Cookies have been part of the internet basically since the beginning. As the internet has developed, advertisers have co-opted cookies from their original use and turned them into super data collection machines that track your every move across the web.
But attitudes are changing. Consumers and governing bodies are pushing back. Not only are governments passing legislation regulating transparency around cookie use, but major browsers have also pushed the envelope by developing technology to block third-party cookies.
Their moves are shifting the data privacy landscape.
Cookies are good as a food, less so as a technology
Cookies are small, randomly encoded text files that make e-commerce affordable for businesses by storing data about a user’s site visit on their own computer instead of on massive company servers. They also improve user experience by doing things like keeping carts full across visits and remembering log-in preferences.
By themselves, cookies aren’t dangerous. First-party cookies—cookies you place on your site yourself to improve and monitor functionality and personalization—give you a more seamless and enjoyable user experience on the internet.
Third-party cookies, though, are another story. Privacy advocates have been trying to get rid of them for years because they’re incredibly invasive. Data collected from third-party cookies can be used to create a profile that knows you better than you know yourself.
And data brokers sell that profile for a lot of money.
What do these dynamics mean for the business-consumer relationship, though? For consumers, trading away privacy can be a serious trust-breaker. Businesses are finding that preserving data privacy—and consumer trust—isn’t optional anymore. What’s more, businesses that put privacy and trust first can differentiate themselves from their competitors.
Nirish Parad, marketing technologist at Tinuiti, notes, “Respecting privacy is one thing, but are we building trust? Netizens don't trust companies with their information. How do we earn that back? By leaning in. If you're collecting data, be intentional, respect preferences, deliver value, and invest in the experience.”
Where to start? Cookies. As consumers demand more control over how their data is used online, major tech companies are blocking third-party cookies altogether and making a big impact on consumer privacy.
Apple has led the browser privacy conversation since 2017, when they added the Intelligent Tracking Prevention (ITP) feature to their Safari browser. By March 2020, ITP updates made Safari capable of blocking all third-party cookies. More importantly, Safari can now block the workarounds that ad networks and cookie makers had been using to circumvent earlier ITP versions.
Safari still allows first-party cookies, but they expire after one day instead of seven. This means that if you don’t visit a website every day to refresh the cookie, your device will get a new identifier the next time you hit the site.
Effectively, this means it will be very difficult for advertisers and data collectors to follow Safari users around the internet, making Safari one of the most secure ways to surf the web.
But Safari isn’t the only cookie-free part of the Apple universe. The most recent update for Apple products—iOS 14—is *literally* cookieless. As of this update, developers are required to ask for permission before tracking iOS users for ad targeting.
This opt-in requirement marks a big shift for smartphone users' privacy because it makes developers responsible for addressing privacy, not users. And it’s expected that users are going to take advantage of these new protections—it’s estimated that the share of iOS users granting permissions to developers will drop massively, from 70% to 10%.
Apple is a prime example of a company using aggressive privacy technology and policies to differentiate their brand. In a market almost entirely controlled by Google Chrome, Apple’s commitment to privacy has made Safari a major part of the digital privacy and internet tracking conversation.
With 69% of the market, there is no question Google controls the browser game. But while they may have been driving browser innovation, they are behind on the privacy side.
Part of the reason for this is that up to 83% of Google’s revenue is ad revenue. Google’s official line is that getting rid of cookies will increase the use of workarounds like device fingerprinting, but it’s hard not to notice that eliminating third-party cookies without a backup plan would more or less implode their business model.
Google Sandbox & Consent Mode
Google’s Privacy Sandbox is a work in progress, but its goals are to:
- Replace cross-site tracking processes with new technologies
- Separate first-party cookies from third-party cookies so third-party cookies can be eliminated
- Reduce the success of workaround tracking technologies used by bad actors
Reactions to the Privacy Sandbox have been mixed. Google will obviously benefit from having advertisers using their first-party tools. In turn, those first-party tools will increase the control Google has of, well, everything.
In September 2020, Google also launched the beta version of its Google Consent Mode. According to Google, consent mode is an API that “allows you to adjust how your Google tags behave based on the consent status of your users.” From Google’s website:
“You can indicate whether consent has been granted for analytics and ads cookies. Google's tags will dynamically adapt, only utilizing cookies for the specified purposes when consent has been given by the user. You can use consent mode in Google Ads for conversion tracking and remarketing.”
Whatever Google’s motivations, Google Consent Mode is popular with companies that provide cookie and online tracking consent and compliance solutions.
According to Danish company Cookiebot, Google Consent Mode “is a big step forward in building a more sustainable internet economy that brings both elements into greater balance – moving away from mass personal data collection towards a consent-based dynamic system that respects the privacy and dignity of each individual user without breaking the underlying business model of large parts of the Internet.”
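To make the consent signalling described above concrete, here is an added example (not from the original article or from Google's documentation) that wires a consent banner to Consent Mode in a deny-by-default way. The `gtag('consent', ...)` command and the `ad_storage` / `analytics_storage` keys are Consent Mode's own; the banner object shape (`{ analytics, ads }`) and the helper function names are hypothetical.

```javascript
// Added example: deny-by-default wiring for Google Consent Mode.
// Assumption: the banner hands us an object like { analytics: true, ads: false }.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);

// Same shim as Google's tag snippet: commands are queued as `arguments` objects.
function gtag() {
  dataLayer.push(arguments);
}

// Fail closed: only an explicit boolean `true` grants consent.
// Missing keys, null, "true" or 1 all map to 'denied'.
function toConsentState(choices) {
  const c = choices || {};
  return {
    analytics_storage: c.analytics === true ? 'granted' : 'denied',
    ad_storage: c.ads === true ? 'granted' : 'denied',
  };
}

// Queue this before any other gtag command so tags start without cookies.
function setConsentDefaults() {
  gtag('consent', 'default', toConsentState(null));
}

// Call from the banner's save handler (hypothetical) with the user's choices.
function applyBannerChoice(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  return state;
}

setConsentDefaults();
applyBannerChoice({ analytics: true }); // user allowed analytics only
```

The ordering matters: if the `default` command is queued after tags have already fired, those tags run with whatever behaviour they had before consent was known.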
Google has also made the news very recently for a cookieless approach they're calling “FLoC” (or Federated Learning of Cohorts). FLoC works as a browser extension that compiles data from thousands of site users. FLoC hasn't been released for public testing as of yet—but look for a release in March, followed by advertiser testing in the second quarter of this year.
We can’t talk about cookie-blocking browsers without talking about Mozilla Firefox. Firefox was created by a nonprofit, which means they create features based solely on user experience without worrying about shareholders. They don’t sell data. Additionally, Firefox is not based on Chromium, Google’s open-source code project that forms the infrastructure of the Chrome, Edge, and Brave browsers.
Mozilla’s entire mission is to foster the creation of “an Internet that truly puts people first, where individuals can shape their own experience and are empowered, safe and independent.” Spurred by the Cambridge Analytica/Facebook scandal, Firefox began using “containers,” a technology that isolates browser tabs from each other, in 2016, before Apple’s ITP and long before Google’s Consent Mode.
Firefox started blocking third-party cookies in 2019, but they’ve had to play catch-up to be able to stop the workarounds that inevitably popped up. Currently, Mozilla engineers are working on a new technology called DNS over HTTPS, or DoH. This technology encrypts your browser requests and traffic, making it much harder for trackers to spy on you.
Mozilla’s constant push for a user-centered, privacy-based internet has given them a clout that doesn’t match their market share because giving consumers more control over how their personal data is collected, used, and shared online is the issue of the internet’s future.
You can still track (and be tracked) without cookie crumbs
Cookies aren’t the only way users are tracked online — they’re just the most common. And major browsers dumping them doesn’t mean your privacy worries are over.
For starters, you still need to advise your users about the first-party cookies you have on your site, and you’ll still have to manage the data those cookies collect. This means knowing what you’re collecting, why you’re collecting it, where and how long you’re storing it, and how you’re protecting it.
Device fingerprinting, also known as browser fingerprinting, happens when someone (or some technology) collects information about your device, including your:
- Time zone
- Language settings
- CPU architecture
Alone, these little bits of data wouldn’t mean anything to anyone. But trackers combine these identifiers to create a recognizable profile for individual users that is incredibly accurate. According to Mozilla, “recent developments in cross-browser fingerprinting [make digital fingerprinting] capable of successfully identifying users 99% of the time.”
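The effect of combining attributes can be measured. The following added example (not part of the original article) takes a constructed sample of eight visitors described only by the three attributes listed above and computes, for each attribute alone and for all three together, the share of visitors who are unique and the entropy in bits. The field names `tz`, `lang` and `cpu` and all sample values are assumptions made for illustration.

```javascript
// CONSTRUCTED sample of 8 visitors; field names (tz, lang, cpu) are assumptions.
const visitors = [
  { tz: 'America/New_York', lang: 'en-US', cpu: 'x86_64' },
  { tz: 'America/New_York', lang: 'en-US', cpu: 'x86_64' },
  { tz: 'America/New_York', lang: 'en-US', cpu: 'arm64' },
  { tz: 'America/New_York', lang: 'es-US', cpu: 'x86_64' },
  { tz: 'Europe/Berlin', lang: 'de-DE', cpu: 'x86_64' },
  { tz: 'Europe/Berlin', lang: 'de-DE', cpu: 'arm64' },
  { tz: 'Europe/Berlin', lang: 'en-US', cpu: 'x86_64' },
  { tz: 'Europe/Berlin', lang: 'en-US', cpu: 'arm64' },
];

// Count how many visitors share each combination of the chosen attributes.
function groupCounts(rows, attrs) {
  const counts = new Map();
  for (const r of rows) {
    const key = JSON.stringify(attrs.map((a) => r[a]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Share of visitors whose combination nobody else has (anonymity set of 1).
function uniqueShare(rows, attrs) {
  let alone = 0;
  for (const n of groupCounts(rows, attrs).values()) if (n === 1) alone += 1;
  return alone / rows.length;
}

// Shannon entropy in bits: how much identifying information the attributes carry.
function entropyBits(rows, attrs) {
  let h = 0;
  for (const n of groupCounts(rows, attrs).values()) {
    h -= (n / rows.length) * Math.log2(n / rows.length);
  }
  return h;
}

// One row per attribute set: each attribute alone, then all three combined.
function report(rows) {
  const sets = [['tz'], ['lang'], ['cpu'], ['tz', 'lang', 'cpu']];
  return sets.map((attrs) => ({
    attrs: attrs.join('+'),
    uniqueShare: uniqueShare(rows, attrs),
    bits: entropyBits(rows, attrs),
  }));
}
console.table(report(visitors));
```

In this sample, time zone and CPU architecture alone single out nobody and language singles out one visitor in eight, yet the three together make six of the eight visitors unique.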
Using a VPN and blocking cookies can’t stop fingerprinting. And fingerprinting isn’t all bad. It was first used by banking websites for fraud prevention and fraud investigations. From a privacy standpoint, however, fingerprinting can create a profile even more accurate than cookies.
And unlike third-party cookies that come from your vendor, your website might have fingerprinting technology without you even knowing it.
A study from Princeton University found that more than 60% of the top 1,000 sites on the web share information with third parties, and many of those third parties are fingerprinting visitors and selling the data. They also found that 96.5% of websites have access to digital fingerprints even if they are not using the technology themselves.
Being proactive will allow you to find new, privacy-friendly ways to collect data on and communicate with your users before you legally have to. Rather than having forced downtime, you can set yourself up for an agile transition to whatever changes come your way.
Get on a cookie-free diet
Third-party cookies are an old technology whose time is almost up. If you want to minimize your risk for privacy action, increase trust with your users, and put your company at the forefront of one of the most important consumer issues of the next decade, you should shift your focus to first-party data. Think email marketing campaigns or retargeting campaigns—but in a privacy-friendly way. And that’s where we come in!