In March 2021, Google announced on its Ads & Commerce blog that it was “Charting a course towards a more privacy-first web”. The blog post was a re-affirmation of Google’s commitment, first revealed in January 2020, to remove support for third-party tracking cookies in Chrome from 2022, and contained further details about how it plans to protect user anonymity once these are phased out. But it was also a sign of just how much the conversation around third-party cookies has shifted over the past few years.
The debate around third-party cookies, which for years have been heavily relied-on by the marketing and advertising industry to compile records of a user’s browsing history and build up a profile of their interests, preferences and habits, stretches back as far as 2013, when Firefox, Safari and even Internet Explorer all began implementing some form of default blocking of third-party cookies or ad tracking.
At the time, this decision to disallow third-party cookies – even coming from most of the major internet browsers – was highly controversial among industry commentators. They argued that cookies were necessary for the ad campaigns that fuel the internet to function, or that cookies – at their heart simply a piece of technology designed to retain preferences by identifying when the same user returns to a website – are not inherently intrusive, rather that certain applications of them are.
And for all that steps to block third-party cookies were taken by web browsers very early on, it took several more years for some of them to implement comprehensive blocking, as well as for the web browser with the largest share of the market – Google Chrome – to join them. During that time, cookies remained pivotal to the way that marketers tracked, targeted and measured the impact of their campaigns; but the conversation around privacy on the web, particularly as it related to advertising, was changing.
Fast forward to 2021, and the demise of the third-party cookie (nicknamed the “cookiepocalypse”) is now an accepted fact, with discussions turning instead to how marketers can prepare, and what kinds of solutions and alternatives should be adopted. But how did we get to the point where one of the biggest web advertising heavyweights is withdrawing its support for third-party cookies, and where do we go from here? In this briefing, I’ll look at the recent developments that led to our current situation, the stances being taken by key industry players, and the alternatives that promise to balance privacy with marketing effectiveness.
Covered in this briefing:
A more positive – and private – future
The cookiepocalypse: a timeline
While 2019 was by no means the beginning of the debate about cookies – as we’ve established – it was in many ways when the tide really began to turn against third-party tracking cookies, with a number of huge developments taking place in a short space of time. And while the calamitous impact of the Covid-19 pandemic overtook the global conversation early into 2020, significant developments on the privacy and tracking front still took place in 2020 and early 2021 as players like Apple and Mozilla entrenched their established positions and moved to block additional forms of tracking.
March 2019: Apple releases Intelligent Tracking Prevention (ITP) 2.1 for Safari, the latest version of a feature designed to prevent cross-site tracking by placing limitations on cookies and other website data. First introduced in 2017, ITP prevented cookies from being used in a third-party context after 24 hours, and purged website data and cookies altogether after 30 days if the user hadn’t interacted with the website again during that time.
Adtech companies responded to the implementation of ITP by finding ways to make third-party cookies behave like first-party cookies, circumventing the block. So, with ITP 2.1, Safari squashed this workaround by wiping first-party cookies after seven days. In May 2019, it upped the ante with ITP 2.2, which deleted certain types of first-party cookies after just 24 hours, further closing the loophole. This seriously rattled advertisers, as Safari is the world’s second-most popular browser (with a current market share of 19.14%, according to GlobalStats) and the default for anyone using a Mac, Macbook, iPad or iPhone.
May 2019: At Google’s annual developer conference, Google I/O, the Chromium team announces upcoming changes that will give users more visibility over the types of cookies being set in their browser and options to block them. It also announces plans to “reduce the ways in which browsers can be passively fingerprinted” – fingerprinting being a catch-all term for more difficult to detect methods of user tracking that subvert cookie controls.
July 2019: The ICO publishes stringent new guidance that rules out many of the pretexts that advertisers have been using to set cookies in users’ browsers without actively obtaining their consent. The guidance specifies that websites:
Do need to obtain consent for analytics cookies (which are not considered essential to the functioning of the site)
Cannot use a ‘cookie wall’, which restricts access to the site until users consent to cookies being set
Cannot rely on legitimate interests, a lawful basis for processing personal data under GDPR, to set cookies without consent.
August 2019: A study by researchers from the University of Michigan and Ruhr-University Bochum finds that 86% of cookie consent notices offer no other options than a consent button, while 57% are found to use dark patterns in order to influence a user into consenting.
September 2019: Mozilla announces that Enhanced Tracking Protection (ETP), which blocks third-party tracking cookies and cryptominers, will be enabled by default in Firefox on desktop and Android. It had previously enabled ETP by default for new users in June; the September update deploys it for all Firefox users across the board. While Firefox has a much smaller market share than Chrome or Safari (currently standing at 3.76% worldwide), it is still the world’s third-most used web browser and its implementation of cookie blocking by default is another blow for marketers and advertisers.
Apple also releases ITP version 2.3 for Safari, which blocks two additional workarounds that ad companies have been using to track users: localStorage and document.referrer.
January 2020: The loudest death toll yet sounds for third-party cookies as Google announces that it will withdraw support for third-party cookies in Chrome by 2022. Executives at the Association of National Advertisers (ANA) and the American Association of Advertising Agencies (4As) issue a joint statement warning that, “Google’s decision to block third-party cookies in Chrome could have major competitive impacts for digital businesses, consumer services, and technological innovation”, and that it “would threaten to substantially disrupt much of the infrastructure of today’s Internet without providing any viable alternative.”
March 2020: Apple confirms “full third-party cookie blocking” in iOS, iPadOS and Safari, blocking cookies for cross-site resources by default across the board. John Wilander, the WebKit engineer behind Safari’s ITP, writes that, “This is a significant improvement for privacy since it removes any sense of exceptions or “a little bit of cross-site tracking is allowed.”” He celebrates that Safari is now “the first mainstream browser to fully block third-party cookies by default.”
In the same month, AdExchanger reports that an unnamed business group within the World Wide Web Consortium (W3C) is petitioning Google to delay the phase-out of third-party cookies in Chrome in light of the unfolding coronavirus pandemic. Google product manager Marshall Vale later writes to the W3C to say that it is “premature” to discuss any adjustment to the cookie phase-out timeline, although he promises that Google will “revisit” the topic as the situation evolves.
June 2020: At WWDC20 – Apple’s World Wide Developer Conference – Apple announces that the next version of iOS (iOS 14) will ask users whether they want to be tracked by any given app, and that app developers will be required to self-report the kinds of permissions that their apps require. This development, called App Tracking Transparency or ATT, was later pushed back beyond the launch of iOS 14 to give developers additional time to prepare; it will now form part of iOS 14.5, which entered developer beta on 1st February, and is expected to be deployed fully at some point in March.
While not directly related to cookies, Apple’s move to require apps to disclose the data they track is in line with its broader push towards protecting user privacy, and is particularly relevant to the question of whether and how users can be tracked within mobile apps, where cookies (which are browser-based) cannot be set.
November 2020: Apple announces further enhancements to ITP to defend against something called CNAME Cloaking – a tactic that maps an internal domain to an external one and allows a tracker to circumvent the division between first-party and third-party cookies, giving it the same level of access as a first-party cookie.
February 2021: Firefox introduces “Total Cookie Protection” as a feature of ETP Strict, an optional, more privacy-conscious version of ETP.
According to the blog post published by Mozilla, Total Cookie Protection “works by maintaining a separate “cookie jar” for each website you visit. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website.” It goes on to add that Total Cookie Protection “makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers … Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.”
Meanwhile, Bloomberg reports that “according to people with knowledge of the matter”, Google is exploring an Android version of Apple’s App Tracking Transparency. To this end, it is “seeking input” from stakeholders such as developers and advertisers in a bid to find a solution that does not compromise their ability to generate revenue. The report goes on to state that Google’s solution “is likely to be less strict and won’t require a prompt to opt in to data tracking like Apple’s … The exploration into an Android alternative to Apple’s feature is still in the early stages, and Google hasn’t decided when, or if, it will go ahead with the changes.”
March 2021: Google reveals further details on how it plans to handle user identification and tracking in the blog post ‘Charting a course towards a more privacy-first web’. In particular, it confirms that it does not have any plans to create “alternate identifiers” that would track users around the web – which many marketers, publishers and content creators see as a betrayal of their interests. Instead, Google intends to draw on the vast amount of first-party data at its disposal – thanks to its ownership of properties like Youtube, Google Maps, and of course Google Search – to target users, which will further entrench its dominant position as one of the most powerful online advertisers.
Google has also not made any commitments to phasing out the use of Google Advertising IDs, or GAIDs, which are used to anonymously track user ad activity on Android devices, in a similar fashion to a third-party cookie. Given that increasing amounts of activity take place within mobile apps and away from the open web, this would arguably be a bigger concession for Google – and while there have been hints that Google may implement an ATT-style solution on Android, it is still ultimately in Google’s interests to be able to track users and the effectiveness of its own advertising, whatever that entails.
An end to cookies, but not to behavioural targeting
While Google has been making all the right noises in its cookie-related announcements about the need for privacy on the web, in reality it is not about to do anything that would seriously compromise its own ability to effectively target and drive conversions from advertising. Marketers always knew this, of course – but had hoped that Google would throw its considerable weight behind one of a number of proposed industry solutions such as Unified ID, an initiative with widespread support among adtech providers that uses an email-based identifier to target users while purportedly giving them more control over how their data is shared.
Instead, Google has made it clear that it is only interested in implementing home-grown solutions like Federated Learning of Cohorts (FLoC) – an interest-based targeting method that Google claims will provide “at least 95% of the conversions per dollar spent when compared to cookie-based advertising”. Marketers are waiting to see whether this claim is borne out – but what is evident is that while cookies may be going away, behavioural targeting will not.
FLoC is a more anonymised method of targeting than third-party tracking cookies in that it uses machine learning to divide users into groups with similar interests and target ads based on those interests. As Google puts it, this method “effectively hides individuals “in the crowd” and uses on-device processing to keep a person’s web history private on the browser.” Users may not be tracked across browsers or across devices, but their activity within Chrome will still be tracked and used for ad targeting, with presumably no capacity to opt out (except by using another browser). This has not gone over well with privacy advocates, and privacy-conscious users may see it as little improvement over third-party tracking cookies.
Meanwhile, as marketers wait to discover more information about the effectiveness of FLoC, some of the drawbacks are already becoming clear: FLoC’s interest-based groups will not be precise enough to measure interest in a specific product, which jeopardises advertising methods like product-specific retargeting. FLoC will also make attribution and measuring campaign effectiveness much more difficult, with metrics like viewability potentially taking precedence over conversions.
There’s also the issue that the introduction of FLoC only promises to further entrench Google’s position as the dominant force in web advertising. Google’s blog post was a reminder that in a world without third-party cookies, first-party data will reign supreme – and fortunately for Google, it has access to a wealth of it, through properties like Search, Youtube and Maps. The UK’s Competition and Markets Authority (CMA) has already launched a probe into Google for “suspected breaches of competition law” over its plan to phase out third-party cookies in Chrome, following complaints that Google’s plans for a replacement would “abuse a dominance position” in advertising.
Marketers have known for some time that the mass withdrawal of support for third-party tracking cookies by the major web browsers would require changes to the way they track and measure campaigns, and many have been preparing for the change for some time. Nevertheless, a considerable number have been left dismayed by the approach that Google has chosen to take instead.
With Google retreating further behind its own walled garden with the introduction of FLoC, and the second- and third-most-used browsers (Safari and Firefox) blocking identity-based tracking of almost every kind, where should marketers go from here?
Alternatives to third-party cookies: what should marketers use?
As it became increasingly clear that the writing was on the wall for third-party cookies, the industry has been abuzz with talk of alternatives: alternative identifiers, alternative forms of measurement, alternative data sources, and alternative forms of advertising.
Some of these are more viable than others. Many alternative identifiers, for instance, encounter the issue of the need for universal adoption: while Unified ID has attracted widespread support from adtech players, Google’s refusal to support it has thrown its future into question, and there are also doubts as to whether consumers would agree to adopt it. Another potential cookie alternative, digital fingerprinting (which uses attributes like operating system, web browser type and version, language setting and IP address to identify and track a user’s device), is seen as even more intrusive than cookies, and Safari, Firefox and Chrome have all either taken steps to block digital fingerprinting methods or have pledged to reduce the ways that users can be targeted by them. And device-level IDs, like GAIDs or Apple’s IDFA (ID for Advertisers), still present problems with regard to privacy and with cross-device tracking.
But identifiers aren’t the only means of personalising advertising for users in a meaningful way, or of measuring campaign effectiveness. With the eradication of cookies, marketers have known they’ll need to get creative, and possibly employ a variety of methods to achieve the same results that they were able to obtain with cookies. However, there are also benefits to using these alternatives. Let’s take a look at some alternatives to cookie-based targeting and measurement, and the reasons why marketers should employ them.
First, second and zero-party data
“First-party relationships are vital,” wrote Google in its Ads & Commerce blog post, and this statement isn’t just true for Google – it’s true for marketers, publishers, and businesses of every stripe. First-party data is data a business collects from its users directly, and can take a wide variety of forms, from things like internal searches carried out on an ecommerce site to previously purchased items, CRM data, loyalty programme data, and much more. All of these pieces of information can enable businesses to tailor marketing and the customer experience in a way that feels genuine and helpful rather than intrusive.
A subset of first-party data that has attracted considerable industry interest in the wake of regulations like the GDPR is ‘zero-party data’. This refers specifically to data that the consumer has shared proactively, such as profile information (which can include demographic data like date of birth and gender), content preferences, responses to polls and quizzes, and many other varieties. Again, this can be used to more authentically personalise a consumer’s experience, but without the need to infer preferences from their behaviour.
One advantage of the cookie crackdown is that it is prompting marketers and brands to look more closely at the relationships they have with their own customers, review the data they already have at their disposal, and think about smart ways to use it in marketing and advertising campaigns. And while larger businesses may seem to have an unfair advantage in that they have access to significantly more first-party data than smaller businesses, small amounts of first-party data can still be used for predictive modelling, analysed, and built out into audiences. Forming data partnerships with another organisation (data obtained in this way is known as second-party data) is another solid strategy and a way of evening out the playing field.
In other words, cookie data is far from the be-all and end-all – and using other data sources will lead to improved relationships with customers, better personalisation and more accurate results.
Contextual ad targeting, a method of delivering relevant ads based on the content of the page a user is viewing rather than who the user is (or is thought to be) has enjoyed increased attention with the looming cookiepocalypse throwing the future of behavioural targeting into question.
And although the likes of Google have signalled their intention to continue targeting users based on behaviour (just in a slightly less precise way), contextual targeting is still an option worth exploring, offering many of the same benefits in terms of ad relevance as behavioural targeting, plus some arguable advantages from a user perspective. After all, a user who reads about marketing technology for their day job might not be interested in having martech ads follow them around off the clock – but they might be interested in an ad relevant to the hobby-related article they are reading for fun.
Contextual targeting on the web has been around for decades, and to some marketers, might seem like a rather basic and outdated method of ad targeting compared with more precise cookie-based methods of targeting. However, as Patricio Robles wrote for the Econsultancy blog, “Contextual advertising in the 2020s will be more sophisticated … Better technology allows marketers to apply their first-party data to contextual ads, and they will also be able to target by various non-unique attributes, including device type, location, and time of day, many of which can impact the effectiveness of campaigns.”
Alternative forms of measurement
Measurement and attribution were already challenging enough for marketers before the demise of the third-party cookie. In an online world that has fragmented into countless touchpoints, channels and devices, how can marketers determine exactly which of their actions moved the needle or resulted in a conversion?
But many have seen this as a positive opportunity: cookies were far from a perfect solution to marketing measurement, particularly in the age of mobile where so many interactions already take place away from browsers. And while there isn’t one single, ideal measurement solution that will allow marketers to comprehensively measure campaign performance in the post-cookie age, a variety of methods exist with different strengths marketers can call on in different circumstances to achieve their goals. Here are just a few of those methods:
Econometrics/Marketing Mix Modelling
Econometrics, also called Marketing Mix Modelling, is a method of using statistical analysis to understand the impact of a range of different variables – from sales promotions to the weather or the economy – on marketing KPIs.
It pulls in data from a wide range of different sources, meaning that it depends relatively little on third-party cookie data, but it is also most effective when run over time, using a large number of data points. This makes it less of a viable option for marketers who don’t already have a lot of data. Marketing Mix Modelling is useful for informing high-level decisions like budget split between channels, but can’t inform granular decisions like how to optimise bids.
Incrementality testing is a specific variety of A/B testing that allows marketers to measure the lift provided by a particular type of advertising by comparing the conversion rate of one group, which was not exposed to that advertising, with the conversion rate of another that was. The difference between the two groups’ conversion rates can be used to calculate the incremental lift provided by that advertising – assuming that all other variables between the two groups are the same.
In other words, incrementality testing is most effective when you can control all of the variables that are likely to impact on uplift – otherwise you might be attributing conversions to the wrong one. Incrementality testing can be useful for determining the true impact of a particular piece of advertising, channel or campaign on conversions and finding out whether it offers value (and how much) or just takes ‘credit’ for an action that would have occurred anyway.
Brand lift studies
Brand lift studies are a type of market research that surveys consumers to find out whether their level of awareness, their perception of a brand, and/or their likelihood of making a purchase has changed after being exposed to an ad. Many ad providers, including Facebook and Google, offer native brand lift tools to help marketers measure the impact of their ad campaigns.
Brand lift studies are useful for providing detail on the effectiveness of a specific campaign or channel, but are difficult to generalise beyond that. Wider brand studies can also be carried out as a means of obtaining consented, first-party data; providing a benchmark that future brand lift studies can be measured against; and obtaining more in-depth insights from consumers like their opinions on the category as a whole.
More detail on other cookie-less methods of measurement, including attribution analysis, controlled and uncontrolled audience testing, and geo-testing, can be found in Daniel Gilbert’s insightful post, How to measure marketing in a world without cookie tracking, as well as in Econsultancy’s Measuring Digital Marketing Effectiveness Best Practice Guide.
A more positive – and private – future
The announcement by Apple that it will be prompting users for their consent to share data with apps, and by Google that it will not be supporting an identity-based alternative to cookies going forward, has collectively galvanised the industry into searching for sustainable alternatives to the old methods of targeting and measuring ads. This has not been – and will not be – an easy transition for marketing, but many believe the outcome will be beneficial for marketers and consumers alike. At the end of 2020, Harmony Murphy, GM Advertising at Ebay UK, gave her views on the ‘post-cookie’ future for marketing in a 2021 predictions roundup for Econsultancy, saying,
“Instead of relying on quick wins, a cookie-less, premium, user first experience is a move in the right direction for brands. After all, this is what advertising is about: quality engagement with consumers that helps them and genuinely delivers ROI for the brand. It’s about engagement and relevance, not irritation.”
Read more: econsultancy.com