The big news in the publishing industry is that Google Chrome is removing support
for third-party cookies by 2022. There are many reasons behind the move, but the headline Google is leading with is that third-party cookies are problematic when it comes to user privacy.
Cookies, and the implications that come with them, are now fairly widely known. They are trackers. Users are now starting to push back against the level of tracking they are subjected to in order to do anything online. Yet, first-party cookies are not treated in the same way as third-party cookies.
First-party cookies are the friendly face of online tracking, and are not going anywhere — so why is that? What are the key differences between first and third-party cookies that are making Google terminate one and embrace the other?
Cookies contain, at a basic level, two pieces of information: a unique identifier to ‘mark ‘ the user and then some specific information about that user like their location, logins, or language preferences.
First-party cookies are created by the host domain – basically the website that the user is on. They make the browser able to remember key information, like analytics data, language preference, and take care of other functions that improve the user experience. There is a direct relationship between the user, the website, and the information being shared. Users can also control the information they share via the consent management platform.
The information stored in a first-party cookie can only be accessed by the domain that created it. All major browsers still support these cookies, but they can be disabled. The reason they are rarely disabled is that they offer users advantages that outweigh the concerns over privacy and security that come with giving some personal info to one website.
Without first-party cookies, you’d have to log in to every site, every time. Add something to your shopping basket and check another page, without a first-party cookie the basket would reset. The important distinction is that first-party cookies just store the information you are already giving to the website. You want the website to know what language you speak, pre-fill your email. With first-party cookies, this data stays between you and the website.
Intrinsically, third-party cookies are the same creature as first-party. They are a token that stores information and a unique user identifier. But, rather than being created by the website’s domain, third-party cookies are created by a separate (third-party) domain, usually an ad server. Using a script or tag on the page, the information in the cookie can then be read by any website running that ad server’s code.
The issue with third-party cookies is that they spread like a virus. By visiting one page, your data becomes open to an entire network of other pages. Like 6-degrees of separation, with a third-party cookie, you’re only one click away from your data being open to a sprawling system of all kinds of websites.
There is nothing fundamentally bad about this. Users can block these cookies, or select the sites to share with, ( around 97% of users give consent). The sites then only want to serve more relevant ads to users. Few news publishers are using this data to build our robot replacements that will work in the tin and zinc mines on Mars.
The issue is that users don’t really know the scope of who their data will be shared with and how it will be used. It also raises security questions. You may be happy to give your data to a well-known, major brand’s website. You can be confident that they have some checks and balances for security and that there would be recourse if there was a leak. But, if your data is spread freely across any site, any expectation of security is basically gone. If there is one weak link in the chain it risks exposure to everyone.
Additionally, third-party cookies open you up to the kind of tracking people tend to find creepy. You may want a website to know your preferences for how you use that site. It’s less likely that you want an ad server to follow all of your online activity with the hopes of building a picture of you that’s clear enough to drip targeted ads to.
Third-party cookies make online activity more public than most people would intend to and they expose more risk to data breaches. But, there is always more than one side to the story.
Issues with first-party cookies
The block of third-party may seem like a win for the consumer, at the expense of advertisers. But, when the oil company wants to buy your house, it’s good to ask some questions first.
The internet is huge. But, the majority of online journeys start with the same handful of websites. Google has an unimaginably large network of first-party information conceivable. Facebook, Apple, and Amazon, too.
Only having access to first-party cookies makes these monoliths stronger. They are now able to offer advertisers rich, detailed profiles based on the activity on these sites. Google searches Gmail, Youtube activity. All of this can be stored in a first-party cookie and used to deliver targeted ads that are not possible on other sites without third-party cookies.
For many publishers, this is a competitive advantage
that equates to a monopoly. Google’s own study has shown that the top 500 publishers stand to lose an average of 52%
of their revenue due to this change.
While the block of third-party cookies may be a positive nudge forward for user privacy, it won’t put an end to insidious tracking, or give users true online privacy.
Additionally, it may help sites comply with growing regulations, but publishers will have to find an alternative solution. Publishers need user data to give advertisers information about their audiences in order to compete with networks that have spent a decade building vivid profiles of first-party information.
In our next post, we are exploring some of the alternative options publishers have in a world without third-party cookies.