Cookie Monster Forever
Unless you have been hiding your head in the sand, you know that third-party data is disappearing, someday, somehow and potentially that ‘Cookies’ and browser blocking have something to do with it. You may even have heard that server-side is the solution to all our problems.
There are times when you may need to loosely understand the absolute foundations of how all this works, how it’s changing, and why. It can help us reason through potential issues, why your data will always, always be just a little bit F**ked, and why that’s OK. We’ll look at the causes, as well as how you should collect data in the future and questions you may need to ask. If you absorb anything, know that data collection is very flawed. Your data should only be 90–95% accurate from any other comparable source, and that’s OK.
Third-party cookies and web browsers power pixel tracking, also called client-side tracking or cookie-based tracking. Cookies are simple, and web browsers do all the work of storing and sending information in pixel tracking, so it’s easy to implement and use. Unfortunately, cookies are also easy for browsers to block, users to delete, and bad actors to leverage, leaving marketers and their campaigns at risk – not to mention that pixel tracking only works on desktop web, not mobile.
So, is the party over? For over 20 years third-party cookies have formed the bedrock of digital advertising, passed back and forth by publishers and advertisers, collected and stored unsuspectingly on all of our personal browsers. Our personal information and user behaviour could be used to target us without our permission or knowledge. Dialling up the internet signalled our acceptance, and if we wanted access to all this free information, there was a form of unwitting acknowledgement, like above-the-line media, that we would see some ads. Then it started getting creepy to the point that we are getting paranoid, but perhaps with good reason. Who has discussed a need for a product with a friend only to see an ad for it appear later on Facebook?
The move away from third-party cookies is gathering momentum as tech companies respond to growing consumer and regulatory concerns around personal data. Apple ended support for third-party cookies in Safari in 2018, and Google plans to do so in its Chrome browser by the end of 2023. This represents a tipping point since the two browsers between them have an 80% market share. Companies are being sued for using personal data without consent and, more recently, just for storing any customer data in countries outside of where the data was collected. Shit is getting real.
What are cookies, how much should I know, and why do I care? Search ‘cookies’, and you get something like this.
Different types of cookies: (A) a first-party cookie directly set by the visited website, (B) a third-party cookie set by a third party embedded in the website, and (C) a synchronised cookie shared between two parties. The Unwanted Sharing Economy: An Analysis of Cookie Syncing and User Transparency under GDPR.
Simple right? This is a problem for marketers. Although this is an excellent diagram for the experts, the concept of first-, second-, and third-party cookies is pretty esoteric, and even when you do get it, it changes because this is all still being worked out.
Remember, all this is considered client-side tracking. Let’s start with the difference between each, why it’s used, and examples of what comes under each category. Remember, whether something is first party or third party is in reference to the user on the website, and there are ongoing debates around what cookies should be considered first, second, or third party, including whether there are such things as second-party cookies. Many of these debates are being thrown around in the courtrooms right now, but it’s safe to say companies don’t want to be identified as 3rd parties if they can avoid it. We’ll cover some of this in Section 8.3, Let’s Go Tool Shopping – Data Sovereignty.
A user visits a website called news.com. Cookies placed on this domain by news.com are first-party cookies. A cookie placed by any other site, such as an advertiser or social media site, is a third-party cookie.
Source: TechTarget. (n.d.). What is a third-party cookie?
What Are First-Party Cookies?
When you visit a website, it may store information about your visit using cookies. These cookies are created and stored by the website you are visiting and are known as first-party cookies. They can store information about your session, viewed pages, items in your shopping cart, login credentials, or other preferences. The website developer decides what data points to collect to enhance your experience on their site. First-party cookies are stored under the same domain you are visiting, except in rare cases when other sites are involved.
What Are Third-Party Cookies?
Third-party cookies, on the other hand, are created and stored by websites that are not the ones you are currently visiting. They collect information about your online behaviour and browsing history and are often used by providers of advertising, retargeting, analytics, and tracking services. For example, if you were browsing shoes on shoe-in.com, a third-party cookie might store information about the products you viewed or added to your cart. This information could then be passed on to an ad server like DoubleClick. Later, when you visit another website like randomnewspaper.com, DoubleClick might use that information to display ads for shoes that you recently viewed. This is known as retargeting or remarketing.
Third-party cookies are set by servers, not by the websites that you are currently visiting.
When you visit a website such as shoe-in.com, it may load a piece of code from an ad server like DoubleClick that collects data about your visit to that site. If you then visit another site like randomnewspaper.com, that site may also load code from DoubleClick, which can identify you as the user who viewed shoes on shoe-in.com. Depending on shoe-in.com’s advertising objectives, DoubleClick might then display an ad for shoes while you are browsing randomnewspaper.com. The newspaper website earns revenue from showing you ads based on the number of impressions, clicks, or purchases.
Technically there are only two types of cookies. Still, the cookie we used only partially fits into either category and, depending on the judge, often an actual judge, can be treated differently, thus resulting in data loss and screwy data. Our ‘Web Cookies’ example table says confidently that first-party cookies are ‘tracked’ on or by the domain you’re on – e.g. randomshop.com. However, Google Analytics uses www.google-analytics.com/collect to send data to other servers, often across state and country lines, and we regularly use GA for cross-domain tracking. The difference is that in most browsers, these cookies are set as being on the ‘allow list’, even if they don’t match the URL of the host domain (the website that is first-party to the user). This potential mismatch is happening on the client side.
Second-Party Cookies
This is where an argument is presented that an agreement can be made to share data from one to another from the first party to the second. As long as the original website user has given permission, this can be considered second-party, almost extending the rights of a first party to what would otherwise be regarded as a third party. We’re saying, ‘hey, they’re with us. I know them’.
What Are Second-Party Cookies?
Second-party cookies are not really considered cookies. There are either first- or third-party cookies – cookies that are either stored by the domain you’re visiting or by another domain (like the shoe-in.com example). It means two parties who agreed to share cookies. So, you have a first-party cookie stored by the website you visited. The whole file is then transferred to another party by mutual agreement or partnership. As discussed, this is all considered ‘client-side’ tracking.
Server-Side Tracking
Unlike Pixel and JavaScript SDK tracking, server-side tracking or postback tracking does not rely on web browsers to work. Postback tracking uses direct server communication instead, also called server-side tracking or server-to-server tracking. This frees marketers from cookie-based browser restrictions and provides complete control over campaign tracking. It also works better cross-channel on the desktop web, mobile web, and mobile apps.
Server-side tracking dates back to the early 1990s when website statistics consisted primarily of counting the number of client requests (or hits) made to the web server. Web servers record some of their transactions in a log file. It was soon realised that these log files could be read by a program to provide data on the website’s popularity.
To get around this problem of client-side cookies and to enable safer and more accurate data collection, Google and other companies began introducing more readily accessible server-side technologies, and this is where the lines continued to blur. On June 30, 2020, Google released the server-side Google Tag Manager. Server-side tagging allows Tag Manager users to move measurement tag instrumentation out of their website or app and into server-side processing via Google Cloud.
It seems Google was set for server-side tracking, but very few companies have made the transition as yet. Google has just declared their cookies first-party. Even with the coming tracking solutions server-side, if the data appears in Google servers as well as our own (with permission from our customers), then Google is still a third party; perhaps second based on agreement and permission, but is not first party, and it really should always come down to consent.
Server-side tracking solves the tracking issue by getting past the coming browser restrictions and third-party tracking limitations by moving data collection behind a veil. However, it does not answer the ethical, data sovereignty, and permission-based questions; these still need to be addressed.
Focus on the core permission issue first, and you won’t go far wrong. See this as just a technical issue to be hacked, and you may open yourself to legal consequences or have all your hard work become too risky and be thrown out. There are some large organisations on this type of rope, but for obvious reasons, I shall not name them.
