A web cookie, also known as an internet cookie or a browser cookie, is a text file that contains information that the website needs to store relating to a particular visit or visitor. The file is stored on the user’s machine, can be deleted by the user, and can only be read by the user or the website that created the cookie.
Cookies, and other forms of local storage, are vital to running a usable web. Without Cookies, websites wouldn’t remember our settings or logins, our preferences or what content we have already seen.
Cookies are used for a broad range of purposes that can be briefly summarised as:
- Session Management – such as shopping cart contents and login information.
- Personalisation – including user preferences such as language, browser type and configuration settings for the user’s location.
- Tracking – recording and analyzing user behaviour.
Most of this concern centres around a couple of particular types of cookie.
First-party and Third-party Cookies
Cookies are discussed in terms of their “party”. A first-party cookie is one that is set by the domain of the website that the user is visiting. A third-party cookie is one set by another domain that the website has allowed to set a cookie.
First and third-party cookies are really the same thing. Only the domain that set them can read them. However, there are concerns particular to third-party cookies relating to how they allow users to be tracked.
A cookie set by the domain that the user is visiting. An example would be a website setting a cookie containing a user’s login details so that they are automatically logged in when they return to the site.
Third-party cookies are those set by a domain other than the one the user is visiting, such as when a remote script is embedded. An example would be a website using a live-chat script from another company that sets a cookie so that the conversation can be continued between page loads.
Most developers will tell you that second-party cookies don’t exist, but the term is beginning to crop up. It is being used to describe a first-party cookie that has been created with the contents of another first-party cookie meant for another domain. This can happen as part of data-sharing deals between companies.
If you are keeping up with cookie-parties, then the last to understand is a first-party cookie that is being used in a third-party context. This description has gained traction since Apple’s IPT privacy features began blocking this type of cookie. In essence, these are first-party cookies that are being used in a cross-site manner like a third-party cookie would usually be used.
As well as the context of a cookie (first/third-party) there are differences in how long those cookies, and the data they contain, can survive.
Some cookies are automatically destroyed when the browser window is closed. These are called session cookies. Others stay in existence longer and are called persistent cookies. Persistent cookies can theoretically hang around forever (or at least the life of the computer), which is also a privacy concern to some.
None of the types of cookie are inherently bad, and how comfortable users are with different types depends a lot on the individual. Generally speaking, very few users have issues with the concept of the first-party cookie. They are essential to the smooth running of the web and largely innocuous.
Third-party cookies (and those acting like third-party cookies) tend to cause more concern. This is understandable; whilst there are many good reasons for this type of cookie they have been widely abused too.
The cookie provides a convenient way to identify a user over time, which has a lot of appeal to the online advertising industry. In most cases, the cookie is being used to store a unique ID that allows a network or technology to recognise that user wherever they see them. Identifying the user is useful in three broad ways:
Matching ads to interests
If a user frequently reads photography content, then they can be shown photography-related ads (even when on a non-photography site using the same technology). This makes advertising more valuable to marketers.
A benefit to users of Cookie Matching is that users see ads that are more likely to be of interest to them. According to Marketing Dive, 71% of consumers prefer targeted ads over untargeted ads. A drawback to users is their interests being tracked by third parties.
Cookies also allow ad tech providers to track how often a user is being shown a particular advertisement. This allows advertisers to cap how often users see their ads. End-users benefit from this by seeing less annoying repetitive ads, but the downside is that some form of identity tracking is needed to do this.
Advertisers want to know when their ads produce results. Recognising whether a user has seen an ad then made a purchase enables this. This allows advertisers to focus on campaigns that get results, but also means that users are shown fewer ads for things that they have already bought.
The future looks increasingly shaky for the third-party cookie in particular. Privacy legislation such as GDPR and CCPA has already dealt a blow to the advertising tracking cookie, putting the user back in control with consent. Similar legislation is in the works in many other territories and many are anticipating the death of the third-party cookie.
The advertising industry certainly seems to be preparing for the demise of the third-party cookie. Numerous identity solutions have been launched to tackle this: The Trade Desk Unified ID, DigiTrust ID, ID5 and others.
The most recent, and probably the most decisive nail in the cookie’s coffin, is the announcement that Chrome will stop supporting third-party cookies by 2022. Although browsers like Safari and Firefox already block many of these cookies, Chrome’s massive market share just started the clock on the death of the advertising cookie at least.
Whatever the future holds for the third-party cookie, it seems that the future will be coming along quicker than many anticipated.