Table of contents
What are web cookies?
A web cookie, also known as an internet cookie or a browser cookie, is a text file that contains information that the website needs to store relating to a particular visit or visitor. The file is stored on the user’s machine, can be deleted by the user, and can only be read by the user or the website that created the cookie.
Cookies, and other forms of local storage, are vital to running a usable web. Without Cookies, websites wouldn’t remember our settings or logins, our preferences or what content we have already seen.
Why do websites use cookies?
Without cookies, a website cannot pass any information from one pageview to another. For example, if a website like Facebook didn’t use cookies to remember logged in users then users would have to enter their username and password every time they clicked a link and loaded a new page.
Cookies are used for a broad range of purposes that can be briefly summarised as:
- Session Management – such as shopping cart contents and login information.
- Personalisation – including user preferences such as language, browser type and configuration settings for the user’s location.
- Tracking – recording and analyzing user behaviour.
Are cookies dangerous?
Cookies are a very normal part of the web and perfectly safe. Cookies will not cause harm to you or your devices and cannot “leak” private information about you. But, like many technologies, they can be abused. There is growing concern about the (mis)use of cookies and the effect this has on user privacy.
Most of this concern centres around a couple of particular types of cookie.
First-party and Third-party Cookies
Cookies are discussed in terms of their “party”. A first-party cookie is one that is set by the domain of the website that the user is visiting. A third-party cookie is one set by another domain that the website has allowed to set a cookie.
First and third-party cookies are really the same thing. Only the domain that set them can read them. However, there are concerns particular to third-party cookies relating to how they allow users to be tracked.
What are first-party cookies?
A cookie set by the domain that the user is visiting. An example would be a website setting a cookie containing a user’s login details so that they are automatically logged in when they return to the site.
What are third-party cookies?
Third-party cookies are those set by a domain other than the one the user is visiting, such as when a remote script is embedded. An example would be a website using a live-chat script from another company that sets a cookie so that the conversation can be continued between page loads.
What are second-party cookies?
Most developers will tell you that second-party cookies don’t exist, but the term is beginning to crop up. It is being used to describe a first-party cookie that has been created with the contents of another first-party cookie meant for another domain. This can happen as part of data-sharing deals between companies.
What are third-party cookies used in a first-party context?
If you are keeping up with cookie-parties, then the last to understand is a first-party cookie that is being used in a third-party context. This description has gained traction since Apple’s IPT privacy features began blocking this type of cookie. In essence, these are first-party cookies that are being used in a cross-site manner like a third-party cookie would usually be used.
Session cookies vs persistent cookies
As well as the context of a cookie (first/third-party) there are differences in how long those cookies, and the data they contain, can survive.
Some cookies are automatically destroyed when the browser window is closed. These are called session cookies. Others stay in existence longer and are called persistent cookies. Persistent cookies can theoretically hang around forever (or at least the life of the computer), which is also a privacy concern to some.
So, which type of cookie is bad?
None of the types of cookie are inherently bad, and how comfortable users are with different types depends a lot on the individual. Generally speaking, very few users have issues with the concept of the first-party cookie. They are essential to the smooth running of the web and largely innocuous.
Third-party cookies (and those acting like third-party cookies) tend to cause more concern. This is understandable; whilst there are many good reasons for this type of cookie they have been widely abused too.
Why does online advertising use cookies?
The cookie provides a convenient way to identify a user over time, which has a lot of appeal to the online advertising industry. In most cases, the cookie is being used to store a unique ID that allows a network or technology to recognise that user wherever they see them. Identifying the user is useful in three broad ways:
Matching ads to interests
If a user frequently reads photography content, then they can be shown photography-related ads (even when on a non-photography site using the same technology). This makes advertising more valuable to marketers.
A benefit to users of Cookie Matching is that users see ads that are more likely to be of interest to them. According to Marketing Dive, 71% of consumers prefer targeted ads over untargeted ads. A drawback to users is their interests being tracked by third parties.
Frequency capping
Cookies also allow ad tech providers to track how often a user is being shown a particular advertisement. This allows advertisers to cap how often users see their ads. End-users benefit from this by seeing less annoying repetitive ads, but the downside is that some form of identity tracking is needed to do this.
Conversion tracking
Advertisers want to know when their ads produce results. Recognising whether a user has seen an ad then made a purchase enables this. This allows advertisers to focus on campaigns that get results, but also means that users are shown fewer ads for things that they have already bought.
Why do some users hate cookies?
The advertising industry has definitely pushed the use of cookies well beyond how they were intended and how users expect them to be used. Cookies have allowed companies to track huge amounts of information about users’ browsing habits and use that information to target advertising. Much of this has been done “behind the scenes” by companies the user has not even heard of, so the industry should not be surprised that people distrust them.
What is the future of cookies?
The future looks increasingly shaky for the third-party cookie in particular. Privacy legislation such as GDPR and CCPA has already dealt a blow to the advertising tracking cookie, putting the user back in control with consent. Similar legislation is in the works in many other territories and many are anticipating the death of the third-party cookie.
The advertising industry certainly seems to be preparing for the demise of the third-party cookie. Numerous identity solutions have been launched to tackle this: The Trade Desk Unified ID, DigiTrust ID, ID5 and others.
The most recent, and probably the most decisive nail in the cookie’s coffin, is the announcement that Chrome will stop supporting third-party cookies by 2022. Although browsers like Safari and Firefox already block many of these cookies, Chrome’s massive market share just started the clock on the death of the advertising cookie at least.
Whatever the future holds for the third-party cookie, it seems that the future will be coming along quicker than many anticipated.