Cookie tracking has been a pretty foundational part of the internet. It’s shaped how businesses track people’s online behavior, target them with ads and measure marketing campaigns.
The problem is that consumers hate cookies. This distaste has resulted in new privacy regulations and an industry shift toward first-party data. Cookies likely won’t go away completely, but they won’t be such a critical part of marketing in the near future either.
What is cookie tracking, and why does it matter?
Cookie tracking saves small bits of data to a user’s browser when they visit a website. Tracking cookies collect data like login info, items in a user’s shopping cart or their preferred language. Once stored, the site a user visited and other sites they work with (read: third parties) can access a user’s browser data when they recognize the user anywhere online.
Tracking cookies are used by over 40% of all websites to collect user data. They were originally created to personalize user experiences and make sites easier to navigate. However, they earned a bad reputation when companies weren’t upfront about the third parties who could also use those cookies.
Now, they’re central to the conversation about privacy. Consumers have realized they’ve been tracked without their knowledge, and the entire industry has been caught with its hand in the cookie jar.
Many individuals seek solutions to block tracking cookies so they’re no longer tracked. Also, regulators have developed privacy regulations to restrict how personal data is collected and require companies to be more transparent about their data practices.
How does cookie tracking work?
Tracking cookies work by storing and sharing data with third parties so users can be targeted with relevant ads.
How cookie tracking works.
Imagine you have a card with your local library. In addition to letting you check out books, your card holds data that describes which books you’ve read.
Your local library uses this data to personalize your book suggestions but also shares it with other libraries and bookstores in your area without your knowledge. They all use the data to target you with ads for new books whenever you use your card in person or online.
Your card is like your browser. It stays with you and stores your information.
You might be okay with your library tracking data on what books you check out so it can provide you with a better experience. However, the privacy issue comes with third-party sharing. You probably don’t know that your local library isn’t the only one using cookie tracking to store your data. Then, when you find out that another store knows what you like to read because the library shared your data, it’s unsettling — even if you appreciate the spot-on book suggestion.
What are the types of cookies?
The two main types of cookies are first- and third-party cookies. First-party cookies store information that improves the browsing experience, like login information or shopping cart items. Marketers started using them in the late 90s.
In the early 2000s, third-party tracking cookies were born. They could track site data on more than just one website, build complex user profiles that were helpful for ad targeting and integrate with other technologies like measurement tools and advertising platforms.
Third-party cookies enable advertisers to retarget users.
Other types of cookies serve specific functions like storing data temporarily or enhancing security. They include:
- Session cookies: They delete when the browser is closed.
- Persistent cookies: They stay on a user’s browser after it’s closed to remember settings or logins.
- Same-site cookies: They are only sent within the same domain to enhance security.
- Secure cookies: They are transmitted only over secure (HTTPS) connections.
- HttpOnly cookies: They remain inaccessible to JavaScript to protect against certain attacks.
- Supercookies: These are stored outside normal cookie storage to track users and resist deletion.
- Zombie cookies: They recreate themselves after deletion to continue tracking.
Third-party cookies, supercookies and zombie cookies are the most concerning for those with privacy concerns. But for marketers, they’re the most beneficial because they’re more permanent, which means they can track the effectiveness of your campaigns over a long period.
4 data privacy laws and how they relate to cookies
Many people realized they were being tracked unknowingly during the Cambridge Analytica scandal in 2018. It exposed how millions of Facebook users’ data was harvested and used for political advertising without consent.
Massive data breaches in Equifax and Yahoo also revealed how much cookie tracking was impacting data privacy. In response, governments around the world enacted new privacy laws to protect consumers. The following four data privacy laws collectively shaped how cookies would become regulated worldwide.
These are the most influential regulations that impact tracking cookies.
1. ePrivacy Directive (EU Cookie Law) – 2002
The ePrivacy Directive, also known as the EU cookie law, was one of the earliest to address tracking through cookies. At the time, cookies were used for advertising and site personalization without any legal obligation to inform consumers.
The ePrivacy Directive required websites to collect data consent before they could store or access cookies on the browser, which forced marketers to start using consent banners on websites. That would be like your library asking for your consent to keep track of the books you read on your library card every time you visit. Today, 18% of UK users say they reject cookies on websites daily.
2. General Data Protection Regulation (GDPR) – European Union, 2018
GDPR was a major milestone in data privacy put into place as a direct result of the Cambridge Analytica scandal. It introduced strict rules for data collection, data processing and consumer content.
It requires marketers to collect explicit consent and restricts them to only collect necessary data. They must also provide clear, accessible information about how data is used and stored. Users now also have the right to be forgotten, which forces marketers to delete their data upon request. A failure to follow these rules could result in fines of up to 4% of global revenue.
3. California Consumer Privacy Act (CCPA) – California, USA, 2020
CCPA was California's response to growing privacy concerns in the US. It was enacted after the Equifax data breach, which exposed sensitive financial information of over 147 million people.
Its requirements are similar to GDPR but were more impactful in changing how data-sharing happened between advertising partners than GDPR. It focuses on how data is shared and sold. Under CCPA, your local library would be required to tell you which other libraries and bookstores would have access to your data and give you the option to opt out of that data-sharing partnership.
4. California Privacy Rights Act (CPRA) – California, USA, 2023
CPRA strengthened CCPA by refining the definition of “sensitive personal information” to mean things like race, protected health information, location and financial data.
Marketers would now be required to allow consumers to opt out of sharing sensitive data. It also limited how long they could store customer data and required them to comply with data correction requests, which made data operations more complex.
Other important privacy regulations
There are many other data privacy regulations laws around the globe, which are significant in their respective countries, but less impactful on the global stage. Those include:
- Privacy Act – Australia, 1988: Regulates how government agencies and companies handle personal information with specific provisions for public sector privacy.
- Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada, 2000: Focuses on consent and accountability in how companies manage personal data.
- Act on the Protection of Personal Information (APPI) – Japan, 2003: Sets rules for private sector data handling and emphasizes consumers' rights.
- Protection of Personal Information Act (POPIA) – South Africa, 2013: Establishes data protection standards for public and private companies with a strong focus on compliance.
- Personal Data Protection Act (PDPA) – Singapore, 2012: Governs the collection, use and disclosure of personal data by companies with a focus on protecting consumer privacy.
- Data Protection Act – United Kingdom, 2018: Complements GDPR and ensures post-Brexit data protection rules by governing data handling for businesses within the UK.
- General Data Protection Law (LGPD) – Brazil, 2020: Modeled after GDPR, LGPD regulates data processing and grants individuals greater control over companies processing personal data.
- Privacy Act – New Zealand, 2020: Modernizes New Zealand’s privacy framework and introduces new rights for data subjects and stricter penalties for non-compliance.
These regulations and consumers’ massive call for more privacy have led marketers toward a world where they rely less on third-party cookies and more on first-party data.
The shift from third-party cookies to first-party data
Even though it makes life more challenging, we’d bet you genuinely want consumers to feel comfortable with how you’re processing their data. You just also want to be able to do your job well.
Most marketers are betting on first-party data being a huge part of how they make that happen. Consumers give first-party data willingly and it’s considered deterministic — it comes from known sources and is tied to a specific, identifiable individual. This shift has resulted in several new technologies to help marketers prepare for that reality.
Google's decision to keep cookies (for now)
Google has an insanely dominant role in online advertising. Google ads account for about 26.8% of total digital advertising revenue in the US, and Google is the largest digital ad publisher in the country.
When GDPR was enacted, they faced $57 million in cookie consent violation fines. So, in 2020, they announced their plans to phase third-party cookies out of Chrome browsers. This would force marketers to shift toward a more privacy-focused web using Privacy Sandbox, a collection of Google tools meant to facilitate targeting and measurement while keeping users anonymous.
In our library card scenario, the data on your card would be stored in the Privacy Sandbox, but anonymized so companies didn’t know it was yours. They could still use the data to serve you ads and track their campaigns, but without knowing it’s you.
A timeline of cookies’ demise.
Google initially wanted to eliminate cookies by 2022 but later delayed the deadline to 2024. The industry pushed back when they didn’t have confidence that replacement technologies would be effective, so Google delayed the elimination inevitably.
You’ll be able to continue to use cookies for the foreseeable future, but Google is still developing privacy-friendly targeting solutions. You should remain prepared for future adjustments.
Privacy-friendly targeting solutions
Some privacy-friendly solutions are being developed by Google, like the Federated Learning of Cohorts FLoC, which is part of Sandbox. This anonymously groups users based on their similar interests so their specific browsing behavior remains private.
That would mean the data on your library card gets tossed anonymously into a bucket with data from other library patrons who like similar books. You all see book recommendations from libraries and bookstores, but your specific reading history is anonymous.
Contextual advertising is another solution many marketers are adopting to get around the need for user data entirely. It targets ads based on the content of the web page. For example, you’d see ads for other horror novels when searching your library database for books by Stephen King.
Data management and processing solutions
Even with a focus on first-party cookies and first-party data to target consumers, you need to make sure you comply with regulations for data handling. Here are some popular solutions:
- Data clean rooms: Allow multiple parties to collaborate on customer data without sharing any sensitive information by aggregating and anonymizing data.
- Customer data platforms (CDPs): Collect and unify data to personalize customer interactions without exposing their information.
- Consent management platforms (CMPs): Manage customer consent tools like banners for data collection and processing in one platform.
- Encrypted customer matching: Hash emails to match customer data across platforms while keeping personal information secure and private.
First-party data and identity solutions
Lastly, some solutions will support marketers with a better way to identify consumers while keeping their data secure. Those include:
- Unified ID 2.0: An open-source identifier that’s designed to replace third-party cookies by anonymizing any email addresses collected with explicit consent.
- Identity resolution platforms: Platforms that create an identity based on different consumer interactions across websites without identifying the person.
- Server-side tracking: A way to collect consumer data directly from the server rather than the browser by bypassing ad blockers used by those who want to block third-party cookies.
- Fingerprinting: A way to identify consumers based on unique device characteristics like browser type, screen resolution or installed fonts.
These solutions might work, but they still seek to identify the individual when individuals don’t want to be identified. But it’s hard to turn them down when consumers are opting out of data collection, making your ad campaigns and measurement strategy less effective.
Instead of scrambling to collect as much first-party data as possible, brace yourself for a future that’s probabilistic. Statistical models that estimate the likelihood of certain outcomes or attributes based on patterns and probabilities rather than exact data offer insights that marketers need without encroaching on consumer privacy.
Target effectively and embrace privacy probabilistic data
First-party data should be used to fuel targeting and the multi-touch attribution (MTA) models you use for measurement. But first-party data will not be enough data to replace the data you’ll lose when the industry finally waves goodbye to the third-party cookie.
Instead, marketers will need to incorporate probabilistic data, which uses algorithms, to make educated guesses about identities, behaviors and preferences. It might feel uncomfortable at first because anonymized data like device information, location or browsing habits can be less accurate. However, probabilistic data will only get more accurate as artificial intelligence (AI) improves.
You can move toward this reality today by using marketing mix modeling (MMM) and incrementality testing alongside MTA as a part of your measurement strategy. MMM assesses the overall impact of different marketing channels using statistical modeling, whereas incrementality testing measures the impact of different campaigns using experiments and control groups. Together, they’re called triangulation.
Triangulation makes a future without third-party cookies a lot brighter.
Triangulation allows marketers to measure performance at multiple levels. MTA keeps track of user behavior, MMM gives a broader view of performance across channels and incrementally assesses the true contribution of each campaign to give marketers confidence in tactical decisions and strategic shifts.
Get started with marketing triangulation
Cookie tracking has been a cornerstone of marketing for decades, but regulations like GDPR and CCPA are reshaping how companies collect and use consumer data.
As a result, marketers are embracing privacy-centric solutions for ad targeting and measurement, like triangulation, which is a holistic approach to measuring and optimizing your marketing effort.