In my opinion, the adtech ecosystem is weird. I spent two plus years doing DevOps, and generally, a big part of our work was to constantly find new cutting-edge technologies to make the whole architecture harder, better, faster, stronger.
When I switched for this environment, instead, I found myself working with the basics of the web: URL parameters, cookies, client-side scripting, etc. Now, I’m not blowing my own trumpet, nor do I want to bash the current technology stack being used everywhere. I am also aware this is a gross generalisation and that there are genuinely some really good products which go beyond the simplicity of what is exposed on the surface. Still, you can imagine my surprise when I realised how heavily the industry relies on the basics, which despite getting the job done, they aren’t exactly ‘innovative’.
And so we reach 2019, where it seems nobody likes the third party cookie. What happened? Why now? After all, third party cookies are not exactly a new concept in this game nor anywhere else on the web.
The world is awash with data and software.
Here at SBDS we often say “we are in the midst of the most exciting marketing wave yet”. If you have been following the news over the last couple of years you may have also noticed we’re are in the middle of a privacy storm which doesn’t seem to be settling – in fact, it’s still raging despite starting its journey in 2013 after Snowden’s revelations to the American public about surveillance. At least, this is the date for me when the chain reaction started; with the data focus suddenly under the public spotlight.
Fast forward to early 2018 when Cambridge Analytica reminded everyone how dangerous the misuse of data can be, combined with the induction of the now infamous GDPR, it’s fair to say the focus on data has become firmly planted into our ecosystems.
This brief recap of events is just to show you how deep the connection between data and privacy is, and why third party cookies are getting the short end of the stick.
Time for a quick cookie recap.
A cookie is a small piece of data stored on your device by its web browser and it’s used, essentially, to remember something about you – a preference, your login status, a setting, or more simply generic information which will help the website serve you better and/or faster content on your next visit. When the site you are visiting is the one places the cookie, said cookie is labelled as “first party cookie” since the cookie’s domain matches the site own domain.
However, a lot of sites also use third party services to better serve their content, so the domain doesn’t always match. In that case the cookies set are called “third party cookies” since they are coming from an external party and not the site you are visiting.
Most of the time, those services are related to advertising and advertisers leveraging these cookies to track your behaviour and browsing history – in order to better tailor their ads based on your interests and on the content you are looking for. Which is a good thing, right?
The 'Brexit' technique.
Problem is, this is (or should I say, was) very often done without any sort of agreement on your part, or even a simple acknowledgement. This has of course, now changed, however in my opinion this change was far too late. What should have been a simple notice became a necessary communication existing because of regulations as an attempt to quench the public’s fear of tracking, instead of a transparency announcement aimed to prevent it.
While all of this was happening, tech giants began to make their own changes. And Apple and Google latest announcements are heavily influencing the advertising industry.
Apple announced on April 24 their latest version of the Intelligent Tracking Prevention, or ITP 2.2 for short. To simplify, Apple is capping cookies persistence on iOS to one day if the cookie falls under one of those categories:
- The website has been classified by ITP as having cross-site tracking capabilities;
- The user clicks a link which results in a cross-site navigation;
- A click takes you on a landing URL with a query string and/or a fragment identifier;
- A persistent cookie is set through ‘document.cookie’ function.
At the end of the announcement Apple points out, and I quote, “We hope web developers will join us in better protecting user privacy while concurrently creating the best user experiences on the web”. While I do not doubt the good intentions, I can’t help but notice how they are not aggressively degrading identity in the apps ecosystem, which incidentally, is their highest margin business by far. In fact, the damages are mostly directed towards the open web which hurts their direct competitors, Facebook and Google, while also pushing users towards apps.
Speaking of Google, they also did their part (well, technically nothing has changed yet) in giving their users a better form of control by announcing on May 7 their promise of an improved privacy when browsing with Chrome. This announcement is nothing new. Infact, this supposedly innovative approach in handling cookies has been a Mozilla prerogative since August 2018 (here’s an example). Still, it shows how Google is merely moving towards the general consensus in terms of browser privacy controls.
There’s also the fact that Google own one of the biggest, if not the biggest, advertising stack currently available on the whole web. Because of that, it’s hard to think they would intentionally hinder their ability to serve personalised ads inside the settings of their own browser. We are yet to see how Google will handle things, but surely even just the announcement alone is good PR exposure given their history with GDPR-related fines.
A few free tips and tricks.
If your business relies upon Apple customers, here’s a free suggestion: focus advertising on apps, leveraging the advertising ID.
This way, Apple will be helping you indirectly by constantly pushing the users towards the app system – like it or not, the future is going mobile. Don’t waste your time in looking for the perfect workaround for salvage cookies: in the best scenario you’ll find yourself with a laughable data pool, and in the worse scenario Apple will do a 360 and create a walled garden with their own data. You think I’m crazy? Perhaps, but after seeing a four digit monitor stand I don’t want to exclude any possibility.
I imagine Google is toying with some real innovation in the background which will end up creating an identification system similar to the one being used for apps, the advertising IDs, but for the browser. This way they’ll be able to both parade their commitment for a better web and still sell you their own advertising stack using “browser IDs”.
The future of the cookie jar.
The cookie will or will not survive: both scenarios are equally exhilarating.
On one hand, I want to be amazed while researching new cookie-less technologies; on the other I’d be curious to see how deep companies can go in fighting stricter and stricter policies.
I sincerely hope this will be a big eye-opener for everyone in the industry; a strive towards a better future; giving customers the control they deserve while making the whole web experience feel more relevant to them, but without that nagging feeling you are being predated upon by data-hungry monsters.
If you don’t know where to start and I have not bored you to death with this long article, let me recommend you this Internet Draft by Mike West which describes how we could possibly transition from the cookie to something more stable and secure.