The Death of Third-Party Cookies: How We Got Here
Digital advertising has come a long way since the first display ad in 1994. And as new technologies have emerged, so has interest in how and why ads are being shown to consumers.
Over the last several years, tracking methodologies that allow advertising technology suppliers to create targeting mechanisms have been subject to increased scrutiny. In response, technology developers and regulatory bodies have taken action in protecting and enforcing users’ right to privacy and choice.
Let’s take a look at some of the privacy-focused steps that tech companies and government bodies have taken over the past several years, building up to the expected “death” of third-party cookies by 2022:
In 2018, Mozilla released Enhanced Tracking Protection (ETP), a setting of Firefox 63 that allows users to block third-party cookies. A year later, the company made changes so ETP would only block known trackers and not all cookies—Mozilla found that blocking all cookies “leads to scenarios where some websites may not function properly.” They took this modified approach to prevent “potential usability issues,” and users who preferred more protection and privacy could change the tracking settings from the default “standard” to “strict.”
Microsoft soon followed suit, and in 2019 introduced Microsoft Tracking Prevention (MTP). Like Mozilla’s ETP, MTP offers users multiple protection levels: Basic, Balanced (the recommended/default option), and Strict. MTP blocks third-party cookies from known tracking sites and, in strict mode, blocks calls to those sites. But unlike ETP, Microsoft does not offer a custom mode, and doesn’t behave differently between InPrivate or normal browsing.
And then, of course, there is Apple. With the release of Safari 13.1 in March 2020 and through updates to its Intelligent Tracking Prevention (ITP) privacy feature, Apple now blocks all third-party cookies in Safari by default. John Wilander, Security & Privacy Engineer at WebKit (Apple), explained that users were unlikely to notice any changes because ITP had already been doing some of this for several years. “It might seem like a bigger change than it is,” Wilander said, “but we’ve added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.”
And with the release of iOS 14, Apple now gives users a prompt to opt-out of tracking, thus reducing the availability of the Identifier for Advertisers (IDFAs), a random device identifier assigned by Apple to a user’s device. Advertisers have used this to track data so they can deliver customized advertising. The April 2021 release of iOS 14.5, specifically, brought with it a new privacy framework called App Tracking Transparency (ATT), which gives users more insight into how their data is used, how their online activity is tracked, and introduces an “opt in” environment on the iPhone when it comes to cross-app tracking.
Government Regulation Around Cookies
Browsers aren’t the only bodies who’ve been reacting to users’ demands for increased privacy controls—governments in Europe and North America have been developing laws to protect consumer’s data. North America started with an opt-out approach, whereas Europe’s stance has been stricter with an opt-in system.
In 2016, the European Union approved the General Data Protection Regulation (GDPR), which was put into effect in May 2018. The regulation governs the collection and processing of personal data of European member state citizens. Under GDPR, personal data that is used to offer goods and services, or to profile users, can only be collected for explicit, specified purposes, and the processing of that data must be compatible with those same purposes.
There are only a few very specific legal bases for processing personal data—most notably, through the consent of the data subject. In addition, data subjects have very broad rights, including the right to transparent information about the data collection and processing, the right to be forgotten (erasure of data), the right to object, and others.
The intention of the regulation is to give data subjects more control over their personal data: who can use it, how it is used, who it can be shared with, etc. All companies that interact with European end-users are obligated to comply with this law, regardless of that companies’ geographic location. As a result, advertisers need to ensure that their advertising activities are lawful under the GDPR when targeting EU member states in their campaigns. Advertisers that collect and process personal data, and who have determined that their activities fall within GDPR’s scope, need to be certain they have a valid legal basis (such as user consent) for doing so.
Privacy regulations have also come to the US—notably, when the California Consumer Privacy Act (CCPA) was signed into law in June 2018 and became effective in 2020. CCPA gives California residents new rights regarding their data, including the right to know what personal information a business collects about them and how it is used and shared; the right to delete personal information collected from them (with some exceptions); the right to opt-out of the sale of their personal information; and the right to non-discrimination for exercising their CCPA rights.
Building upon the CCPA right to request access to the personal information a business has collected about a person in the preceding 12-month period, the forthcoming California Privacy Rights Act (CPRA) expands this to include any information collected—regardless of when it was collected—unless doing so proves impossible or would involve a disproportionate effort. CPRA goes into effect January 2023, so the clock is ticking.
Looking Toward the Future
For digital marketers, these steps have led to a particular reckoning: how to operate after the death of the third-party cookie.
A third-party cookie, for the uninitiated or less-than-tech savvy, is a piece of code set by a website other than the one a user is currently on. This snippet of code is primarily used to identify and track visitors between websites and display more relevant ads.
These cookies have helped media buyers execute targeting tactics so their ads are shown to the right person, in the right environment, at the right time—via audience targeting, retargeting, geo-based retargeting, cross-device targeting and tracking, and frequency capping. Additionally, cookies have facilitated a variety of attribution measurements, such as foot traffic/walk-ins, app installs, and conversions via click-through and view-through.
So, what does the demise of the third-party cookie mean for digital marketers, and how should they proceed moving forward? Check out Centro’s guide, “Embracing the Identity Crisis,” to learn more about some of the potential solutions and to see why, in the words of Centro Founder & CEO Shawn Riegsecker, this is in fact “an opportunity” for the advertising industry.