Google to Phase Out Third-Party Cookies by 2022- What Advertisers Need to Know
In January 2020, Google announced that it will be phasing out third-party cookies on its web-browser Chrome over the next two years. The change comes as data breaches, geopolitical election interference and cyberattacks have accelerated new data privacy legislation, including the EU’s GDPR and the California Consumer Privacy Act. These new regulations will restrict how brands and technology providers collect and use consumer data, further limiting advertising capabilities.
What alternatives are out there and how are and should advertisers be preparing for this?
First, What is a Cookie?
Cookies are small text files that are dropped on a user's web browser by a website that the user was viewing. Each cookie contains a small amount of information such as a unique identifier that links a user to a specific website. This allows for a more personalized experience for the user as the browser remembers the user. The information stored in a cookie and its ability to track user activity on the web has been used by marketers and advertisers to serve more relevant advertisements to users and improve ad effectiveness.
Why is Google Phasing Them Out? And How it Affects Advertisers
Justin Schuh, Google's director of Chrome engineering, said in a blogpost: "Users are demanding greater privacy - including transparency, choice and control over how their data is used - and it's clear the web ecosystem needs to evolve to meet these increasing demands."
Third-party cookies, which follow users from site to site tracing their browsing habits, have also been banned by Apple, Microsoft and Mozilla.
The announcement, in January of 2020, was well timed with user data concerns but is even more timely now with rising user data concerns brought up by the TikTok Ban.
Without the third-party cookie, advertisers can no longer connect browser-based targeting, cross-site tracking, frequency capping and retargeting.
Are there Alternatives to the Cookie?
There are a few contenders for third-party cookie alternatives that are starting to get some traction, including redirect tracking and email identification. Keep in mind that the third-party cookie’s main advantage is that it allows cross-site tracking links a users behavior across websites, allowing for easy user identification as well as frequency and retargeting tracking. These alternatives are trying to bridge the gap between individual sites’ first-party data (the data collected within a single site) for easy identification and tracking across sites.
The issue remains what we are legally able to collect on the consumer while adhering to evolving standards surrounding consent and privacy.
Redirect tracking is a way for companies to track someone when they’re navigating between two sites. When a person clicks a link on Site A to visit Site B, they may be redirected to Site X before moving on to Site B. This redirect allows Site X to drop a first-party cookie on the person’s browser so that the cookie can be used to recognize the person when they navigate between other sites that redirect to Site X. It also is unlikely that the user will be aware of landing on Site X since it can happen within milliseconds and never appear on the user’s screen.
This tactic is already in use. In a research paper presented at the Privacy Enhancing Technologies Symposium in July, a group of computer researchers analyzed redirect tracking across the top 50,000 sites, as ranked by traffic analytics firm Alexa. Of the sites analyzed, the researchers found that “11.6% of the scanned websites use one of the top 100 redirectors which are able to store non blocked first-party tracking cookies on users’ machines even when third-party cookies are disabled.”
However, some browsers are blocking the use of redirect tracking. The anti-tracking feature in Apple’s Safari browser, called Intelligent Tracking Prevention, began blocking redirect tracking in 2018. However, Google’s Chrome browser — which has a 66% share of the global browser market, per StatCounter — does not block redirect tracking. A Google spokesperson said redirect tracking is not relevant on Chrome because the browser continues to support SameSite cookies and that it’s move to phase out support for third-party cookies will include protections against alternative tracking methods.
Firefox is not taking as strict of an approach. Instead of immediately wiping any data stored by Site X, Firefox will allow Site X to store a first-party cookie in a browser for 24 hours after the redirect happens.
Some platforms are proposing email as the Rosetta stone to “anonymously” identify the consumer. Let’s take cross-site tracking as an example. If platforms are left with first-party cookies, all of the data will be siloed by site. That means the consumer will have a different first-party cookie ID from site to site as they surf the internet. In this new paradigm, email will be used as the key to stitch the data together to reveal behavior and interests, same as before, except with strong standardized joining criteria for offline data.
Email represents another ID tied to the consumer vs. the device, and is even more intrusive. With this change, consumers can further be tied to offline data, such as home refinancing applications or store visits if they gave their email to receive digital receipts. An entity with raw consumer data and consumer emails can continue to link form-data/PII, therefore identifying the consumer all over again.
Device fingerprinting is a way to combine certain attributes of a device — like what operating system it is on, the type and version of web browser being used, the browser’s language setting and the device’s IP address — to identify it as a unique device. It’s an imperfect method of identification. Unlike the cookie, which is effectively a tracking monitor placed on an individual device, device fingerprinting relies on the probability that a device recognized as having certain attributes on one day is the same device seen with those same attributes on another day.
And since people can delete cookies from their browsers but are less likely to change operating systems or reset their IP addresses, device fingerprinting can provide a more consistent way of tracking people around the web. But it also makes device fingerprinting harder for users to protect or hide their device. People can use virtual private networks to disguise their IP addresses, but for the most part, device fingerprinting is hard for individuals to prevent. That’s because the information used for device fingerprinting is basic information that’s passed anytime a website loads in a browser in order to make sure the site loads properly, such as by recognizing that a person is using a browser that doesn’t support a particular feature or is set to view content in a particular language.
Many web browsers are starting to take action against device fingerprinting. Over the past year, Apple, Google and Mozilla have announced that they will be limiting device fingerprinting within their respective browsers. They are taking different approaches to this. Apple obscures the data that is collected and combined for fingerprinting in an effort to make it harder for companies to use that information to identify a device while still passing enough of the data for sites to load properly. Mozilla relies on a third-party list that names specific companies that perform fingerprinting and blocks those companies from accessing the information used for fingerprinting. And Google has proposed, but not implemented, a “privacy budget” to put a cap on how much of the information used for device fingerprinting a given company can access at a time.
At this time, there's not a clear contender because as long as tracking methods include user's identifiers, there will always be a concern over user privacy. The real challenge for the adtech industry -- and advertisers themselves -- is developing effective and agile media planning that allows for the flexibility required to ensure compliance with every-shifting policy, legislation and regulation requirements that dictate what consumer data companies can and cannot collect.