Personalized UX in the absence of third-party cookies
Due to privacy changes, third-party cookies are on their way out, but first-party ones could stick around for longer. The cookie situation is complicated and uncertain. As we move to a cookieless future, advertisers must get creative with targeting and personalisation, which could lead to remarkable innovations and fresh user experiences.
Update: This article was reviewed and updated on 1 April 2023.
In 1994, 23-year-old Netscape engineer Lou Montulli invented the HTTP cookie to address the early web’s poor memory. Previously, websites treated users as strangers each time a new page loaded, hindering the development of features like persistent shopping carts on e-commerce sites. Here is how he came up with the idea, in his own words:
“There were some interesting proposals, but one of the popular ones that kept coming up was to add a unique identifier to every web browser so that a website could individually identify each user and use that to build a session. I was very much against this concept because the unique identifier could be used to track a user on every website.”
Within two years after web cookies were launched, advertisers found ways to utilise cookies for tracking users online, something Montulli originally intended to avoid, resulting in the present-day cookie-dependent advertising targeting system. This approach is also known as “surveillance advertising”, which organisations such as The Electronic Frontier Foundation (EFF) have been fighting against ever since.
Almost 25 years later, we witnessed the implementation of the General Data Protection Regulation (GDPR) in May 2018 in Europe. This initiative is partly attributed to third-party cookies’ involvement in security breaches and privacy abuses, which has fueled user distrust and the need for government oversight. Since 2018, those analysing or enhancing website user experiences have noticed that a visitor’s initial interaction revolves around dealing with the cookie prompt. Much content has been written about web cookies and how they work between then and now.
On average, only a third of users “Accept All” when provided with the option, according to a Statista survey. The visitor’s ability to select a specific option depends on how these are presented and the degree of trust and familiarity with the website. In most cases, the cookie prompts try to steer the user towards a selection that would benefit the business (e.g. Accept All) while the visitor seeks the more privacy-friendly option (e.g. Necessary Only). Combined with a non-standard cookie prompt approach that varies from website to website, this push-pull dynamic turns into “solving the pixelated pastry puzzle” (also known as the cookie prompt) for the users.
GDPR was introduced to give EU citizens more control over their data by regulating how organisations handle personal data and holding them accountable for its protection and use. Before GDPR was introduced, websites would collect as much data as possible, even if that data would sit there unused. Some companies would even sell this data to the highest bidder, and people generating the data must be made aware of this. This pre-GDPR period can be considered the Wild West of website personal data collection.
With initiatives such as GDPR in Europe and CCPA (California Consumer Privacy Act) in the US, the future of cookies is still being determined. Still, some types of cookies are more affected than others.
Web cookies are classified by duration, source and purpose.
Duration:
- Session cookies: temporary; deleted upon closing browser; are likely to remain due to necessity and low invasiveness.
- Persistent cookies: remain on local storage until deletion; have an expiration date; ePrivacy Regulation recommends a maximum lifespan of 12 months.
Source:
- First-party cookies: placed by the visited website; widely used; concerns over privacy and data protection; some browsers/platforms limit the use or increase user control.
- Third-party cookies: placed by different domains; phased out by some browsers/platforms; commonly used for online advertising; removal impacts cross-site tracking and targeted ads.
Purpose:
- Strictly necessary cookies: essential for website browsing and features (e.g., holding items in online shopping carts); no consent is required, but an explanation is needed.
- Functionality cookies: remember past choices (e.g., language, region, log-in details); enable automatic personalisation.
- Performance cookies: collect anonymised website usage information (e.g., visited pages, clicked links); aim to improve website functions; may include third-party analytics cookies.
- Marketing cookies: track online activity for tailored advertising; can share information with other organisations or advertisers; typically persistent and third-party cookies.
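The duration and source categories above can be read directly from the `Set-Cookie` headers a page load produces. The following is an added example, not code from the original article: it classifies constructed sample headers and flags persistent cookies that exceed the 12-month lifespan mentioned above. The hosts, the `siteDomain` parameter and the function names are assumptions; purpose cannot be inferred from headers, so it is left out.

```javascript
// Added example: classify Set-Cookie headers by the duration and source
// categories above. Sample data below is constructed, not real traffic.
const TWELVE_MONTHS_S = 365 * 24 * 60 * 60;

// Parse one Set-Cookie header value into { name, attrs } (attribute names lowercased).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((p) => p.trim());
  const name = pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : pair;
  const attrs = {};
  for (const part of rest) {
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1);
  }
  return { name, attrs };
}

// Lifetime in seconds, or null for a session cookie. Max-Age wins over Expires (RFC 6265).
function lifetimeSeconds(attrs, now) {
  if (/^-?\d+$/.test(attrs["max-age"])) return Number(attrs["max-age"]);
  const t = Date.parse(attrs.expires);
  return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
}

// siteDomain: registrable domain of the visited page (assumed known here; a real
// audit would derive it with the Public Suffix List).
function classify(observation, siteDomain, now = new Date()) {
  const { name, attrs } = parseSetCookie(observation.setCookie);
  const host = observation.responseHost.toLowerCase();
  const firstParty = host === siteDomain || host.endsWith("." + siteDomain);
  const life = lifetimeSeconds(attrs, now);
  return {
    name,
    source: firstParty ? "first-party" : "third-party",
    duration: life === null ? "session" : life <= 0 ? "expired" : "persistent",
    exceeds12Months: life !== null && life > TWELVE_MONTHS_S,
  };
}

// Constructed observations: the host that sent each Set-Cookie header.
const SAMPLE = [
  { responseHost: "shop.example", setCookie: "cart=abc123; Path=/; Secure; HttpOnly" },
  { responseHost: "www.shop.example", setCookie: "lang=en-GB; Max-Age=15552000; Path=/" },
  { responseHost: "ads.tracker.example", setCookie: "uid=9f2c; Max-Age=63072000; Secure; SameSite=None" },
];
console.log(SAMPLE.map((o) => classify(o, "shop.example")));
```
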
A cookieless future is one scenario where websites no longer rely on browser cookies to track user behaviour or personalise the experience. However, cookies have also been used by marketers and advertisers to track users across multiple sites, build user profiles, and deliver targeted ads.
The main driver for a cookieless future has been the introduction of privacy laws like GDPR & CCPA that have increased people’s awareness of online privacy.
In a Google study from 2019, where third-party cookies were disabled for the top 500 global publishers, the average revenue decreased by 52%. Another 2019 study by Johnson et al. found that users who opt out of behavioural targeting generate 52% less revenue when compared with opt-in users. In contrast, a working paper by Marotta et al. reveals that revenue has only increased by 4% when cookies are available.
Advancements in alternative technologies and industry best practices can achieve similar goals without relying on cookies, while addressing users’ privacy concerns. Here are a few examples:
- Browser Fingerprinting: This technique identifies unique device characteristics, such as browser versions and installed plugins, to create a unique identifier for a user’s device. This information can track users across different websites without relying on cookies. However, browser fingerprinting has also raised privacy concerns, as it can be challenging to detect and control.
- Local Storage: Some websites explore local storage, which stores data on the user’s device without relying on cookies. Local storage can be used to remember user preferences and login information, but it does not track user behaviour across different websites.
- Contextual Advertising: Instead of relying on user data to deliver targeted ads, contextual advertising uses information about the website’s content to determine which ads to show. For example, an advertisement for running shoes might be displayed on a website about fitness.
- Consent-Based Tracking: Some websites give users more control over their data by implementing consent-based tracking. Users must explicitly opt-in to allow the website to track their behaviour and deliver personalised content or ads.
- Privacy Sandbox: This is an initiative by Google to develop a set of privacy-focused APIs for web browsers that will allow advertisers to show relevant ads to users without collecting their data. These APIs are still in development but aim to provide a more privacy-conscious alternative to cookie-based tracking. As part of the Privacy Sandbox initiative, by 2024, Google Chrome will also block third-party cookies.
For today’s websites, this means a chance to review the use of cookies and find opportunities to improve the user experience. Today’s cookie prompt is just the first step in a series of poor choices that can hurt the user experience, so you should take this moment to begin crafting a better experience. The focus should be on eliminating gradual systemic failure that the user perceives as an ungraceful degradation of the overall experience.
In the new cookieless reality, the primary source of customer data will be first-party data (interactions with the website, hashed email addresses & universal IDs). This data will include browsing behaviour, content consumption, location, device, and time of day. (source: Wired magazine).
Email addresses obtained during authenticated experiences will become the norm, with a signed-in (durable) ID that can be used to connect customer data with third-party info for both prospecting and retargeting (source: EY).
Companies like Meta (Facebook) are also in an excellent position to capitalise on the transition away from third-party cookies, as they can fill the gap by serving as a digital identity source. Organisations will then use a combination of signed-in activity, mobile device usage, location and data providers such as Meta to create a targeting strategy (source: Forbes). Of course, this means a more custom approach instead of using ready-made solutions.
Existing tools, such as Indiepen, an open-source project that uses pure HTML, CSS and JavaScript, offer a privacy-friendly, lightweight, and accessible alternative.
The key message is that brands, organisations, and agencies must immediately start exploring third-party cookie alternatives and revise their marketing strategies. Failure to do so could lead to missed opportunities for innovation and user engagement with their products or content.
Even if third-party cookies still have a few more months left to live, first-party cookies might be here to stay for a while, with the evolution of the new privacy-focused model eating at the status quo.
There is still much to discuss on this topic. Still, it’s essential to remember that the future of cookies is complex and uncertain. The specific types of cookies that will stop working depend on various factors, including technological changes, user preferences, and future regulatory requirements.
In a cookieless future, the online advertising industry will need to adapt to new methods of targeting and personalisation. While it may pose challenges for some marketers and advertisers, a cookieless future can also offer opportunities for innovation and new approaches to user experience design.