Cookies: what they are, what they are for and what is changing
They are nicely called cookies, but they are often anything but pleasant, even if they are very useful for profiling users for marketing purposes. In view of the great revolution announced by Google, which by 2022 will delete most third-party cookies from its Chrome browser, let’s figure out something more about these tracks and what this change means for companies.
What cookies are
Web cookies, or more simply and par excellence cookies, are identifying trackers used by server-side web applications to save and retrieve information on the client side through an additional header present in a request (Cookie:) or response (Set-cookie:) HTTP.
In practical terms, they are small text files, which generally contain letters and numbers, created by the websites visited and stored on every type of technological device connected to the Network (desktop PC, mobile device or Internet of Things tools) for two main reasons:
- Store users’ preferences and improve their experience of using a site or an app, saving browsing data.
- Analyze traffic to that site and track the browsing behavior of users.
What cookies are for
The first duty of cookies is to keep a user connected to the site: thanks to these trackers, you can store personal preferences for each site visited, save previous interactions, identify access to an account, make more operational sites, load pages faster, collect statistical data on visitor behaviour and offer relevant content locally.
These digital cookies are able to store personal data – such as IP address, user name, unique identifier or email address – but may potentially also contain other non-personal data, such as language settings or information about the type of device used by the user. In addition, cookies may also contain tracking Ids such as advertising Ids and user Ids.
Typologies of cookies
Cookies are distinguished in various types according to their characteristics. The biggest difference is between owners and third parties, depending on who makes the installation request. To be precise:
- First party or proprietary cookies are set by the domain of the host site, the one that the user is visiting and which displays in the address bar; can read only that site and, usually, they serve page owners to save details such as user passwords, which will then have easier and faster access to accounts.
- Third-party cookies are created by a different site and hosted by the one that the user is visiting; the domain that sets cookies is the owner of some of the content, such as ads or images, which uses them to make targeted advertising.
Another important distinction is that between:
- Persistent cookies, stored on the user’s computer until the scheduled expiry or manual deletion. Through these trackers the sites automatically recognize users who access the site (or any other users who use the same computer), which however have the ability to manage preferences and eventually reject cookies through the settings of the browser.
- Session cookies, which are deleted when the user closes the browser and therefore are not stored persistently on the device. Cookies are strictly limited to the transmission of session identifiers that are necessary to allow safe and efficient exploration of the site, without therefore having to resort to other computer techniques that could potentially be prejudicial to the confidentiality of the navigation of the users.
Main cookies
The list of trackers is then completed with a further more specific classification, between:
- Technical cookies, required by some computer systems and necessary for the user to authenticate, use multimedia content or to set a language of navigation.
- Non-technical cookies, used for profiling and marketing purposes, which in turn are grouped according to the functions. We recognize as follows:
- Analytics, the cookies used to collect and analyze statistical information on access and/ or visits to the website. These, when combined with other information (such as credentials entered for access to restricted areas), may in some cases serve to profile the user (in particular personal habits, sites visited, downloaded content, types of interactions carried out and so on).
- Widgets, graphical components of a program’s user interface, which facilitates user interaction with the program itself. Examples are Facebook or Twitter cookies.
- Advertsing, the cookies used to advertise within a site.
- Web beacons, fragments of code that allow a site to transfer or collect information through the request of a graphic image. They can serve several purposes, such as the analysis of the use of the sites, control and reporting activities on advertising and personalization of advertising and content..
From a technical point of view, instead, trackers can have the form of browsers or HTTP cookies, or use less known tracking technologies, such as local storage objects (Lso) or flash cookies, software development kits (Sdk), pixel trackers (or pixel gif), buttons “I like” and social sharing tools as well as fingerprinting technologies.
Fingerprints are considered one of the most aggressive forms of tracking cookies: they are small fragments of information that vary depending on the characteristics of the user (from the device owned to the fonts installed) and allow to generate a unique identifier that can be used to match a user through websites. In addition, unlike with classic cookies, users cannot delete passive activities related to fingerprinting, and therefore have no control over how they collect their information.
Cookies and advertisements, why they are important
Appeared online for the first time in 1994 (the first use was on the Netscape site, to check if readers were new or returning), is for more than 25 years so that cookies are part of the Web system and are essential because “without them there would not be the advertising ecosystem we see today“, as Ratko Vidakovic, founder of the consulting firm Adprofs, told the Financial Times.
The online advertising and adtech industry makes extensive use of cookies at every stage, from campaign planning to targeting, up to measuring and attributing sales.
The use of all trackers for advertising purposes has so far been one of the most profitable for the sector, because these data packages allow to feed the delivery of targeted ads within seconds from the opening of a website by the user and, above all, they allow users to specifically monitor the content they access and how they behave, tracing dynamic IP addresses of their device or other similar information.
Starting from this tracking we create a profile that allows you to classify the user within a specific cluster, so you can direct profiled and targeted advertising. In summary, this information is valuable because it creates demand, “inducing consumers to desire products and services they did not know existed” (Wired).
The cookie apocalypse, toward the end of an era?
For almost a quarter of a century then cookies (especially third-party) have been the cornerstone of Internet advertising and have allowed companies to make huge gains, but the situation is changing (more or less) suddenly.
The first signs arrived in 2017, when the Safari browser began to block third-party tracking cookies, followed in 2019 by Firefox, up to the decision of Google, that announced at the beginning of the year the intention to definitively stop these trackers on Chrome, the most used browser in the world (about two-thirds of marketshare).
It was Justin Schuh, director of Google Engineering for Chrome, to clarify the moves of Mountain View, which will block cross-website trackers by February 2022 to ensure greater protection of privacy and greater security of users’ browsing.
What happens with Google’s decision
In the words of Schuh, also reported by our italian Sole 24 Ore, the company is putting in place a “strategy to redesign the standards of the web, to make it the default for privacy. There has been a lot of attention on third-party cookies because they are certainly one of the tracking mechanisms, but this is just a tracking mechanism and we call it that because it is what people pay attention to”.
Moreover, Google is working actively “across the ecosystem, so that browsers, publishers, developers and advertisers have the opportunity to experiment with new mechanisms, test whether they work well in various situations and develop support implementations, including ad selection and measurement, the prevention of denial of service (Dos), anti-spam/fraud and federated authentication”.
The first concrete effect came in February, when Chrome began limiting “cross-site tracking” and the sharing of unprotected data by introducing a new tagging system that integrates the SameSite label to explain how cookies are to be considered and processed, requiring that those labelled for the use of third parties are accessible only through an HTTPS connection. Without attribution indication, Chrome considers such trackers as first party only and therefore not distributable via external sites.
Google’s Privacy Sandbox
This is the first step of the Privacy Sandbox Project, a broader initiative that aims to replace cookies with a “open web” API technology, credible and feasible for targeting and tracking conversions, created to protect the privacy of users and, at the same time, to allow advertisers to track them within the browser without sharing their data.
It is therefore a system that puts an end to individual targeting to promote targeting for user groups, so as to prevent abuse of various kinds and safeguard the display of advertising content.
Implications of this move
Before understanding what companies can do in this new context, it is still good to clarify what may be the effects of Google’s decision.
The first, crucial, point is that not all cookies are disappearing: first party cookies, created by the domain visited by a user to remember shopping carts or user accounts, are not affected by abandonment and, In fact, they see their value increase as a data source to adapt ads to people.
Within the advertising market, this could lead to a further shift of power, as the Financial Times always notes: “we would move from the open Internet, where adtech once thrived – and cookies tracked user activity between sites – to more closed domains that have detailed data on their direct users”. Such a closed world extends from small retailers or publishers, who may ask users to register or pay subscriptions, to large platforms such as Facebook or Google, which contain huge amounts of data about their users.
And there is no lack of those who highlight the role played by Google, which should go to strengthen its market power, making Chrome an almost indispensable intermediary for advertisers who need data to accurately target ads and monitor their effectiveness.
Three ways to a cookieless future
Having to find new solutions in view of the obsolescence of third-party cookies over time are advertisers, vendors, tech companies focused on retargeting and all those whose business is based on performance, as well as of course those who have relied on third-party cookies or fingerprinting unsafe.
An article by Engage identifies three possible scenarios for those who have to change strategy and continue to acquire more prospects and connect with their target.
- Use of other data sources
It is quite predictable to think that the end of third-party cookies will make other data sources more important, such as second-party data (or login data): this means that advertisers “will have to rely more on publishers and tighten even more relationships with premium publishers to ensure that brand safety standards and contextual targeting needs are met”.
In this scenario, “brands will have to regain control and make better use of their first-party data by encouraging authentication of users on their site or app through valuable content, loyalty programs” and more, “assigning the consumer a unique user ID at the time of authentication” to have “a clear view of the behavior and actions of that cross-session and cross-device user”. In addition, it becomes crucial to analyze trends and insights for the planning of your campaigns.
- Development of partnerships with the “big techs”
G as Google, Facebook and Amazon (which together consume over 70 percent of digital advertising revenue) will be increasingly needed for brands, in an environment bound by new privacy regulations, because they offer the best sets of proprietary data. Therefore, “identifying and addressing these channels will allow brands to continue to innovate and deliver targeted and engaging advertising to the right audience”.
- Contextual targeting
The last route indicated by the article is the use of contextual targeting “to match ads with keywords and thus place them in a context relevant to your product”. This solution is favored by the use of Machine Learning and Artificial Intelligence based technologies, which “provide a more accurate understanding of the content and allow to obtain a greater granularity by targetting video metadata, titles descriptions, keywords and even comments inside and outside the content”and allow contextual targeting to “go deeper into what consumers are actively looking for when they are hunting for something”, so as to provide more personalized messages.
The case of Netherland’s national television
Exactly of contextual targeting speaks the site Profession Reporter, which tells a case of success of brands that has decided to give up cookies in advance (and what the article defines “the empire of Google and cookies”): it is the Nederlandse Publieke Omroep, public TV in the Netherlands (so to speak, our RAI or the BBC), which since 2018 has adopted a revolutionary cookie policy.
After the introduction of the GDPR launched by the European Union to protect personal data and privacy, the Dutch TV decided that “visitors to its sites would no longer be forced to say yes or no to cookies” and, unlike what happens almost in all cases, “Skipping the privacy note would not be considered an ok to tracking, but rather a no“.
Ninety percent of users chose the no, pointing it directly or skipping the option, but this did not mean a disaster for Npo’s advertising revenue – despite a study by Google that claims that “giving up cookies would have reduced advertising revenue by 50 percent” – and in 2020 decided to give up cookies altogether, no longer relying on programmatic advertising through Google, but contextual advertising served by the local agency Ster.
The result, history of these months, is that the company’s advertising earnings have dramatically risen, even after the Coronavirus shock, and Npo discovered “The advertising notices served to users who refused cookies had brought the same or higher revenue than the notices served to users who had said yes to cookies”.
In practical terms, since the beginning of 2020 visitors to Npo sites are not tracked: only “in January and February revenues from digital advertising grew by 62 and 79 percent, compared to the same months of the previous year, and even during the subsequent months of Coronavirus grew in double digits”.
The explanation is simple: now Nederlandse Publieke Omroep “collects everything that advertisers spend to publish on its pages, while before it left an important share of revenues in the hands of bunch middlemen, the group of intermediaries (data management platform, demand-side platform, supply-side platform)”.
Toward a cookieless future?
We are still in the middle of an evolving situation and it is not yet clear how the abandonment of tracking cookies will actually happen and what kind of impact this change will have.
Certainly, the time has come to start looking at the data differently and prepare for this future cookieless: not to lose ground, brands will have to develop new skills, to plan systems to measure the audience and effectiveness of an advertising campaign and to be able to involve consumers as effectively as possible.
Cover image from https://blog.google/technology/research/makings-smart-cookie/
