The doomsday clock is ticking for third-party cookies. Google plans to stop supporting the cross-site tracking technology on Chrome, the browser used by over 60 percent of internet users, by 2022.
That means third-party cookies have less than two years of relevance left.
It’s not just Chrome that’s phasing them out, either. In fact, Chrome will be one of the browsers slowest to do it. Firefox’s Mozilla browser began blocking third-party cookies by default last year. And in March, Apple did the same in its Safari browser, a move that fit well with the company’s larger brand; Apple prides itself on protecting digital privacy in a simple way.
Third-party cookies, meanwhile, have become shorthand for the opposite of privacy — covert corporate surveillance.
What are Third-Party Cookies?
Digital privacy has become a top priority for many people recently, thanks in part to a slew of high-profile data breaches. Cambridge Analytica famously misused Facebook data to target political ads before the United States’ 2016 presidential election; then the Equifax hack leaked millions of people’s personal information, including hundreds of thousands of people’s credit card numbers.
As news of these breaches has rolled out, so have a smattering of new privacy laws — first the European Union’s General Data Protection Regulation of 2016, and then California’s Consumer Privacy Act of 2018.
These laws regulate third-party cookie usage, but they don’t ban the tracking technology outright. That means browsers aren’t phasing out third-party cookies out of legal necessity. Arlo Gilbert, CEO of Osano — whose software helps companies comply with the global patchwork of privacy regulations — argues that they’re doing it for an obvious, ethical reason.
“Third-party cookies are, most of the time, evil,” he told Built In.
“Third-party cookies are, most of the time, evil.”
Jason Downie, CRO of Lotame — a company whose data management software helps marketers and publishers target online ad campaigns — thinks it’s more about scapegoating an innocuous technology.
“Third party cookies are not ‘the problem,’” he told Built In.
Ultimately, these opposing opinions aren’t just about cookies. They’re about how the internet and online advertising works, and how it should work. Do we own our behavioral data? Can we expect privacy and a free internet?
Before we dig into those larger issues, let’s take a deeper look at how third-party cookies work.
A Crash Course in Third-Party Cookies
How common are third-party cookies today?
Very common. A single site often drops multiple third-party cookies on each of its users. In 2019 Geoffrey Fowler, a tech columnist at the Washington Post, found that, by blocking third-party cookies, he evaded more than 11,000 of them in a single week.
Who places third-party cookies on websites?
Third-party cookies are widely considered marketing technology, but it’s publishers who ultimately place these cookies on their sites, John Hyland, VP of publisher solutions at Centro, told Built In.
Marketers incentivize usage, though, often paying a premium for ads on sites with third-party cookies enabled. The cross-domain tracking technology makes ad space more valuable, and less of a black box, to advertisers — they make it clear which behavioral profiles have seen a given ad, and how they reacted to it.
What sort of data do third-party cookies collect?
It varies by cookie, but, in theory, third-party cookies can track all kinds of data. That includes basic demographic information, like age and gender, as well as more complex traits, like political affiliation, browsing history and digital behaviors — like how far a user typically scrolls down a page.
“It’s so deep,” Hyland said, of Centro’s library of third-party data. Type any keyword, and it will summon reams of relevant data, allowing advertisers to target Buick owners, Quentin Tarantino fans — you name it.
How is the data used?
Data from third-party cookies, according to Hyland, is most typically used to target programmatic advertising — in other words, the purchasing of digital ads through self-service online portals instead of through salespeople.
So, is that a bad thing?
That’s subjective, but, as Gilbert pointed out, it’s not all bad. Targeted advertising supports the free web, from Gmail to Twitter, and it’s “actually way better than badly targeted advertising,” he argued. “I want to see ads for cigars and cars and things for my upcoming baby. I want to see ads that are relevant.”
But targeted ads also mean we’re not entirely anonymous on the internet.
Is this a new thing?
No. Though the terminology “third-party cookie” only emerged in the past few years, according to Gilbert, the actual technology was born in the ’90s, out of a kind of involuntary collaboration between a founding engineer at Netscape, and ’90s ad companies like DoubleClick.
The Netscape engineer, Lou Montulli, invented cookies in 1994. As he told the Wall Street Journal, “the web didn’t have any concept of memory” back then — so if you filled a shopping cart somewhere and then bopped to another site, the first site where you had been shopping forgot you.
He imagined that cookies would fix the web’s chronic forgetfulness and improve the online user experience, without meaningfully compromising privacy. Cross-site tracking with cookies struck him as improbable; it would require building a complex web of relationships with countless websites, Montulli told Gartner.
But that’s exactly what ad companies did, almost immediately. Pioneered most notably by DoubleClick — founded in 1995, and bought by Google in 2008 — third-party cookies were a hot topic by 1996. A topic of discussion, then and now: Are third-party cookies creepy?
So, are third-party cookies creepy?
That’s the divisive question.
Third-Party Cookies Are ‘Not Nefarious’ Compared to Voice Assistants
If you’ve seen an ad online so perfectly suited to you that the precision targeting almost distracted from the substance of the ad — but how did they know? — then you’re not alone. The most common listener question technology podcast Reply All got, as of 2017, was, “Is Facebook eavesdropping on my conversations?”
It’s not just Facebook that’s sparked privacy concerns, though. Voice-activated, in-home assistants have also sparked questions about eavesdropping.
“Are these devices listening to you?” Downie said. “I believe they are.”
That’s not purely a hunch — last year, the Washington Post reported that some of these devices record any activity following their “wake words,” and permanently store it in such a way that the provider company’s employees can review it.
Downie isn’t personally concerned, though. “They just want to sell me more stuff,” he said, of the companies making voice assistants. “It’s really not nefarious.”
It’s just more nefarious, in his eyes, than third-party cookies. While voice assistants record otherwise inaccessible information about the sonic texture of home life, third-party cookies capture data that can easily be captured with other tracking technology.
First-party cookies, for instance, can capture very similar data, though they do it on behalf of the web domain a user is visiting, rather than an outside data aggregator.
Downie also noted that third-party cookies never collect personally identifiable information, or PII, Downie noted. This could include a user’s name, social security number, passport number, email address.
What exactly constitutes PII is complicated and jurisdiction-specific. In the United States, it depends on context; internationally, different countries define it differently, Downie said.
The core idea, though, is that companies only collect PII online when users actively choose to give it to them. Third-party data aggregators only collect anonymized, mundane data relevant to advertisers, but not many others.
If Downie clicked on an article about Kim Kardashian, for instance, the cookie wouldn’t report “Jason Downie read about Kim Kardashian.” It would report something like, “Cookie ID 12345 read about Kim Kardashian.”
But Some Call Third-Party Cookies ‘Evil’
Critics of the third-party cookie, however, argue that this anonymized tracking of browsing history and scrolling habits can still add up to alarming invasions of privacy.
In a deep dive on digital tracking technologies for the Electronic Frontier Foundation, Bennett Cyphers wrote that “[t]he most prevalent threat to our privacy is the slow, steady, relentless accumulation of relatively mundane data points about how we live our lives,” which get compiled into “sprawling behavioral profiles.”
Third-party cookies only contribute anonymized data to these profiles, it’s true. But internally, companies like Facebook and Google can combine that anonymized data with PII-rich first-party data.
Facebook, for instance, uses a third-party cookie, the Pixel, to track user behavior across the web — so “[i]f you’re logged into Facebook with the same browser you use to surf the web, the company knows exactly who you are and the vast majority of the websites you visit,” Casey Oppenheim, co-founder of Disconnect, told Consumer Reports.
Facebook isn’t unique, either. Many companies want to tie first- and third-party data together, or fuse third-party data on one user’s phone, smart TV and desktop behavior into one profile. This is an imprecise, “probabilistic” process, Downie said.
As Cyphers put it, “Across the marketing industry, trackers use petabytes of personal data to power digital tea reading.”
When it goes wrong, it’s laughable. When it goes right, it makes a person want to call Reply All. It’s the sheer scale of it that strikes Gilbert as “evil.”
What if our detailed-yet-imperfect personal profiles get nabbed by hackers? Or subpoenaed by the government? The risks range from leaked health concerns — due to, say, frequent searches for “heart arrhythmia” — all the way up to false criminal convictions.
Even Critics Might Miss Third-Party Cookies When They’re Gone
Montulli himself, the cookie’s inventor, has expressed misgivings about third-party cookies. “I am not comfortable with being tracked across the web,” he wrote on his blog in 2013.
However, Montulli didn’t recommend browsers block them by default, because he didn’t see that putting an end to behavioral tracking. He only saw it pushing the process underground.
Today, Downie foresees something similar. Third-party data is a multi-billion dollar industry, and those don’t dry up overnight.
“The [data] collection will still happen,” he predicted. “The aggregation will still happen.”
It’ll just be done via different technologies.
“It won’t even be that complicated [to switch tracking methods], to be honest,” Downie added.
Some innovative, privacy-friendly replacements for third-party cookies remain in the ideation phase in Google’s Privacy Sandbox. But in the meantime, marketers will turn to more familiar ways of identifying users, like first-party cookies and IP addresses.
The ecosystem of new tracking technologies will likely be less transparent than third-party cookie tracking was, though, and harder for users to opt out of. (Though browsers have only recently begun blocking them by default, individual users have long been able to block third-party cookies manually in their browser settings.)
So, overall, it’s hard to see the demise of third-party cookies as a meaningful win for data privacy.
If anything, Downie sees it as a win for big-name tech companies selling customer relationship management technology — used to store first-party data collected via cookies, among other sources. This type of software will only become more important now that third-party cookies are out of the picture.
Gilbert agrees that first-party cookies will become more important. He sees them taking on a lot of the tracking work once relegated to third-party cookies — and, unlike third-party cookies, they’re hard to block. It would be impossible for online shoppers to buy more than one item at a time without first-party cookies; in some cases, disabling first-party cookies crashes a website entirely.
He wishes that, instead, the two types of cookies had taken on increasingly specialized roles. “If you could guarantee that all advertising-related stuff would be third-party ... [and] the only stuff that’s first-party would be about the shopping cart and remembering your username, that’d be great,” Gilbert said.
That way, users who prioritized privacy could opt out of ad-targeting efforts, while enjoying an unconditionally easy, breezy user experience.
Instead, though, privacy advocates and digital marketers seem poised to continue their “cat and mouse game,” as Gilbert put it, with the resources concentrated on the digital marketers’ side.
“This is probably a race we can’t win,” Montulli wrote on his blog, addressing fellow privacy advocates.
He recommended tackling online privacy through regulation, instead. This makes sense to Gilbert too. To him, the real problem isn’t third-party cookies. It’s that individuals can’t control when their online behavior gets tracked.
(Even Chrome’s “incognito mode” is “the privacy equivalent of using an umbrella in a hurricane,” Geoffrey Fowler writes in the Washington Post.)
“Fundamentally, I feel like the ... game has gotten played enough now,” Gilbert said. “It will just continue ... until regulators step in and say, ‘Look, I don’t care what technical solutions you want to call it. You’re still taking people’s data without their permission and selling it. And that’s not OK.’”