does not have to be compromised, and it is beneficial for everyone if good local data exchange initiatives with consumers develop. Would you like to know more about how to make the cookieless future developments work for your organisation? We will help you to identify how to make the right trade-off between privacy, security and delivering a customised user experience. Then read 'Impact of the cookieless future on marketing'.